Privacy Notice – Ulmenbründl Compass

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Larissa Dorrer
Sachsendorf 24
3474 Sachsendorf
Austria

Email: gut@ulmenbruendl.at

For any data protection–related inquiries, you may contact me at the email address listed above.

There is no legal obligation to appoint a data protection officer; therefore, no data protection officer has been designated.

2. Collection and Processing of Personal Data

2.1 Processed Data

When purchasing the digital product “Ulmenbründl Compass”, the following personal data are processed:

  • First and last name
  • Billing address
  • Email address
  • Payment information
  • Information about purchased products
  • Order and download history

2.2 Purpose and Legal Basis of Processing

The processing of the above-mentioned personal data is carried out for the purpose of:

  • Processing the purchase contract
  • Providing the digital product
  • Invoicing and accounting
  • Communication related to the purchase

The legal basis for processing is Art. 6(1)(b) GDPR (performance of a contract).

Where processing is necessary to comply with legal obligations (e.g. tax and commercial law retention requirements), it is carried out on the basis of Art. 6(1)(c) GDPR.

2.3 Obligation to Provide Data

The provision of the above-mentioned personal data is required for the conclusion and execution of the contract.
Without this data, the purchase of the digital product is not possible.

2.4 Automated Decision-Making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

2.5 Information on the Right of Withdrawal for Digital Content

For digital content, the statutory right of withdrawal pursuant to § 18 of the Austrian Distance and Off-Premises Contracts Act (FAGG) may expire once the execution of the contract has begun (e.g. provision of the download) and the data subject has expressly agreed that performance of the contract may begin before the expiry of the withdrawal period.

3. Payment Service Providers

To process payments, external payment service providers are used. Depending on the selected payment method, personal data may be transferred to the following providers:

  • Stripe
  • PayPal
  • Klarna
  • EPS
  • Credit and debit card providers

The transfer of data takes place exclusively for the purpose of payment processing. Only data necessary for this purpose are transmitted.

Where payment service providers act as processors, corresponding agreements pursuant to Art. 28 GDPR have been concluded.
Where payment service providers act as independent controllers, data processing is carried out under their own responsibility. In such cases, the respective privacy policies of the payment service providers apply.

4. Storage and Retention

Personal data are stored only for as long as necessary for the respective processing purposes or as required by statutory retention obligations.

Invoice and accounting data are retained for 7 years in accordance with tax law requirements.

Contract and order data are stored for the duration of contract performance and beyond in accordance with statutory retention obligations.

Email addresses are used for the transmission of invoices, purchase confirmations, and legally required product-related information.

No newsletters or promotional communications are sent unless explicit consent has been given.

After the purpose of processing ceases to apply or statutory retention periods expire, the data are deleted or anonymized.

Appropriate technical and organizational security measures in accordance with Art. 32 GDPR are implemented to protect personal data against loss, misuse, or unauthorized access.

5. Technical Service Providers and Hosting

The website and sales infrastructure are hosted by a provider located within the European Union (Hostinger).

In addition, technical service providers (e.g. hosting, sales, or platform providers) may be used who process personal data exclusively within the scope of data processing agreements pursuant to Art. 28 GDPR.

6. Fonts

If fonts are used, they are integrated locally.
No connection to external font provider servers is established, and no personal data are transmitted to third parties in this context.

7. Data Disclosure and Third-Country Transfers

Personal data are disclosed only to the extent necessary for contract performance or compliance with legal obligations, in particular to:

  • Payment service providers
  • Accounting and tax advisors
  • Technical service providers

When using certain payment service providers, it may be technically necessary to transfer personal data to third countries (e.g. the United States).
Such transfers take place only where technically required by the respective payment service provider.

In these cases, data transfers are carried out on the basis of appropriate safeguards pursuant to Art. 46 GDPR, in particular through the conclusion of Standard Contractual Clauses.

8. Rights of Data Subjects

Data subjects have the following rights under the GDPR at any time:

  • Right of access to processed personal data
  • Right to rectification of inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”), insofar as no statutory retention obligations apply
  • Right to restriction of processing
  • Right to data portability
  • Right to object to the processing of personal data

The right to object applies insofar as processing is not strictly necessary for contract performance or required by law (e.g. invoicing).

To exercise these rights, contact can be made at any time using the email address provided above.

In addition, data subjects have the right to lodge a complaint with the competent supervisory authority.
In Austria, this is the Austrian Data Protection Authority.

9. Scope of Application

These privacy notices apply exclusively to the sale and use of the digital product “Ulmenbründl Compass”.

Separate privacy notices may apply to other offerings, in particular coaching, consulting, or accompaniment formats.