PRIVACY POLICY

Last updated: January 2026

§ 1 Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act 2018 (DSG) is:

sophne e.U.

Schumannstr. 128, 4030 Linz, Austria

§ 2 General information on data processing

2.1 sophne e.U. processes personal data exclusively in accordance with the GDPR, the DSG 2018 and other applicable data protection regulations.

2.2 Personal data is collected only insofar as this is necessary for the performance of a contract, for the implementation of pre-contractual measures, for compliance with legal obligations or on the basis of consent.

2.3 Data is not stored for longer than is necessary for the respective processing purpose or insofar as statutory retention obligations apply.

§ 3 Data collected and purposes of processing

3.1 In the course of initiating and processing contracts, sophne e.U. processes in particular the following categories of data: name and contact details (address, email, telephone), payment and billing data, project data and correspondence, technical access data (e.g. server access credentials, API keys), as well as VAT identification numbers and company register data for business customers.

3.2 This data is processed on the basis of Art. 6(1)(b) GDPR (performance of a contract and pre-contractual measures), Art. 6(1)(c) GDPR (legal obligations, e.g. tax-law retention obligations under the Austrian Federal Fiscal Code and Austrian Commercial Code) and Art. 6(1)(f) GDPR (legitimate interests, e.g. asserting legal claims).

3.3 When visiting the website sophne.com, technical access data (IP address, browser, operating system, referrer URL, time of access) is processed. This is done on the basis of Art. 6(1)(f) GDPR to ensure the proper operation of the website.

3.4 Contact requests by email or contact form are processed for the purpose of handling the request (Art. 6(1)(b) or Art. 6(1)(f) GDPR). The data is deleted after final processing unless a contractual relationship is established.

§ 4 Storage period

4.1 Contract data and accounting documents are retained for seven years from the end of the relevant financial year in accordance with tax-law retention periods (§ 132 Austrian Federal Fiscal Code).

4.2 Data processed solely for pre-contractual measures (e.g. offers without contract conclusion) is deleted after three years unless statutory retention obligations apply.

4.3 Technical website access data is generally deleted automatically after 30 days.

§ 5 Disclosure of data to third parties

5.1 Personal data is generally not disclosed to third parties unless this is necessary for contract performance, required by law or based on express consent.

5.2 In the course of providing services and operating its own digital infrastructure, sophne e.U. uses the following processors and third-party service providers, which process personal data exclusively in accordance with the respective data processing agreements and privacy policies:

Google LLC (USA) — Google Analytics (website analytics), Google Search Console (search performance monitoring); data transfer to the USA on the basis of standard contractual clauses pursuant to Art. 46 GDPR; privacy information: policies.google.com/privacy

Microsoft Corporation (USA) — Microsoft Clarity (user behavior analytics, session recordings), Microsoft 365 (email, document management, communication); data transfer to the USA on the basis of standard contractual clauses pursuant to Art. 46 GDPR and the EU-U.S. Data Privacy Framework; privacy information: privacy.microsoft.com

Additional processors used in individual customer projects (e.g. hosting providers, cloud services) are documented on a project-specific basis in the respective data processing agreement pursuant to Art. 28 GDPR. The customer may request information at any time about which data is disclosed to which processors.

5.3 Data is transferred to third countries outside the EEA only if an adequate level of data protection is ensured (e.g. standard contractual clauses pursuant to Art. 46 GDPR or an adequacy decision by the European Commission).

5.4 Data is disclosed to authorities or courts only on the basis of legal obligations.

§ 6 Processing on behalf of customers

6.1 Where sophne e.U. acts as a processor within the meaning of Art. 4(8) GDPR in the course of providing consulting, design or development services, sophne e.U. enters into a data processing agreement with the customer pursuant to Art. 28 GDPR.

6.2 In the context of commissioned processing, sophne e.U. processes the customer’s personal data exclusively in accordance with the customer’s documented instructions and implements the technical and organisational measures required under Art. 32 GDPR to protect the data.

6.3 sophne e.U. maintains, pursuant to Art. 30(2) GDPR, a record of all processing activities carried out in the context of commissioned processing for customers. This record includes, in particular, information on the categories of data processed, processing purposes, processors used and technical and organisational safeguards. The record is made available to the competent supervisory authority upon request.

§ 7 Rights of data subjects

Data subjects have the following rights vis-à-vis sophne e.U., which they may exercise at any time in writing or by email:

7.1 Right of access (Art. 15 GDPR): You have the right to obtain information about the data stored about you, as well as about the purpose, origin, recipients and storage period.

7.2 Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data or the completion of incomplete personal data.

7.3 Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data, provided that no statutory retention obligations prevent this.

7.4 Right to restriction of processing (Art. 18 GDPR): You have the right to request restriction of the processing of your data if accuracy is contested, processing is unlawful or you object to deletion.

7.5 Right to data portability (Art. 20 GDPR): You have the right to receive the data concerning you in a structured, commonly used and machine-readable format or to request its transfer to another controller.

7.6 Right to object (Art. 21 GDPR): You have the right to object at any time to the processing of your personal data based on a legitimate interest.

7.7 Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you have the right to withdraw that consent at any time with effect for the future.

7.8 Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with the Austrian Data Protection Authority (Barichgasse 40–42, 1030 Vienna; dsb@dsb.gv.at) if you believe that the processing of your data violates the GDPR.

To exercise your rights, please contact: office@sophne.com

§ 8 Data security

8.1 sophne e.U. implements appropriate technical and organisational measures pursuant to Art. 32 GDPR to protect processed data against unauthorised access, loss, destruction or manipulation. These measures include, in particular, encrypted data transmission (SSL/TLS), access controls and regular security reviews.

8.2 In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the affected persons will be informed without undue delay pursuant to Art. 34 GDPR.

§ 9 Cookies and website analytics

9.1 The website sophne.com may use technically necessary cookies required for website operation. These cookies do not require consent and are set on the basis of Art. 6(1)(f) GDPR.

9.2 Where analytics or tracking tools are used, this is done only after the user has given express consent (Art. 6(1)(a) GDPR). Visitors are informed before such technologies are used and may withdraw their consent at any time.

9.3 Where analytics services are used, they are configured in a data-protection-compliant manner (e.g. IP anonymisation, no cross-device tracking without consent).

§ 10 Links to external websites

10.1 The website may contain links to external third-party websites. sophne e.U. is not responsible for data protection on those websites. Users are advised to read the respective privacy policies of the linked websites.

§ 11 Changes to this Privacy Policy

11.1 sophne e.U. reserves the right to amend this Privacy Policy in the event of changes to the legal situation, processing activities or for other reasons. The current version is available at sophne.com.

11.2 Material changes will be communicated to existing customers in good time by email.

§ 12 Applicable law and supervisory authority

12.1 Austrian law applies, taking the GDPR into account. The competent supervisory authority is the Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna (dsb@dsb.gv.at; www.dsb.gv.at).

Created by sophne

©2026 sophne.com All rights reserved.