Privacy Policy – Swat.io

Privacy Policy for Customers of Swat.io

Privacy Policy

In this privacy policy we would like to inform you about the processing of personal data of clients of our Social Media Management Software (hereinafter the “Platform”).

Controller and Contact

Data processing activity’s controller is

Swat.io GmbH

Schönbrunner Straße 213-215/3.OG

1120 Vienna

Austria

FN 348798p, Commercial Court Vienna (Handelsgericht Wien)

Our designated data protection officer is Gerald Goldgruber, MA.

For questions and concerns regarding privacy, please contact us at privacy@swat.io.

Purposes and legal basis for data processing

We process your personal data

in order to take steps at your request prior to entering into a contract (Art 6 para 1 (b) GDPR), namely
- - if you contact us in order to initiate a contractual relationship (e.g. preparation of an offer).

in order to perform a contract (Art 6 para 1 (b) GDPR), namely of the user agreement concluded between you and us. This includes
- - the operation and provision of our Platform;
  - the provision of service and support services in connection with our Platform; as well as
  - proper billing and invoicing.

in order to comply with legal obligations to which we are subject to (Art 6 para 1 (c) GDPR), namely
- - keeping proper accounting records;
  - the fulfillment of legal retention obligations (e.g. for accounting reasons); as well as
  - the fulfillment of official and/or judicial requests (z.B. surrender of data to law enforcement agencies).

based on our legitimate interests (Art 6 para 1 (f) GDPR), namely
- - prevention, detection and defense of abusive use of our Platform;
  - detection and fixing of software bugs on our Platform;
  - collecting and processing client feedback;
  - cross-team collaboration of the controller’s employees;
  - development, design and improvement of our products; and
  - analysis of user behavior as well as improvement of our offers on our Platform.

Recipients of personal data

In order to fulfill these above listed purposes, it may be necessary to disclose your personal data to following third parties:

Recipient	Purpose	Legal basis for transfer	Location of data processing	Legal basis for transfer to a third country
Amazon Web Services EMEA SARL	Hosting of our IT-systems	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	EU (Luxembourg)	No transfer to third countries
tecRacer GmbH & Co. KG,	Hosting of Managed Servcies (Hosting management of Amazon Web Services)	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	EU (Germany)	No transfer to third countries
Aircall SAS	Communication via telephone for internal collaboration	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	EU (France)	No transfer to third countries
Aircall SAS	Communication via telephone with our clients	Steps at your request prior to entering into a contract (Art 6 para 1 (b) GDPR)	EU (France)	No transfer to third countries
SatisMeter s.r.o.	Collecting and managing client feedback	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	EU (Czech Republic)	No transfer to third countries
stereosense GmbH (“involve.me”)	Colleting and managing of client surveys for quality improvement	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	EU (Austria)	No transfer to third countries
Mag. Alexandra Ludvik	Tax consulting services	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional consulting services in connection with tax and fiscal issues	EU (Austria)	No transfer to third countries
KWR Karasek Wietrzyk Rechtsanwälte GmbH	Attorneys at law	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional consulting services in connection with legal issues	EU (Austria)	No transfer to third countries
TwentyThree ApS	Tool for conducting Live Webinars	Steps at your request prior to entering into a contract (Art 6 para 1 (b) GDPR)	EU (Denmark)	No transfer to third countries
Dreamdata.io ApS	Tool for Optimization of Marketing and Sales performance	Legitimate interests (Art 6 para 1 lit f GDPR): use of professional IT-infrastructure	EU (Denmark)	No transfer to third countries
Sentry.io	Error analysis for troubleshooting and improvement of service quality	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	USA (Location of data storage: EU)	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
Google Cloud EMEA Limited	Office-Tools, Tools for collaboration („Collaboration Tools“) and use of an e-Mail platform	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	USA (Location of data storage: EU)	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
HubSpot, Inc.	Organization, Management, Design and Administration of Marketing activities	Steps at your request prior to entering into a contract (Art 6 para 1 (b) GDPR)	USA	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
HubSpot, Inc.		Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	USA
CHARGEBEE INC.	Accounting, receivables management and billing	To perform a contract (Art 6 para 1 (b) GDPR) for proper billing and invoicing	USA (location of data storage EU [Germany])	Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
Active Campaign LLC (formerly Wildbit LLC)	Automatic invoicing	Overriding legitimate interests (Art 6 para 1 lit f GDPR): Use of professional IT infrastructure	USA	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard contractual clauses (Art. 46 para. 2 lit c GDPR) including supplementary measures
ProductBoard, Inc.	Organization of product development and product design	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	USA	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
Intercom R&D Unlimited Company	Communication with our clients	To perform a contract (Art 6 para 1 (b) GDPR) for the provision of service and support services in connection with our Platform	USA (registered office in EU [Ireland])	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
Intercom R&D Unlimited Company	Communication for internal collaboration	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	USA (registered office in EU [Ireland])
G2.com Inc.	Review and Rating of Software Platforms	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	USA	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
BUILDSCALE INC. OPERATING (Vidyard)	Providing Training videos	Steps at your request prior to entering into a contract (Art 6 para 1 (b) GDPR)	USA (registered office in Canada)	Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
Stripe Payments Europe Ltd.	Online Payment Provider	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	USA (registered office in EU [Ireland])	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
PayPal (Europe) S.à r.l. et Cie, S.C.A	Online Payment Provider	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	USA (registered office in EU [Luxembourg])	Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
Arcade Software, Inc.	Offering interactive Demos of our software on our website and in the product	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): use of professional IT-infrastructure	USA	Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures

In the event of a legal obligation, we transmit personal data to public bodies and institutions (e.g. law enforcement agencies, courts).

We have proper security procedures are in place to protect the confidentiality of your data.
Further details can be found in our Technical organizational measures which can be requested via privacy@swat.io

Google Drive Integration:

For users of our Google Drive Integration in Swat.io: Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models.

The data which is collected for the usage of Google Drive integration is about what you have provided in your upload which is limited in the format of Media data only.

We may access on behalf of our customers, the following categories of personal data when they use Google Drive Integration:

Individual Photos / Videos users actively selects to send to Swat.io

YouTube API Services:

Please note if you connect a Youtube Channel we use YouTube API Services. YouTube API Services (i.e. data from YouTube).

For the usage of the YouTube API Services the terms of service and privacy policy are listed below:
https://www.youtube.com/static?template=terms
http://www.google.com/policies/privacy

We may access on behalf of our customers the following categories of personal data when you use YouTube API Services:
Your own channel data, analytics to your channel’s performance, your own videos including their metadata/KPIs, comments (user profiles and messages) to videos you created

In addition to Swat.io GmbH normal procedure for deleting stored data, you can revoke Swat.io GmbH access to your data via the Google security settings page at https://security.google.com/settings/security/permissions

Facebook API Services:

To use Facebook API services, you can find the terms of service and privacy policy at the following links:
https://www.facebook.com/terms.php
https://www.facebook.com/privacy/policy/

Facebook Community Guidelines:
https://www.facebook.com/communitystandards

Facebook Advertising Policies:
https://www.facebook.com/policies/ads

When you use Facebook API services, we may access the following categories of personal data on behalf of our clients:
Channel data, performance analytics, posts (including their metadata/KPIs), comments (user profiles, messages, media attachments) on posts you have created or been mentioned in, and private messages related to your account.

In addition to Swat.io GmbH’s regular data deletion process, you can revoke Swat.io GmbH's access to your data at https://www.facebook.com/settings/?tab=applications

Instagram API Services:

To use Instagram API services, you can find the terms of service and privacy policy at the following links:

https://instagram.com/legal/terms
https://privacycenter.instagram.com/policy

When you use Instagram API services, we may access the following categories of personal data on behalf of our clients:
Channel data, performance analytics, posts (including their metadata/KPIs), comments (user profiles, messages, media attachments) on posts you have created or been mentioned in, and private messages related to your account.

In addition to Swat.io GmbH’s regular data deletion process, you can revoke Swat.io GmbH's access to your data at https://www.facebook.com/settings/?tab=applications

X API Services:

To use X API services, you can find the terms of service and privacy policy at the following links:
https://x.com/en/tos
https://x.com/en/privacy

When you use X API services, we may access the following categories of personal data on behalf of our clients:
Your own channel data, performance analytics, posts (including their metadata/KPIs), comments (user profiles, messages, media attachments) on posts you have created or been mentioned in, and private messages related to your account.

In addition to Swat.io GmbH’s regular data deletion process, you can revoke Swat.io GmbH's access to your data at https://x.com/settings/connected_apps

LinkedIn API Services:

To use LinkedIn API services, you can find the terms of service, privacy policy, and user agreement at the following links:
https://www.linkedin.com/legal/l/service-terms?
https://www.linkedin.com/legal/privacy-policy
User Agreement:
https://www.linkedin.com/legal/user-agreement

When you use LinkedIn API services, we may access the following categories of personal data on behalf of our clients:
Your own channel data, performance analytics, posts (including their metadata/KPIs), comments (user profiles, messages, media attachments) on posts you have created or in threads where you are mentioned.

In addition to Swat.io GmbH’s regular data deletion process, you can revoke Swat.io GmbH's access to your data at https://www.linkedin.com/mypreferences/d/data-sharing-for-permitted-services

Pinterest API Services:

To use Pinterest API services, you can find the terms of service, privacy policy, and community guidelines at the following links:
https://policy.pinterest.com/en/terms-of-service
https://policy.pinterest.com/en/privacy-policy
Community guidelines:
https://policy.pinterest.com/en/community-guidelines

When you use Pinterest API services, we may access the following categories of personal data on behalf of our clients:
Your own channel data, performance analytics, and your own Pins, including their metadata/KPIs.

In addition to Swat.io GmbH’s regular data deletion process, you can revoke Swat.io GmbH's access to your data at https://at.pinterest.com/settings/security

TikTok API Services:

To use TikTok API services, you can find the terms of service and privacy policy at the following links:
https://www.tiktok.com/legal/page/eea/terms-of-service/en
https://www.tiktok.com/legal/page/eea/privacy-policy/en

When you use TikTok API services, we may access the following categories of personal data on behalf of our clients:
Your own channel data, performance analytics, own videos (including their metadata/KPIs), and comments (user profiles and messages) on videos you have created.

In addition to Swat.io GmbH’s regular data deletion process, you can revoke Swat.io GmbH's access to your data at https://myaccount.google.com/connections

WhatsApp API Services:

To use WhatsApp API services, you can find the terms of service and privacy policy at the following links:
https://www.whatsapp.com/legal/business-terms
https://www.whatsapp.com/legal/privacy-policy
https://app.messengerpeople.dev/settings/oauth-apps/

When you use WhatsApp API services, we may access the following categories of personal data on behalf of our clients:
Your own channel data, performance analytics, private messages (user profiles, messages, media attachments.

In addition to Swat.io GmbH’s regular data deletion process, you can revoke Swat.io GmbH's access to your data at https://app.messengerpeople.dev/settings/oauth-apps/

Google My Business API Services:

To use Google My Business API services, you can find the terms of service and privacy policy at the following links:
https://support.google.com/business/answer/7667250?hl=en
https://policies.google.com/privacy

When you use Google My Business API services, we may access the following categories of personal data on behalf of our clients:
Your own channel data and reviews (user profiles and messages) about your business.

In addition to Swat.io GmbH’s regular data deletion process, you can revoke Swat.io GmbH's access to your data at https://security.google.com/settings/security/permissions

Threads API Services:

To use Threads API services, you can find the terms of service and privacy policy at the following links:
https://help.instagram.com/769983657850450
https://help.instagram.com/515230437301944

When you use Threads API services, we may access the following categories of personal data on behalf of our clients:
Your own channel data, performance analytics, posts (including their metadata/KPIs), comments (user profiles, messages, media attachments) on posts you have created.

In addition to Swat.io GmbH’s regular data deletion process, you can revoke Swat.io GmbH's access to your data at https://www.facebook.com/settings/?tab=applications

Bluesky API Services:

To use Bluesky API services, you can find the terms of service, privacy policy, and community guidelines at the following links:
https://bsky.social/about/support/tos
https://bsky.social/about/support/privacy-policy
Community Guidelines:
https://bsky.social/about/support/community-guidelines

When you use Bluesky API services, we may access the following categories of personal data on behalf of our clients:
Your own channel data, performance analytics, posts (including their metadata/KPIs), comments (user profiles, messages, media attachments) on posts you have created or threads in which you are mentioned.

In addition to Swat.io GmbH’s regular data deletion process, you can revoke Swat.io GmbH's access to your data at https://bsky.app/settings/app-passwords

Processing period

We store and process your personal data only as long as this is necessary for the fulfillment of the respective processing purpose. We process the personal data necessary for the performance of the contract in any case for the duration of the business relationship and beyond in accordance with the statutory retention and documentation obligations. These are seven years for business correspondence and other business letters (§ 212 UGB). In individual cases, for example in the case of pending official or court proceedings, this storage period may also be longer than seven years, provided that this is of significance for the responsible party as an entrepreneur (§ 212 (1) last sentence UGB). In the event of foreseeable legal disputes, your personal data may also be stored for longer, in any case until the expiry of the relevant limitation periods for legal claims.

Rights of the data subject

As a data subject, you have the rights described below. If we have reasonable doubt about the identity of your person in the context of exercising one of the data subject rights, we may request additional information from you that is necessary to confirm the identity of your person.

For those rights that are asserted by means of a request, the time limit to comply with these requests is one month by law.

Right of access – Art 15 GDPR

You have the right to obtain information about the personal data we process concerning you at any time. The right to obtain information also includes the right to receive a copy of the data, provided that this does not affect the rights and freedoms of other persons. For the creation of such a data copy, we may charge you a reasonable fee based on the administrative costs.

Right to rectification – Art 16 GDPR

You have the right to obtain the rectification of inaccurate personal data concerning yourself and to have incomplete personal data completed.

Right to erasure – Art 17 GDPR

You have the right to obtain the erasure of personal data concerning you. However, this right to erasure does not apply to the extent that processing is necessary

for exercising the right of freedom of expression and information; or
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
for reasons of public interest in the area of public health; or
for archiving purposes in public interest, scientific or historical research purposes, or statistical purposes, where erasure is likely to make impossible, or at least seriously impair, the achievement of the purposes underlying the processing; or
for the establishment, exercise or defense of legal claims.

Right to restriction of processing – Art 18 GDPR

You have the right to obtain the restriction of processing where at least one of the following applies:

the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data; or
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;
you have objected to processing pursuant to Art 21 para pending the verification whether the legitimate grounds of the controller override yours.

If you have exercised your right to restriction of processing, we may process this personal data - with the exception of the storage of such data - only with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.

Right to object – Art 21 GDPR

You have the right to object to processing that is carried out on the basis of an overriding legitimate interest on our part or on the part of a third party (pursuant to Art 6 para 1 (f) GDPR). In the event of an objection, we will no longer process your data unless the processing serves the establishment, exercise or defense of legal claims or we demonstrate compelling legitimate grounds for the processing that override your interests.

An objection to the processing of personal data for direct marketing purposes is possible at any time and will result in us no longer being allowed to process your data for this purpose in any case.

Right to data portability – Art 20 GDPR

In principle, you also have the right to receive the data a structured, common and machine-readable format and to transfer this data to another controller. However, the right to data portability only exists if the processing is based on your consent or on a contract and the processing is carried out with the help of automated processes.

Right to lodge a complaint with a supervisory authority – Art 77 GDPR

If you believe that the processing of your data is unlawful and in breach of the GDPR, you have the right to lodge a complaint with the competent data protection authority. The jurisdiction depends on your place of residence or place of work.

You can reach the Austrian supervisory authority:

Österreichische Datenschutzbehörde

Barichgasse 40-42

1030 Vienna, Austria

dsb@dsb.gv.at

Privacy Policy for Website Users

Privacy policy

In this privacy policy, we inform you about our data processing activities in connection with our website www.swat.io as well as the contact options offered on this website (point 2) and about our data processing activities in connection with submitting an application to us (point 3).

Controller and contact possibility

Controller of the data processing activities is

Swat.io GmbH

Schönbrunner Straße 213-215/3^rd floor

1120 Vienna

FN 348798p, Commercial Court Vienna

Our data protection officer is Gerald Goldgruber, MA.

For questions and concerns regarding data protection you can reach us at privacy@swat.io.

Users of our website

Processing purposes and legal bases

We process your personal data

Based on your consent (§ 165 para 3 TKG 2021 and Art 6 para 1 lit a DSGVO)
- - for the analysis of user behavior and the improvement of our offers (for the use of cookies, see point 2.d)
  - for the (re-)identification of users for the purpose of playing out personalized advertising (for the use of cookies, see point 2.d)

in order to take steps at your request prior to entering into a contract (Art 6 para 1 lit b DSGVO).
- - if you contact us via our contact forms, our chat system, by e-mail or by telephone in order to obtain information about our products
on the basis of legitimate interests (Art 6 para 1 lit f DSGVO), namely
- - for the prevention of and defense against attacks on the technical infrastructure of our website;
  - for the prevention, detection and prevention of the misuse of our website;
  - for communicating with you via our contact form, provided that the communication does not serve the purpose of carrying out pre-contractual measures;

Recipient

In order to achieve these intended purposes, it may be necessary to disclose your personal data to third parties:

Recipient	Purpose	Legal basis for the transfer	Location / place of data processing	Basis for transfer to a third country
Amazon Web Services EMEA SARL	Website hosting	Overriding legitimate interests (Art 6 para 1 lit f GDPR): Use of professional IT infrastructure	EU (Germany)	No third country transfer
Hotjar Ltd	Analysis of user behavior on our website as well as offering a possibility for feedback by users	Consent (§ 165 para 3 TKG 2021, and Art 6 para 1 lit a GDPR): Analysis of user behavior to improve our website	EU (Malta)	No third country transfer Explicit consent in the cookie banner (Art. 49 para 1 lit a GDPR)
Facebook Ireland Limited	(Re-)identification of users for the purpose of displaying personalized advertisements	Consent (§ 165 para 3 TKG 2021, and Art 6 para 1 lit a GDPR): Analysis of user behavior to improve our website	EU (Ireland) and transfer to group companies (USA)	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard contractual clauses (Art. 46 para. 2 lit c GDPR) including supplementary measures as well as explicit consent in the cookie banner (Art. 49 para. 1 lit a GDPR)
LinkedIn Ireland Unlimited	Display of profile content on the website for advertising purposes, identification of users for the purpose of personalized advertising	Consent (§ 165 para 3 TKG 2021, and Art 6 para 1 lit a GDPR): Analysis of user behavior to improve our website	EU (Ireland) and transfer to group companies (USA)	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard contractual clauses (Art 46 para 2 lit c GDPR) including supplementary measures as well as explicit consent in the cookie banner (Art 49 para 1 lit a GDPR)
Twitter International Company	Display of profile content on the website for advertising purposes, identification of users for the purpose of personalized advertising	Consent (§ 165 para 3 TKG 2021, and Art 6 para 1 lit a GDPR): Analysis of user behavior to improve our website	USA	Standard contractual clauses (Art 46 para 2 lit c GDPR) including supplementary measures as well as explicit consent in the cookie banner (Art 49 para 1 lit a GDPR)
Pinterest Europe Ltd.	Display of content on the website for advertising purposes, identification of users for the purpose of displaying personalized advertisements	Consent (§ 165 para 3 TKG 2021, Art 6 para 1 lit a GDPR): Analysis of user behavior to improve our website	EU (Ireland) and transfer to group companies (USA)	Standard contractual clauses (Art 46 para 2 lit c GDPR) including supplementary measures as well as explicit consent in the cookie banner (Art 49 para 1 lit a GDPR)
Microsoft Ireland Operations Limited	Identification of users for the purpose of displaying personalized advertising	Consent (§ 165 para 3 TKG 2021, Art 6 para 1 lit a GDPR): Analysis of user behavior to improve our website	EU (Ireland) and transfer to group companies (USA)	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard contractual clauses (Art 46 para 2 lit c GDPR) including supplementary measures as well as explicit consent in the cookie banner (Art 49 para 1 lit a GDPR)
TwentyThree ApS	Tool for conducting Live Webinars	Legitimate interests (Art 6 para 1 lit f GDPR): use of professional IT-infrastructure	EU (Denmark)	No transfer to third countries
Varify GmbH	A/B testing of landing pages and landing page elements for user-oriented optimization of the website	Legitimate interests (Art 6 para 1 lit f GDPR): use of professional IT-infrastructure	EU (Germany)	No transfer to third countries
Dreamdata.io ApS	Tool for Optimization of Marketing and Sales performance	Legitimate interests (Art 6 para 1 lit f GDPR): use of professional IT-infrastructure	EU (Denmark)	No transfer to third countries
Cheq AI Technologies LTD	Prevention and defense against attacks on the technical infrastructure of our website; prevention, detection and prevention of misuse of our website	Overriding legitimate interests (Art 6 para 1 lit f GDPR): Use of professional IT infrastructure	Israel	Adequacy decision of 01/31/2011 (2011/61/EU)
HubSpot, Inc	(Re-)identification of users for the purpose of displaying personalized advertisements	Overriding legitimate interests (Art 6 para 1 lit f GDPR): Use of professional IT infrastructure	USA	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard contractual clauses (Art 46 para 2 lit c GDPR) including supplementary measures as well as explicit consent in the cookie banner (Art 49 para 1 lit a GDPR)
Intercom Inc	Internal communication	Overriding legitimate interests (Art 6 para 1 lit f GDPR): Use of professional IT infrastructure	USA	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard contractual clauses (Art. 46 para. 2 lit c GDPR) including supplementary measures
G2.com Inc.	Review and Rating of Software Platforms	Prevailing legitimate interests (Art 6 para 1 lit f GDPR): use of professional IT-infrastructure	USA	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures
Google LLC	Analysis of user behavior on our website	Consent (§ 165 para 3 TKG 2021, and Art 6 para 1 lit a GDPR): Analysis of user behavior to improve our website	USA	Adequacy decision from 10^th of July 2023 including DPF-certification. Further apply the current Standard contractual clauses (Art 46 para 2 lit c GDPR) including supplementary measures as well as explicit consent in the cookie banner (Art 49 para 1 lit a GDPR)
Arcade Software, Inc.	Offering interactive Demos of our software on our website and in the product	Prevailing legitimate interests (Art 6 para 1 (f) GDPR): Use of professional IT-infrastructure	USA	Standard data protection clauses (Art 46 para 2 (c) GDPR) together with supplementary measures

In case of a legal obligation, we transmit personal data to public authorities and institutions (e.g., law enforcement agencies, courts).

Processing period

We store and process your personal data as long as this is necessary for the fulfillment of the purpose of processing.

Personal data in connection with the use of the contact form will be stored for a period of seven years for reasons of corporate law (212 of the Austrian Commercial Code). In individual cases, for example in the case of pending official or court proceedings, this storage period may also be longer than seven years. In the event of foreseeable legal disputes, your personal data may also be stored for longer, in any case until the expiry of the relevant limitation periods for legal claims.

Cookies

When using our website, we set cookies to temporarily store certain information. Some cookies are (technically) necessary for the operation of our website and are set in any case. Other cookies are not absolutely necessary for the operation of the website, but serve, for example, to increase user-friendliness or to analyze user behavior.

Details about the individual cookies can be found via the link "Individual cookie settings" in our cookie banner.

Application at Swat.io

Processing purposes and legal bases

We process your personal data

in order to take steps at your request prior to entering into a service contract (Art 6 para 1 lit b GDPR)
on the basis of legitimate interests (Art 6 para 1 lit f GDPR), namely
- - the exercise of and defense against legal claims (in particular with regard to the Equal Treatment Act)
on the basis of your consent (Art 6 para 1 lit a GDPR) to keep records of your application documents

Recipient

In order to achieve these intended purposes, it may be necessary to disclose your personal data to third parties:

Recipient	Purpose	Legal basis for the transfer	Location / place of data processing	Basis for transfer to a third country
Personio SE & Co. KG	Use of the applicant Management Software in connection with the implementation of the application process	Overriding legitimate interests (Art. 6 para.1 lit f GDPR): initiation of a contractual relationship, use of professional IT infrastructure	EU (Germany)	No third country transfer
Amazon Web Services EMEA SARL	Hosting of the applicant management system	Overriding legitimate interests (Art 6 para 1 lit f GDPR): Use of professional IT infrastructure	EU (Germany)	No third country transfer

In the event of a legal obligation, we transmit personal data to public bodies and institutions (e.g., law enforcement agencies, courts).

Processing period

In the event that your application is rejected, we will store your application documents for a period of seven months from the date of notification of rejection (§§ 15 para 1, 29 para 1 Austrian Equal Treatment Act (Gleichbehandlungsgesetz) plus one month).

If you give us consent to keep a record of your application documents, we will store them for the processing period covered by the consent or at the latest until you revoke your consent.

Rights of data subjects

As a data subject, you are entitled to the rights described below. If we have reasonable doubt about the identity of your person in the context of exercising one of the data subject rights, we may request additional information from you that is necessary to confirm the identity of your person.

For those rights that are asserted by means of a request, we have one month to comply with it.

Right to information according to Art. 15 GDPR

You have the right to request information about the personal data we process concerning you at any time. The right to information also includes the right to receive a copy of the data, provided that this does not affect the rights and freedoms of other persons. For the creation of such a data copy, we may charge you a reasonable fee based on the administrative costs.

Right to rectification according to Art. 16 GDPR

You have the right to request that inaccurate data concerning you be corrected or completed.

Right to deletion according to Art. 17 GDPR

In principle, you have the right to request the deletion of data concerning you. However, this right of deletion does not exist if the processing is necessary

for the right to freedom of expression and information; or
for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
for reasons of public interest in the field of public health; or
for archiving, scientific or historical research purposes in the public interest, or for statistical purposes, where erasure is likely to make impossible, or at least seriously jeopardize, the achievement of the purposes underlying the processing; or
for the assertion, exercise or defense of legal claims.

Right to restriction of processing according to Art. 18 GDPR

You have the right to request the restriction of processing, provided that at least one of the following conditions is met:

the accuracy of the personal data is contested by you for a period enabling the controller to verify the accuracy of the personal data; or
the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data; or
the controller no longer needs the personal data for the purposes of the processing, but you need it for the assertion, exercise or defense of legal claims; or
after having filed an objection pursuant to Art 21 (1) GDPR, as long as it has not yet been determined whether the legitimate grounds of the controller outweigh your interests.

If you have exercised your right to restrict processing, we may process this personal data - with the exception of the storage of such data - only with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.

Right of objection according to Art. 21 GDPR

You have the right to object to processing that is carried out on the basis of an overriding legitimate interest on our part or on the part of a third party (pursuant to Art. 6 para. 1 lit f GDPR). In the event of an objection, we will no longer process your data unless the processing serves the assertion, exercise or defense of legal claims or we demonstrate compelling legitimate grounds for the processing that override your interests.

An objection to the processing of personal data for direct marketing purposes is possible at any time and will result in us no longer being allowed to process your data for this purpose in any case.

Right to data portability according to Art. 20 GDPR

In principle, you also have the right to receive the transfer of the data you have provided in a structured, common and machine-readable format and to transfer this data to another controller. However, the right to data portability only exists if the processing is based on your consent or on a contract and the processing is carried out with the help of automated processes.

Right to complain according to Art. 77 GDPR

If you believe that the processing of your data is unlawful and in breach GDPR, you have the right to file a complaint with the competent data protection authority. The jurisdiction depends on your place of residence or place of work.

You can reach the Austrian data protection authority at

Austrian Data Protection Authority

Barichgasse 40-42

1030 Vienna

dsb@dsb.gv.at