Privacy Policy
Last updated: March 8, 2024

Controller within the meaning of the General Data Protection Regulation (GDPR) is:

Branding5
HeyQQ GmbH
Wasagasse 23
1090 Vienna, Austria

Company Registration: 572680b
VAT ID: ATU77744201
Commercial Court: Vienna Commercial Court

Managing Directors:

Dmitrij Rubanov, MSc
Mag. Matthias Neumayer, BA

Email: [email protected]
Email for privacy matters: [email protected]

The protection of your personal data is very important to us. We therefore process your data exclusively on the basis of legal provisions (GDPR, TKG 2003). In this privacy policy, we inform you about the most important aspects of data processing within our website and our services.
  1. Legal Basis for Processing

    The controller may process personal data only if at least one of the following conditions applies:

    • Users have given their consent for one or more specific purposes
    • Processing is necessary for the performance of a contract
    • Processing is necessary for compliance with a legal obligation
    • Processing is necessary for the performance of a task carried out in the public interest
    • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
  2. What Data We Process

    We process the following categories of personal data:

    • Master data (name, address, contact details)
    • Email address
    • Payment data
    • Usage data (visited websites, access times)
    • Uploaded files (for processing in the program)
    • Meta/communication data (device information, IP addresses)
  3. Details on Processed Data

    The types of personal data that this application processes itself or through third parties include:

    • Device information
    • Usage data
    • User ID
    • Geography/Region
    • Number of users and sessions
    • Session duration
    • App opens and updates
    • Operating systems
    • First and last name
    • Email address
    • Crash reports
    • Unique device identifiers (UUID)
    • Billing address
    • Diagnostic and tracking data
    • Geographic position
    • Language
  4. Services Used and Third-Party Providers

    We use the following services to provide our application:

      Details on data processing by these services can be found in the respective privacy policies of the providers.

    • Push Notifications

      This application may send push notifications to the user. You can usually disable these in your device settings. Please note that disabling push notifications may affect the functionality of the application.

    • How We Collect Your Information:

      We collect/receive information about you in the following ways:

      1. When a user completes the registration form or otherwise submits personal information
      2. Interaction with the website
      3. From public sources
    • How We Use Your Information:

      We will use the information collected about you for the following purposes:

      1. Marketing/Advertising
      2. Creating a user account
      3. Collecting customer feedback
      4. Payment processing
      5. Support
      6. Managing customer orders
      7. Managing user accounts

      If we want to use your information for another purpose, we will ask for your consent and use your information only after receiving your consent and then only for the purpose or purposes for which you gave your consent, unless we are legally required to do otherwise.

    • How We Share Your Information:

      We will not share your personal information with third parties without your consent, except under limited circumstances as described below:

      1. Advertising services
      2. Marketing agencies
      3. Analytics
      4. Payment recovery services
      5. Data collection & processing

      We require such third parties to use the personal information transferred to them only for the purpose for which it was transferred and not to retain it for longer than necessary for fulfilling that purpose.

      We may also disclose your personal information for the following reasons: (1) to comply with applicable law, regulations, court orders, or other legal process; (2) to enforce your agreements with us, including this Privacy Policy; or (3) to respond to claims that your use of the service violates third party rights. If the service or our company merges with or is acquired by another company, your information will be one of the assets transferred to the new owner.

    • Retention of Your Information:

      We will retain your personal information with us for 90 days to 2 years after users terminate their accounts or as long as we need it to fulfill the purposes detailed in this Privacy Policy. We may need to retain certain information for longer periods, such as for accounting/reporting under applicable law or for other legitimate reasons such as enforcement of legal claims, fraud prevention, etc. Anonymous residual information and aggregated information that does not identify you (directly or indirectly) may be stored indefinitely.

    • Your Rights:

      Depending on applicable law, you may have the right to access, correct, or delete your personal data, obtain a copy of your personal data, restrict or object to the active processing of your data, ask us to transfer your personal data to another entity (port), withdraw any consent you gave us to process your data, the right to file a complaint with a statutory authority, and such other rights as may be relevant under applicable laws. To exercise these rights, you can write to us at [email protected]. We will respond to your request in accordance with applicable law.

      You can opt out of direct marketing communications or the profiling we carry out for marketing purposes by writing to us at [email protected].

      Please note that if you do not allow us to collect or process the required personal information or withdraw the consent to process the same for the required purposes, you may not be able to access or use the services for which your information was sought.

    • Cookies etc.

      To learn more about how we use these and your choices regarding these tracking technologies, please read our Cookie Policy.

    • Security:

      The security of your information is important to us and we will take appropriate security measures to prevent the loss, misuse, or unauthorized alteration of your information under our control. However, given the inherent risks, we cannot guarantee absolute security and consequently, we cannot ensure or warrant the security of any information you transmit to us and you do so at your own risk.

    • Third-Party Links & Use of Your Information:

      Our service may contain links to other websites that are not operated by us. This Privacy Policy does not address the privacy policy and other practices of any third parties, including any third party operating any website or service that may be accessible via a link in the service. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party websites or services.

    • Complaint/Privacy Officer:

      If you have any questions or concerns regarding the processing of your information available with us, you can contact our complaints officer at HeyQQ GmbH, Wasagasse 23, Email: [email protected]. We will address your concerns in accordance with applicable law.

    • International Data Transfers

      When we transfer data to third parties outside the EU/EEA, this is only done on the basis of an adequacy decision by the EU Commission or using EU standard contractual clauses and appropriate additional guarantees in accordance with Art. 44 ff GDPR.

    • Your Rights Under GDPR

      You have the following rights regarding your personal data:

      • Right to access (Art. 15 GDPR)
      • Right to rectification (Art. 16 GDPR)
      • Right to erasure (Art. 17 GDPR)
      • Right to restriction of processing (Art. 18 GDPR)
      • Right to data portability (Art. 20 GDPR)
      • Right to object (Art. 21 GDPR)
      • Right to withdraw consent (Art. 7 Para. 3 GDPR)
      • Right to lodge a complaint with supervisory authority (Art. 77 GDPR)

      Competent supervisory authority in Austria: Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, Email: [email protected]

    • Automated Decision Making

      We do not use automated decision-making or profiling that has legal effects on you or similarly significantly affects you.

    • Technical and Organizational Measures

      We implement the following security measures to protect your data:

      • Data transmission encryption (HTTPS/TLS)
      • Access control and authentication systems
      • Regular security and privacy training for our employees
      • Pseudonymization and encryption of personal data where technically possible
      • Regular backups to ensure availability
      • Regular review and evaluation of security measures
    • Data Processing by Third Parties

      We use the following processors for providing our services. Appropriate contracts according to Art. 28 GDPR have been concluded with all processors:

      1. Vercel (Hosting & Infrastructure)

      Provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
      Processed data:

      • IP addresses
      • Technical usage data
      • Access times
      • HTTP header information

      Purpose: Hosting and delivery of the website
      Legal basis: Art. 6 Para. 1 lit. f GDPR (Legitimate interest)
      Storage location: EU (Frankfurt)

      2. Google Cloud Storage

      Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
      Processed data:

      • Uploaded PDF documents (encrypted)
      • File metadata
      • Temporary processing data

      Purpose: Secure storage and processing of documents
      Legal basis: Art. 6 Para. 1 lit. b GDPR (Contract performance)
      Storage location: EU (Belgium)

      3. Google Firebase Firestore

      Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
      Processed data:

      • User profiles
      • Authentication data
      • Usage logs
      • Document references

      Purpose: User management and document organization
      Legal basis: Art. 6 Para. 1 lit. b GDPR (Contract performance)
      Storage location: EU (Frankfurt)

      4. PostHog Analytics

      Provider: PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA
      Processed data:

      • Anonymized IP addresses
      • Usage statistics
      • Click paths
      • Device information
      • Page views

      Purpose: Analysis of user behavior to improve the service
      Legal basis: Art. 6 Para. 1 lit. a GDPR (Consent via cookie banner)
      Storage location: EU (with EU standard contractual clauses)

      5. Microsoft Azure (AI Services)

      Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
      Processed data:

      • Text content from PDF documents
      • Processing requests
      • Temporary analysis data
      • Technical metadata

      Purpose: AI-powered document analysis and processing
      Legal basis: Art. 6 Para. 1 lit. b GDPR (Contract performance)
      Storage location: EU (Netherlands)

      6. Google Gemini

      Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
      Processed data:

      • Text inputs and queries
      • Generated content
      • Usage patterns
      • Technical metadata

      Purpose: AI-powered content generation and analysis
      Legal basis: Art. 6 Para. 1 lit. b GDPR (Contract performance)
      Storage location: EU

      7. Google Analytics

      Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
      Processed data:

      • Usage behavior
      • IP addresses (anonymized)
      • Device information
      • Geographic location
      • Referral sources

      Purpose: Website analytics and user behavior analysis
      Legal basis: Art. 6 Para. 1 lit. a GDPR (Consent via cookie banner)
      Storage location: EU

      8. Lemon Squeezy (Payment Processing)

      Provider: Lemon Squeezy LLC, 222 South Main Street Suite 500, Salt Lake City, UT 84101, USA
      Processed data:

      • Name and email address
      • Payment data
      • Billing address
      • Transaction data
      • Order history
      • IP address
      • Device information for fraud protection

      Purpose: Payment processing, invoicing and fraud protection
      Legal basis: Art. 6 Para. 1 lit. b GDPR (Contract performance), Art. 6 Para. 1 lit. c GDPR (Legal obligation)
      Storage location: USA (with EU standard contractual clauses)
      Special features: Lemon Squeezy acts as Merchant of Record (MoR) and is responsible for:

      • Tax calculation and payment
      • Compliance with payment regulations
      • Processing refunds
      • Customer service for payment issues

      Retention period: 7 years according to tax law requirements
      Privacy information: Privacy Policy and Data Processing Agreement

      9. Email Octopus (Email Marketing)

      Provider: EmailOctopus Ltd., 86-90 Paul Street, London, EC2A 4NE, UK
      Processed data:

      • Email address
      • Name (optional)
      • Registration time
      • Email opens and clicks (if not disabled)
      • IP address at registration

      Purpose: Newsletter delivery and email marketing
      Legal basis: Art. 6 Para. 1 lit. a GDPR (Consent)
      Storage location: EU (Amazon AWS Ireland)
      Special features: Tracking pixels and link tracking can be disabled

      Data transfers to third countries only occur on the basis of:

      • EU standard contractual clauses (Art. 46 Para. 2 lit. c GDPR)
      • Adequacy decisions by the EU Commission
      • Binding corporate rules (BCR, Art. 47 GDPR)
      • Additional technical protection measures (encryption, pseudonymization)

      You have the right to request a copy of the guarantees for data transfer to third countries. Contact us at [email protected].

    • Storage Duration and Deletion

      We store your data only as long as necessary for the stated purposes:

      • Customer data: 7 years after last business case (according to tax retention obligations)
      • Applicant data: 6 months after rejection
      • Log data: 90 days
      • Newsletter subscriptions: Until withdrawal
      • Contract data: 7 years after contract end
    • Categorization of Processed Data

      Category | Examples | Is Collected
      A. Identifiers | Contact information such as name, pseudonym, postal address, telephone or mobile number, unique personal identifiers, online identifiers, IP address, email address and account name | YES
      B. Personal Information | Name, contact information, education, employment, employment history and financial information | YES
      C. Protected Classification Characteristics | Gender and date of birth | NO
      D. Commercial Information | Transaction data, purchase history, financial data and payment information | NO
      E. Biometric Information | Fingerprints and voice recordings | NO
      F. Internet or Network Activity | Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, and systems | NO
      G. Location Data | Device location | NO
      H. Audiovisual Information | Images and audio, video, or call recordings related to our business activities | NO
      I. Professional Information | Business contact details, job title, work history and professional qualifications | NO
      J. Educational Information | Student records and directory information | NO
      K. Derived Information | Inferences drawn from the personal information collected above to create a profile about preferences and characteristics | NO
      L. Sensitive Personal Information | Special categories of personal data under Article 9 of the GDPR | NO

      This overview transparently shows which types of data we process. We limit ourselves to the necessary minimum and only process data that is required for the provision of our services.

    • Minor Protection

      Our services are primarily aimed at individuals aged 16 and older. Individuals under 16 years of age should not submit personal data to us without the consent of a parent or legal guardian.

    • Changes to this Privacy Policy

      We reserve the right to adjust this privacy policy to ensure that it always meets current legal requirements or to implement changes to our services, e.g., with the introduction of new services. The new privacy policy will apply to your next visit.

    • Right to Object

      If your personal data is processed based on legitimate interests, you have the right to object to the processing. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.