Privacy Policy
Proplex GmbH
Status: July 21, 2025
1. Introduction and Scope
These data protection provisions inform you about the nature, extent, and purpose of the processing of personal data within our online offering and the associated websites, functions, and content (hereinafter collectively referred to as "online offering" or "website"). Proplex GmbH is a software development company based in Austria.
We attach the utmost importance to the protection of your data and the preservation of your privacy. The processing of your personal data is carried out exclusively on the basis of the legal provisions of the General Data Protection Regulation (GDPR) of the European Union and the Austrian Data Protection Act (DSG) as well as the Telecommunications Act 2021 (TKG 2021).
2. Controller for Data Processing
The controller in the sense of the GDPR and other national data protection laws of the member states as well as other data protection provisions is:
Proplex GmbH
Seestraße 21
A-9500 Villach
Austria
Email: office@proplex.io
3. General Principles of Data Processing
We process personal data according to the following principles:
- Lawfulness, fairness, and transparency: Processing is carried out lawfully, fairly, and in a transparent manner for the data subject.
- Purpose limitation: Data is collected only for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimization: We collect only data that is necessary and appropriate for the respective processing purposes.
- Accuracy: Personal data must be factually correct and, where necessary, kept up to date. Inaccurate data will be deleted or rectified without delay.
- Storage limitation: Data will be stored only as long as necessary for the purposes for which it is processed.
- Integrity and confidentiality (security): Processing is carried out in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Accountability: We are responsible for compliance with the aforementioned principles and must be able to demonstrate this.
4. Categories of Processed Data
We process the following categories of personal data:
- Contact data: Name/company, business address, email address, telephone number.
- Contract data: Order data, VAT ID number, bank details, credit card data, customer service inquiries.
- Usage data: IP address, cookie IDs, pages visited, clicks, behavioral data on the website.
- Content data: Texts, documents, and files that you provide to us or that are processed as part of our services.
- Employee data: (as far as relevant for internal administration) Name, contact data, etc.
5. Purposes and Legal Bases of Data Processing
We process your personal data for the following purposes and on the basis of the stated legal bases:
- For the fulfillment of contracts or the implementation of pre-contractual measures (Art. 6 Para. 1 lit. b GDPR):
  - Provision of our software development services.
  - Processing of customer relationships, offer creation, and invoicing (e.g., via Invoice Ninja).
  - Communication within the framework of contract processing.
  - Management of customer databases.
- Based on your consent (Art. 6 Para. 1 lit. a GDPR):
  - For marketing and analysis purposes, such as the use of Google Analytics and Facebook Pixel to track user behavior and enable targeted advertising.
  - For storing technically unnecessary cookies on your device.
  - If you voluntarily provide us with data, e.g., via contact forms, to process your inquiries.
- For compliance with a legal obligation (Art. 6 Para. 1 lit. c GDPR):
  - Storage of accounting records and invoices in accordance with tax and commercial law regulations.
  - Fulfillment of information and reporting obligations towards authorities.
- For the protection of legitimate interests (Art. 6 Para. 1 lit. f GDPR):
  - Ensuring the operation and security of our website and IT systems (e.g., through Cloudflare).
  - Improvement of our services and products.
  - Efficient communication and processing of customer inquiries.
  - Management of internal user accounts and technical logs.
6. Recipients of Data and Third-Party Services
We use various service providers (processors) who process personal data on our behalf. We have concluded corresponding data processing agreements (DPAs) with these service providers in accordance with Art. 28 GDPR to ensure the protection of your data.
- Cloudflare: We use Cloudflare as a Content Delivery Network (CDN) and for security services (DDoS protection, WAF). Cloudflare processes IP addresses, traffic data, and system configuration information to improve the security and performance of our website.
- Google Analytics: We use Google Analytics for web analysis. IP addresses (possibly anonymized), cookie IDs, and behavioral data are collected. Important note: The Austrian Data Protection Authority (DSB) has classified the use of Google Analytics in its standard configuration as non-compliant with the GDPR, as US surveillance laws allow access to data. We are working to either switch to a GDPR-compliant alternative or implement extreme anonymization measures that ensure no personal data leaves the EU.
- Facebook Pixel: We use the Meta Pixel (Facebook Pixel) for advertising purposes and to measure advertising effectiveness. This involves collecting information such as IP addresses, cookie IDs, pages visited, and clicks. For the use of the Facebook Pixel, we obtain your explicit consent via our cookie banner.
- Payload CMS: As a Content Management System (CMS), Payload CMS stores data relevant for the operation of our software solutions, such as customer names, contact details, and content. The data is stored in a database, the hosting location of which is crucial. We ensure that a DPA has been concluded with the hosting provider of the database.
- Google Drive: We use Google Drive for storing and sharing documents and files that may potentially contain personal data. As Google is a US company, data transfers to the USA are involved. We recommend the use of client-side encryption for sensitive data to minimize the risk of access by US authorities.
- Invoice Ninja: We use Invoice Ninja for invoicing and customer management. Customer data such as names, addresses, contact details, bank details, and order data are processed. Invoice Ninja is a US company, and we have concluded a DPA with them.
7. International Data Transfers
When using US-based services (Cloudflare, Google Analytics, Facebook Pixel, Google Drive, Invoice Ninja), personal data is transferred to the United States. Following the "Schrems II" ruling of the European Court of Justice and the subsequent decisions of the Austrian Data Protection Authority, standard contractual clauses (SCCs) alone are often not sufficient to ensure an adequate level of protection, as US surveillance laws allow far-reaching government access.
We conduct a Transfer Impact Assessment (TIA) for each of these services to evaluate the risks of access by US authorities and, if necessary, implement additional protective measures (so-called "supplementary measures"). This may include the use of EU data localization options or client-side encryption.
8. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to improve the user experience and provide certain functions.
- Technically necessary cookies: These cookies are essential for the basic operation of our website (e.g., for the shopping cart, login status). No consent is required for these cookies.
- Technically unnecessary cookies: These include cookies for analysis, marketing, and personalization purposes (e.g., Google Analytics, Facebook Pixel). For these cookies, we obtain your explicit consent via our cookie banner.
Requirements for our cookie banner:
Our cookie banner is designed to meet the strict requirements of the TKG 2021 and the GDPR:
- Prior consent: No technically unnecessary cookies are set before you have given your consent.
- Voluntariness and transparency: Your consent must be voluntary, specific, informed, and unambiguous. We clearly inform you for what purpose consent is given.
- Equality of options: The option to reject cookies is as prominent and easy to choose on the first level of the banner as the option to accept all cookies. There are no "nudging" practices that pressure you into consenting.
- Granular selection: You have the option to give or reject your consent separately for different categories of cookies (e.g., analysis, marketing).
- Withdrawal option: You can easily withdraw your consent at any time. Information on this can be found in our cookie banner and in this data protection policy.
9. Your Rights as a Data Subject
As a data subject, you have comprehensive rights regarding your personal data in accordance with the GDPR:
- Right to information (Art. 13, 14 GDPR): You have the right to receive comprehensive information about the processing of your data.
- Right of access (Art. 15 GDPR): You can request confirmation as to whether we process personal data concerning you and have the right to access this data as well as a copy of the data.
- Right to rectification (Art. 16 GDPR): You have the right to request the immediate rectification of inaccurate or the completion of incomplete personal data.
- Right to erasure ("right to be forgotten") (Art. 17 GDPR): You can request the immediate erasure of your data under certain conditions, e.g., if the data is no longer necessary for the purposes for which it was collected or you withdraw your consent.
- Right to restriction of processing (Art. 18 GDPR): You can request the restriction of processing of your data under certain circumstances.
- Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format and to transmit this data to another controller.
- Right to object (Art. 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data, especially if the processing is based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent (Art. 7 Para. 3 GDPR): If processing is based on your consent, you have the right to withdraw this consent at any time with effect for the future. The lawfulness of processing carried out based on consent before its withdrawal remains unaffected.
- Right to lodge a complaint with the supervisory authority (Art. 77 GDPR): If you believe that the processing of your data violates data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Austria, this is the Data Protection Authority (DSB).
To exercise your rights, you can contact us at any time using the contact details provided above. We will respond to your request without undue delay, and in any event within one month of receipt.
10. Data Retention Periods
We store your personal data only for as long as is necessary for the respective processing purposes or as required by statutory retention obligations.
- Accounting records and receipts/invoices: Generally 7 years.
- Documents related to real estate (Value Added Tax Act): Years.
- Documents related to electronically supplied services (OSS): 10 years.
- Contract-related data: Retention periods depend on the respective contractual and statutory limitation periods (e.g., warranty 2-3 years, purchase price claims 3 years, damages 3 or 30 years).
- Analysis data: The retention period for analysis data is minimized and depends on the settings in the respective analysis tools.
After the respective periods have expired, the data will be deleted or anonymized.
11. Technical and Organizational Measures (TOMs)
We have implemented appropriate technical and organizational measures to ensure the security of your personal data and to protect it against unauthorized access, loss, or destruction. These include, among others:
- Access control (physical): Measures that prevent physical access to data processing systems (e.g., security locks, alarm systems, visitor registration).
- Access control (system): Measures that prevent unauthorized access to data processing systems (e.g., secure VPN connections, encryption of data carriers, strong password policies, user profiles).
- Data access control: Measures that ensure only authorized persons can access specific data (e.g., authorization concepts, logging of access, data destruction in compliance with data protection).
- Disclosure control: Measures that prevent unauthorized disclosure of data (e.g., email encryption, secure transport containers).
- Input control: Measures that enable the retrospective verification of data changes (e.g., logging of inputs, individual usernames).
- Job control: Measures to ensure processing by processors in accordance with instructions (e.g., careful selection of service providers, written instructions, control rights).
- Availability control: Measures to protect against data loss or destruction (e.g., backups, UPS, fire protection).
- Separation control: Measures for the separate processing of data collected for different purposes (e.g., client separation, adapted database rights).
12. Data Protection Officer
According to current assessment, Proplex GmbH is not legally obliged to appoint a Data Protection Officer (DPO), as our core activity as a software development company generally does not involve the extensive regular and systematic monitoring of data subjects or the extensive processing of sensitive data as its main purpose.
Nevertheless, we take data protection very seriously and are happy to answer any questions you may have about data protection. You can reach us at any time using the contact details provided above.