Welcome to x09.io. We respect your privacy and are committed to protecting your personal data.
This Privacy Policy informs you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, about which personal data (referred to as "data" for short) we, as the data controller – and the data processors commissioned by us (e.g., service providers) – process, will process in the future, and what legal options you have. The terms used are to be understood as gender-neutral.
This Privacy Policy applies to all personal data processed by us within the company and to all personal data processed by companies commissioned by us (data processors). By personal data, we mean information as defined in Art. 4 No. 1 GDPR, such as a person's name, email address, and postal address. The processing of personal data ensures that we can offer and bill for our services and products, whether online or offline.
The scope of this Privacy Policy includes:
all online presences (websites) operated by us
social media presences and email communication
mobile apps for smartphones and other devices
In short: This Privacy Policy applies to all areas where personal data is processed within the company through the specified channels. If we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.
1. Legal Bases
In the following Privacy Policy, we provide you with transparent information about the legal principles and regulations, i.e., the legal bases of the General Data Protection Regulation (GDPR), that allow us to process personal data.
Regarding EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016. You can, of course, read this GDPR regulation online on EUR-Lex, the access point for EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679.
We process your data only if at least one of the following conditions applies:
Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of data you entered in a contact form.
Contract (Article 6(1)(b) GDPR): We process your data to fulfill a contract or pre-contractual obligations with you. For example, if we enter into a purchase agreement with you, we need personal information in advance.
Legal Obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For instance, we are legally required to retain invoices for accounting purposes, which typically contain personal data.
Legitimate Interests (Article 6(1)(f) GDPR): In cases of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data to operate our website securely and efficiently. This processing is therefore a legitimate interest.
Other legal bases, such as processing in the public interest or for the exercise of official authority, as well as the protection of vital interests, generally do not apply to us. If such a legal basis becomes relevant, we will specify it in the appropriate section.
In addition to the EU regulation, national laws also apply:
In Austria, this is the Federal Act on the Protection of Natural Persons with Regard to the Processing of Personal Data (Data Protection Act, or DSG).
In Germany, the applicable law is the Federal Data Protection Act (BDSG).
If additional regional or national laws apply, we will inform you in the following sections.
2. Storage Duration
As a general principle, we store personal data only for as long as it is absolutely necessary to provide our services and products. This means that we delete personal data as soon as the reason for processing it no longer exists. In some cases, however, we are legally required to retain certain data even after the original purpose has ceased to exist, for example, for accounting purposes.
If you request the deletion of your data or withdraw your consent to data processing, the data will be deleted as soon as possible, provided there is no legal obligation to retain it.
Further details on the specific duration of each data processing activity are provided below, if additional information is available.
3. Rights Under the General Data Protection Regulation (GDPR)
In accordance with Articles 13 and 14 of the GDPR, we inform you about the following rights that you are entitled to, ensuring fair and transparent data processing:
Right of Access (Article 15 GDPR): You have the right to know whether we process data about you. If this is the case, you are entitled to receive a copy of the data and the following information:
The purpose of the data processing
The categories of data being processed
The recipients of the data, and if data is transferred to third countries, how security is ensured
The duration of data storage
The existence of the right to rectification, deletion, restriction of processing, and the right to object to processing
Your right to lodge a complaint with a supervisory authority (links to these authorities can be found below)
The source of the data, if we did not collect it from you
Whether profiling is performed, meaning if data is automatically analyzed to create a personal profile of you
Right to Rectification (Article 16 GDPR): You have the right to have your data corrected if you find any errors.
Right to Erasure (“Right to be Forgotten,” Article 17 GDPR): You have the right to request the deletion of your data.
Right to Restriction of Processing (Article 18 GDPR): You have the right to restrict the processing of your data, meaning we may only store it but not use it further.
Right to Data Portability (Article 20 GDPR): You have the right to receive your data in a commonly used format upon request.
Right to Object (Article 21 GDPR): You have the right to object to data processing, which will result in changes to how your data is processed.
If data processing is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you can object to the processing. We will review your objection as quickly as possible to determine whether we can legally comply with it.
If your data is used for direct marketing purposes, you may object at any time. In that case, we may no longer use your data for direct marketing.
If your data is used for profiling, you may object at any time. We will then cease using your data for profiling.
Right Not to Be Subject to Automated Decision-Making (Article 22 GDPR): Under certain circumstances, you have the right not to be subject to a decision based solely on automated processing (such as profiling).
Right to Lodge a Complaint (Article 77 GDPR): You have the right to file a complaint with a data protection authority if you believe that the processing of your personal data violates the GDPR.
If you believe that the processing of your data violates data protection laws or that your data protection rights have been infringed in any other way, you can file a complaint with the relevant supervisory authority.
In Austria, this is the Data Protection Authority, which you can find at https://www.dsb.gv.at/.
In Germany, each federal state has its own data protection officer. For further information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
For our company, the following local data protection authority is responsible:
Austrian Data Protection Authority
Head: Dr. Matthias Schmidl
Address: Barichgasse 40-42, 1030 Vienna, Austria
Phone Number: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/
4. Security of Data Processing
To protect personal data, we have implemented both technical and organizational measures. Whenever possible, we encrypt or pseudonymize personal data. This ensures, to the best of our ability, that third parties cannot easily infer personal information from our data.
Article 25 of the GDPR refers to "data protection by design and by default", meaning that security measures must be considered and implemented in both software (e.g., forms) and hardware (e.g., access to server rooms).
Below, we will outline specific measures if necessary.
5. TLS Encryption with HTTPS
TLS, encryption, and HTTPS may sound highly technical—and they are. We use HTTPS (Hypertext Transfer Protocol Secure) to securely transmit data over the internet and prevent eavesdropping.
This means that the entire transmission of data from your browser to our web server is secured—no one can "listen in."
With this additional security layer, we comply with privacy by design (Article 25(1) GDPR). By implementing TLS (Transport Layer Security), an encryption protocol for secure data transmission on the internet, we ensure the protection of confidential data.
You can recognize this secure data transmission by the padlock icon in the upper left corner of your browser, next to the web address (e.g., example.com), and by the use of the HTTPS protocol (instead of HTTP) in our website address.
6. Communication
When you contact us via phone, email, or online forms, the processing of personal data may occur.
The data is processed to handle and respond to your inquiry and any related business transactions. It is stored only as long as necessary for these purposes or as required by law.
Affected Individuals
All individuals who contact us through the communication channels we provide are affected by this data processing.
Phone Communication
If you call us, call data may be pseudonymized and stored on the respective device and with the telecommunications provider. Additionally, details such as your name and phone number may be sent via email and stored for response purposes. The data is deleted once the business matter is resolved and legal requirements allow for deletion.
Email Communication
When you communicate with us via email, data may be stored on the respective device (e.g., computer, laptop, smartphone) and on our email server. The data is deleted as soon as the business transaction is completed and legal regulations allow it.
Online Forms
If you communicate with us via an online form, the data is stored on our web server and may be forwarded to one of our email addresses. The data is deleted once the business matter is resolved and legal requirements allow for deletion.
Legal Bases
The processing of data is based on the following legal foundations:
Article 6(1)(a) GDPR (Consent): You provide consent for us to store and use your data for the business-related purpose.
Article 6(1)(b) GDPR (Contract): Processing is necessary for fulfilling a contract with you or a service provider (e.g., a telecommunications provider), or for pre-contractual activities such as preparing an offer.
Article 6(1)(f) GDPR (Legitimate Interests): We aim to handle customer inquiries and business communication professionally. This requires technical infrastructure such as email programs, Exchange servers, and mobile network providers to enable efficient communication.
7. Data Processing Agreement (DPA)
In this section, we explain what a Data Processing Agreement (DPA) is and why it is necessary. Since the term Auftragsverarbeitungsvertrag is quite a mouthful, we will use the abbreviation DPA throughout this text.
Like most companies, we do not operate alone but also use the services of other businesses or individuals. By involving various companies or service providers, we may need to share personal data for processing. These partners then act as data processors, with whom we enter into a contract known as a Data Processing Agreement (DPA).
The most important thing for you to know is that the processing of your personal data is carried out exclusively under our instructions and must be regulated by the DPA.
Who Are Data Processors?
As a company and website owner, we are responsible for all the data we process from you. In addition to controllers (the entities responsible for data processing), there are also data processors.
A data processor is any company or individual that processes personal data on our behalf. According to the GDPR definition, any natural or legal person, authority, institution, or other entity that processes personal data on our instructions qualifies as a data processor.
Data processors can include service providers such as hosting or cloud providers, payment processors, newsletter services, or large companies like Google or Microsoft.
To clarify these roles under the GDPR, here is an overview:
Data Subject (You as a customer or user) → Controller (We as the company and data owner) → Data Processor (Service providers such as web hosts or cloud providers)
Contents of a Data Processing Agreement (DPA)
As mentioned above, we have signed a DPA with all our partners who act as data processors. This contract primarily ensures that the data processor processes data strictly in accordance with the GDPR.
The contract must be in writing, although an electronic agreement is also considered legally valid. Data processing can only take place once the contract has been signed.
A DPA must include the following:
Obligation to follow our instructions as the controller
Duties and rights of the controller
Categories of data subjects
Types of personal data processed
Nature and purpose of data processing
Scope and duration of data processing
Location where data processing is conducted
Obligations of the Data Processor
Additionally, the contract defines all obligations of the data processor, including:
Implementing data security measures
Taking technical and organizational measures to protect the data subject’s rights
Maintaining a data processing record
Cooperating with data protection authorities upon request
Conducting a risk analysis regarding the personal data received
Appointing sub-processors only with the written approval of the controller
8. Web Hosting
Whenever you visit a website, certain information—including personal data—is automatically collected and stored, including on this website. This data should be processed as sparingly as possible and only with justification.
By website, we refer to all pages on a domain, from the homepage to the last subpage (such as this one). A domain could be, for example, example.com or mywebsite.net.
To view a website on a computer, tablet, or smartphone, you use a program called a web browser—such as Google Chrome, Microsoft Edge, Mozilla Firefox, or Apple Safari.
To display a website, the browser must connect to another computer where the website’s code is stored: the web server. Running a web server is a complex task, which is why this is usually handled by professional web hosting providers, ensuring reliable and error-free storage of website data.
Processing of Personal Data During Web Hosting
When your browser connects to our web server and data is transferred, personal data may be processed. Both your device (computer, smartphone, etc.) and the web server may store data temporarily to ensure proper functionality.
Why Do We Process Personal Data?
The purposes of data processing include:
Professional hosting of the website and ensuring operational stability
Maintaining IT and operational security
Anonymous analysis of user behavior to improve our services
Potential legal enforcement, such as in cases of fraudulent activity
What Data Is Processed?
Even as you visit our website now, our web server—where this website is stored—typically automatically records the following data:
The full internet address (URL) of the requested page
The browser type and version (e.g., Chrome 87)
The operating system used (e.g., Windows 10)
The previously visited page (Referrer URL) (e.g., https://www.example-source.com/)
The hostname and IP address of the accessing device (e.g., COMPUTERNAME and 194.23.43.121)
The date and time of access
All of this information is stored in web server log files.
How Long Is Data Stored?
Typically, this data is stored for two weeks and is then automatically deleted. We do not share this data but cannot rule out access by authorities in cases of legal violations.
In short: Your visit is logged by our web hosting provider, but your data is not shared without consent!
Legal Basis
The legal basis for processing personal data in web hosting is Article 6(1)(f) GDPR (Legitimate Interests). The use of professional web hosting services is necessary to securely and efficiently present our website online while also protecting against cyberattacks or legal claims.
A Data Processing Agreement (DPA) is typically in place between us and our hosting provider in accordance with Article 28 GDPR, ensuring compliance with data protection regulations and security standards.
9. Framer Privacy Policy
Why Do We Use Framer?
We utilize Framer to design and host our website, ensuring a seamless and efficient user experience. Framer provides a platform that emphasizes reliability, speed, and security, allowing our website to function flawlessly regardless of traffic levels or time of access. Their robust infrastructure includes comprehensive backup systems to safeguard our content and data. By partnering with Framer, we ensure that our web presence is both professional and dependable.
What Data Does Framer Process?
Framer may process certain personal data when you interact with our website. According to Framer's Privacy Statement, they collect information to provide and improve their services. This includes data you provide directly, such as your name and email address when creating an account, as well as information collected automatically, like your IP address, browser type, and usage patterns. Framer employs industry-standard techniques to protect this data against unauthorized access and does not share personal information without your consent, except under specific circumstances outlined in their policy.
Where and How Long Is the Data Stored?
Framer stores data on secure servers and implements industry-standard measures to protect your personal information. The retention period for your data depends on the nature of the information and the purposes for which it was collected. Framer retains personal data as long as necessary to provide their services, comply with legal obligations, resolve disputes, and enforce agreements. Specific details about data retention can be found in Framer's Privacy Statement.
How Can I Delete or Prevent Data Storage?
You have the right to access, correct, delete, or restrict the processing of your personal data. To manage cookies and prevent data storage, you can adjust your browser settings to refuse cookies or notify you when a cookie is being sent. However, please note that disabling cookies may affect the functionality of certain features on our website. For more detailed instructions on managing cookies, refer to the "Cookies" section of Framer's GDPR and Cookies documentation.
Legal Basis
Our use of Framer is based on legitimate interests to provide and enhance our online services. The processing of personal data in this context is conducted in accordance with Article 6(1)(f) of the General Data Protection Regulation (GDPR). Framer is committed to protecting your privacy and complies with applicable data protection laws. For more information, please review Framer's Privacy Statement.
If you have further questions about Framer's data protection policies, you can refer to their Privacy Statement:
Data Processing Agreement (DPA) for Framer
In accordance with Article 28 of the General Data Protection Regulation (GDPR), we have established a Data Processing Agreement (DPA) with Framer B.V., located at Rozengracht 207B, 1016 LZ Amsterdam, The Netherlands. This agreement is legally required, as Framer processes personal data on our behalf. The DPA ensures that Framer processes any data received from us solely based on our instructions and in compliance with the GDPR. You can review Framer's Data Processing Addendum at https://www.framer.com/legal/data-processing-addendum/.
11. Web Analytics
What is Web Analytics?
We use software on our website to analyze visitor behavior, commonly known as Web Analytics or Web Analysis. This involves collecting data that the respective analytics tool provider (also referred to as a tracking tool) stores, manages, and processes.
With the help of this data, reports on user behavior on our website are generated and made available to us as the website operator. Most tools also offer various testing options. For example, we can test which offers or content are most popular with our visitors by displaying two different versions of a page for a limited time. After the test (known as an A/B test), we can determine which product or content is more engaging for our visitors. These testing procedures, along with other analytics processes, may involve creating user profiles and storing data in cookies.
Why Do We Use Web Analytics?
Our website has a clear goal: to provide the best online experience in our industry. To achieve this, we aim to offer the most engaging and relevant content while ensuring an optimal user experience.
Web analytics tools allow us to closely examine visitor behavior and continuously improve our website. For example, we can determine:
The average age of our visitors
Their geographic locations
Peak visit times
Which content or products are most popular
All this information helps us optimize the website and tailor it to your needs, interests, and preferences.
What Data is Processed?
The exact data collected depends on the analytics tools used. However, in general, the following information is recorded:
Which content you view on our website
Which buttons or links you click on
The time you access a page
Which browser you use
Which device you use (PC, tablet, smartphone, etc.)
Which operating system you have
If you have consented to the collection of location data, this information may also be processed by the web analytics tool provider.
Additionally, your IP address is stored. Under the General Data Protection Regulation (GDPR), IP addresses are considered personal data. However, in most cases, your IP address is pseudonymized (i.e., stored in an anonymized and shortened format).
For testing, analytics, and website optimization purposes, we generally do not store direct personal data such as your name, age, address, or email address. If such data is collected, it is stored in a pseudonymized manner, meaning it cannot be used to identify you personally.
Duration of Data Processing
We provide details about the duration of data processing below if further information is available. In general, we process personal data only as long as necessary to provide our services and products. If required by law, such as in accounting, the storage period may exceed this timeframe.
Right to Object
You have the right to withdraw your consent to the use of cookies and third-party providers at any time. This can be done via:
Our cookie management tool
Other opt-out features provided by analytics tools
Adjusting browser settings to manage, disable, or delete cookies
Legal Basis
The use of web analytics requires your consent, which we obtain via our cookie pop-up. According to Article 6(1)(a) GDPR (Consent), this consent serves as the legal basis for processing personal data collected through web analytics tools.
In addition to consent, we have a legitimate interest in analyzing visitor behavior to technically and economically optimize our services. Web analytics help us:
Identify website errors
Detect potential cyberattacks
Improve efficiency and user experience
The legal basis for this is Article 6(1)(f) GDPR (Legitimate Interests). However, we only use analytics tools if you have given consent.
Since web analytics tools use cookies, we recommend reviewing our general cookie policy. To understand which data is collected and processed, please read the privacy policies of the respective analytics tools.
For information about specific web analytics tools, please refer to the following sections, if available.
12. Google Analytics Privacy Policy
What is Google Analytics?
We utilize the analytics tracking tool Google Analytics 4 (GA4) from the American company Google Inc. For the European region, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is responsible for all Google services. Google Analytics collects data about your actions on our website. By combining various technologies such as cookies, device IDs, and login information, you can be identified as a user across different devices, allowing for cross-platform analysis of your actions.
For instance, if you click on a link, this event is stored in a cookie and sent to Google Analytics. The reports we receive from Google Analytics enable us to better tailor our website and services to your needs. Below, we delve deeper into this tracking tool, focusing on the data processed and how you can prevent this.
Google Analytics is a tracking tool used to analyze website traffic. The foundation of these measurements and analyses is a pseudonymous user identification number. This number does not contain personal data such as your name or address but serves to associate events with a specific device. GA4 employs an event-based model that captures detailed information about user interactions, such as page views, clicks, scrolling, and conversion events. Additionally, GA4 incorporates various machine learning functions to better understand user behavior and trends. Through machine learning, GA4 can model data, meaning it can extrapolate missing data based on collected information to optimize analysis and provide forecasts.
For Google Analytics to function, a tracking code is embedded into our website's code. When you visit our website, this code records various events you perform. With GA4's event-based data model, we, as website operators, can define and track specific events to gain insights into user interactions. This allows us to monitor not only general information like clicks or page views but also specific events crucial to our business, such as submitting a contact form or purchasing a product.
Once you leave our website, this data is sent to Google Analytics servers and stored there.
Google processes the data, and we receive reports about your user behavior. These reports may include:
Audience Reports: These help us better understand our users and identify who is interested in our services.
Ad Reports: These make it easier to analyze and improve our online advertising.
Acquisition Reports: These provide valuable insights into how we can attract more people to our services.
Behavior Reports: These show how you interact with our website, allowing us to trace your navigation path and the links you click.
Conversion Reports: A conversion occurs when you perform a desired action in response to a marketing message, such as transitioning from a mere website visitor to a buyer or newsletter subscriber. These reports inform us about the effectiveness of our marketing efforts, helping us increase our conversion rate.
Real-Time Reports: These provide immediate insights into current activities on our website, such as how many users are reading this text at this moment.
In addition to the reports mentioned above, Google Analytics 4 offers features like:
Event-Based Data Model: This model captures specific events occurring on our website, such as playing a video, purchasing a product, or subscribing to our newsletter.
Advanced Analysis Functions: These allow us to better understand your behavior on our website or identify general trends, enabling us to segment user groups, conduct comparative analyses of audiences, or trace your navigation path on our site.
Predictive Modeling: Based on collected data, machine learning can extrapolate missing information to predict future events and trends, aiding us in developing better marketing strategies.
Cross-Platform Analysis: Data collection and analysis are possible from both websites and apps, allowing us to analyze user behavior across platforms, provided you have consented to data processing.
Why Do We Use Google Analytics on Our Website?
Our goal with this website is clear: to provide you with the best possible service. The statistical data from Google Analytics helps us achieve this goal.
The statistically evaluated data gives us a clear picture of our website's strengths and weaknesses. On one hand, we can optimize our site to be more easily found by interested individuals on Google. On the other hand, the data helps us better understand you as a visitor, allowing us to make improvements that enhance your experience. The data also enables us to conduct our advertising and marketing efforts more individually and cost-effectively, ensuring that our products and services are presented to those who are genuinely interested.
What Data Does Google Analytics Store?
Google Analytics generates a random, unique ID linked to your browser cookie via a tracking code, identifying you as a new user and assigning you a user ID. Upon your next visit, you are recognized as a "returning" user, and all collected data is stored alongside this user ID, allowing for the evaluation of pseudonymous user profiles.
To analyze our website using Google Analytics, a Property ID must be inserted into the tracking code, with data then stored in the corresponding property. Each newly created property defaults to a Google Analytics 4 property, with data retention varying based on the property used.
Through identifiers like cookies, app instance IDs, user IDs, or custom event parameters, your interactions—provided you have consented—are measured across platforms. Interactions encompass all actions you perform on our website. If you use other Google systems (e.g., a Google account), data generated by Google Analytics can be linked with third-party cookies. Google does not share Google Analytics data unless authorized by us as the website operator, with exceptions occurring when legally required.
According to Google, Google Analytics 4 does not log or store IP addresses. However, Google uses IP address data to derive location information and deletes it immediately afterward. All IP addresses collected from users in the EU are deleted before the data is stored on a server or in a data center.
What Data Does Google Analytics Collect?
Google Analytics collects various types of data, including:
Heatmaps: Shows which areas of a webpage you interact with most.
Session Duration: The time you spend on our website before leaving. Sessions automatically end after 20 minutes of inactivity.
Bounce Rate: Tracks whether you visit only one page before leaving the website.
Account Creation: If you create an account or place an order, Google Analytics records this data.
Location Data: IP addresses are not stored but are temporarily used to derive approximate geographic locations.
Technical Information: Browser type, internet service provider, screen resolution, and other device details.
Referral Source: Tracks how you arrived at our site, whether through another website or an online ad.
Additional Data: Contact details, reviews, media interactions (e.g., playing a video), social media shares, and saved favorites.
This list is not exhaustive but provides a general overview of what Google Analytics collects.
How Long and Where is the Data Stored?
Google operates data centers worldwide. You can view their locations here: Google Data Center Locations.
Data is stored across multiple physical devices to ensure fast access and prevent manipulation. Each data center has disaster recovery protocols to minimize service interruptions due to hardware failures or natural disasters.
Data Retention Options in Google Analytics 4:
2 months (shortest retention period)
14 months (default retention in GA4)
26 months (extended storage option)
Manual deletion (data is deleted only when manually removed)
If you revisit our site within the selected retention period, the storage duration resets. If the period expires, data is deleted once a month.
Aggregated Data (used for reports and analytics) is stored separately and is not linked to individual users.
How Can I Delete or Prevent Data Storage?
Under EU data protection laws, you have the right to access, update, delete, or restrict the processing of your personal data.
To prevent Google Analytics from collecting your data, you can:
Use the Google Analytics Opt-Out Browser Add-on
Disable or manage cookies in your browser settings (see our Cookies section for instructions on specific browsers).
Legal Basis
The use of Google Analytics on our website is based on your consent, which we obtain via our cookie popup.
Legal Basis for Processing:
Article 6(1)(a) GDPR (Consent) – You grant us permission to collect and analyze personal data using Google Analytics.
Article 6(1)(f) GDPR (Legitimate Interest) – We have a legitimate interest in analyzing website traffic to improve usability, identify errors, and enhance business operations. However, Google Analytics is only used if you have provided consent.
Data Transfers to the USA
Google processes some data in the United States. Google is a certified participant in the EU-US Data Privacy Framework, ensuring the lawful and secure transfer of personal data from the EU to the US.
For more details, see: EU Commission Data Privacy Framework.
Google also uses Standard Contractual Clauses (SCCs) under Article 46(2) and (3) GDPR, ensuring that your data meets European data protection standards, even when transferred outside the EU.
For more details on SCCs, see: EU Commission Decision on SCCs.
Further Information
For more details on how Google Analytics handles data, visit:
13. Data Processing Agreement (DPA) for Google Analytics
In accordance with Article 28 of the General Data Protection Regulation (GDPR), we have entered into a Data Processing Agreement (DPA) with Google. You can find general information about what a DPA is and what it must contain in our "Data Processing Agreement" section.
This contract is legally required because Google processes personal data on our behalf. The agreement ensures that Google only processes data received from us according to our instructions and in compliance with GDPR.
You can view Google's Data Processing Terms at the following link: https://business.safety.google/intl/de/adsprocessorterms/
14. Email Marketing Policy
What is Email Marketing?
To keep you informed, we use email marketing. If you have consented to receiving our emails or newsletters, certain personal data will be processed and stored. Email marketing is a subcategory of online marketing, where updates or general information about a company, products, or services are sent via email to a specific group of interested individuals.
To subscribe to our email marketing (usually via newsletters), you typically need to provide your email address by filling out and submitting an online form. In some cases, we may also request your name and salutation to personalize our communication.
Our newsletter subscription process follows the Double Opt-In method:
You sign up on our website.
You receive a confirmation email to verify your subscription.
Only after confirming your email are you added to our mailing list.
This ensures that no unauthorized sign-ups occur. To maintain legal compliance, we (or our email service provider) log each registration, including:
Timestamp of signup and confirmation
IP address
Any updates to your stored data
Why Do We Use Email Marketing?
We aim to stay connected with you and share important updates about our company. Email marketing (or newsletters) is an essential part of our online communication.
If you consent, or if it is legally permitted, we send you:
Newsletters
System emails
Other notifications
We strive to ensure that our newsletters are relevant and interesting, covering:
Company updates
Products and services
Special promotions and offers
If we use an external email marketing service, it is to ensure fast and secure email delivery. Our main objective is to inform you about new offerings and achieve our business goals.
What Data is Processed?
When you subscribe to our newsletter, we process:
Email address
IP address
Name and salutation (if provided)
Other contact details (if provided, e.g., phone number, address)
Additional optional data includes:
Device information
Content preferences based on website interactions
All data processing is recorded to ensure compliance with relevant laws.
Data Retention Period
If you unsubscribe from our newsletter, we may store your email address for up to three years to demonstrate that your consent was valid. However, this data will only be processed if necessary to defend against legal claims.
If you explicitly confirm that you provided consent, you may request immediate deletion of your data. If you permanently revoke consent, we may store your email in a suppression list to prevent future emails.
While you are subscribed, we retain your email address to continue sending newsletters.
Right to Object
You may unsubscribe at any time by revoking your consent. This usually takes just a few seconds and can be done with one or two clicks.
You can unsubscribe via:
The "unsubscribe" link at the bottom of each email
Contacting us directly via email (if the unsubscribe link is unavailable)
We will immediately remove you from our newsletter list.
Legal Basis
Our newsletters are sent only with your consent, in accordance with Article 6(1)(a) GDPR (Consent). This means we are only allowed to send newsletters if you have actively signed up.
We may also send promotional emails to existing customers, provided they have not opted out of direct marketing.
For information on specific email marketing services and how they process personal data, please refer to the sections below (if applicable).
15. Loops Privacy Policy
Loops is an email marketing platform designed to help businesses create, send, and track email campaigns efficiently. It offers a unified interface for managing product updates, marketing communications, and transactional emails, making it particularly suitable for modern SaaS companies.
Why Do We Use Loops on Our Website?
We utilize Loops to enhance our email marketing efforts, ensuring that our communications are timely, relevant, and tailored to your interests. By leveraging Loops' features, we can effectively manage our email campaigns, automate workflows, and provide you with personalized content that aligns with your preferences.
What Data Does Loops Store?
When you interact with our email communications, Loops may collect and process the following data:
Contact Information: Your name, email address, and any other details you provide when subscribing to our newsletters or updates.
Engagement Metrics: Data on how you interact with our emails, such as open rates, click-through rates, and the specific links you click on.
Technical Information: Information about the device and browser you use to access our emails, including IP address, browser type, and operating system.
This data helps us understand your preferences and improve the relevance of our communications.
How Long and Where is the Data Stored?
Loops retains your data for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law. The data is stored on secure servers, and Loops implements appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction.
How Can I Delete or Prevent Data Storage?
You have the right to access, correct, or delete your personal data stored by Loops. To manage your preferences or unsubscribe from our communications, you can:
Unsubscribe: Click the "unsubscribe" link at the bottom of any of our emails to opt out of future communications.
Contact Us: Reach out directly to our support team, and we will assist you in managing or deleting your data as per your request.
Additionally, you can configure your browser settings to block cookies or alert you when cookies are being used, which may limit some tracking functionalities.
Legal Basis
Our use of Loops for email marketing is based on your consent, which you provide when subscribing to our communications. This consent serves as the legal basis for processing your personal data in accordance with applicable data protection laws. You have the right to withdraw your consent at any time by unsubscribing or contacting us directly.
For more detailed information, please refer to Loops' official Privacy Policy.
Data Processing Agreement (DPA) for Loops
We have entered into a Data Processing Agreement (DPA) with Loops in accordance with Article 28 of the General Data Protection Regulation (GDPR). A DPA is a contract that ensures personal data is processed on our behalf in compliance with applicable data protection regulations.
This agreement specifies that Loops processes the data received from us strictly according to our instructions and in accordance with GDPR.
For more information, please refer to Loops' Privacy Policy at https://loops.so/privacy.
17. Explanation of Terms Used
We strive to make our privacy policy as clear and understandable as possible. However, when dealing with technical and legal topics, this can sometimes be challenging.
It is often necessary to use legal terms (such as personal data) or technical expressions (such as cookies or IP addresses). However, we do not want to use these terms without explanation.
Below, you will find an alphabetical list of key terms used in this privacy policy. If these terms are defined under the GDPR (General Data Protection Regulation), we will include the official GDPR definitions and, if necessary, provide additional explanations.
Data Processor
Definition under Article 4 GDPR
A "data processor" refers to a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Explanation
As the company and website owner, we are responsible for all data that we collect and process. However, in addition to the controller, there are also data processors.
A data processor is any company or person that processes personal data on our behalf. This can include:
Service providers such as accountants
Hosting providers and cloud services
Payment processors
Newsletter providers
Large companies such as Google or Microsoft
Consent
Definition under Article 4 GDPR
"Consent" of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
Explanation
For websites, consent is typically obtained through a cookie consent banner.
When you first visit a website, you may see a banner asking whether you agree to data processing.
You can customize your preferences and decide which types of data processing to allow.
If you do not consent, no personal data should be processed.
Consent can also be given in writing outside of online tools.
Personal Data
Definition under Article 4 GDPR
"Personal data" means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be directly or indirectly identified, particularly by reference to:
Name
Identification number
Location data
Online identifier
Physical, physiological, genetic, mental, economic, cultural, or social identity characteristics
Explanation
Personal data includes any information that can be used to identify you. This includes:
Name
Address
Email address
Postal address
Phone number
Date of birth
Identification numbers (e.g., Social Security number, tax ID, passport number)
Bank data (e.g., account number, credit information, balances)
According to the European Court of Justice (ECJ), your IP address is also considered personal data, as IT experts can use it to determine your approximate location and identify the owner of your internet connection.
There are also special categories of personal data that require additional protection, including:
Racial and ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data (e.g., from blood or saliva samples)
Biometric data (e.g., fingerprint, facial recognition)
Health data
Sexual orientation and sexual life data
Profiling
Definition under Article 4 GDPR
"Profiling" means any automated processing of personal data that involves:
Analyzing personal characteristics
Predicting aspects of a person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements
Explanation
Profiling collects and evaluates information about a person to learn more about them.
In the online world, profiling is commonly used for:
Advertising (e.g., showing targeted ads based on browsing history)
Credit checks
For example, web analytics tools collect data about your website behavior and interests. This data is used to create a user profile, allowing advertisers to target specific audiences more effectively.
Controller
Definition under Article 4 GDPR
A "controller" is the natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data.
Explanation
In our case, we are responsible for processing your personal data, making us the controller.
If we transfer collected data to external service providers for processing, these companies act as "data processors". A Data Processing Agreement (DPA) must be signed between us and the data processor to ensure compliance with GDPR.
Processing
Definition under Article 4 GDPR
"Processing" refers to any operation performed on personal data, whether automated or not, including:
Collection
Recording
Organization
Structuring
Storage
Modification
Retrieval
Use
Disclosure by transmission
Erasure or destruction
Explanation
Whenever we mention "processing" in our privacy policy, we refer to any handling of data, including:
Collecting personal data
Storing data
Using and analyzing data
This aligns with the GDPR definition, which includes all types of data processing activities.
18. Updates to This Policy
We may change this Privacy Policy from time to time. If we make changes, we will post them on this website and notify you by revising the date at the top of the policy. We encourage you to review the Privacy Policy whenever you use our Services to stay informed about our information practices and the ways you can help protect your privacy. If you have any questions, you can contact us at info@x09.io.