Privacy Policy

1. Controller

The controller responsible for data processing under applicable data protection laws is:

Klemens Ullmann-Marx e.U.
Oldenburggasse 62i
1230 Vienna
Austria

office@ull.at

2. General Information on Data Processing

Protecting your personal data is important to us.

We process personal data exclusively in accordance with the applicable data protection laws, in particular the GDPR, the Austrian Data Protection Act and the revised Swiss Federal Act on Data Protection (revFADP).

This privacy policy explains the nature, scope and purpose of the processing of personal data when using the Akeyo platform.

3. Roles & Responsibilities

Akeyo is a B2B platform and is intended exclusively for partners such as companies, operators and organizations.

Partners are the data controllers vis-a-vis their end customers.

Akeyo processes personal data of end customers exclusively on behalf of the respective partner as a data processor.

The details of this processing on behalf of the partner are governed by a separate data processing agreement.

4. Processed Data

4.1 Partner Data

When using the platform, we process in particular:

  • Company name
  • Contact person
  • Email address
  • Phone number
  • Access credentials
  • Billing and contract information

Purpose: Contract performance, support, operation of the platform

Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract)

4.2 End Customer Data (on behalf of the partner)

In the context of bookings, the following data may be processed:

  • Name
  • Email address
  • Phone number
  • Booking period
  • Payment status
  • Access status

Purpose: Booking processing, payment reconciliation, access authorization

Legal basis: Art. 6 para. 1 lit. b GDPR

Role: Processing on behalf of the partner

5. Payment Processing (Stripe)

We use the following payment service provider to process online payments:

Stripe Payments Europe Ltd.
1 Grand Canal Street Lower
Grand Canal Dock
Dublin, Ireland

Stripe processes payment data as an independent controller.

Akeyo itself does not store complete payment data such as credit card numbers.

Further information: https://stripe.com/privacy

6. Access Systems

To provide time-limited access rights, personal data may be transmitted to providers of electronic access systems where technically required.

Purpose: Access authorization and management

Legal basis: Art. 6 para. 1 lit. b GDPR

7. Cookies, Tracking and Consent

Akeyo uses only technically necessary cookies required for operating the platform, for example session cookies and CSRF protection.

For web analytics (see section 8) we use Matomo in a data-minimising configuration: no cookies, no local storage and no fingerprinting.

A cookie or consent banner is therefore not required, because:

  • no information is stored on or accessed from your device beyond what is strictly necessary to provide the service you requested (Section 165 (3) of the Austrian Telecommunications Act 2021, Article 5 (3) of the ePrivacy Directive);
  • the remaining data processing (Matomo, server logs) is carried out on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) and does not require consent.

Should this configuration change, we will update this privacy policy and obtain consent where required.

8. Web Analytics (Matomo, self-hosted)

We use Matomo (open source) on our own server (statfish.ull.at) to analyse usage. Data does not leave our infrastructure and is not shared with third parties.

The configuration is data-minimising:

  • no cookies and no local storage (cookieless tracking)
  • IP address anonymisation (last octets masked)
  • the browser "Do Not Track" setting is respected
  • no cross-site tracking, no profiling
  • short retention of raw data (max. 6 months)

Purpose: audience measurement, improvement of content and usability of the website

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in statistical evaluation of website visits)

Objection: enable the "Do Not Track" setting in your browser; Matomo will then not evaluate your visit.

9. Server Logs

When accessing the platform, the following data is collected automatically:

  • IP address
  • Date and time
  • Browser type and version
  • Operating system
  • Referrer URL

This data is used for system security and error analysis, is not merged with other data sources, and is deleted regularly.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

10. Data Sharing and Service Providers

We use carefully selected service providers to operate the platform:

  • Hosting and infrastructure: Hetzner Online GmbH, 91710 Gunzenhausen, Germany (incl. backup storage). Data centre location: Germany.
  • Email delivery: the operator's own mail server (mail.ull.at), operated on Hetzner infrastructure.
  • Payment service provider: Stripe Payments Europe Ltd. (Ireland); contractually engaged directly by the respective partner.
  • Access system: EVVA Sicherheitstechnologie GmbH (AirKey, Austria); contractually engaged directly by the respective partner.
  • Disclosure to authorities where required by law.

No further disclosure takes place.

11. Transfers to Third Countries

Switzerland benefits from an adequacy decision of the European Commission; transfers between the EU and Switzerland do not require additional safeguards.

If service providers outside the EU, EEA or Switzerland are used, this is done exclusively subject to appropriate safeguards, for example standard contractual clauses.

12. Retention Period

Personal data is stored only as long as necessary for the respective purposes or as long as statutory retention obligations apply (in particular Section 132 of the Austrian Federal Fiscal Code: 7 years for data relevant for invoicing).

13. Rights of Data Subjects

Data subjects have in particular the right to:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability
  • Object to processing

Requests may be sent to: office@ull.at

Swiss data subjects enjoy the corresponding rights under the revised Swiss Federal Act on Data Protection (revFADP, in particular Art. 25 et seq.).

14. Changes to This Privacy Policy

We reserve the right to amend this privacy policy if required for legal or technical reasons.