1.1. Who is responsible for data processing?
Aurenix Solutions OG is solely responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR). No processing by other group companies or partnerships takes place.
1.2. What data is processed? Where does the data come from (data sources)?
1.2.1. Data collected from the data subject
Aurenix processes personal data that is collected directly from the data subject. Personal data is processed in particular when it is provided within the context of an existing or prospective business relationship (e.g., customers, prospective customers, suppliers, business partners, or in the course of support requests) for the performance of a contract or for the implementation of pre-contractual measures. In addition, Aurenix Solutions OG processes personal data:
• that is actively provided by the customer or the data subject themselves,
• that is necessary for compliance with a legal obligation,
• or for whose processing the data subject has given explicit consent for one or more specific purposes. The personal data processed includes, but is not limited to: Title, first and last name, email address, IP address(es), residential or business address(es), telephone number(s), other contact details, date of birth (if provided), contract and billing data (including information on contractual partners and their contact persons), company data, and other case-related information such as correspondence and communication data.
1.2.2. Data in the Context of Support Services
If support services are used, Aurenix processes the personal data generated in connection with the respective support request. This includes, in particular: Description of the problem, transmitted log files, attachments, screenshots, communication content, documentation of the problem resolution, and the contact details of the persons involved in the support request.
1.3. For what purposes and on what legal basis are personal data processed?
1.3.1. Fulfillment of contractual and pre-contractual obligations
Personal data is processed for the initiation, execution, and processing of contractual relationships, as well as for the provision of the products and services commissioned by the customer. The specific purpose of the data processing depends on the agreed scope of services. In particular, identification and contact data (e.g., name, address, email address, telephone number), contract, billing, inquiry, quotation, and order data, as well as other information required for the performance of the contract, are processed. Legal basis: Art. 6 para. 1 lit. b GDPR.
1.3.2. Fulfillment of legal obligations
Insofar as the processing of personal data is necessary for the fulfillment of legal obligations (e.g., company, tax, or commercial law retention and documentation obligations), this processing is carried out on the basis of legal requirements. Legal basis: Article 6(1)(c) GDPR.
1.3.3. Safeguarding legitimate interests
Aurenix processes personal data to the extent necessary to safeguard legitimate interests and provided that no overriding interests or fundamental rights of the data subject conflict. Legitimate interests include, in particular:
• ensuring proper operation, IT security, and the prevention of misuse,
• improving and further developing products and services,
• responding to inquiries and maintaining business relationships,
• informing customers and prospective customers about our own products, services, or relevant technical developments (direct marketing to the extent permitted by law). Data subjects have the right to object to this processing at any time on grounds relating to their particular situation. Legal basis: Article 6(1)(f) GDPR.
1.3.4. Processing Based on Consent
If consent is required for certain processing operations, processing will only take place for the expressly stated purposes (e.g., sending newsletters, information about events, or providing content). Consent can be withdrawn at any time with effect for the future. The lawfulness of the processing carried out before the withdrawal remains unaffected. Legal basis: Art. 6 para. 1 lit. a GDPR.
1.3.5. Processing in the Context of Support and Service
Personal data is processed in the context of support requests to the extent necessary for processing the request and for error analysis (e.g., contact details, communication content, log files, attachments, or screenshots). Legal basis: Art. 6 para. 1 lit. b and lit. f GDPR.
1.4. Who receives personal data?
Within Aurenix, only those individuals who require access to personal data to fulfill contractual or legal obligations, as well as to protect legitimate interests, are granted such access. Access is granted according to the principles of necessity and purpose limitation. Aurenix is the data controller for all processing operations. Aurenix is responsible for the complete administration, maintenance, configuration, and security of the infrastructure.
Use of Data Processors
For the technical provision of the server infrastructure, Aurenix uses the following external service providers:
• Hetzner Online GmbH Service: Data center and hosting services (server operation)
• sevDesk GmbH Service: Creation of quotes and invoices
• Stripe, Inc. Service: Collection of SEPA direct debit mandates
Hetzner acts exclusively as a data processor within the meaning of Article 28 GDPR. The processing of personal data is carried out exclusively on the instructions of Aurenix and only within the scope of the contractually agreed services. The data is processed on encrypted file systems; Aurenix is solely responsible for managing the encryption and accessing the content.
Other Recipients
In addition, personal data may be transferred to the following to the extent necessary:
• Tax advisors and auditors, insofar as this is necessary for fulfilling tax and commercial law obligations,
• Lawyers, courts, or public authorities, insofar as this is necessary for legal advice, enforcement of rights, or due to legal obligations. Obligations of Data Processors
All data processors are contractually obligated to process personal data exclusively for the specifically defined service provision and to implement appropriate technical and organizational measures in accordance with the GDPR. Transfers to Third Countries Personal data is generally not transferred to countries outside the European Union or the European Economic Area. Should such a transfer become necessary in a specific case, Aurenix will ensure in advance that an adequate level of data protection in accordance with Art. 44 et seq. GDPR is guaranteed (e.g., through standard contractual clauses).
1.5. How long is the data stored?
Aurenix processes and stores personal data only as long as necessary for the respective processing purposes.
Contract-related data
Personal data is stored for the duration of the entire business relationship, from the initial contract negotiation through contract execution to the termination of the contractual relationship. After termination of the contract, personal data is deleted unless statutory retention or documentation obligations prevent deletion. Such obligations arise in particular from:
• commercial and tax law retention obligations (generally 7 to 10 years),
• statutory limitation periods under European or national law (in individual cases up to 30 years).
Product and usage data
After termination of the contract, Aurenix Solutions OG provides the customer – if contractually stipulated – with the data they provided or generated for a limited period (e.g., 14 days). After this period, the instance and all data it contains will be irrevocably deleted, unless statutory retention obligations apply.
Data based on consent
Personal data processed based on consent pursuant to Art. 6 para. 1 lit. a GDPR (e.g., newsletters, event information) will be stored until consent is withdrawn, but for no longer than three years from the last active contact. Consent can be withdrawn at any time and will be effective for the future; the lawfulness of the processing carried out before the withdrawal remains unaffected.
Erasure and restriction
As soon as the respective purpose ceases to apply and no statutory retention obligations exist, the personal data will be erased or anonymized. If erasure is not possible, processing will be restricted to the legally permissible minimum.
1.6. Where is the data stored?
Aurenix stores data either on its own, self-operated hardware or on rented server infrastructure from the data center and hosting provider Hetzner Online GmbH. Regardless of the infrastructure model used, all data is stored exclusively on encrypted file systems.
Encryption takes place at the file system level; the cryptographic keys used for this purpose are managed exclusively by Aurenix and stored separately from the respective system. Neither external service providers nor subcontractors have access to the encryption keys or the contents of the stored data. Through these measures, Aurenix ensures that personal data is effectively protected against unauthorized access, even in the event of physical or technical access to the infrastructure.
1.7. What data protection rights do you have as a data subject?
You have the right to access, rectification, erasure, or restriction of processing of your stored personal data, the right to object to processing, and the right to data portability in accordance with the requirements of the General Data Protection Regulation (GDPR). If the processing of your personal data is based on your consent, you can withdraw this consent at any time. In the event of withdrawal, Aurenix Solutions OG will immediately cease the corresponding processing, unless legal or contractual obligations prevent erasure or restriction. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
You can exercise your data subject rights via the following contact points:
• By email: office@aurenix.at
• By post: Aurenix Solutions OG, Schlossbergstraße 9/1/1, 2410 Hainburg an der Donau
Your rights must generally be asserted in writing. To prevent misuse, Aurenix Solutions OG is entitled to request suitable proof of identity in cases of reasonable doubt. Aurenix Solutions OG is entitled to continue processing personal data provided that it has been anonymized beforehand in such a way that it is no longer possible to associate it with a specific or identifiable person. Without prejudice to any other administrative or judicial remedies, you have the right to lodge a complaint with a data protection supervisory authority, in particular with the Austrian Data Protection Authority or another competent supervisory authority within the European Union.
1.8. Mandatory Provision of Personal Data
In the context of initiating, conducting, and processing a business relationship, as well as in the course of pre-contractual measures, the provision of personal data necessary for concluding and fulfilling the respective contractual relationship, or which Aurenix is legally obligated to process, is required. If this personal data is not provided, or not provided completely, this may result in the conclusion of a contract not being possible, or in contractual services – in particular the provision of products or services – not being provided, or not being provided properly.