Status: April 28, 2025

This privacy policy informs you in accordance with the General Data Protection Regulation (“GDPR”), the Austrian Telecommunications Act 2021 (“TKG 2021”), and all other applicable data protection regulations about which personal data we process, for what purposes this is done, and what rights you have. It applies to all presences of Latoo.labs GmbH under the domain latoo.at as well as the associated subdomains (collectively “Website”).

  1. Controller

Latoo.labs GmbH
FN 565855 s
Kraußstraße 16, 4020 Linz, Austria
Email: office@latoo.at
Website: https://www.latoo.at

  2. Data Protection Officer

Ing. Richard Söser
Kraußstraße 16, 4020 Linz, Austria
Email: datenschutz@latoo.at

  3. Definition of Terms

The terms used in this declaration (e.g., personal data, processing) correspond to the definitions in Art. 4 GDPR.

  4. Legal Bases for Processing (Art. 6 GDPR)

| Legal Basis | Typical Processing | Balancing of Interests (for lit. f) |
| --- | --- | --- |
| Consent (Art. 6(1)(a)) | Statistics, marketing & convenience cookies; Google Analytics 4 (GA4); Meta Pixel; Google Maps; Newsletter | |
| Contract / pre-contractual measures (lit. b) | Processing of contact requests, contract execution | |
| Legal obligation (lit. c) | Tax & commercial law retention obligations | |
| Legitimate interest (lit. f) | IT security (server logs, firewall), performance optimization (caching), legally compliant management of cookie consents | Our interest in security and functionality prevails, as only technically necessary data is processed for a short period (cf. § 7) and anonymization/pseudonymization occurs where possible. |

A detailed internal balancing of interests according to the guideline of the Data Protection Conference (DSK, DE) can be provided upon request.

  5. Categories of Processed Data

| Category | Examples |
| --- | --- |
| Access/usage data | IP address (shortened only in log files and GA4), date/time, requested URL, referrer URL, browser agent, operating system |
| Communication data | Name, email address, phone number, message content |
| Contract data | Order, payment, and invoice information |
| Newsletter data | Email address, opt-in timestamp, IP address |
| Analysis data | Page views, click behavior, source channels (GA4) |

  6. Purposes of Processing

  • Operation & security of the website (server logs, firewall, caching)
  • Optimization of user experience (performance caching, convenience cookies)
  • Reach, statistics & marketing analysis (GA4, Meta Pixel)
  • Communication & request processing (contact form, email)
  • Direct marketing (newsletter via rapidmail)
  • Fulfillment of legal obligations (retention, accountability)

  7. Automatic Data Collection When Visiting the Website

| Data Type | Purpose | Legal Basis | Recipients | Storage Duration & Justification |
| --- | --- | --- | --- | --- |
| Server log data | Ensuring server operation, attack detection | Legitimate interest | Mittwald CM Service GmbH & Co. KG (DE) | 14 days – required to analyze security-relevant incidents retrospectively and report to authorities if necessary |
| Server-side caching (Redis) | Performance optimization (anonymized) | Legitimate interest | | Temporary storage up to 7 days, then automatic overwriting |

  8. TLS Encryption & Technical Security Measures (Art. 32 GDPR)

We use TLS 1.3 (HTTPS) and implement the following TOMs, among others: firewall & IDS, regular patch management, access control (least privilege, MFA), encryption of data at rest (backups), and pseudonymization of test/development data.

  9. Cookies & Consent Management

We use the Borlabs cookie banner in opt-in mode. Necessary cookies are set immediately (legitimate interest). Statistics, marketing, and convenience cookies are set only after active consent. You can change your selection at any time via Cookie Settings.

  10. Analysis & Marketing Tools (Risk-Based Approach)

Note: We critically monitor the case law and statements of European supervisory authorities. Should GA4 or Meta Pixel be declared incompatible with EU law, we will immediately deactivate or replace these services.

10.1. Google Analytics 4 (with shortened IP only)

  • Provider: Google Ireland Ltd., Dublin / Google LLC, USA
  • Data Processing Agreement: Google Data Processing Terms + SCC
  • Transfer Guarantee: EU-US Data Privacy Framework (DPF) and SCC (fallback) incl. Transfer Impact Assessment (TIA) & server-side encryption
  • Legal Basis: Consent (opt-in)
  • Storage Duration: 14 months (property setting)
  • Opt-out: via Cookie Settings or browser add-on

10.2. Meta Pixel

  • Provider: Meta Platforms Ireland Ltd., Dublin / Meta Platforms Inc., USA
  • Joint Controllership: Joint Controller Addendum (Art. 26 GDPR) – full text available here
  • Risk Mitigation: Event deduplication, advanced matching deactivated, data filter for EU data
  • Legal Basis: Consent
  • Cookie Storage Duration: up to 90 days
  • Opt-out: Cookie Settings or FB settings

10.3. Google Maps (embedded)

Loaded only after your consent. Transfer guarantee as above.

  11. Contact (Art. 6(1)(b) GDPR)

| Data | Purpose | Storage Duration |
| --- | --- | --- |
| Name, email, phone, message | Answering your inquiry, quote preparation | 6 months after final processing |

  12. Newsletter (Art. 6(1)(a) GDPR)

  • Service Provider: rapidmail GmbH, Freiburg (DE) – data processing agreement
  • Double opt-in with logging
  • Revocation: at any time via unsubscribe link or email to datenschutz@latoo.at
  • Log Data: Retention up to 3 years to defend against legal claims (§ 24(4) UWG)

  13. Recipients & Data Processors (Art. 28 GDPR)

| Category | Recipient / Location | Legal Basis / Guarantee |
| --- | --- | --- |
| Hosting | Mittwald CM Service GmbH & Co. KG, DE | DPA |
| Newsletter | rapidmail GmbH, DE | DPA |
| Web Analytics | Google Ireland Ltd., IE / Google LLC, USA | DPA, SCC, DPF + TIA |
| Marketing | Meta Platforms Ireland Ltd., IE / Meta Platforms Inc., USA | Joint Controller, SCC, DPF + TIA |

A detailed list is available upon request.

  14. Data Transfers to Third Countries

We base data transfers to the USA primarily on Standard Contractual Clauses (SCC) together with TIA and additional technical measures (e.g., end-to-end encryption). Our service providers’ participation in the EU-US Data Privacy Framework serves only as an additional guarantee. Should SCC or DPF not withstand judicial concerns, we will suspend the transfer or choose EU-based alternatives.

  15. Storage Periods

| Data Category | Duration | Deletion Concept |
| --- | --- | --- |
| Server log files | 14 days | Automatic rotation / overwriting |
| Contact requests | 6 months | Manual deletion by support |
| Newsletter recipients | Until revocation + 3 years (log) | Automated flagging + cron deletion |
| Contract & invoice data | 7 years (§ 132 BAO) | Archiving, then deletion |
| Application documents | 6 months or 3 years with evidence | GDPR-compliant HR deletion routine |

  16. No Automated Decision-Making / Profiling (Art. 22 GDPR)

We do not use automated decision-making processes that have legal effect or similarly significant impacts on you. Any reach-related statistics segments (e.g., in GA4) are used exclusively for anonymous performance measurement and have no individual effect.

  17. Your Rights (Art. 15 – 22 GDPR)

You have the right at any time to access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent. Contact: datenschutz@latoo.at. In case of doubt about your identity, we may request additional information. Right to lodge a complaint: Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at.

  18. Obligation to Provide Personal Data

The provision of personal data is generally voluntary. However, without certain information (e.g., contact or contract data), we cannot provide the respective services.

  19. Data Protection for Minors

Our online offering is not directed at persons under 14 years of age. Should we become aware of personal data of minors, we will delete it immediately.

  20. External Links

This website may contain links to external sites. The respective operator is responsible for their content and data protection practices.

  21. Changes to This Privacy Policy

We reserve the right to adapt this declaration to accommodate changed legal situations, technical developments, or new services. The version published here at the time of your next visit applies.

© 2025 Latoo.labs GmbH – All rights reserved.