DATA PRIVACY

Introduction and Overview

We have written this privacy statement (version 08/18/2022-112089499) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (data for short) we as the controller – and the processors (e.g. providers) commissioned by us – process, will process in the future and what lawful options you have. The terms used are to be understood as gender-neutral.

To change your cookie settings click here: Cookie-settings

 

Scope of application

This data protection declaration applies to all personal data processed by us in the company and to all personal data processed by companies commissioned by us (order processors). By personal data, we mean information within the meaning of Art. 4 No. 1 DSGVO, such as a person’s name, e-mail address and postal address. The processing of personal data ensures that we can offer and invoice our services and products, whether online or offline. The scope of this privacy policy includes:

 

• all online presences (websites, online stores) that we operate
• social media presences and email communications
• mobile apps for smartphones and other devices

In short, the data protection declaration applies to all areas in which personal data is processed in the company via the aforementioned channels in a structured manner. If we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.

 

Legal basis

In the following privacy statement, we provide you with transparent information on the legal principles and regulations, i.e. the legal bases of the General Data Protection Regulation, which enable us to process personal data.As far as EU law is concerned, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016.You can, of course, read this General Data Protection Regulation of the EU online on EUR-Lex, the access point to EU law, at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679.

 

We only process your data if at least one of the following conditions applies:

 

Consent (Article 6(1)(a) DSGVO): You have given us your consent to process data for a specific purpose. An example would be the storage of your entered data of a contact form.

Contract (Article 6(1) lit. b DSGVO): In order to fulfill a contract or pre-contractual obligations with you, we process your data. For example, if we conclude a purchase contract with you, we need personal information in advance.

Legal obligation (Article 6(1)(c) DSGVO): If we are subject to a legal obligation, we process your data. For example, we are legally obliged to keep invoices for accounting purposes. These usually contain personal data.

Legitimate interests (Article 6(1)(f) DSGVO): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data in order to operate our website in a secure and economically efficient manner. This processing is therefore a legitimate interest.

Other conditions, such as the performance of recordings in the public interest and the exercise of official authority, as well as the protection of vital interests, do not generally arise for us. If such a legal basis should nevertheless be relevant, it will be indicated at the appropriate place.

 

In addition to the EU Regulation, national laws also apply:

1. In Austria, this is the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act), or DSG for short.
2. In Germany, the Federal Data Protection Act, or BDSG for short, applies.
3. If other regional or national laws apply, we will inform you about them in the following sections.

 

Contact details of the responsible person

If you have any questions regarding data protection or the processing of personal data, please find below the contact details of the responsible person, Kerstin Wagner.

E-mail: office@wavance.com

Phone: +43 681 20808810

Imprint: https://www.wavance.com/en/imprint

Storage period

The fact that we only store personal data for as long as is absolutely necessary for the provision of our services and products applies as a general criterion at our company. This means that we delete personal data as soon as the reason for processing the data no longer exists. In some cases, we are required by law to store certain data even after the original purpose has ceased to exist, for example for accounting purposes.

Should you wish your data to be deleted or revoke your consent to data processing, the data will be deleted as soon as possible and insofar as there is no obligation to store it.

We will inform you about the specific duration of the respective data processing below, provided we have further information on this.

 

If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can complain to the supervisory authority. For Austria, this is the data protection authority, whose website can be found at https://www.dsb.gv.at/. In Germany, there is a data protection officer for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:

Austria Data Protection Authority

Head: Mag. Dr. Andrea Jelinek

Address: Barichgasse 40-42, 1030 Vienna

Telephone number: +43 1 52 152-0

E-mail address: dsb@dsb.gv.at

Website: https://www.dsb.gv.at/

 

Data transfer to third countries

We only transfer or process data to countries outside the EU (third countries) if you consent to this processing, if this is required by law or contractually necessary, and in any case only to the extent that this is generally permitted. Your consent is in most cases the most important reason that we have data processed in third countries. Processing personal data in third countries such as the U.S., where many software vendors provide services and have their server locations, may mean that personal data is processed and stored in unexpected ways.

We explicitly point out that according to the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. Data processing by US services (such as Google Analytics) may result in data not being processed and stored anonymously, where applicable. Furthermore, US government authorities may be able to access individual data. In addition, it may happen that collected data is linked to data from other services of the same provider, if you have a corresponding user account. Where possible, we try to use server locations within the EU, if this is offered.

We will inform you in more detail about data transfer to third countries, if applicable, at the appropriate places in this privacy policy.

 

Data processing security

To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. In this way, we make it as difficult as possible, within the scope of our possibilities, for third parties to infer personal information from our data.

Article 25 of the GDPR refers to “data protection by technical design and by data protection-friendly default settings” and thus means that both software (e.g., forms) and hardware (e.g., access to the server room) are always designed with security in mind and that appropriate measures are taken. In the following, we will go into more detail on specific measures, if necessary.

 

TLS encryption with https

TLS, encryption and https sound very technical and they are. We use HTTPS (Hypertext Transfer Protocol Secure stands for “secure hypertext transfer protocol”) to transfer data tap-proof on the Internet.This means that the complete transfer of all data from your browser to our web server is secured – no one can “listen in”.

In this way, we have introduced an additional layer of security and comply with data protection by design of technology (Article 25(1) DSGVO). By using TLS (Transport Layer Security), an encryption protocol for secure data transfer on the Internet, we can ensure the protection of confidential data.You can recognize the use of this data transfer protection by the small lock symbol at the top left of the browser, to the left of the Internet address (e.g. beispielseite.de) and the use of the scheme https (instead of http) as part of our Internet address.If you would like to know more about encryption, we recommend a Google search for “Hypertext Transfer Protocol Secure wiki” to get good links to further information.

 

Order processing agreement (AVV)

In this section, we’d like to explain what a contract processing agreement is and why it’s needed. Because the word “order processing agreement” is quite a mouthful, we will also use just the acronym AVV more often here in the text. Like most companies, we do not work alone, but also use the services of other companies or individuals ourselves.  Through the involvement of various companies or service providers, it may be that we pass on personal data for processing. These partners then act as processors with whom we conclude a contract, the so-called order processing agreement (AVV). The most important thing for you to know is that the processing of your personal data is carried out exclusively according to our instructions and must be regulated by the GCU.

 

Who are processors?

As a company and website owner, we are responsible for all data that we process from you. In addition to the responsible parties, there may also be so-called processors. This includes any company or person that processes personal data on our behalf. More precisely and according to the GDPR definition: any natural or legal person, authority, institution or other body that processes personal data on our behalf is considered a processor. Consequently, processors can be service providers such as hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft, for example.

For a better understanding of the terminology, here is an overview of the three roles in the GDPR:

Data subject (you as a customer or interested party) → Controller (we as a company and client) → Processor (service provider such as web hoster or cloud provider).

 

Content of an order processing agreement

• As mentioned above, we have concluded an AVV with our partners who act as processors. This states, first and foremost, that the processor will process the data to be processed exclusively in accordance with the GDPR. The contract must be concluded in writing, although in this context the electronic conclusion of the contract is also considered “in writing”. Only on the basis of the contract will the processing of personal data take place. The contract must contain the following:
• Commitment to us as the controller
• Obligations and rights of the data controller
• Categories of data subjects
• Nature of the personal data
• Nature and purpose of the data processing
• Subject and duration of data processing
• Place of performance of the data processing

Furthermore, the contract contains all obligations of the processor. The most important obligations are:

• to ensure data security measures
• to take possible technical and organizational measures to protect the rights of the data subject
• to keep a data processing directory
• cooperate with the data protection supervisory authority upon its request
• carry out a risk analysis in relation to the personal data received.

Sub-processors may only be engaged with the written consent of the data controller.

You can see what such an AVV looks like in concrete terms, for example, at https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-mustervertrag-auftragsverarbeitung.html. A sample contract is presented here.

What are cookies?

Our website uses HTTP cookies to store user-specific data. Below we explain what cookies are and why they are used to help you better understand the following privacy policy.

Whenever you browse the Internet, you use a browser. Popular browsers include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge. Most websites store small text files in your browser. These files are called cookies.

One thing can’t be denied: Cookies are really useful little helpers. Almost all websites use cookies. More precisely, they are HTTP cookies, as there are other cookies for other applications. HTTP cookies are small files that are stored on your computer by our website. These cookie files are automatically placed in the cookie folder, effectively the “brain” of your browser. A cookie consists of a name and a value. When defining a cookie, one or more attributes must also be specified.

Cookies store certain user data about you, such as language or personal page settings. When you return to our site, your browser transmits the “user-related” information back to our site. Thanks to cookies, our site knows who you are and offers you the setting you are used to. In some browsers each cookie has its own file, in others, such as Firefox, all cookies are stored in a single file.

The following graphic shows a possible interaction between a web browser, such as Chrome, and the web server. In this case, the web browser requests a website and receives a cookie back from the server, which the browser uses again as soon as another page is requested.

There are both first-party cookies and third-party cookies. First-party cookies are created directly by our site, third-party cookies are created by partner websites (e.g. Google Analytics). Each cookie must be evaluated individually, as each cookie stores different data. Also, the expiration time of a cookie varies from a few minutes to a few years. Cookies are not software programs and do not contain viruses, Trojans or other “pests”. Cookies also cannot access information on your PC.

To change your cookie settings click here: Cookie-settings

 

Web Analytics

Web Analytics Summary 👥 Data subjects: Visitors to the website. 🤝 Purpose: Evaluation of visitor information to optimize the web offer. 📓 Data processed: Access statistics containing data such as access locations, device data, access duration and time, navigation behavior, click behavior, and IP addresses. More details on this can be found with the respective web analytics tool used. 📅 Storage duration: depending on the web analytics tool used. Legal basis: Art. 6 para. 1 lit. a DSGVO (Consent), Art. 6 para. 1 lit. f DSGVO (Legitimate Interests).

What is Web Analytics?

We use software on our website to evaluate the behavior of website visitors, known as web analytics for short. This involves collecting data that the respective analytic tool provider (also called tracking tool) stores, manages and processes. The data is used to create analyses of user behavior on our website and made available to us as the website operator. In addition, most tools offer various testing options. For example, we can test which offers or content are best received by our visitors. To do this, we show you two different offers for a limited period of time. After the test (so-called A/B test), we know which product or content our website visitors find more interesting. For such test procedures, as for other analytics procedures, user profiles can also be created and the data stored in cookies.

Right of objection

You also have the right and the possibility to revoke your consent to the use of cookies or third-party providers at any time. This works either via our cookie management tool or via other opt-out functions. For example, you can also prevent data collection through cookies by managing, disabling or deleting cookies in your browser.

Legal basis

The use of web analytics requires your consent, which we have obtained with our cookie popup. According to Art. 6 (1) lit. a DSGVO (consent), this consent constitutes the legal basis for the processing of personal data, as may occur during the collection by web analytics tools.

In addition to consent, there is a legitimate interest on our part to analyze the behavior of website visitors and thus to improve our offer technically and economically. With the help of web analytics, we detect website errors, can identify attacks and improve economic efficiency. The legal basis for this is Art. 6 para. 1 lit. f DSGVO (Legitimate Interests). Nevertheless, we only use the tools insofar as you have given your consent.

Since web analytics tools use cookies, we also recommend that you read our general privacy policy on cookies. To find out exactly which of your data is stored and processed, you should read the privacy statements of the respective tools.

Information on specific web analytics tools, if available, can be found in the following sections.

 

Google Tag Manager Data Privacy

Google Tag Manager Data Privacy Summary

👥 Data subjects: Visitors to the website

🤝 Purpose: Organization of the individual tracking tools.

📓 Data processed: Google Tag Manager does not store any data itself. The data is collected by the tags of the web analytics tools used.

📅 Storage duration: depending on the web analytics tool used.

⚖️ Legal basis: Art. 6 para. 1 lit. a DSGVO (Consent), Art. 6 para. 1 lit. f DSGVO (Legitimate Interests).

To change your cookie settings click here: Cookie-settings

What is the Google Tag Manager?

For our website we use the Google Tag Manager of the company Google Inc. For the European area the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. This Tag Manager is one of many helpful marketing products from Google. Through Google Tag Manager, we can centrally incorporate and manage code sections from various tracking tools that we use on our website.

In this privacy statement, we want to explain in more detail what Google Tag Manager does, why we use it, and in what form data is processed.

Google Tag Manager is an organizational tool that allows us to incorporate and manage website tags centrally and via a user interface. Tags are small sections of code that, for example, record (track) your activities on our website. For this purpose, JavaScript code sections are inserted into the source code of our page. The tags often come from Google-internal products such as Google Ads or Google Analytics, but tags from other companies can also be included and managed via the manager. Such tags perform different tasks. They can collect browser data, feed marketing tools with data, embed buttons, set cookies and also track users across multiple websites.

 

Why do we use Google Tag Manager for our website?

As the saying goes, organization is half the battle! And of course, this also applies to the maintenance of our website. In order to make our website as good as possible for you and all the people who are interested in our products and services, we need various tracking tools such as Google Analytics. The collected data from these tools show us what you are most interested in, where we can improve our services and which people we should still show our offers to. And for this tracking to work, we need to embed appropriate JavaScript codes into our website. In principle, we could include each code section of each tracking tool separately in our source code. However, this requires a relatively large amount of time and it’s easy to lose track. That’s why we use the Google Tag Manager. We can easily incorporate the necessary scripts and manage them from one place. Moreover, Google Tag Manager offers an easy-to-use interface and you don’t need any programming skills. This is how we manage to keep order in our tag jungle.

 

What data is stored by Google Tag Manager?

The Tag Manager itself is a domain that does not set any cookies or store any data. It acts as a mere “manager” of the implemented tags. The data is collected by the individual tags of the various web analytics tools. The data is virtually passed through to the individual tracking tools in the Google Tag Manager and is not stored.

However, the situation is quite different with the embedded tags of the various web analytics tools, such as Google Analytics. Depending on the analysis tool, various data about your web behavior is usually collected, stored and processed with the help of cookies. For this, please read our privacy texts on the individual analysis and tracking tools that we use on our website.

In the account settings of the Tag Manager, we have allowed Google to receive anonymized data from us. However, this is only about the use and usage of our Tag Manager and not your data stored via the code sections. We allow Google and others to receive selected data in anonymized form. We thus consent to the anonymous sharing of our website data. Which summarized and anonymous data is forwarded exactly, we could not find out – despite long research. In any case, Google deletes all information that could identify our website. Google combines the data with hundreds of other anonymous website data and creates user trends as part of benchmarking measures. Benchmarking compares our own results with those of our competitors. Processes can be optimized on the basis of the information collected.

 

How long and where is the data stored?

When Google stores data, this data is stored on Google’s own servers. The servers are distributed all over the world. Most of them are located in America. You can find out exactly where Google servers are located at https://www.google.com/about/datacenters/inside/locations/?hl=de.

 

How can I delete my data or prevent data storage?

The Google Tag Manager itself does not set cookies, but manages tags from various tracking websites. In our privacy texts for the individual tracking tools, you will find detailed information on how to delete or manage your data.

Please note that when using this tool, data from you may also be stored and processed outside the EU. Most third countries (including the USA) are not considered secure under current European data protection law. Data to insecure third countries may therefore not simply be transferred, stored and processed there unless there are suitable guarantees (such as EU standard contractual clauses) between us and the non-European service provider.

 

Legal basis

The use of Google Tag Manager requires your consent, which we have obtained with our cookie popup. According to Art. 6 (1) lit. a DSGVO (consent), this consent constitutes the legal basis for the processing of personal data as it may occur during the collection by web analytics tools.

In addition to consent, there is a legitimate interest on our part in analyzing the behavior of website visitors and thus improving our offer technically and economically. With the help of Google Tag Managers can improve the economic efficiency. The legal basis for this is Art. 6 para. 1 lit. f DSGVO (Legitimate Interests). Nevertheless, we only use the Google Tag Manager if you have given your consent.

Google also processes data from you in the USA, among other places. We would like to point out that according to the opinion of the European Court of Justice, there is currently no adequate level of protection for the transfer of data to the USA. This may be associated with various risks to the legality and security of data processing.

Google uses so-called standard contractual clauses (= Art. 46. para. 2 and 3 DSGVO) as the basis for data processing for recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or a data transfer there. Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through these clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the US. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

The Google Ads Data Processing Terms, which correspond to the standard contractual clauses and also apply to Google Tag Manager, can be found at https://business.safety.google/adsprocessorterms/.

 

If you want to learn more about Google Tag Manager, we recommend the FAQs at https://www.google.com/intl/de/tagmanager/faq.html.

 

Google Analytics Data Privacy

What is Google Analytics?

We use the analysis tracking tool Google Analytics (GA) of the American company Google Inc. on our website. For the European area, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. Google Analytics collects data about your actions on our website. For example, when you click on a link, this action is stored in a cookie and sent to Google Analytics. Using the reports we receive from Google Analytics, we can better tailor our website and service to your preferences. In the following, we will go into more detail about the tracking tool and, in particular, inform you about what data is stored and how you can prevent this.

Google Analytics is a tracking tool used to analyze traffic to our website. In order for Google Analytics to work, a tracking code is built into the code of our website. When you visit our website, this code records various actions you take on our website. Once you leave our website, this data is sent to the Google Analytics servers and stored there.Was ist Google Analytics?

To change your cookie settings click here: Cookie-settings

What data is stored by Google Analytics?

Google Analytics uses a tracking code to create a random, unique ID associated with your browser cookie. This is how Google Analytics recognizes you as a new user. The next time you visit our site, you will be recognized as a “returning” user. All collected data is stored together with this user ID. This makes it possible to evaluate pseudonymous user profiles.

In order to analyze our website with Google Analytics, a property ID must be inserted into the tracking code. The data is then stored in the corresponding property. For each newly created property, the Google Analytics 4 property is standard. Alternatively, you can also create the Universal Analytics property. Depending on the property used, data is stored for different lengths of time.

Labels such as cookies and app instance IDs are used to measure your interactions on our website. Interactions are all types of actions you take on our website. If you also use other Google systems (such as a Google account), data generated through Google Analytics may be linked to third-party cookies. Google does not share Google Analytics data unless we, as the website operator, authorize it. Exceptions may occur if required by law.

The following cookies are used by Google Analytics:

Name: _ga

Value: 2.1326744211.152112089499-5

Purpose: By default, analytics.js uses the _ga cookie to store the user ID. Basically, it is used to distinguish website visitors.

Expiration date: after 2 years

 

Name: _gid

Value : 2.1687193234.152112089499-1

Purpose: The cookie is also used to distinguish the website visitors.

Expiration date: after 24 hours

 

Name: _gat_gtag_UA_<property-id>

Value: 1

Intended use: used to lower the request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_ <property-id>.

Expiration date: after 1 minute

 

Name: AMP_TOKEN

Value: not specified

Purpose: The cookie has a token that can be used to retrieve a user ID from the AMP client ID service. Other possible values indicate a logout, a request, or an error.

Expiration date: after 30 seconds up to one year.

 

Name: __utma

Value: 1564498958.1564498958.1564498958.1

Purpose: This cookie is used to track your behavior on the website and measure performance. The cookie is updated every time information is sent to Google Analytics.

Expiration date: after 2 years

 

Name: __utmt

Value: 1

Purpose: The cookie is used like _gat_gtag_UA_<property-id> to throttle the request rate.

Expiration date: after 10 minutes

 

Name: __utmb

Value: 3.10.1564498958

Purpose: This cookie is used to determine new sessions. It is updated every time new data or info is sent to Google Analytics.

Expiration date: after 30 minutes

 

Name: __utmc

Value: 167421564

Purpose: This cookie is used to set new sessions for returning visitors. This is a session cookie and is only stored until you close the browser again.

Expiration date: After you close the browser.

 

Name: __utmz

Value: m|utmccn=(referral)|utmcmd=referral|utmcct=/

Purpose: The cookie is used to identify the source of traffic to our website. That is, the cookie stores from where you came to our website. This may have been another page or an advertisement.

Expiration date: after 6 months

 

Name: __utmv

Value: not specified

Purpose: The cookie is used to store custom user data. It is updated whenever information is sent to Google Analytics.

Expiration date: after 2 years

 

Note: This enumeration cannot claim to be complete, as Google is always changing the choice of their cookies as well.

 

Google Analytics IP anonymization

We have implemented Google Analytics IP address anonymization on this website. This feature was developed by Google to enable this website to comply with applicable data protection regulations and recommendations of local data protection authorities if they prohibit storage of the full IP address. The anonymization or masking of the IP takes place as soon as the IP addresses arrive at the Google Analytics data collection network and before any storage or processing of the data takes place.

More information on IP anonymization can be found at https://support.google.com/analytics/answer/2763052?hl=de.

 

BorlabsCookie Privacy Policy

We use BorlabsCookie on our website, which is, among other things, a tool for storing your cookie consent. The service provider is the German company Borlabs – Benjamin A. Bornschein, Rübenkamp 32, 22305 Hamburg, Germany. You can learn more about the data processed through the use of BorlabsCookie in the Privacy Policy at https://de.borlabs.io/datenschutz/.

 

 

 

Calendly privacy policy

 

We use Calendly, a planning and organization tool, for our website. The service provider is the American company Calendly LCC, 271 17th St NW, Ste 1000, Atlanta, Georgia, 30363, USA.

Calendly also processes data in the USA, among other places. We would like to point out that according to the opinion of the European Court of Justice, there is currently no adequate level of protection for the transfer of data to the USA. This may be associated with various risks to the legality and security of data processing.

As a basis for data processing with recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular the USA) or a data transfer there, Calendly uses standard contractual clauses approved by the EU Commission (= Art. 46. para. 2 and 3 DSGVO). These clauses oblige Calendly to comply with the EU level of data protection when processing relevant data also outside the EU. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the clauses, among others, here: https://germany.representation.ec.europa.eu/index_de

You can learn more about the data processed through the use of Calendly in the privacy policy at https://calendly.com/de/privacy.

Calendly order processing agreement (AVV)

We have concluded an order processing agreement (AVV) with Calendly in accordance with Article 28 of the General Data Protection Regulation (GDPR). You can read more about what exactly an AVV is and, in particular, what must be included in an AVV in our general section “Order Processing Agreement (AVV)”.

This contract is required by law because Calendly processes personal data on our behalf. It clarifies that Calendly may only process data they receive from us according to our instructions and must comply with the GDPR. You can find the link to the order processing agreement (AVV) at https://calendly.com/de/dpa.