Privacy Policy

Introduction and Overview

We have drafted this Privacy Policy (version 21.11.2025-123082061) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (in short, data) we, as the controller - and the processors commissioned by us (e.g. hosting providers) - process now and will process in the future, and which lawful options you have. All terms used are to be understood as gender-neutral.

In short: We provide you with comprehensive information about the data we process about you.

Privacy policies usually sound very technical and use legal terminology. This Privacy Policy, however, is intended to describe the most important points for you as simply and transparently as possible. Where this serves transparency, technical terms are explained in a user-friendly way, links to further information are provided and, where appropriate, graphics are used. In clear and simple language, we inform you that, in the course of our business activities, we only process personal data where there is an appropriate legal basis for doing so. That is certainly not possible with the tersest, least clear and purely legalistic explanations that are often the standard on the internet when it comes to data protection. We hope you find the following explanations interesting and informative and that there may be one or two pieces of information that are new to you.

If you still have questions, we kindly ask you to contact the responsible office named below or in the imprint, to follow the links provided and to seek further information on third-party websites. You will also of course find our contact details in the imprint.


Scope

This Privacy Policy applies to all personal data processed by us in our company and to all personal data processed by companies commissioned by us (processors). By personal data we mean information within the meaning of Article 4(1) GDPR such as, for example, the name, email address and postal address of a person. The processing of personal data ensures that we can offer and bill our services and products, whether online or offline. The scope of this Privacy Policy covers:

  • all online presences (websites, online shops) that we operate
  • social media presences and email communication
  • mobile apps for smartphones and other devices

In short: This Privacy Policy applies to all areas in which personal data in our company is processed in a structured manner via the channels mentioned. Should we enter into legal relationships with you outside these channels, we will inform you separately where appropriate.


Contact Details of the Controller

If you have questions about data protection or the processing of personal data, you will find the contact details of the controller pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) below:

Dr. Csaba György Beleznai
Forstnergasse 9/3A/33, 1220 Vienna
Austria
E-mail: info@shape2shade.com
Telephone: +43 670 409 9929
Imprint: https://www.shape2shade.com/impressum/


Storage Period

As a general rule, we only store personal data for as long as is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as the reason for the data processing no longer applies. In some cases, we are legally obliged to retain certain data even after the original purpose has ceased to apply, for example for accounting purposes.

If you request the deletion of your data or withdraw your consent to data processing, the data will be deleted as quickly as possible, provided there is no obligation to retain it.

Where we have more detailed information on the specific duration of the respective data processing, we will inform you of this in the corresponding sections below.


Rights under the General Data Protection Regulation

Pursuant to Articles 13 and 14 GDPR, we inform you about the following rights you have in order to ensure fair and transparent processing of data:

  • Under Article 15 GDPR, you have the right to obtain confirmation as to whether or not we are processing data concerning you. If this is the case, you have the right to obtain a copy of the data and to be informed of the following:
    • the purposes for which we carry out the processing;
    • the categories, i.e. the types of data being processed;
    • the recipients of the data and, where data are transferred to third countries, how the security of the data is ensured;
    • the period for which the data will be stored;
    • the existence of the right to rectification, erasure or restriction of processing and the right to object to such processing;
    • that you have the right to lodge a complaint with a supervisory authority (you will find links to these authorities below);
    • the source of the data, if we did not collect it from you;
    • whether profiling is carried out, i.e. whether data is automatically evaluated in order to create a personal profile about you.
  • Under Article 16 GDPR, you have the right to rectification of data, which means that we must correct data if you find errors.
  • Under Article 17 GDPR, you have the right to erasure ("right to be forgotten"), which means that you may request the deletion of your data.
  • Under Article 18 GDPR, you have the right to restriction of processing, which means that we may only store the data but not continue to use it.
  • Under Article 20 GDPR, you have the right to data portability, which means that we must provide you, upon request, with your data in a commonly used format.
  • Under Article 21 GDPR, you have the right to object, which, once exercised, will result in a change to the processing.
    • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interests), you may object to the processing. We will then examine as quickly as possible whether we can legally uphold this objection.
    • Where data is processed for direct marketing purposes, you may object to this type of data processing at any time. We may then no longer use your data for direct marketing.
    • Where data is processed for profiling purposes, you may object to this type of data processing at any time. We may then no longer use your data for profiling.
  • Under Article 22 GDPR, you have, under certain circumstances, the right not to be subject to a decision based solely on automated processing (for example profiling).
  • Under Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority. This means that you can complain to the data protection authority at any time if you believe that the processing of personal data concerning you infringes the GDPR.

In short: You have rights – do not hesitate to contact the responsible office listed above at our company!

If you believe that the processing of your data violates data protection law or that your data protection rights have been infringed in any other way, you can lodge a complaint with the supervisory authority. In Austria, this is the data protection authority, whose website you can find at https://www.dsb.gv.at/. In Germany, there is a data protection officer for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For our company, the following local data protection authority is responsible:

Austrian Data Protection Authority
Head: Dr. Matthias Schmidl
Address: Barichgasse 40-42, 1030 Vienna
Telephone: +43 1 52 152-0
E-mail address: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/


Security of Data Processing

In order to protect personal data, we have implemented both technical and organisational measures. Wherever possible, we encrypt or pseudonymise personal data. This makes it as difficult as possible, within the scope of our possibilities, for third parties to derive personal information from our data.

Article 25 GDPR refers to "data protection by design and by default" and means that, when it comes to both software (e.g. forms) and hardware (e.g. access to the server room), security must always be taken into account and appropriate measures must be implemented. Where necessary, we will go into more detail about specific measures below.

TLS encryption with https

TLS, encryption and HTTPS sound very technical, and they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transmit data securely over the internet.

This means that the complete transmission of all data from your browser to our web server is secured – no one can "listen in".

By doing so, we have introduced an additional layer of security and comply with data protection by design (Article 25(1) GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure data transmission on the internet, we can ensure the protection of confidential data.

You can recognise the use of this secure data transmission by the small padlock symbol in the upper left corner of the browser, to the left of the internet address (e.g. beispielseite.de) and the use of the https scheme (instead of http) as part of our internet address.

If you would like to know more about encryption, we recommend that you search for "Hypertext Transfer Protocol Secure wiki" in a search engine to find good links to further information.


Communication

Communication - Summary

  • 👥 Data subjects: All persons who communicate with us by telephone, email or online form
  • 📋 Processed data: e.g. telephone number, name, email address, data entered in forms. For more details, please see the description of the respective means of contact
  • 🤝 Purpose: Handling communication with customers, business partners, etc.
  • 📅 Storage period: Duration of the business case and statutory retention periods
  • ⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract), Art. 6(1)(f) GDPR (legitimate interests)

If you contact us and communicate by telephone, email or online form, personal data may be processed.

The data is processed for the handling and processing of your enquiry and the related business transaction. The data is stored for as long as is necessary for these purposes and/or for as long as required by law.

Data subjects

All persons who contact us via the communication channels provided by us are affected by the processing operations mentioned.

Telephone

If you call us, the call data will be stored in pseudonymised form on the respective terminal device and at the telecommunications provider used. In addition, data such as name and telephone number may subsequently be sent by email and stored for the purpose of responding to the enquiry. The data will be deleted as soon as the business case has been concluded and legal provisions permit deletion.

Email

If you communicate with us by email, data may be stored on the respective device (computer, laptop, smartphone, etc.) and data will be stored on the email server. The data will be deleted as soon as the business case has been concluded and legal provisions permit deletion.

Online forms

If you communicate with us via online form, data will be stored on our web server and may be forwarded to one of our email addresses. The data will be deleted as soon as the business case has been concluded and legal provisions permit deletion.

Legal bases

The processing of the data is based on the following legal bases:

  • Art. 6(1)(a) GDPR (consent): You give us your consent to store your data and to use it further for purposes relating to the business case;
  • Art. 6(1)(b) GDPR (contract): Processing is necessary for the performance of a contract with you or a processor such as the telecommunications provider, or we must process the data for pre-contractual activities, such as preparing an offer;
  • Art. 6(1)(f) GDPR (legitimate interests): We have a legitimate interest in conducting customer enquiries and business communication in a professional setting. To this end, certain technical facilities such as email programs, exchange servers and mobile network operators are necessary in order to be able to conduct communication efficiently.

Data Processing Agreement (DPA)

In this section, we explain what a data processing agreement is and why it is needed. Because the term "data processing agreement" (in German: Auftragsverarbeitungsvertrag, AVV) is quite a mouthful, we will use the abbreviation DPA in the text below. Like most companies, we do not work alone, but also make use of services provided by other companies or individuals. By including various companies or service providers, it may be necessary for us to pass on personal data for processing. These partners then act as processors with whom we conclude a contract, the so-called data processing agreement (DPA). The most important thing for you to know is that the processing of your personal data takes place exclusively in accordance with our instructions and must be governed by the DPA.

Who are processors?

As a company and website operator, we are responsible for all data that we process about you. In addition to the controller, there may also be so-called processors. This term covers any company or person who processes personal data on our behalf. More precisely, and in accordance with the GDPR definition: any natural or legal person, public authority, agency or other body which processes personal data on our behalf is considered a processor. Processors can therefore be service providers such as hosting or cloud providers, payment or newsletter providers or large companies such as Google or Microsoft.

To make the terminology easier to understand, here is an overview of the three roles under the GDPR:

Data subject (you as customer or interested party) → Controller (we as company and client) → Processor (service provider such as web host or cloud provider)

Content of a data processing agreement

As already mentioned above, we have concluded a DPA with our partners who act as processors. The agreement stipulates, first and foremost, that the processor will process the data to be processed exclusively in accordance with the GDPR. The agreement must be made in writing; however, in this context, electronic conclusion of the agreement is also deemed to be "in writing". The processing of personal data may only take place on the basis of this agreement. The agreement must contain the following:

  • obligation to follow our instructions as the controller
  • obligations and rights of the controller
  • categories of data subjects
  • type of personal data
  • nature and purpose of data processing
  • subject matter and duration of data processing
  • place of data processing

Furthermore, the agreement contains all obligations of the processor. The most important obligations are:

  • to ensure data security measures
  • to take appropriate technical and organisational measures to protect the rights of the data subjects
  • to maintain a record of processing activities
  • to cooperate with the data protection supervisory authority upon request
  • to carry out a risk analysis with regard to the personal data received
  • to engage sub-processors only with the prior written authorisation of the controller

You can see what such a DPA may look like, for example, at https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-mustervertrag-auftragsverarbeitung.html, where a model agreement is presented.

Source: Created with the Privacy Policy Generator by AdSimple
