We process our customers’ data within the scope of Kartha services to provide our contractual services.

Processed Data: General customer data (company name, contact person, address, VAT registration number, email address), user and account data (name, email address, cryptographic hash of the password), payment data (account details and/or credit card details), contract data (service type, tariff, term, contract history, payment history), content data entered by customers/users themselves into Kartha (QR codes, location data, landing pages), usage data/metadata (server log: IP address, user agent, request parameter, timestamp).

Special categories of personal data: In general, no special categories of data are processed unless provided by the user.

Data Subjects: Customers, trial users, business partners, visitors viewing customer landing pages or QR codes.

Purpose of Processing: Infrastructure and platform services, computing capacity, storage and database services, security services, technical maintenance services.

Legal Basis: Art. 6 (1) b GDPR (performance of the contract).

Necessity / Interest in Processing: The data is necessary to establish and fulfill the contractual performance.

External Disclosure and Purpose: Exclusively for hosting purposes or within the scope of legal permissions and obligations towards legal advisors and authorities.

Processing in Third Countries: None.

Data Deletion: Content data entered into Kartha by the customers themselves will be archived for 2 years after account termination or trial expiration and automatically deleted thereafter. Basic customer data will be stored indefinitely, unless no longer necessary; the need to store the data will be reviewed every three years; in the case of legal archiving obligations, deletion will occur after their expiration (end of retention obligation - commercial law, 2 years / tax law, 7 years). Content data created by visitors to a customer's landing page can be deleted by the customers themselves. With digital guest registration, contacts older than 28 days are automatically deleted. Contacts from potential customer landing pages can be deleted automatically or manually.

The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage and database services, security services, technical maintenance services.

Processed Data: Inventory data, contact data, content data, contract data, usage data, metadata/communication.

Special categories of personal data: None.

Legal Basis: Art. 6 (1) f GDPR.

Data Subjects: Customers, prospective customers.

Special Security Measures: Data Processing Agreement.

Processing in Third Countries: None.

External Disclosure and Purpose: Hetzner Online GmbH - Industriestr. 25 - 91710 Gunzenhausen - Germany.

Necessity / Interest in Processing: Security, efficiency, commercial interests.

The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage and database services, security services, technical maintenance services.

Processed Data: Inventory data, contact data, content data, contract data, usage data, metadata/communication.

Special categories of personal data: None.

Legal Basis: Art. 6 (1) f GDPR.

Data Subjects: Customers, prospective customers, website visitors.

Special Security Measures: Data Processing Agreement.

External Disclosure and Purpose: DI Kurz Klaus e.U. - Untere Weißgerberstr. 28/11 - 1030 Wien - Österreich (Website, blog, mail server hosting).

Processing in Third Countries: None.

Necessity / Interest in Processing: Security, efficiency, commercial interests.

The services we use serve to protect our service from DDoS attacks. Only in the event of an attack are visitors first directed to an external server, which checks whether they are a real person and only if the check is positive will they be forwarded to our servers.

Processed Data: Content data, usage data, metadata/communication.

Special categories of personal data: None.

Legal Basis: Art. 6 (1) f GDPR.

Data Subjects: Customers, prospective customers, website visitors.

Special Security Measures: Data Processing Agreement.

External Disclosure and Purpose: Cloudflare Germany GmbH Rosental 7, c/o Mindspace, 80331 München (securing Kartha ).

Processing in Third Countries: Yes.

Necessity / Interest in Processing: Security.

We process information from inquiries we receive via our contact form and other means, e.g., by email, to respond to these inquiries.

Processed Data: Inventory data, contact data, contract data, payment data, usage data, metadata.

Data Subjects: Customers, prospective customers, business partners, website visitors.

Purpose of Processing: Responding to inquiries.

Type, Scope, and Mode of Operation of Processing: Registration process, termination option.

Necessity / Interest in Processing: Necessary to respond to inquiries.

Legal Basis: Art. 6 (1) b./f GDPR.

External Disclosure and Purpose: nächste Ebene Telekommunikationsdienstleistungs- und BeratungsGmbH - Mariahilfer Gürtel 37/7 - 1150 Wien - Österreich (Website, blog, mail server hosting).

Processing in Third Countries: None.

Data Retention: We delete inquiries if they are no longer necessary. We review the necessity every two years; customer inquiries who have a customer account are permanently stored and linked to the customer account data for deletion. In the case of legal archiving obligations, deletion takes place after their expiration (end of storage obligation: commercial law (2 years) tax law (7 years)).

We process data within the scope of administrative tasks, as well as the organization of our company, financial accounting, and compliance with legal obligations such as archiving.

Processed Data: Data that we process in the course of our Online Services.

Special categories of personal data: None.

Legal Basis: Art. 6 (1) c GDPR, Art. 6 (1) f GDPR.

Data Subjects: Customers, prospective customers, business partners, website visitors.

Purpose of Processing: Administration, financial accounting, office organization, archiving.

Necessity / Interest in Processing: Processing is necessary to maintain our business and services.

External Disclosure and Purpose: Financial administration, tax advisors, other payment agencies, payment service providers to carry out contractual payment transactions or legal payment transactions; payment data is only stored with the following payment service providers (=no own storage or processing): GEVEST Steuer- und BetriebsberatungsgmbH - Schottenfeldgasse 40/8 - 1070 Wien - Österreich.

Processing in Third Countries: None.

Data Retention: We delete inquiries if they are no longer necessary. We review this necessity every two years; customer inquiries who have a customer account are permanently stored and linked to the customer account data for deletion. In the case of legal archiving obligations, deletion takes place after their expiration (end of storage obligation: commercial law (2 years) tax law (7 years)).

Users accessing our website will obtain static files such as images, JavaScript, or CSS files from a Content Delivery Network.

Processed Data: IP Address.

Special categories of personal data: None.

Principles of Processing: Art. 6 (1) b GDPR; Art. 6 (1) f GDPR.

Affected Persons: Website visitors.

Purpose of Processing: Improve page loading time.

Necessity/Interest in Processing: Reduce bounce rates and improve SEO.

Protection Measures: IP addresses are stored anonymously.

Processing in Third Countries: Yes.

Data Deletion: Not necessary, as no personal data is stored.

User comments on the blog are stored and may be validated to ensure they are not spam.

Processed Data: Inventory data (names, email addresses, links to own website); content data (comment).

Special categories of personal data: None.

Principles of Processing: Art. 6 (1) b GDPR; Art. 6 (1) f GDPR.

Affected Persons: Comment authors.

Purpose of Processing: Storage of the comment.

Necessity / Interest in Processing: Security purposes (spam control).

Protection Measures: Users can use pseudonyms.

Processing in Third Countries: No.

Data Deletion: Data remains stored until the author deletes their comment. If the comment was identified as spam, the data remains permanently stored.

To display QR code scan positions on a map, we have included maps from the Google Maps service of Google LLC via its API on our website.

Processed Data: IP Address.

Special categories of personal data: None.

Principles of Processing: Art. 6 (1) b GDPR; Art. 6 (1) f GDPR.

Affected Persons: Customers, trial users.

Purpose of Processing: Map visualization.

Necessity / Interest in Processing: Visualization of QR code scan positions.

Protection Measures: Users can use pseudonyms.

Note: In this processing, our cooperation with Google is based on a joint controllership agreement according to Art. 26 GDPR, which you can access here.

Data Retention: The deletion policies of the respective networks / platforms apply.

We maintain online presences on social media and platforms to communicate with active customers, interested parties, and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and privacy policy of their respective providers apply. Unless otherwise stated in our privacy policy, we will process the data of users who communicate with us within social media and platforms, for example, to send us messages.

Links to social media and platforms (hereinafter, social networks) used within our Online Services do not establish data transmission between the social networks and users until they click on the links and access the respective networks or their websites.

Social Networks/Platforms Used: Facebook, Twitter.

Processed Data: Inventory data, content data.

Special categories of personal data: In principle, none, except those voluntarily provided by users.

Legal Basis: Art. 6 (1) f GDPR.

Data Subjects: Users of social media networks/platforms (may be customers and prospective customers).

Purpose of Processing: Information and communication.

Type, Scope, and Mode of Operation of Processing: By the providers of the respective platforms as a general rule: permanent cookies, tracking, targeting, remarketing, online behavioral advertising.

Necessity / Interest in Processing: Expectations of active users on the platforms, commercial interests.

External Disclosure and Purpose: To social media/platforms.

Processing in Third Countries: USA.

Safeguard for Processing in Third Countries: Privacy Shield, Facebook Inc., Twitter, Google LLC.

Data Retention: The deletion policies of the respective networks / platforms apply.

The server on which this Online Service is hosted collects so-called log files every time the Online Service is accessed, in which user data is stored. The data is used for statistical analysis to maintain and optimize server operation and for security purposes, e.g., to detect possible unauthorized access attempts.

Processed Data: Usage data and metadata (name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, user's operating system, IP address).

Special categories of personal data: None.

Legal Basis: Art. 6 (1) f GDPR.

Data Subjects: Customers, prospective customers, visitors to the Online Service.

Purpose of Processing: Optimization of server operation and security monitoring.

Necessity / Interest in Processing: Security, commercial interests.

Processing in Third Countries: No.

Data Deletion: After 1 month from the time of collection.

We monitor our servers with a local instance of Matomo (Piwik) to ensure the availability and integrity of our Online Services and use the data for technical and usage optimization.

Processed Data: Aggregated performance data and IP address pseudonymization.

Special categories of personal data: None.

Legal Basis: Art. 6 (1) f GDPR, Art. 28 (3 p. 1) GDPR.

Data Subjects: Customers, users, business partners, website visitors.

Purpose of Processing: Server logging; server monitoring; error tracking.

Type, Scope, and Mode of Operation of Processing: Third-party cookies, permanent cookies.

Special Security Measures: No transmission of IP addresses. No unique user identifiers such as email are transmitted. Additionally, users who have set "Do not track me" in their browser (do-not-track enabled) will not be tracked by Matomo.

Necessity / Interest in Processing: Security, efficiency of the Online Service.

Processing in Third Countries: No.

Data Deletion: IP addresses are anonymized immediately. Aggregated data that is not personal data remains stored indefinitely.

We send email newsletters to users and our customers informing them about platform updates, maintenance work, new features, etc.

Processed Data: Email address, First Name, Last Name.

Special categories of personal data: None.

Legal Basis: Art. 6 (1) f GDPR, Art. 28 (3 p. 1) GDPR.

Data Subjects: Customers, users.

Purpose of Processing: Communication about maintenance, changes, and news regarding our service.

Special Security Measures: All data is processed internally and not sent to any third-party newsletter software. A newsletter will only be sent to the user if they have given consent and confirmed their email address via double opt-in. No profiling is carried out.

Necessity / Interest in Processing: Communication about maintenance, changes, and news regarding our service.

Processing in Third Countries: No.

Data Deletion: The newsletter can be stopped at any time via an unsubscribe link in each email or deactivated in the user's account. If the user unsubscribes from their account, they will also stop receiving emails.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Cookies are small files that are stored on the user's computer. Different data can be stored in cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to a website. Temporary cookies or session cookies or transient cookies are cookies that are deleted after the user leaves a website and closes their browser. In such a cookie, for example, the login status can be stored. Cookies are referred to as permanent or persistent if they are stored even after closing the browser. For example, the login status can be saved permanently.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The EU-US Privacy Shield is an informal agreement in the field of data protection law negotiated between the European Union and the United States of America. It consists of a set of guarantees from the US government and a decision by the EU Commission. Companies certified under the Privacy Shield offer a guarantee of compliance with European data protection law (https://www.privacyshield.gov).

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; for example, if an exact interest profile of the computer user is stored in a cookie, but not the user's name, then the data is pseudonymously processed. If your name is stored, for example, as part of your email address or your IP address is stored, then the processing is no longer pseudonymous.

Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Third countries are countries in which the GDPR is not a directly applicable law, i.e., generally states that do not belong to the European Union (EU) or the European Economic Area (EEA).

Third parties means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.