● Xeas GmbH ●

Privacy policy

Our privacy policy

Data protection has a particularly high priority for us. We therefore process your data exclusively on the basis of the statutory provisions (within the meaning of the General Data Protection Regulation - DSGVO). In accordance with Art. 13 DSGVO, we would like to inform you with this data protection declaration about the most important aspects of data processing and in particular about the type, scope and purpose of the personal data processed by us. Furthermore, data subjects are informed about the rights to which they are entitled.

Definitions

The data protection declaration we have created is based on terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration aims to be easy to read and understand for everyone. To ensure this, we would like to briefly explain the most important terms in advance.

  1. Personal data
    Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name. In short, personal data is information that can be linked to a natural person.
  2. Data subject
    Data subject is any identified or identifiable natural person whose personal data are processed by the controller.
  3. Processing
    Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  4. Controller
    The controller of personal data is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
  5. Processor
    Processor means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller.
  6. Recipient
    Recipient means a natural or legal person, public authority, agency or other body to whom Personal Data is disclosed, whether or not a third party.
  7. Consent
    Consent is any voluntary expression of will by the data subject in the form of a statement or other unambiguous affirmative act by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

Who we are: Name and address of the person in charge

The responsible party in the sense of the General Data Protection Regulation (Art 4 Z 7 DSGVO) is the:

Xeas GmbH

Address: Lakeside B01, 9020 Klagenfurt am Wörthersee

E-mail: office@vaulteron.com

For any inquiries and information regarding data protection when using our website or the Vaulteron App, please contact us by mail at the above address with the addition of "Data Protection" or by e-mail to datenschutz@vaulteron.com.

Processing activities

  • Use of our website and the Vaulteron app

As soon as you browse or visit our website (https://vaulteron.com), we process some of your personal data as described in this privacy policy.

We process those personal data that you provide to us through the use of our website (including all sub-pages) or as a user and/or customer of the Vaulteron app by providing information, either in the context of mere browsing, app use, an inquiry or message, a contract or a communication. The purposes of the processing primarily include the provision of the services that you can access at https://vaulteron.com or via the Vaulteron App.

We offer the following services:

  • We operate the Vaulteron app and the associated website
  • The purpose of the automation-supported data processing is the provision of an internet platform and/or app so that you can use our services for the secure management of passwords.
  • The purpose of the automation-supported data processing of the website is to provide information about our products and services and to contact and communicate with you as a customer or interested party.

If a data subject wants to use special services (e.g., contact us or access our services) of our enterprise via our website, further processing of personal data may become necessary. The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject shall be in line with the requirements of the Data Protection Regulation, and in accordance with the country-specific data protection regulations.

What data do we process: Categories of personal data

Our website collects a series of general data and information with each call by a data subject or an automated system. This general data and information is stored in the log files of the server.

When you use our website, we collect the following personal data:

  • Time of the call of our website (request to the server of the host provider)
  • URL of the website from which you have accessed our website
  • the operating system you are using
  • Type and version of the browser you use
  • the country from which you are accessing our website
  • Device information: brand, type, screen resolution
  • Pages visited on the Vaulteron website incl. time and duration of visit
  • the name of the retrieved file and the time of retrieval
  • Certain cookies, which are described in more detail in this privacy policy

The data of the server log files are stored separately from any personal data provided by a data subject.

The server hosts and IT service providers we use are contractually obligated to process the data only to the extent of the service provision and to treat it confidentially. (Art 28 DSGVO)

When you use our Vaulteron app, we collect the following personal data:

  • First name
  • Last name
  • E-mail address
  • Company name
  • Encrypted user-specific password or passwords
  • Time of modification of entries
  • Administrator's username
  • User name of users

How long do we store your data: Storage periods

We store your personal data only as long as it is necessary for the fulfillment of the stated purposes and the provision of the services you have requested or for other necessary purposes, such as the fulfillment of our legal obligations, the settlement of disputes and the enforcement of our legal position/defense of our legal position as well as our General Terms and Conditions. Your personal data will be deleted or anonymized when it is no longer relevant for the purposes listed and there are also no longer any retention obligations. The following reasons lead to an extension of the retention or storage period:

  • Existence of an active registration with our Vaulteron Services, additionally booked (paid) services, communication with us regarding concluded contracts, etc.
  • The type of data has an impact on the retention period, especially since we are required by law to retain contract documents and invoices for 7 years in the course of providing our services.

 

Who else processes your data besides us: Processors and transferees

We make use of order processors. The processors used have been contractually obligated to process your data only to the extent of providing the service and to treat it confidentially.

Our processors are:

  • IT service provider for the operation of our servers (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany)

  • Processing of personal data in the course of contacting Xeas

For the purpose of responding to your inquiry, we process the personal data you provide. The legal basis is based on Art. 6 para 1 lit b DSGVO (... "for the implementation of pre-contractual measures"). Based on your inquiry, we draw the conclusion that you are interested in our services by contacting us or that you already have an existing customer relationship with us. The collection of your data is necessary in order to process your inquiry. You provide us with this information voluntarily. We do not use any automated decision-making or profiling in this processing of your data.

How long do we store your data: Storage periods

We only store your data for the period of time necessary to fulfill the purpose for which it was collected. Beyond that, only the data that is absolutely necessary due to the applicable legal provisions or retention obligations (Austria: UGB, BAO, ABGB etc.) is stored.

Who else processes your data besides us: Processors and transferees

We make use of order processors. The processors used have been contractually obligated to process your data only to the extent of providing the service and to treat it confidentially.

Our processors are:

  • IT service provider for the operation of the website (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany)
  • IT service provider for mail dispatch (SendGrid, Sendinblue)

  • Processing of personal data in the course of the customer relationship with Xeas

Within the scope of the registration on the website, the use of the Vaulteron App and for customer management, we process the data provided by you for the purpose of contract performance pursuant to Art 6 para 1 lit b DSGVO (... "necessary for the performance of the contract"). The personal data provided by you is necessary for the performance of the contract. We would like to expressly point out that within Xeas, only those offices or employees will receive your data that require it for the fulfillment of contractual, legal and supervisory obligations as well as for the protection of legitimate interests.

How long do we store your data: Storage periods

Your personal data will be stored for the duration of the entire business relationship (from the initiation to the execution to the termination of a contract) and beyond that in accordance with the statutory storage and documentation obligations. These result, among other things, from: the Unternehmensgesetzbuch (UGB), the Bundesabgabenordnung (BAO), the Allgemeine Bürgerliche Gesetzbuch (ABGB). If the assignment is not carried out, the stored personal data will be processed for a maximum of one year in order to determine conflicts of interest for future assignments. The legal basis for this is the fulfillment of the contract pursuant to Art 6 para 1 lit b (... "necessary for the fulfillment of the contract") or, in the case of recurring commissioning on your part, our legitimate interests pursuant to Art 6 para 1 lit f DSGVO in providing the best possible customer service without having to collect this data again.

Who else processes your data besides us: Processors and transferees

Processors commissioned by us (in particular IT service providers and transmission recipients) receive your data if they need it for the purpose of fulfilling the order. The contracted processors have been contractually obligated to process your data only within the scope of the service provision and to treat it confidentially.

Our processors or transferees (own responsible parties) are:

  • IT service provider for the operation of the website (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany)
  • IT service provider for mail dispatch (SendGrid ...)
  • Tax consultant for tax consulting, document processing, bookkeeping and accounting (Treuhandunion Klagenfurt)

  • Processing of personal data for the newsletter dispatch of Xeas

For the purpose of sending the newsletter, your provided e-mail address is used. We process your name, your e-mail address, the time of registration and your IP address. The purpose of sending the newsletter is to provide further information on similar products and services of Xeas. The newsletter dispatch is carried out exclusively in compliance with the legal provisions of the Telecommunications Act (TKG) and we use the above data exclusively for the provision of the requested information and offers.

The processing of this data is covered by the consent given when registering for our newsletter. You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter.

We use the so-called double opt-in procedure to ensure that the newsletter is sent in a consensual manner. In the course of this process, the potential recipient is added to a distribution list. Subsequently, the user is given the opportunity to confirm the registration in a legally secure manner by means of a confirmation e-mail. Only if the confirmation takes place, the address is actively included in the distribution list.

How long do we store your data: Storage periods

In the event of your revocation pursuant to Art 7 (3) DSGVO, your personal data will be deleted from the newsletter distribution list without delay.

Who else processes your data besides us: Processors and transferees

Processors commissioned by us (in particular IT service providers and transmission recipients) receive your data if they need it for the purpose of fulfilling the order. The contracted processors have been contractually obligated to process your data only within the scope of the service provision and to treat it confidentially.

Our processors or transferees (own responsible parties) are:

  • IT service provider for mail dispatch (SendGrid, Sendinblue)

  • Information about our payment service provider

For the execution of payments initiated via our website, we use the company Stripe. If Stripe provides services as a payment service provider (PSP - Payment Service Provider), Stripe itself is the controller within the meaning of the DSGVO. We do not process this data for our own purposes.

Payment processing via credit card and SEPA direct debit is done directly through Stripe Payments Europe Ltd, 7th Floor, The Bower Warehouse, 211 Old Street, London EC1V 9NR, UK (hereinafter referred to as Stripe). Stripe receives your company name from us. You provide your first and last name as well as your e-mail address and any other data directly to Stripe.

If necessary, the exchange of such data may also be necessary for the processing of payment processing differences between us and Stripe, which are related to your respective booking. These data transfers take place in each case on the basis of a legitimate interest pursuant to Art. 6 (1) lit. f DSGVO. Please note that Stripe as a financial service provider and controller with respect to the processing of financial transaction data may also disclose your personal data to credit agencies as well as affiliated companies and subcontractors, if necessary, to the extent this is required for the fulfillment of contractual obligations or on the basis of a legitimate interest or the data is processed on behalf. It is not excluded that Stripe may also transfer personal information to affiliated companies outside the EU or the EEA (e.g. in the USA).

Your data is transmitted to Stripe in encrypted form and processed exclusively by Stripe for the purpose of payment processing. Stripe is required by law to process and verify this data.

For more information on data protection in connection with this payment service provider, please refer to Stripe's privacy policy: https://stripe.com/at/privacy

  • Cookies use

We would like to inform you that we only use technical cookies. We do NOT use cookies for analysis or marketing purposes. Cookies are text files that are placed and stored on a computer system via an Internet browser.

When using or setting cookies that contain personal data or affect privacy, we obtain your prior consent through your active behavior by navigating through and over our cookie banner on the website after being informed about the purposes of the cookies used, thereby giving your consent to the setting of cookies.

Only in those cases in which the sole purpose is the technical execution of the transmission of a message via a communication network or if this is absolutely necessary so that we can provide the service that you have expressly requested, cookies will be used or set without your prior consent. In these cases, you can prevent the use or setting of cookies by changing your browser settings accordingly.

Cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the visited Internet pages and servers to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific internet browser can be recognized and identified via the unique cookie ID.

You can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, you can delete cookies that have already been set at any time via an Internet browser or other software programs. This is possible in all common Internet browsers.

The legal basis for the setting of technical cookies is based on Art 6 para 1 f DSGVO (legitimate interest). The purpose is to provide our users with the best and a secure service offer.

We would like to explicitly point out that we only use cookies in accordance with EU and Austrian law (Art 5 para 3 E-Privacy-RL as well as § 96 para 3 TKG).

a) Use of technical cookies

We use various services for our website and the Vaulteron app, which also set cookies.

These are the following technical cookies:

Name | Storage duration | Description
.AspNetCore.cookies | session | Login session token
.AspNetCore.Identity.Application | 14 days | ASP.NET Core Identity is a membership system that enables you to add login functionality to your application

b) Use of third-party cookies

We use various services for our website, which also set cookies.

Statistics: Google Analytics

 

Name | Storage duration | Description
_ga | 2 years | Used to distinguish users.
_gid | 24 hours | Used to distinguish users.
_ga_ | 2 years | Used to persist session state.
_gac_gb_ | 90 days | Contains campaign related information. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.


Information about Google services
 

We use various services of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland on our website.

Through the integration of Google services, Google may collect information (including personal data) and process it. It cannot be ruled out that Google also transmits the information to a server in a third country.

For more information, please see the following link: https://www.google.de/policies/privacy/frameworks/

We expressly point out that we cannot influence which data Google actually collects and processes. However, Google states that in principle the following information (including personal data) may be processed, among others:

  • Log data (especially the IP address)
  • Site-related information
  • Unique application numbers
  • Cookies and similar technologies

More detailed information can be found at the following link: https://policies.google.com/privacy/update?hl=de#infocollect

If you are logged into your Google account, Google may add the processed information to your account depending on your account settings and treat it as personal data, cf. in particular https://www.google.de/policies/privacy/partners/ .

Google states the following about this, among other things:

"We may link personal data from one service with information and personal data from other Google services. This makes it easier for you to share content with friends and acquaintances, for example. Depending on your account settings, your activities on other websites and apps may be linked to your personal data to improve Google's services and ads served by Google." (https://www.google.com/intl/de/policies/privacy/index.html)

You can prevent this data from being added directly by logging out of your Google account or by making the appropriate account settings in your Google account. Furthermore, you can prevent the installation of cookies - insofar as Google sets them - by making the appropriate settings in your browser; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.

You can learn how to delete cookies in the most common browsers here, among others:

You can find more information in Google's privacy policy, which you can access here: https://www.google.com/policies/privacy/

You can find information about Google's privacy settings at the following link: https://privacy.google.com/take-control.html


Insert and use of Google Analytics (with anonymization function)

The controller has integrated the Google Analytics component (with anonymization function) on this website. Google Analytics is a web analysis service. Web analysis is the collection, compilation and analysis of data about the behavior of visitors to websites. Among other things, a web analysis service collects data on which website a data subject came to a website from, which subpages of the website were accessed or how often and for how long a subpage was viewed. A web analysis is predominantly used to optimize a website and to analyze the costs and benefits of Internet advertising.

We use the addition "_gat._anonymizeIp" for web analysis via Google Analytics. By means of this addition, the IP address of the Internet connection of the person concerned is shortened and anonymized by Google if access to our Internet pages is from a member state of the European Union or from another state party to the Agreement on the European Economic Area.

The purpose of the Google Analytics component is to analyze the flow of visitors to our website. Google uses the data and information obtained, among other things, to evaluate the use of our website, to compile online reports for us showing the activities on our website, and to provide other services related to the use of our website.

Google Analytics sets a cookie on the information technology system of the data subject. What cookies are has already been explained above. By setting the cookie, Google is enabled to analyze the use of our website. By each call of one of the individual pages of this website, which is operated by the controller and on which a Google Analytics component has been integrated, the internet browser on the information technology system of the data subject is automatically caused by the respective Google Analytics component to transmit data to Google for the purpose of online analysis.

As part of this technical process, Google obtains knowledge of personal data, such as the IP address of the data subject, which Google uses, among other things, to track the origin of visitors and clicks and subsequently enable commission calculations.

By means of cookies, personal information, for example the access time, the location from which an access originated and the frequency of visits to our website by the data subject, is stored. Each time the data subject visits our website, this personal data, including the IP address of the internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected via the technical procedure to third parties.

The data subject can prevent the setting of cookies by our website, as already described above, at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the information technology system of the data subject. In addition, a cookie already set by Google Analytics can be deleted at any time via the internet browser or other software programs.

Furthermore, the data subject has the option to object to the collection of data generated by Google Analytics and related to the use of this website as well as to the processing of this data by Google and to prevent such processing. For this purpose, the data subject must download and install a browser add-on under the link https://tools.google.com/dlpage/gaoptout. This browser add-on informs Google Analytics via JavaScript that no data and information regarding visits to Internet pages may be transmitted to Google Analytics. The installation of the browser add-on is considered by Google as an objection. If the data subject's information technology system is deleted, formatted or reinstalled at a later point in time, the data subject must reinstall the browser add-on in order to deactivate Google Analytics. If the browser add-on is uninstalled or deactivated by the data subject or another person within the data subject's sphere of control, it is possible to reinstall or reactivate the browser add-on.

For more information and the applicable privacy policy, please see the following links:

https://www.google.de/intl/de/policies/privacy/

https://www.google.com/analytics/terms/de.html

https://www.google.com/intl/de_de/analytics/


FRIENDLY CAPTCHA (BOT/SPAM PROTECTION)

Our website uses the "Friendly Captcha" service (www.friendlycaptcha.com).

This service is offered by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany.

Friendly Captcha is a novel, privacy-friendly protection solution to make it more difficult for automated programs and scripts (so-called "bots") to use our website.

For this purpose, we have integrated a program code from Friendly Captcha into our website (e.g. for contact forms) so that the end device of the visitor can establish a connection to the servers of Friendly Captcha in order to receive a calculation task from Friendly Captcha. The visitor's terminal solves the calculation task, which takes up certain system resources, and sends the calculation result to our web server. The server contacts the Friendly Captcha server via an interface and receives a response indicating whether the puzzle was solved correctly by the end device. Depending on the result, we can apply security rules to requests via our website and thus, for example, process or reject them.

The data is used exclusively for the protection against spam and bots described above.

Friendly Captcha does not set or read cookies on the visitor's terminal device.

IP addresses are only stored in hashed (one-way encrypted) form and do not allow us and Friendly Captcha to identify an individual.

If personal data is collected, it will be deleted after 30 days at the latest.

The legal basis for the processing is our legitimate interests in protecting our website from abusive access by bots, i.e. spam protection and protection against attacks (e.g. mass requests) pursuant to Art 6 para 1 lit f DSGVO.

For more information about privacy when using Friendly Captcha, please visit https://friendlycaptcha.com/legal/privacy-end-users/.

  • Data security

The security of your personal data is of particular concern to us.

We take appropriate technical and organizational measures within the meaning of Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the likelihood and severity of the risk to the rights and freedoms of natural persons.

In this sense, the following measures, among others, are taken to protect and secure your data against loss, destruction, access, alteration and dissemination by unauthorized persons:

  • Ensuring the confidentiality, integrity, availability and resilience of systems and services related to the processing;
  • Ensuring rapid restoration of availability of personal data in the event of a physical or technical incident;
  • Implementation of procedures for regular monitoring, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of processing
  • Passwords are encrypted end-to-end
  • No specific error messages are returned for incorrect login attempts
  • Internet connections take place using a secure transmission protocol (HTTPS)
  • A role and user authorization concept is in place to prevent unauthorized access to information
  • Our data center is ISO/IEC 27001 certified

Please note that we do not assume any liability for the disclosure of information due to errors in data transmission not caused by us or attributable to us and/or unauthorized access by third parties (e.g. hacking attacks).

  • Transmission of personal data

Your data will be disclosed within our company to persons or departments/offices that need them to fulfill contractual, legal and supervisory obligations as well as due to legitimate interests or processing activities based on your consent.

In the event of legal obligations, we must transfer your personal data to public bodies and institutions.

In the context of contract fulfillment or in the context of the fulfillment of data applications based on a declaration of consent, the disclosure of your personal data may also be necessary under certain circumstances.

In addition, processors commissioned by us (in particular IT and tax consultants or mail providers) and our own responsible parties (payment service providers) receive your data if they require the data to fulfill their respective service. All processors are contractually obligated to treat your data confidentially and to process it only in the context of providing the service.

Some of the recipients mentioned above may be located outside of Austria or may process your personal data there. The level of data protection in other countries may not be the same as in Austria. However, we only transfer your personal data to countries for which the EU Commission has decided that they have an adequate level of data protection or we take measures to ensure that all recipients have an adequate level of data protection.

  • Third-party supplier

The website contains links to other websites over whose content Xeas has no influence. Xeas does not assume any liability for these contents. The respective provider of the linked website is solely responsible for the content and accuracy of the information provided there.

  • What rights you have as a data subject

You have the right to information, correction of incorrect data, the right to restriction of processing and deletion of inadmissibly processed data as well as the right to data portability.

Furthermore, the GDPR also provides for a right to object to the processing of personal data if this is done to protect our overriding legitimate interests. If you have consented to the processing of your data, you can revoke this consent at any time. Please note that the rights arising from the General Data Protection Regulation may be subject to legal restrictions under certain circumstances, insofar as the exercise of these rights would impair the fulfillment of legal obligations.

You are entitled to claim the following data subject rights according to Art 15ff DSGVO:

  • Right to information according to Art 15 DSGVO
  • Right to rectification according to Art 16 DSGVO
  • Right to erasure according to Art 17 DSGVO
  • Right to restriction of processing according to Art 18 DSGVO
  • Right to data portability according to Art 20 DSGVO
  • Right of withdrawal of consent pursuant to Art 7 para 3 DSGVO
  • Right of objection according to Art 21 DSGVO

If you believe that your personal data is not being processed in accordance with the General Data Protection Regulation, you have the right to complain to the competent supervisory authority and thus to the Austrian Data Protection Authority (DPA).

The contact details of the Austrian data protection authority are as follows:

Address: Barichgasse 40-42, 1030 Vienna

E-mail: dsb@dsb.gv.at

To exercise your rights under the General Data Protection Regulation, please contact us as follows:

  • by e-mail at office@vaulteron.com or
  • by mail at: Xeas GmbH, Neubaugasse 24 8020 Graz

Last updated: 10.12.2021