With this privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the course of providing our services and in particular on our websites, in mobile applications, and within external online presences such as our social media profiles (hereinafter collectively referred to as "online services").

The terms used are not gender-specific.

Adrian Hufnagl

Bindergasse 11/30, 1090 Vienna, Austria

E-Mail: hello@cyberhoof.at

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

• Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject.
• Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests of the controller or a third party, unless such interests are overridden by the interests, fundamental rights and freedoms of the data subject which require the protection of personal data.

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

Measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to data as well as access, input, disclosure, availability assurance and segregation. We have also established procedures to ensure the exercise of data subject rights, deletion of data and responses to data compromise. Furthermore, we consider the protection of personal data already during development or selection of hardware, software and procedures in accordance with the principle of data protection through technology design and data protection-friendly default settings.

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosure or transfer of data to other persons, entities or companies (which can be identified by the postal address of the respective provider or if the privacy policy expressly refers to data transfers to third countries), this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission on July 10, 2023. In addition, we have concluded standard contractual clauses with the respective providers that comply with the requirements of the EU Commission and establish contractual obligations to protect your data.

This dual protection ensures comprehensive protection of your data: The DPF forms the primary level of protection, while the standard contractual clauses serve as additional security. Should changes occur within the DPF framework, the standard contractual clauses will take effect as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.

For individual service providers, we inform you whether they are certified under the DPF and whether standard contractual clauses exist. Further information on the DPF and a list of certified companies can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/.

For data transfers to other third countries, appropriate security measures apply, in particular standard contractual clauses, express consent or legally required transfers. Information on third country transfers and applicable adequacy decisions can be found in the information provided by the EU Commission.

We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are revoked or no further legal grounds for processing exist. This concerns cases in which the original processing purpose ceases to apply or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that specifically applies to certain processing processes.

Where multiple retention period or deletion period specifications apply to a datum, the longest period shall always apply. Data that is no longer stored for the originally intended purpose but due to legal requirements or other reasons will only be processed for the reasons that justify its retention.

As a data subject under the GDPR, you have various rights, which arise in particular from Art. 15 to 21 GDPR:

• Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw any consent given at any time.
• Right of access: You have the right to obtain confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.
• Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
• Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be erased without undue delay, or alternatively to request restriction of processing of the data in accordance with legal requirements.
• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
• Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or terminal device.

Cookies are functions that store information on end devices of users and read it from them. Cookies can also be used for various purposes, such as functionality, security and comfort of online services as well as for creating analyses of visitor flows. We use cookies in accordance with legal requirements. We obtain the prior consent of users where required. If consent is not necessary, we rely on our legitimate interests. This applies if storing and reading information is essential to provide explicitly requested content and functions. This includes, for example, storing settings and ensuring the functionality and security of our online services. Consent can be revoked at any time. We provide clear information about its scope and which cookies are used.

Information on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

When contacting us (e.g. by post, contact form, email, telephone or via social media) as well as within the framework of existing user and business relationships, the information of the inquiring persons is processed insofar as this is necessary to answer the contact inquiries and any requested measures.

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about us.

We point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce user rights.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on user behavior and resulting interests. These may in turn be used to place advertisements inside and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on users' computers, in which usage behavior and user interests are stored. Furthermore, data may also be stored in usage profiles regardless of the devices used by users (especially if they are members of the respective platforms and are logged in there).

For a detailed presentation of the respective forms of processing and the options to object (opt-out), we refer to the privacy statements and information provided by the operators of the respective networks.

Also in the case of requests for information and the assertion of data subject rights, we point out that these can be most effectively asserted with the providers. Only the latter have access to user data and can take appropriate measures and provide information directly. Should you nevertheless need help, you can contact us.

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as the changes in data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and please check the information before contacting us.

This section provides you with an overview of the terms used in this privacy policy. Where terms are legally defined, their legal definitions apply. The following explanations, on the other hand, are primarily intended to aid understanding.

• Content data: Content data includes information generated in the course of creating, editing and publishing content of all kinds. This category of data may include texts, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not limited to the actual content itself, but also includes metadata that provides information about the content itself, such as tags, descriptions, author information and publication dates.
• Contact data: Contact data is essential information that enables communication with persons or organizations. It includes telephone numbers, postal addresses and email addresses, as well as means of communication such as social media handles and instant messaging identifiers.
• Meta, communication and procedural data: Meta, communication and procedural data are categories that contain information about how data is processed, transmitted and managed. Meta data, also known as data about data, includes information that describes the context, origin and structure of other data. They can include information about file size, creation date, author of a document and change histories. Communication data captures the exchange of information between users via various channels, such as email traffic, call logs, messages on social networks and chat histories, including the persons involved, time stamps and transmission paths. Procedural data describes the processes and procedures within systems or organizations, including workflow documentation, logs of transactions and activities, and audit logs used to track and verify operations.
• Usage data: Usage data refers to information that captures how users interact with digital products, services or platforms. This data includes a wide range of information that shows how users use applications, which features they prefer, how long they stay on certain pages and what paths they navigate through an application. Usage data can also include frequency of use, time stamps of activities, IP addresses, device information and location data. They are particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content and improving products or services. In addition, usage data plays a crucial role in identifying trends, preferences and potential problem areas within digital offerings.
• Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Log data: Log data is information about events or activities that have been logged in a system or network. This data typically contains information such as time stamps, IP addresses, user actions, error messages and other details about the use or operation of a system. Log data is often used to analyze system problems, monitor security or create performance reports.
• Controller: "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, be it collection, evaluation, storage, transmission or deletion.