Data protection & IT security

Planfred conforms to the GDPR – your data belongs to you! Your data is safe with us.

We make sure of this with the highest security standards:

  • Planfred runs on Amazon AWS. The computing centres used are certified according to ISO 27001 and are located exclusively within the EU.

  • All data transfer takes place exclusively via encrypted connections.

  • We monitor our systems permanently and constantly update all components to ensure maximum security.

  • All data storage devices are designed to be redundant and synchronise in real time.

  • Complete backups of the database are created every 12 hours and stored encrypted.

  • File storage on the highly redundant Amazon AWS S3 storage service in the best-quality storage class All files are stored encrypted.

Agreement to order processing

Would you like to complete a contract with PLANFRED GmbH for order processing according to Art. 28 GDPR?

Please send an e-mail to privacy@planfred.com and we’ll send you the order processing contract as soon as possible. Return a copy of the completed contract to us by e-mail (privacy@planfred.com) or by mail to PLANFRED Gmbh, Billrothstrasse 29 / Top 6, 1190 Vienna, Austria.

Data protection declaration (information obligation declaration)

This data protection declaration explains the type, scope, and purpose of personal data processing to you (referred to briefly in the following as “data”) within our online services and the websites, functions, contents, and external online services connected with this, e.g. our social media profile (referred to in the following mutually as the “online services”). In regard to the terms that are used, e.g. “personal data” or its “processing”, we refer to the definitions in Art. 4 of the general data protection regulation (GDPR).

Contact person concerning data protection

Responsible within the context of the general data protection regulation and other national data protection laws of the member states and other legal data protection provisions is:

PLANFRED GmbH
Billrothstrasse 29
1190 Vienna, Austria

E-Mail: info@planfred.com
Telephone: +43 1 9974470-2

In case of questions or recommendations involving data protection, please contact:
DI Maximilian Schmid, MSc maximilian.schmid@planfred.com

Types of data to be processed

  • Master data (e.g., names, addresses).

  • Contact data (e.g. e-mail, telephone numbers).

  • Content data (e.g. text input, photographs, videos, documents, plans).

  • Contract data (e.g. contractual object, duration, customer category).

  • Payment data (e.g. bank connection, payment history).

  • Usage data (e.g. visited websites, interest in content, access times).

  • Meta/communication data (e.g. device information, IP addresses).

Processing special categories of data (Art. 9 Para. 1 GDPR):

  • Essentially, no special categories of data are processed, unless these are provided by the user for processing, e.g. entered into online forms.

Categories of persons affected by processing

  • Customers/interests/suppliers.

  • Visitors and users of the online services.

In the following, we also refer to affected persons collectively as “users”.

Purpose of processing

  • To provide the online services, their contents, and functions.

  • Provision of contractual services, support service, and customer care.

  • Responding to contact inquiries and communication with users.

1. Relevant legal basis

According to the scope of Art. 13 GDPR, we hereby indicate the legal basis of our data processing to you. If the legal basis is not indicated in the data protection declaration, the following shall apply: The legal basis for collection of consent is Art. 6 Para. 1 lit. a and Art. 7 GDPR; the legal basis for processing to fulfil our services and the execution of contractual measures and responding to inquiries is Art. 6 Para. 1 lit. b GDPR; the legal basis for processing to fulfil our legal obligations is Art. 6 Para. 1 lit. c GDPR, and the legal basis for processing to preserve our justified interests is Art. 6 Para. 1 lit. f GDPR. If case critical interests of the affected person or another natural person make personal data processing required, Art. 6 Para. 1 lit. d GDPR shall serve as the legal basis.

2. Changes and updates to the data protection declaration

We request that you inform yourself regularly about the contents of our data protection declaration. We adjust the data protection declaration as soon as the changes to the data processing completed by us make this necessary. We inform you as soon changes require cooperative action on your behalf (e.g. consent) or another individual notification is required.

3. Safety precautions

3.1. According to Art. 32 GDPR and according to the state of the art, implementation costs, and the type, scope, circumstances, and the purpose of processing and the different probability of occurrence and the severity of the risk to the rights and freedoms of natural persons, suitable technical and organisational measures required to ensure a level of protection suitable for the risk; in particular, these measures include ensuring confidentiality, integrity, and availability of data by inspecting physical access to the data, as well as access, input, forwarding, back up, availability, and separation affecting it. Furthermore, we have set up processes that ensure preservation of rights of affected persons, deletion of data, and reaction to danger to data. Furthermore, we already consider protection of personal data during the development, selection of hardware, software, and processes according to the principle of data protection through technical design and data protection-friendly settings (Art. 25 GDPR).

3.2. In particular, the safety measures include encrypted transfer of data between your browser and our server.

4. Cooperation with order processors and third parties

4.1. If we reveal data to other persons and companies over the course of our processing (order processors and third parties), transmit them to these parties, or otherwise grant them access to the data, this shall only take place on the basis of legal person (e.g. if transmission of data to third parties like payment service providers is required according to Art. 6 Para. 1 lit. b GDPR for contract fulfilment), if you have agreed to this, an obligation prescribes this, or on the basis of our justified interests (e.g. in case of use of auxiliary agents, web hosting services, etc.).

4.2. If we employ third parties to process data on the basis of a so-called “order processing contract”, this shall take place on the basis of Art. 28 GDPR.

5. Transmission to non-EU countries

If we process data in a non-EU country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or if this takes place within the scope of utilisation of services from third parties or in case of disclosure or transmission to third parties, this shall only take place to fulfil our (pre) contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our justified interests. Legal or contractual permissions reserved, we shall only process or have data processed in a non-EU country in case of presence of special requirements as per Art. 44 ff. GDPR. Therefore, processing shall take place on the basis of special guarantees, such as officially acknowledged specification of a data protection level corresponding with that of the EU (e.g. for the USA via the “Privacy Shield”) or observation of officially acknowledged special contractual obligations (so-called “standard contract provisions”).

6. Rights of affected persons

6.1. You have the right to demand confirmation about whether data affecting you are processed and to receive information about this data and additional information and a copy of the data according to Art. 15 GDPR.

6.2. According to Art. 16 GDPR, you have the right to demand the completion of data affecting you or correction of incorrect data affecting you.

6.3. According to Art. 17 GDPR, you have the right to demand data affecting you to be deleted immediately or, alternatively according to Art. 18 GDPR, to demand limitation of data processing.

6.4. You have the right to demand to receive data affecting you that you have already provided to us according to Art. 20 GDPR and to demand its transmission to another responsible person.

6.5. Furthermore, according to Art. 77 GDPR, your have the right to submit a complaint to the responsible supervisory authority.

7. Right of revocation

You have the right to revoke your consent according to Art. 7 Para. 3 GDPR effective for the future.

8. Right of objection

You may object to processing data affecting you at any time, according to Art. 21 GDPR. Objection against purposes involving direct marketing in particular is possible.

9. Cookies and right to object to direct advertising

We set temporary and permanent cookies, i.e. small files that are saved on the devices of users (for a declaration of the term and the function, please refer to the last section of this data protection declaration). Cookies are partially used for security or they are required for operation of our online service (e.g. to display the website) or to save the user’s decision when the cookie banner is displayed. In addition to this, we or our technology partners also place cookies for range measurement and marketing purposes, which the user is informed about over the course of the data protection declaration.

In particular, a general objection against the use of cookies for online marketing purposes in case of tracking is explained via the US American website https://www.aboutads.info/choices/ and the EU website https://www.youronlinechoices.com/ . Furthermore, storage of cookies by switching them off is possible in the browser settings. Please note that not all functions of this online service may be used in this case.

10. Deletion of data

10.1. The data processed by us are deleted or limited in terms of processing according to Art. 17 and 18 GDPR. Provided nothing else is indicated explicitly within the scope of this data protection declaration, data saved with us will be deleted as soon as they are no longer required for their intended purpose and no other legal obligations prevent deletion. Provided the data are not deleted because they are required for other purposes and legally permitted purposes, their processing shall be limited. In this case, the data are blocked and not processed for other purposes. For example, this applies to date that must be stored for commercial or legal tax reasons.

10.2. According to legal specifications, storage in particular takes place for 7 years according to Section 132 Para. 1 BAO (accounting documents, receipts/invoices, accounts, receipts, business papers, listing income and expenses, etc.), for 22 years in connection with real property and for 10 years for documents in connection with electronically provided services, telecommunications, radio and television services that are provided to non-entrepreneurs in EU member states and used for the Mini-One-Stop-Shop (MOSS).

11. Customer registration

11.1. We process master data (e.g. names and addresses and contact data for users), contract data (e.g. services that are used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services according to Art. 6 Para. 1 lit b. GDPR. The input indicated as required in the online forms are required for contract completion.

11.2. Users may optionally create a user account, where they may view their orders in particular. The required fields are indicated to the user within the scope of registration. The user accounts are not public and cannot be indexed by search engines. If the user has cancelled their user account, their data will be deleted with regard to the user account, unless their storage is necessary due to commercial or legal taxation reasons according to Art. 6 Para. 1 lit. c GDPR. It is the user’s responsibility to back up their data prior to the end of the contract following termination. We shall be entitled to delete all user data saved during the contractual period irrevocably.

11.3. Within the scope of registration, new long-ins, and use of our online services, we save the IP address and the time of the respective user action. Storage takes place on the basis of our justified interests, as well as protecting the user against abuse and other unauthorised use. This data is generally not forwarded to third parties, unless they are required for us to pursue our interests or if there is an applicable legal obligation in this case according to Art. 6 Para. 1 lit. c GDPR.

11.4. We process usage data (e.g. the websites of our online services that are visited, interest in our products) and content data (e.g. input in the contact form or user profile) for advertising purposes in a user profile to display product notifications to the user based the services they have used up until then.

11.5. Deletion takes place following expiry of legal guarantee and comparable obligations, and the requirement for storing data is checked every three years; in case of legal archiving obligations, deletion takes places following their expiry (end of of legal commercial (7 years) and legal taxation (10 years) storage requirement); specifications in the customer account remain until they are deleted.

12. Contact

12.1. In case contact with us is made (via the contact form or e-mail), the user’s information is processed to respond to the contact inquiry and its completion according to Art. 6 Para. 1 lit. b) GDPR.

12.2. The user’s information is able to be stored in our customer relationship management system ("CRM System") or a comparable inquiry organising system.

12.3. We use the CRM system “Pipedrive” from the provider Pipedrive OU (Paldiski mnt 80, Tallinn 10617, Estonia) on the basis of our justified interests (efficient and speedy processing of user inquiries). In this case, we have completed a contract with Pipedrive featuring standard contractual provisions that obligate Pipedrive to process user data according to our instructions only and to adhere to the data protection level in the EU. Pipedrive is also certified according to the Privacy Shield agreement and hereby offers an additional guarantee to adhere to European data protection laws.

12.4. We delete inquiries if they are no longer required. We check this requirement every two years; inquiries from customers that possess a customer account are saved permanently, and refer to the customer account information for deletion. In case of legal archiving obligations, deletion takes places following their expiry (end of of legal commercial (7 years) and legal taxation (10 years) storage requirement).

13. Collection of access data and log files

13.1. On the basis of our justified interests within the context of Art. 6 Para. 1 lit. f. GDPR, we collect data about access to the server, where our services are located (so-called server log files). The access data includes the name of the website, file, date and time access, data quantity transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.

13.2. Log file information is saved for safety reasons (e.g. to clarify abuse and fraud activities) for a duration of maximum 6 months and then deleted. Data that require additional storage for purposes of proof are excepted from deletion until final clarification of the respective incident.

14. Social media webpages

14.1. On the basis of our justified interests within the context of Art. 6 Para. 1 lit. f. GDPR, we operate webpages on social networks and platforms to be able to communicate there with active customers, interested parties, and to inform them about our services there. When respective networks and platforms are accessed, the terms of service and data processing guidelines of the respective operators apply.

14.2. If nothing else is specified within the scope of our data protection declaration, we shall process user data that the users submit to us via social networks and platforms, e.g. writing comments on our webpages or sending us messages.

15. Cookies & range measurement

15.1. Cookies include information that is transferred from our web server or third-party web servers to the user’s web browser, where they are stored for access later. Cookies may refer to small files or other types of information storage.

15.2. We use “session cookies” that are only stored for the duration of the current visit to our website (e.g. to store your login status or the shopping cart function, which essentially enable use of our online service). A session cookie features a randomly created identification number, a so-called ‘session ID’. A cookie also features information about its origin and the storage duration. These cookies may be stored in other data. Session cookies are deleted in you have ended use of our online service and log yourself out or close the browser.

15.3. The user is informed regarding use of cookies within the scope of pseudonymous range measurement and within the scope of this data protection declaration.

15.4. If the user would not like cookies to be saved on their computer, you are requested to deactivate this option in the system settings of your browser. Stored cookies can be deleted in the system settings for the browser. The exclusion of cookies may cause function limitations in the online service.

15.5. You may object to the use of cookies that are used for range measurement and advertising purposes via the deactivation page of the network advertising initiative ( https://optout.networkadvertising.org/ ) and additionally via the American website ( https://www.aboutads.info/choices ) or the European website ( https://www.youronlinechoices.com/uk/your-ad-choices/ ).

16. Google Analytics

16.1. Based on our justified interests (i.e. interest in the analysis, optimisation, and commercial operation of our online service within the context of Art. 6 Para. 1 lit. f. GDPR) we use Google Analytics, a web service provided by Google LLC (“Google”). Google uses cookies. The information created by the cookie concerning use of the online service by the user is normally transferred to a Google server in the USA and stored there.

16.2. Google is also certified according to the Privacy Shield agreement and hereby offers an additional guarantee to adhere to European data protection laws ( https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active ).

16.3. Google uses this information on our behalf to evaluate use of our online service by the user, to create reports regarding activities involving this online service, and to provide us additional services connected with the use of the online service and Internet usage. In this case, the processed data may be used to create pseudonym use profiles for the user.

16.4. We only use Google Analytics with active IP anonymisation. This means that the IP address of the user is abbreviated by Google within the member states of the European Union or in another contractual state of the agreement on the European Economic Area. The full IP address is only transmitted to a Google server in the USA and shortened there in exceptional cases.

16.5. The IP address provided by the user’s browser is not combined with other data from Google. Users may prevent storage of cookies with the corresponding setting in your browser software; users may also prevent collection of data by the cookie and related to your use of the online services by Google and processing of this data by Google by downloading and installing the browser plug-in available via the following link: https://tools.google.com/dlpage/gaoptout?hl=de .

16.6. Additional information about data use by Google, settings, and the possibility to object are provided on Google’s websites: https://www.google.com/intl/de/policies/privacy/partners  (“data use by Google through your use of websites or apps of our partners”), https://policies.google.com/technologies/ads (“data use for advertising purposes”), https://adssettings.google.com/authenticated (“manage information that Google use to display advertising to you”).

16.7. Furthermore, personal data is anonymised after expiry of 26 months or deleted

17. Google re/marketing services

17.1. Based on our justified interests (i.e. interest in the analysis, optimisation, and commercial operation of our online service within the context of Art. 6 Para. 1 lit. f. GDPR) we use the marketing and remarketing services (Google marketing services in brief), a web service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

17.2. Google is also certified according to the Privacy Shield agreement and hereby offers an additional guarantee to adhere to European data protection laws ( https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active ).

17.3. Google marketing services enable us to display advertisements more specifically for and on our website, and to present users only those advertisements that potentially correspond with their interests. When a user is displayed advertisements for products that they have shown interest in on other websites, this is referred to as “remarketing”. For this purpose, accessing our or another website that features active Google marketing services executes code directly via Google, and so-called (re)marketing tags (invisible graphics or code, also referred to “web beacons") that are embedded in the website. With their help, an individual cookie may be set on the user’s device, i.e. a small file is saved (instead of cookies, comparable technology may also be used). Cookies may be set by different von domains, including by google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. This file records which websites the user has visited, which contents they are interested in, and which services they clicked on, plus technical information about their browser and operating system, referring websites, visiting time, and other information about using the online service. The user’s IP address is also recorded, although within the scope of Google Analytics, we note that the IP address within member states of the European Union or in other contractual states of the agreement on the European Economic Area are abbreviated and only transmitted completely in to Google servers in the USA and shortened there in exceptional cases. The IP address will not be combined with the user’s data from other Google services. This information may also be combined with other information of this kind by Google from other sources. When the user visits other websites, advertisements matched according to their interests may also be displayed.

17.4. The user’s data are processed using a pseudonym within the scope of Google Marketing Services. For this reason, Google does store and process the name or email address of the user, for example, but rather processes the relevant data cookie-related within a pseudonymous user profile. For this reason, the advertisements are not managed and displayed for a specifically identified person from Google’s perspective, but rather for the cookie owner, independent of who the cookie owner is. This does not apply, if a user has explicitly allowed Google to process this data without pseudonymisation. Information about the user collected via Google Marketing Services are transmitted to Google and stored on Google’s servers in the USA.

17.5. The Google Marketing Services we use also include the online advertising program “Google AdWords”. In case of Google AdWords, every AdWords customer receives a different “conversion cookie”. Cookies are therefore not able to be followed via the websites of AdWords customers. The information collected with the help of the cookie is used to create conversion statistics for AdWords customers, who have decided to utilise conversion tracking. AdWords customers learn about the overall number of users, who have clicked their advertisement and were forwarded to a page featuring a conversion tracking tag. Nevertheless, they not no contain information that enables the user to be personally identified.

17.6. More information about data usage for marketing purposes by Google is available on the overview page: https://policies.google.com/technologies/ads , and Google’s data protection declaration is available at https://policies.google.com/privacy .

17.7. If you would like to object to advertising from Google Marketing Services, then you may use Google’s settings and opt-out options: https://adssettings.google.com/authenticated .

18. Web push notifications:

We provide news and updates on our sites via web push notifications.

To benefit from this free service, operated with our push provider WonderPush ( https://www.wonderpush.com/ ), you must first subscribe by clicking on an authorization request controlled by your browser and your device when you visit our website.

The navigation data that we could store and process in order to operate this service and send you relevant messages is anonymized and kept on WonderPush servers for a maximum of 90 days and never shared to third parties. We do not store any recognizable data, neither IP address about you or your device in connection with the push notification service.

You can stop receiving our web push notifications at any time by unsubscribing.

Here is how to manage your web push subscription and to delete associated data ( https://docs.wonderpush.com/docs/manage-your-data-and-unsubscribe-from-web-push-notifications )

Version: 8th July, 2022