Privacy Policy

Last updated: 19 April 2024 The protection of your personal data is very important to us, so we would like to list here all the information about the processing and storage of your data when you visit our website and in our companies.

In order to be able to use all the functions and services of our site, it is necessary to collect your personal data. However, processing and storage is only carried out in accordance with the legal guidelines and requirements of the General Data Protection Regulation (GDPR) and the Telecommunications Act (TKG 2021).

CONTROLLER GmbH Kaiserstrasse 89 1070 Vienna Austria You can find more information in the imprint.

All employees are obliged to maintain confidentiality and to handle your data properly and to enter it correctly into our data processing systems.


Data Protection Officer: SCALELINE Datenschutz - Mag.a iur. Elisa Drescher E-mail:


Note: To protect your data as comprehensively as possible from unwanted access, we take so-called technical and organisational measures and use an encryption process on our website. Your data is transmitted over the Internet from your computer to our computer and vice versa using so-called TLS encryption. TLS means "Transport Layer Security" and is an encryption protocol for data transmission on the Internet. You can usually recognise "TLS" by the fact that the lock symbol in the status bar of your browser is closed and the address begins with https://.


This website automatically collects and stores server log file information that your browser sends to us. These are

  • IP address of the user,
  • Date and time of access,
  • Type of request,
  • Customer information such as type and version,
  • Operating system of the user (device, OS version of the device),
  • Referrer information (i.e. the source of the access)

The legal basis for this data processing is the legitimate interest according to Art. 6 para. 1 lit. f) GDPR. The legitimate interest is based on being able to identify indications of unlawful use of our website (e.g. defence against hacker attacks) and to ensure a smooth connection setup. The collected data is stored in server log files, which your browser automatically transmits to us in encrypted form. We only save the server log files in the event of attacks on our server infrastructure or other legal violations. This longer storage period is based on our legitimate interest according to Art. 6 para. 1 lit. f) GDPR and only serves to preserve evidence.

We use "Vercel WebAnalytics" to anonymously compile statistics about visits to our website. When using Vercel Web Analytics, no personal identifiers are collected that track and match end-user data across different applications or websites. By default, Vercel Web Analytics uses only aggregated data that does not identify or re-identify client end users. Vercel Web Analytics does not collect or store information that would allow you to reconstruct an end user's browsing session across different applications or websites and/or personally identify an end user. Only a minimal amount of data is collected, which is only used for aggregate statistics.

We have concluded a data processing agreement (DPA) with the provider of this website, Vercel Inc. , based in the USA, in accordance with Art. 28 GDPR. This is a contract required by data protection law, which ensures that Vercel Inc. only processes the personal data of our website visitors according to our instructions and in compliance with the GDPR. Furthermore, standard contractual clauses have been contractually agreed, whereby Vercel Inc. guarantees that a level of data protection as within the European Union exists. Vercel Inc. uses the services of Amazon Web Services in the area of hosting and storage services as a subcontractor.

To optimise the loading time, we integrate the Content Delivery Network (CDN) of "unpkg" on this website. unpkg" is a public content delivery network (CDN) for the provision of content. The use or integration of "unpkg" is based on legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR. According to the developer of "unpkg", no personal data is processed or stored, and no IP address is stored.


For direct and uncomplicated contact, we offer the possibility to send us a message via chatarmin. By clicking on "Start Chat" you will be redirected to WhatsApp-Business and can start the chat with us from there.

The data processing in this context is based on the legal basis of contract performance or contract initiation according to Art. 6 para. 1 lit. b) GDPR. The chat via WhatsApp is not intended for you to exchange sensitive data such as health data, data on religious affiliation or data on ethical origin. Please do not transmit this sensitive data to us.

Any personal information that you provide to us in the context of an enquiry will, of course, be treated confidentially. We use the personal data you provide exclusively to process and respond to your enquiry. The legal basis for data processing is our legitimate interest according to Art. 6 Para. 1 lit. f) GDPR. This results from our interest in answering enquiries from our customers, business partners and interested parties and in promoting or maintaining customer satisfaction. A further legal basis for natural persons is the initiation or fulfilment of a contract in accordance with Art. 6 (1) (b) GDPR. In the context of the use of WhatsApp, WhatsApp Ireland Limited is the recipient of your data and we have concluded a DPA in accordance with Art. 28 GDPR. WhatsApp is a product of the Meta Companies (formerly Facebook Inc.). In the context of Messenger, your data will also be transferred to third countries outside the European Union for which no adequacy decision exists. The legal basis for the transfer of data to third countries such as the USA within the scope of use are standard contractual clauses according to Art. 46 para. 1 lit. c) GDPR.

All personal data that you send us with your enquiry will be deleted or anonymised by us no later than 2 years after the final reply to you, unless a contract is concluded. The retention period of 2 years is due to the fact that it may occasionally happen that you contact us again about the same matter after a reply and refer to the previous correspondence. Experience has shown that after 2 years no further queries follow our replies.


For the simplified booking of get-to-know appointments as well as for appointments per se, we offer the Calendly function of the provider Calendly LCC based in the USA, with which a DPA pursuant to Art. 28 GDPR has been concluded.

Calendly is an appointment booking tool that allows you to book an appointment with us directly. After booking, you will also receive an appointment confirmation by email.

Beyond that, I do not pass on your data to third parties. The legal basis for the booking is the implementation of pre-contractual measures according to Art. 6 para. 1 lit. b) GDPR. From a data protection perspective, the USA is an unsafe third country. The data transfer takes place on the basis of so-called standard contractual clauses, which have been issued by the European Commission.


We use cookies to facilitate and improve the use of our website. Cookies are small pieces of text information that can be stored on your computer or smartphone via the browser when you visit a website. This is used to recognise the website visitor. Cookies can also provide us with information about how you use our website so that we can continually improve the design of the website.

Cookies themselves do not contain any personal data about users, they only serve to uniquely identify what our customers find interesting and useful on our website. We also use "web beacons" (small graphic images, also known as "pixel tags" or "clear GIFs") on our website. They are used together with cookies to track general user behaviour on the website.

The legal basis for the processing of personal data using cookies and other technologies is your consent pursuant to Art. 6 (1) lit. a) GDPR, which you give us via the so-called "Consent Banner" as soon as you access our website for the first time.

We use cookies for the following purposes:

  • Technically necessary: These are cookies and similar methods without which you cannot use our services, for example to display our website correctly or to use functions you have requested.
  • Statistics: These techniques allow us to compile anonymous statistics on the use of our services. This allows us to determine, for example, how we can better adapt our website to the habits of our users.
  • Marketing: This enables us to show you advertising content tailored to you based on the analysis of your usage behaviour. Your usage behaviour can also be tracked across different websites, browsers or end devices using a user ID (unique identifier).

The data processed by necessary cookies are required for the purposes listed below to protect our legitimate interests and those of third parties in accordance with Art. 6 para. 1 lit. f) GDPR.

Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your explicit and active consent in accordance with Art. 6 (1) a) GDPR. Via our so-called "Cookie Consent Tool", you can set yourself which cookie categories you wish to consent to when visiting our website.

Change Cookie Settings

Once cookies have been stored, you can delete them at any time via the settings of your web browser. You can also adjust the settings of your web browser so that no cookies are stored. In this case, not all functions of our website may be available.

We may use specialised service providers, in particular from the online marketing sector, as part of data processing (using cookies and similar techniques to process usage data). These process your data on our behalf as order processors, are carefully selected in each case and are contractually bound in accordance with Article 28 GDPR. All companies listed as providers in our Cookie Notice act as processors.

We may use specialised service providers, in particular from the online marketing sector, as part of data processing (using cookies and similar techniques to process usage data). These process your data on our behalf as order processors, are carefully selected in each case and are contractually bound in accordance with Article 28 GDPR. All companies listed as providers in our Cookie Notice act as so-called order processors.

We use the cookie consent technology of Borlabs Cookies to obtain your consent under data protection law for the storage of certain cookies on your end device or for the use of certain technologies and to document this in accordance with data protection law. The provider of this technology is Borlabs - Benjamin A. Bornschein ("Borlabs") with its registered office in Germany.

Borlabs sets a technically necessary cookie to store your data protection consents. The following information is stored in the Borlabs cookie:

  • Cookie Runtime
  • Cookie version
  • Domain and path of the website
  • Consents
  • UID (randomly generated ID, which according to Borlabs is not personally identifiable)

No data is transferred to Borlabs.

Borlabs is used to obtain the legally required consent for the use of cookies. The legal basis for this is our legitimate interest according to Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the legally secure documentation and verifiability of consents (Art. 6 para. 1 lit. c) GDPR), for the fulfilment of our accountability according to Art. 5 para. 2 GDPR.


This website uses Google Analytics if you give your consent within the meaning of Art. 6 para. 1 lit. a) GDPR and Art. 49 para. 1 lit. a) GDPR. This is a service provided by Google Ireland Limited ("Google"), a company incorporated and operated under the laws of Ireland (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC (USA) ("Google").

Google Analytics uses so-called "cookies". These are text files that are stored on your computer and enable an analysis of the use of the website by the user. The information acquired through the cookies about your usage behaviour of this website is usually transferred to a Google server in the USA and stored there. The data processing is also essentially carried out by Google. Both Google and, under certain circumstances, government authorities in the USA have access to this data. We have made the setting that your IP address is anonymised. The IP addresses are anonymised by Google, but within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator.

The anonymised IP address transmitted by your browser as part of Google Analytics is linked to other data about you, such as search history, personal accounts, usage data from other devices and any other data Google may have about you.

We do not store user and event data.

You can view the cookies that are set in connection with Google Analytics in the list above:

You can revoke your consent at any time by making the corresponding settings directly via our banner. The user and event data will be deleted after 50 months.


This website uses the Google Signals function to extend statistics reports created with Google Analytics with a cross-device evaluation of visitor flows. When are Google Signals collected? Google Signals are only applied to users who are logged into a Google account during the sessions and have activated the "Personalized advertising" function in the Google account.

What information do we receive through Google Signals? Through Google Signals, we do not receive any deeper insights about specific individuals or ways to uniquely identify you or the device you are using. We only receive general demographic information from Google (gender, age group) and possible interests.

How can I deactivate Google Signals? If you would like to deactivate this function for yourself, you must do so proactively via the setting in your Google account. The link will take you to the change options in your Google account: []

For more information about Google Signals, visit Google's information page directly at: []

We use Google Ads with your consent in accordance with Art. 6 para. 1 lit. a GDPR in order to be able to show you advertisements on websites of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") and other third-party providers.

Our purpose is to show you advertising that is of interest to you and to make our website more interesting for you. With conversion tracking, we can determine how successful the individual advertising measures are. To do this, we use cookies that can be used to measure certain parameters for measuring reach, such as the display of ads or clicks by users. If users access our website via a Google ad, a cookie is stored by Google Ads on the corresponding end device. We only receive aggregated evaluations of user behaviour, on the basis of which we can determine which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising media.

You can find more information about cookies in the cookie list above.

For more information on the privacy of Google services, please visit: [](]


We use the Google Tag Manager of the provider Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland.

Through Google Tag Manager, website tags are managed through one interface. This allows us as marketers to manage website tags through one interface. Tags are small sections of code that, for example, record (track) your activities on our website. The Google Tag Manager itself does not set cookies, but ensures that other tags are activated, which in turn may collect data, such as Google Analytics. Google Analytics itself sets cookies. You can find more information on this in the chapter "Web tracking measures".

By implementing the Google Tag Manager, your IP address is transferred anonymously to Google. This may also result in data being transferred to Google servers in the USA. We have concluded an order processing contract with Google in accordance with Art. 28 GDPR and the data transfer to third countries, such as the USA, takes place on the basis of standard contractual clauses.

In the Tag Manager account settings, we have not allowed Google to receive anonymised data from us.

The storage period of the integrated tracking tools, such as Google Analytics, depends on the respective tool used, which is loaded via the Google Tag Manager.


Based on your voluntarily given consent according to Art. 6 para. 1 lit. a) and Art. 49 para. 1 lit. a) GDPR, we use Hotjar to better understand the needs of our users and to optimise this website, the experience of our website visitors and to create statistical evaluations about the website visitors. The provider of Hotjar is Hotjar Limited, based in Malta.

Hotjar is a technology service that helps us better understand our users' experiences (e.g. how much time they spend on which pages, which links they click on, what users like and don't like, etc.) and enables us to build and maintain our service based on user feedback.

Hotjar uses cookies and other technologies to collect data about the behaviour of our users and their devices. This includes a device's IP address (which is processed during your session and stored in anonymised form), device screen size, device type (unique device identifiers), browser information, geographical location (country only) and the preferred language in which our website is displayed. The specific cookies placed by Hotjar and their storage duration can be found in the cookie list above.

There is a contract with Hotjar for commissioned processing in accordance with Art. 28 GDPR and Hotjar stores information on our behalf in a pseudonymised user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.


The fonts from Adobe Fonts are used for uniform presentation. When you access this website, your browser loads the fonts according to your consent pursuant to Art. 6 Para. 1 lit. a) GDPR. The server is located in Germany and no direct connection to Adobe servers, for example in the USA, is established.

The provider of these fonts within the European Union is Adobe Systems Software Ireland Companies with its registered office in Ireland ("Adobe"). Adobe does not rule out the possibility that data may also be transferred to the USA, in particular to Adobe Systems Incorporated, based in San Jose, California. Standard contractual clauses exist for this. According to Adobe, no cookies are set for the provision of Adobe Fonts .

Data processing in the context of application procedures

In order to receive and manage the application and thus for the purpose of (possibly) establishing an employment relationship, you can send us your application documents by e-mail. The legal basis for this data processing is Art. 6 para. 1 lit. b) GDPR. In the context of the application process, we only collect the data from you that is required to establish the employment relationship with us.

Within our company, only those people who are involved in the decision-making process will have access to your personal data.

In the event of a successful application, your personal data will be stored for the duration of your employment relationship. In addition, after its termination, your tax-relevant data will be archived within the framework of the statutory retention periods. In the event of an unsuccessful application, your personal data will be deleted 7 months after the rejection.

Data processing of business partners and customers

1. Fulfilment of contractual obligations (Art. 6 para. 1 lit. b) GDPR)

The purposes of the data processing result from the implementation of pre-contractual measures and the fulfilment of the obligations from the concluded contract.

Furthermore, we receive contact details of contact persons in the company who are interested in our services from so-called recommendation and tip providers. These recommenders and tipsters are the source of your data (Art. 14 para. 2 lit. f) GDPR). For this purpose, we process the following personal data of contact persons: Your title, your first name and surname, your business e-mail address and, where indicated, your business telephone number. The legal basis for this data processing is the initiation of a contract.

b) Processing our contracts with customers

In order to process our contracts, we process master data such as your first and last name, your billing address and your billing and payment data. We use your e-mail address to digitally send our outgoing invoices (invoices to our customers) through our order processor Intuit Limited, which is based in the UK. The European Commission has issued an adequacy decision for data transfers to the UK. An adequacy decision provides a legal basis for the transfer of data to third countries such as the UK.

In addition, you can also process your payments via the payment service provider "PayPal" in the case of recurring debits. We provide this payment method as an additional option to enable easy processing of recurring debits for our customers. This corresponds to our legitimate interest in offering an efficient and secure payment method and is based on the legal basis of Art. 6 para. 1 lit. f) GDPR. In this context, we still pass on data to the payment service providers insofar as it is necessary for the fulfilment of the contract (Art. 6 para. 1 lit. b. GDPR). The processing via the payment providers is neither legally nor contractually required. Without the transmission of your personal data, we cannot carry out a payment via the payment providers. You then have the option of choosing a different payment method.

More information about PayPal: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 with registered office in Luxembourg. Data protection at PayPal:

The purposes of data processing result from legal requirements in individual cases. These legal obligations include, for example, the fulfilment of retention and identification obligations, e.g. within the framework of requirements for tax control and reporting obligations and data processing within the framework of requests from authorities.

3. To fulfil our legitimate interests (Art. 6 para. 1 lit. f GDPR)

We process the contact data of contact persons at customers, interested parties, suppliers and other business partners for communication by e-mail, telephone and post. The legal basis for the data processing is the legitimate interest according to Art. 6 (1) f) GDPR. The legitimate interest here results from the interest in carrying out or initiating the business relationship with customers, interested parties, suppliers and other business partners as well as the personal contact with contact persons.

As a matter of principle, we do not pass on the data to third parties. We use the order processor Microsoft Operations Limited, based in Ireland, to carry out communication by e-mail. We have an order processing agreement with this company in accordance with Art. 28 GDPR, including standard contractual clauses for the transfer of data to third countries. If contact persons at our customers also receive the invoice internally, we process their e-mail address for the digital transmission of our invoice to them for the service contract. Our order processor Intuit Limited, based in the UK, is used for this purpose. You can find more information on the transfer of data to Intuit under II. 1. of this data protection information.

Personal data is stored for the purpose of carrying out business relationships for as long as there is a legitimate interest in doing so. It may be necessary to process the personal data provided by you beyond the actual performance of the contract with business partners. The legitimate interests here are in particular the selection of suitable business partners, the fulfilment of compliance measures, assertion of legal claims, defence against liability claims, prevention of criminal offences and the settlement of damages resulting from the business relationship.

4. Who receives the personal data you provide?

Within the framework of the contractual relationships, we may also commission processors or service providers who may have access to your personal data. Compliance with data protection regulations is contractually ensured.

5. Retention period

The personal data will be kept for as long as necessary to fulfil the above purposes.

6. Data processing to document compliance with the GDPR

Insofar as your data is processed on the basis of consent pursuant to Art. 6 (1) a) GDPR or Art. 9 (2) a) GDPR, we process your data exclusively for a specific purpose and after separate information in order to be able to prove, within the scope of the accountability incumbent upon us pursuant to Art. 5 (2) GDPR, that you have consented to the data processing in question.

Insofar as you assert data subject rights from the GDPR against us, we also process and store your data in order to be able to prove within the scope of accountability pursuant to Art. 5 (2) GDPR that we have complied with the GDPR when processing your request.

Operating social media presences

We maintain the following social media presences:


"LinkedIn" is operated by the European subsidiary LinkedIn Ireland Unlimited Company with its registered office in Ireland. The parent company LinkedIn Inc. is based in the USA.

Data processing by us:
a. Maintenance of the above-mentioned social media pages and placement of ads

The personal data entered on social media sites, such as comments, videos, pictures, likes, public messages, etc. are published by the respective social media platform. We reserve the right to delete content should this be necessary. If necessary, we share content on our site and contact you via the social media platform, for example via the messengers offered. In addition, we regularly place advertisements ("ads") via our social media pages. The legal basis for this data processing is the legitimate interest according to Art. 6 para. 1 lit. f) GDPR, which is in the interest of our public relations and communication.

b. Page Insights

The social media platforms provide anonymised statistics and insights that help us gain knowledge about the types of actions people take on our site (called "page insights"). These page insights are created based on certain information about people who have visited our site.

The legal basis for this data processing is our legitimate interest according to Art. 6 para. 1 lit. f) GDPR, which is based on obtaining information about the actions as well as visitors to our pages.

This processing of personal data is carried out by the social media platform and us as the so-called joint controller in accordance with Art. 26 GDPR. In the event of joint responsibility, a separate agreement must be concluded.


If you wish to object to certain data processing over which we have control (e.g. deletion of comments), please contact us using the contact details above.

Note: The provision of your data is neither legally nor contractually required or necessary for the conclusion of a contract. You are not obliged to provide your personal data. The consequence of not providing it is that you will not be able to communicate or interact with us via our social media pages or participate in the competition. To contact us, please use the above-mentioned e-mail address.

Data processing by the operator of the social media platform:

In addition to us, there is also the operator of the social media platforms themselves. From a data protection perspective, this operator is also considered to be another data controller who carries out his/her own data processing. This means that the operator is also a separate responsible entity according to the GDPR. However, we have only limited influence on the data processing by the operator. At the points where we can exert influence (e.g. through parameterisation), we work towards data protection-compliant handling by the operator of the social media platform within the scope of our possibilities. In many places, however, we cannot influence the data processing by the operator of the social media platform and also do not know exactly what data they process. The respective operator will inform you about the processing of personal data in its own data protection declaration:


In the context of platform use, your personal data is usually also processed by the respective platform operator on servers in third countries, in particular in the USA and the United Kingdom. Certain third countries are granted a so-called adequacy decision by the European Commission. This means that the legal situation for the protection of privacy in these countries is comparable to that in the EU or the EEA. You can find more information on the current countries with an adequacy decision here. In all other cases, we conclude so-called standard contractual clauses with the platform operators for the transfer of personal data to third countries.

Note: The operator of the social media platform uses web tracking methods. The web tracking can also take place regardless of whether you are logged in or registered with the social media platform. As already explained, we can hardly influence the web tracking methods of the social media platform. For example, we cannot switch this off. Please be aware of this: It cannot be ruled out that the provider of the social media platform uses your profile and behavioural data, for example, to evaluate your habits or personal relationships and preferences, etc. We have no influence on the processing of your data by the provider of the social media platform.

Data subjects' rights

Your rights as a data subject

According to Art. 15 Para. 1 GDPR, you have the right to receive information about the personal data stored about you free of charge upon request. Furthermore, if the legal requirements are met, you have the right to correction (Art. 16 GDPR), deletion (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR) of your personal data. If you have provided the processed data yourself, you have a right to data transfer according to Art. 20 GDPR.

If the data processing is based on Art. 6 (1) e) or f) GDPR, you have the right to object pursuant to Art. 21 GDPR. If you object to data processing, this will not take place in the future unless the controller can demonstrate compelling legitimate grounds for further processing that outweigh the interest of the data subject in objecting.

If the data processing is based on consent pursuant to Art. 6 (1) a), Art. 9 (2) a) or Art. 49 (1) a) GDPR, you may revoke your consent at any time with effect for the future without affecting the lawfulness of the previous processing.

You also have the right to lodge a complaint with a data protection supervisory authority. In particular, you can lodge a complaint with a supervisory authority in the EU Member State where you live, work or where the alleged infringement took place

Contact details for the competent data protection authority in Austria:

No automated decision making

We do not carry out automatic decision-making or profiling.


Unless otherwise stated in the previous chapters, the provision of personal data is neither legally nor contractually required or necessary for the conclusion of a contract. Failure to provide your personal data may mean that we are unable to respond to your enquiries, for example.

This data protection notice was created in cooperation with the consulting firm SCALELINE. The legal texts are subject to copyright.