Privacy Policy

Introduction and Contact Details of the Controller

The protection of your personal data is important to us. In the following, we inform you in accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR) about the processing of your personal data by us and about the data protection claims and rights to which you are entitled. The controller for data processing within the meaning of the GDPR is:

Brink FlexCo
Messingstraße 32
5323 Ebenau
Austria

Email: hello@brink.guide

General Information on Data Processing

As a matter of principle, we process personal data of our users only to the extent necessary to provide a functional website as well as our content and services.

Legal Bases

The processing of your data is based on the following legal bases of the GDPR:

• Art. 6 (1) (a) GDPR as the legal basis for processing operations for which we obtain consent for a specific processing purpose (e.g., for marketing cookies or newsletter sign-ups).
• Art. 6 (1) (b) GDPR for processing necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (e.g., when registering for our service).
• Art. 6 (1) (c) GDPR where we are subject to a legal obligation by which processing of personal data is required (e.g., statutory retention obligations for tax purposes).
• Art. 6 (1) (f) GDPR for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (e.g., to ensure the IT security of our website).

Data Retention and Deletion

Your personal data will be deleted or blocked as soon as the purpose for which it was stored ceases to apply. Data may be stored for longer periods if this has been provided for by European or national legislators. This applies, for example, to the statutory retention periods for accounting records of 7 years pursuant to § 132 of the Austrian Federal Fiscal Code (BAO). Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a necessity for the continued storage of the data for the conclusion or performance of a contract.

Data Processing Operations in Detail

3.1. Provision of the website and creation of log files

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. This data is stored in the log files of our server. The following data is collected:

• IP address of the user
• Date and time of access
• Website or resource accessed
• Website from which the user accessed our site (referrer URL)
• Information about the browser type and version used
• Operating system used

The data is stored in log files to ensure the functionality of the website. Furthermore, the data serves to ensure the security of our information technology systems. The data is not evaluated for marketing purposes in this context.

The legal basis for the temporary storage of the data and the log files is our legitimate interest in providing a secure and functional website in accordance with Art. 6 (1) (f) GDPR.

The data is deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of collecting the data for the provision of the website, this is the case when the respective session has ended. In the case of storing the data in log files, this is the case after 14 days at the latest.

3.2. Use of cookies and similar storage technologies

Our website and our service use cookies as well as comparable client-side storage technologies such as Local Storage and Session Storage to store and retrieve data in the browser of your terminal device. Cookies are small text files, whereas Local and Session Storage store larger amounts of data directly in the browser. Session Storage data is deleted after the browser session is closed, while Local Storage data remains permanently.

These technologies serve to make our offer more user-friendly, effective, and secure.

We distinguish between technologies that are technically necessary and those used for analysis and marketing purposes.

Technically Necessary Storage

Some of these storage methods are strictly necessary for the basic operation of the website and the provision of essential functions. This includes, for example, storing your login status or your language setting (e.g., in a cookie, but also Local or Session Storage).

The use of these technically necessary technologies is based on our legitimate interest in a user-friendly and functional design of our online offer in accordance with Art. 6 (1) (f) GDPR in conjunction with Section 165 (3) of the Austrian Telecommunications Act 2021 (TKG 2021). Your consent is not required for this.

Analysis and Marketing Technologies

Furthermore, we use cookies and similar technologies from third-party providers on our website to statistically analyze the use of our website (Analysis) and to display advertising tailored to your interests (Marketing).

These technologies are used exclusively based on your express consent. The legal basis for this data processing is your consent in accordance with Art. 6 (1) (a) GDPR.

Specifically, we use the following services:

• Google Analytics and Google Ads Conversion Tracking
  We use Google Analytics and Google Ads, services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Data may be transferred to Google LLC in the USA. We use these services to analyze user behavior (e.g., which pages are accessed, duration of stay) and to measure the success of our advertising campaigns on Google (Conversion Tracking). The data processed includes, among other things, your IP address (in truncated form), technical information about your browser/device, and your interactions on our website. The data transfer to the USA is based on Google LLC's certification under the EU-U.S. Data Privacy Framework (DPF) (adequacy decision pursuant to Art. 45 GDPR).
• Meta Pixel
  We use the Meta Pixel, a service of Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Data may be transferred to Meta Platforms, Inc. in the USA. The Pixel enables us to measure the effectiveness of our advertisements on Meta's platforms (Facebook, Instagram) and to create target groups for future advertising campaigns (so-called Custom Audiences). Information about your use of our website is processed, which can be linked to your Meta account. The data transfer to the USA is based on the certification of Meta Platforms, Inc. under the EU-U.S. Data Privacy Framework (DPF) (adequacy decision pursuant to Art. 45 GDPR).
• LinkedIn Insight Tag
  We use the LinkedIn Insight Tag from LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Data may be transferred to LinkedIn Corporation in the USA. This tool enables us to track the effectiveness of our advertising on LinkedIn and to show you more relevant content on LinkedIn. Data about your visit to our website is collected, which is pseudonymized and anonymized again after a short period. The data transfer to the USA is based on the certification of LinkedIn Corporation under the EU-U.S. Data Privacy Framework (DPF) (adequacy decision pursuant to Art. 45 GDPR).

Managing and Withdrawing Your Consent

You grant your consent for the use of non-essential technologies via our consent management tool (cookie banner). There you will also find detailed information about the individual providers, the technologies used, and their storage duration.

You can withdraw your given consent at any time with effect for the future. The option to withdraw and manage your settings can also be found in our consent management tool, which is usually permanently accessible via a link in the footer of our website. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You can also generally manage and restrict the storage of cookies and other data in the settings of your web browser.

3.3. Contract processing and use of the service

When you register for our services and conclude a contract with us, we process personal data that is necessary for the establishment, content design, processing, and amendment of the contractual relationship.

Categories of data processed:

As part of the contractual relationship, we process in particular the following data from you or the contact persons designated by you:

• Name and company
• Address
• Email address
• Value Added Tax Identification Number (VAT ID), if provided
• Contract and order data
• Payment information (this is primarily processed by our payment service provider)

Purpose and legal basis of the processing:

This data is processed for the fulfillment of our contractual obligations, in particular to provide your user account, to process payments, and to communicate within the scope of the contractual relationship. The legal basis for this is Art. 6 (1) (b) GDPR (performance of a contract).

Furthermore, we are subject to legal obligations that may require the processing of your data. This particularly concerns our accounting and tax retention obligations. The legal basis for this is Art. 6 (1) (c) GDPR.

Necessary service communication (transactional emails):

The performance of the contractual relationship also includes communication via transactional emails. This includes security-relevant notifications (e.g., for password resets), system-relevant information (e.g., about planned maintenance), as well as invoices and payment confirmations. These emails are an integral part of our service and serve to fulfill our contractual obligations (Art. 6 (1) (b) GDPR). An objection to receiving these strictly necessary service emails is therefore not possible as long as the contractual relationship exists.

Processing of usage data for service improvement:

To continuously improve our service, increase user-friendliness, and ensure security, we analyze how our service is used. In doing so, we may process technical usage data (e.g., frequency of use of certain features, technical performance data). This processing is based on our legitimate interest in optimizing and securely operating our offer in accordance with Art. 6 (1) (f) GDPR. We take care to analyze this data in aggregated or pseudonymized form where possible.

3.4. Email marketing (newsletter)

We use emails to get in touch with you. For the technical dispatch and administration of marketing emails, we use a specialized email marketing service provider. We have concluded a Data Processing Agreement (DPA) with this provider, which ensures the protection of your data in accordance with the requirements of the GDPR.

We distinguish between two types of sending promotional content:

Information for existing customers

If you conclude a contract with us, we reserve the right to use your provided email address to regularly send you information about our own, similar products and services, important updates to our service, or useful tips related to our offer.

This processing is based on our legitimate interest in maintaining customer relationships and direct marketing in accordance with Art. 6 (1) (f) GDPR in conjunction with Section 174 (4) of the Austrian Telecommunications Act 2021 (TKG 2021).

You can object to this use of your email address at any time without incurring any costs other than the transmission costs according to the basic rates. An unsubscribe link is provided at the end of every such email.

Newsletter subscription (consent)

On our website, you have the option to subscribe to our general newsletter to be informed about news and offers. This subscription is voluntary and is based exclusively on your express consent in accordance with Art. 6 (1) (a) GDPR.

To verify the authenticity of the subscription, we use the so-called double opt-in procedure. After subscribing, you will receive an email asking for confirmation. Only after this confirmation will you be added to the distribution list.

You can withdraw your given consent to receive the newsletter at any time with effect for the future. An unsubscribe link can be found at the end of each newsletter.

Recipients of Data and Transfers to Third Countries

As a general rule, your personal data is not transferred to third parties unless there is a legal basis for doing so or you have expressly consented.

Internal Recipients

Within our company, only those departments or employees who need your data to fulfill our contractual and statutory obligations will have access to it.

External Service Providers (Processors)

We use external service providers to deliver our services, who process data on our behalf and according to our instructions. These include service providers in the following categories:

• IT infrastructure, hosting, and platform management
• AI services for providing text and design functionalities
• Email dispatch and marketing automation
• Payment processing
• Customer support and ticket management

All service providers are carefully selected by us and are contractually bound as processors by a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR to treat your data confidentially and to process it only within the scope of our instructions. This also includes our service provider for accounting (currently BMD SYSTEMHAUS GesmbH, located in Austria), to whom we transfer contract and invoice data to fulfill our statutory bookkeeping and accounting obligations.

Data Transfers to Third Countries

The provision of our services requires the use of specialized service providers, some of whom are based outside the European Union (particularly in the USA). For data transfers to the USA, we pursue a dual strategy: We primarily rely on the EU Commission's adequacy decision for companies certified under the EU-U.S. Data Privacy Framework (DPF) (Art. 45 GDPR). For service providers that are not certified under the DPF (especially in the field of artificial intelligence) or as an additional safeguard, we use the Standard Contractual Clauses (SCCs) issued by the EU Commission as an appropriate safeguard (Art. 46 (2) (c) GDPR).

We transparently set out which legal basis applies to each service provider we use in the detailed list in Appendix 3 of our Data Processing Agreement (DPA) .

We would like to point out that, especially for transfers based on SCCs, a residual risk, particularly concerning possible access rights of U.S. security authorities, cannot be completely excluded.

Other Recipients

Furthermore, we may transfer your data to third parties such as legal advisors, tax consultants, or public authorities if we are legally obligated to do so or if it is necessary for the enforcement of our rights (legitimate interest pursuant to Art. 6 (1) (f) GDPR).

Your Rights as a Data Subject

With regard to your data processed by us, you are generally entitled to the following rights. To exercise any of these rights, please contact us using the contact details provided in Section 1.

• Right of access (Art. 15 GDPR): You have the right to request information at any time as to whether and what data we process from you.
• Right to rectification (Art. 16 GDPR): Should your data processed by us be incorrect or incomplete, you have the right to request its rectification or completion.
• Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data, especially if the purpose of the processing has ceased, consent has been withdrawn, or the processing was unlawful. This right is subject to statutory retention obligations.
• Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your data if you contest the accuracy of the data, the processing is unlawful but you oppose erasure, or if you have objected to the processing.
• Right to data portability (Art. 20 GDPR): You have the right to request that we provide you with the data you have provided to us in a structured, commonly used, and machine-readable format, provided that the processing is based on your consent or a contract and is carried out by automated means.
• Right to object (Art. 21 GDPR): If we process your data for the purposes of our legitimate interests (Art. 6 (1) (f) GDPR), you have the right to object to this processing at any time on grounds relating to your particular situation. This applies in particular to the processing of your data for direct marketing purposes.
• Right to withdraw consent: If the processing is based on your consent (Art. 6 (1) (a) GDPR), you can withdraw it at any time with effect for the future. The lawfulness of the processing carried out until the withdrawal remains unaffected.
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): If you believe that the processing of your personal data violates the GDPR or other data protection provisions, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for us in Austria is:

Österreichische Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40-42
1030 Vienna
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

Data Security

We take all necessary and appropriate technical and organizational security measures (TOMs) in accordance with the state of the art to protect your data from loss, destruction, unauthorized access, and manipulation. This includes, in particular, the use of standardized encryption methods (e.g., SSL/TLS) for our entire website to ensure the secure transmission of your data. Our internal systems are protected by access and authorization concepts to ensure that only authorized employees can access your data.

We would like to point out that data transmission on the internet (e.g., when communicating by email) can have security vulnerabilities. Complete protection of data from access by third parties is not possible.

Actuality and Amendment of this Privacy Policy

We reserve the right to adapt this Privacy Policy as needed to reflect changes in the legal situation or changes to our service and data processing. The version currently published on our website shall apply.