Privacy policy
Privacy Policy (General Data Protection Regulation)
MindTech FlexCo
Hüttelbergstrasse 119/2
A-1140 Vienna
Austria
Last updated: July 21, 2025
1. Introduction and Scope
These privacy provisions inform you about the nature, scope and purpose of the processing of personal data within our online offering and associated websites, features and content (collectively referred to as “online offering” or “website”). MindTech FlexCo is a software development company based in Austria.
We place the highest importance on the protection of your data and the preservation of your privacy. The processing of your personal data takes place exclusively on the basis of the legal provisions of the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and the Telecommunications Act 2021 (TKG 2021).
2. Controller for Data Processing
The controller within the meaning of the GDPR and other national data protection laws of the Member States and other data protection regulations is:
MindTech FlexCo
Hüttelbergstrasse 119/2
A-1140 Vienna
Austria
Email: [email protected]
3. General Principles of Data Processing
We process personal data according to the following principles:
- Lawfulness, fairness and transparency: Processing takes place in a lawful, honest and comprehensible manner.
- Purpose limitation: Data is only collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data minimisation: We collect only data that is necessary and appropriate for the processing purposes.
- Accuracy: Personal data must be factually correct and, where necessary, kept up to date. Inaccurate data are promptly deleted or corrected.
- Storage limitation: Data is only stored as long as necessary for the processing purposes or required by law.
- Integrity and confidentiality (security): Processing is carried out in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing as well as accidental loss, destruction or damage.
- Accountability: We are responsible for compliance with these principles and must be able to demonstrate it.
4. Categories of Processed Data
We process the following categories of personal data:
- Contact data: name/company, business address, email address, phone number.
- Contract data: order details, VAT-ID number, bank details, credit card data, customer service inquiries.
- Usage data: IP address, cookie IDs, visited pages, clicks, behavioural data on the website.
- Content data: texts, documents and files you provide or that are processed as part of our services.
- Employee data: (if relevant for internal administration) name, contact details, etc.
5. Purposes and Legal Bases of Data Processing
We process your personal data for the following purposes and based on the stated legal bases:
To fulfil contracts or carry out pre-contractual measures (Art. 6(1)(b) GDPR):
- Provision of our software development services.
- Handling customer relationships, quotations and invoicing.
- Communication in the context of contract execution.
- Management of customer databases.
Based on your consent (Art. 6(1)(a) GDPR):
- For marketing and analysis purposes, e.g. Google Analytics and Facebook Pixel.
- For storing technically non-essential cookies on your device.
- When you voluntarily provide data (e.g. via contact forms) to handle your inquiries.
To comply with legal obligations (Art. 6(1)(c) GDPR):
- Storage of accounting records and invoices according to tax and commercial law requirements.
- Compliance with reporting and disclosure obligations to authorities.
To safeguard our legitimate interests (Art. 6(1)(f) GDPR):
- Ensuring operation and security of our website and IT systems (e.g. via Cloudflare).
- Improving our services and products.
- Efficient communication and handling of customer inquiries.
- Management of internal user accounts and technical logs.
6. Recipients of Data and Third-Party Services
We engage various service providers (processors) who process personal data on our behalf. We have concluded appropriate data processing agreements (DPAs) pursuant to Art. 28 GDPR to ensure protection of your data, including with:
- Cloudflare (CDN, DDoS protection, WAF): processes IP addresses, traffic data and system configuration details.
- Google Analytics: collects IP addresses (possibly anonymised), cookie IDs and behavioural data.
- Facebook Pixel (Meta Pixel): collects IP addresses, cookie IDs, visited pages and clicks, based on your explicit consent via our cookie banner.
7. International Data Transfers
Use of US-based services (Cloudflare, Google Analytics, Facebook Pixel) involves transfer of personal data to the United States. Under the “Schrems II” ruling, Standard Contractual Clauses (SCCs) alone may not ensure adequate protection due to U.S. surveillance laws.
We conduct a Transfer Impact Assessment (TIA) for each such service and implement additional safeguards where needed (e.g. EU data localization, client-side encryption).
8. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to enhance user experience and provide certain functions:
- Technically necessary cookies: required for core website operation (e.g. cart, login status). No consent required.
- Technically non-essential cookies: used for analytics, marketing, personalization (e.g. Google Analytics, Facebook Pixel); require your explicit consent via cookie banner.
Our cookie banner meets TKG 2021 and GDPR requirements:
- Consent obtained before setting non-essential cookies.
- Voluntary and transparent consent; informed and specific.
- Equal visibility of reject and accept options; no nudging.
- Granular consent by category.
- Consent revocable at any time; see banner for details.
9. Your Rights as Data Subject
You have the following comprehensive rights under GDPR:
- Right to information (Art. 13, 14)
- Right of access (Art. 15): request confirmation if we process your data and receive a copy
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”, Art. 17)
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21): e.g. processing based on legitimate interests or direct marketing
- Right to withdraw consent (Art. 7(3)): does not affect lawfulness of prior processing
- Right to lodge complaint with supervisory authority (Art. 77): in Austria, the Data Protection Authority (DSB).
You may exercise these rights at any time via the contact details provided above. We will respond promptly, at the latest within one month of receipt.
10. Data Retention Periods
Personal data is retained only for as long as required by processing purposes or legal obligations:
- Accounting records and invoices: typically 7 years.
- Documents related to real estate (VAT law): 10 years.
- Documents connected to electronically supplied services (OSS): 10 years.
- Contract-related data: retention follows statutory or contractual limitation periods (e.g. warranty 2-3 years, purchase claims 3 years, liability 3 or 30 years).
- Analytical data: retention is minimized and depends on tool configuration.
After expiry of retention periods, data is deleted or anonymised.
11. Technical and Organisational Measures (TOMs)
We implement appropriate technical and organisational measures to ensure the security of personal data and protect it against unauthorised access, loss or destruction, including:
- Physical access control (locks, alarms, visitor registration)
- Access control (secure VPN, encryption, strong passwords, user profiles)
- Usage control (role-based permissions, logging, privacy-compliant data disposal)
- Transfer control (email encryption, secure transport containers)
- Input control (logging of data changes linked to user IDs)
- Order control (processor agreements, written instructions, audit rights)
- Availability control (backups, UPS, fire protection)
- Separation control (segregated processing, adjusted database permissions)
12. Data Protection Officer
MindTech FlexCo is currently not legally required to appoint a Data Protection Officer (DPO), as our core business does not involve extensive monitoring of individuals or processing of sensitive data as a primary activity.
Nonetheless, we take data protection very seriously and are available to answer any questions regarding data protection. You can reach us at the contact details above.