Privacy Policy (Application)
This privacy policy provides you with all the information that we, PHH Rechtsanwält:innen GmbH, are required to provide under Austrian and European data protection laws, in particular based on the General Data Protection Regulation ("GDPR"), when processing personal data through the "FirmaDigital" platform.
1. CONTROLLER AND CONTACT PERSON
The controller within the meaning of the relevant data protection laws and the contact person for data protection matters is:
- PHH Rechtsanwält:innen GmbH (hereinafter "PHH" or "we")
- Address: Julius-Raab-Platz 4, 1010 Vienna
- Contact person: Theresa Karall
- Email: datenschutz@phh.at
For the collection and processing of data in connection with the use of ID-Austria (see point 2.2.1), the joint controllers within the meaning of the relevant data protection laws and the contact person for data protection matters are:
- PHH Rechtsanwält:innen GmbH (see contact details above)
and
- Infinity Vertigo GmbH
Address: Bergwald 43, 2812 Hollenthon
Contact person: Felix Häusler
Email: fx@firmadigital.at
You can contact us at the above address or by email.
2. PURPOSES OF DATA PROCESSING
We process your personal data when using the "FirmaDigital" platform for the following purposes:
- To register as a user and to create a user account
- To conclude contracts for legal advisory services (particularly in connection with the automatic creation of contract documents, establishment of companies or individual legal advisory services) and the fulfilment of associated pre-contractual and contractual obligations
- To fulfill our professional obligations, which include information and identification obligations
- To send out our newsletter
- To ensure secure and user-friendly use and optimization of the "FirmaDigital" platform
- To analyze user behavior on the "FirmaDigital" platform
- To display content on the "FirmaDigital" platform
- For marketing purposes (advertising optimization, user source attribution)
We collect the personal data required to fulfil the above-mentioned purposes either actively from you or automatically when you visit the "FirmaDigital" platform. If data is collected from other (third-party) data sources, we will inform you of this at the relevant point. For the provision of our legal advisory services, we collect all data that is mandatory and that you have voluntarily provided to us. Please note that the non-provision or incomplete provision of your personal data, which is necessary for the provision and fulfilment of our legal services, may under certain circumstances lead to the rejection of the mandate.
2.1 Registration as a User and Creating a User Account
If you are interested in using our services, you can register as a user and create a user account. The personal data collected for this purpose is processed on the legal basis of Article 6 para 1 lit b GDPR (fulfillment of pre-contractual or contractual obligations). Creating a user account allows you to prepare, save temporarily, and complete all steps associated with the products/legal advisory services we offer, as well as to contact us and make use of technical support.
2.2 Conclusion of Contracts for Legal Advisory Services
When concluding a contract for the provision of legal advice, we, as a law firm and your contractual partner, are required to collect all personal data about you that is necessary to provide you with diligent representation and to fulfil our pre-contractual and contractual obligations. Moreover, in the context of a contractual relationship, you may also disclose personal data of third parties to us. In these cases, we generally assume that you are authorized to disclose this data.
Personal data collected during the conclusion and fulfilment of the contract are processed on the legal basis of Article 6 para 1 lit b GDPR (fulfillment of pre-contractual or contractual obligations). In the course of our contractual fulfilment (in particular for the automatic creation of contractual documents and for the establishment of companies), we also use third-party services (e.g. software providers). We will inform you about the relevant data recipients under point 3 and about any related data transfers to third countries under point 4.
Furthermore, we as a law firm are obliged to collect certain personal data from you in order to fulfill our professional obligations, in particular to comply with compliance and anti-money laundering as well as anti-terrorism financing provisions. The personal data collected for the purpose of fulfilling our legal obligations is processed on the legal basis of Article 6 para 1 lit c GDPR (fulfillment of our legal obligations). We cannot provide our legal advisory services via "FirmaDigital" without the transfer of the personal data requested by us when concluding a contract.
2.2.1 ID-Austria
If you choose this identification option, we use the electronic identification system "ID-Austria" through our service provider Infinity Vertigo GmbH (see point 3.1). By signing in through "ID-Austria", the following personal data is transferred to us:
- First name
- Last name
- Date of birth
- Domain-specific personal identification number (bPK)
- Identification level of electronic identity
- Signature certificate
- Main residence – registration address
- Gender
- Nationality
We process this data for the purpose of determining and verifying your identity and the authenticity of your identification document. The above-mentioned data is transferred to us on the legal basis of Article 6 para 1 lit a GDPR (consent); the further processing to determine and verify your identity is based on the legal basis of Article 6 para 1 lit c GDPR (fulfillment of our legal obligations). The details of your gender are processed in particular for automation purposes (in particular to address you in the contract documents created). This is done on the legal basis of Article 6 para 1 lit b GDPR (fulfillment of pre-contractual or contractual obligations).
If you choose this identification option, we cannot provide our legal advisory services via "FirmaDigital" without the transfer of the above-mentioned personal data requested by us.
2.3 Newsletter
We are pleased if you register to receive our newsletter via the "FirmaDigital" platform. The personal data processed for the purpose and in the context of the registration and the newsletter mailing are processed on the legal basis of Article 6 para 1 lit a GDPR (consent). In this context, please note your right to withdraw your consent (see point 7.6).
2.4 Provision and Optimization of the "FirmaDigital" Platform
To ensure secure and user-friendly use and optimization of the "FirmaDigital" platform, we process the following data:
- Login time
- Login location
- Device and browser information
This is based on Article 6 para 1 lit f GDPR (protecting our legitimate interests). Our legitimate interest in processing the data mentioned above lies in ensuring the security of the "FirmaDigital" platform, system stability and error correction, optimization of platform offerings, and fraud prevention and user protection.
2.5 Analysis of User Behavior on the "FirmaDigital" Platform
We use features and cookies from the service PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA ("PostHog") on the "FirmaDigital" platform to analyze and optimize user behavior and the user-friendliness of the "FirmaDigital" platform. The personal data collected for this purpose is processed on the legal basis of Article 6 para 1 lit a GDPR (consent). In this context, please note your right to withdraw your consent (see point 7.6). Without your consent to analyze user behavior, no data will be processed in this regard. We inform you about the related third-country data transfers under point 4. We provide information on cookies under point 5. More information on privacy at PostHog can be found at: https://posthog.com/privacy.
2.6 Displaying Content on the "FirmaDigital" Platform (YouTube)
We have included YouTube videos on the "FirmaDigital" platform to give you more information about our products and services. YouTube is a video portal provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google Ireland"). When embedding YouTube videos on the "FirmaDigital" platform, personal data may be processed. The processing of personal data in this regard is based on the legal ground of Article 6 para 1 lit a GDPR (consent). In this context, please note your right to withdraw your consent (see point 7.6). Without your consent, no data will be processed in this regard. YouTube videos will then neither be displayed nor played. We inform you about the related third-country data transfers under point 4. More information on privacy at Google can be found at: https://policies.google.com/privacy?hl=en.
2.7 Marketing Activities (Advertising Optimization, User Source Attribution)
If you have given your consent, we use Google Analytics, a web analysis service provided by Google Ireland, on the "FirmaDigital" platform. The purpose of using Google Analytics is for marketing activities (advertising optimisation, user source attribution). When using Google Analytics, cookies are used and personal data is processed. The legal basis for this data processing is Article 6 para 1 lit a GDPR (consent). In this context, please note your right to withdraw your consent (see point 7.6). If you do not consent to such analysis of user behaviour, no data processing will take place. We inform you about the related third-country data transfers under point 4. We provide information on cookies under point 5. More information on privacy at Google can be found at: https://policies.google.com/privacy?hl=en.
3. DISCLOSURE OF YOUR PERSONAL DATA
To fulfill the processing purposes specified above, it is necessary, among other things, to disclose your personal data to certain recipients. If listing specific recipients is not possible, the GDPR also permits us to specify categories of recipients. Data will be disclosed to the following recipients/categories of recipients:
- IT service providers we use (e.g., hosting operators, software providers, and advertising providers)
- Service providers we use for payment processing
- Notaries
- Courts and authorities
When transferring personal data to the above-mentioned recipients, personal data may occasionally also be transferred to third countries (i.e. countries outside the EU/EEA). Under point 4, we therefore also inform you about the basis on which we are authorized to do so.
3.1 Platform and Hosting Operator
The technical hosting of the "FirmaDigital" platform is operated by: Infinity Vertigo GmbH, Bergwald 43, 2812 Hollenthon. Server locations: Belgium/Netherlands/Finland.
We (PHH) are responsible for the content on the "FirmaDigital" platform. We have concluded the appropriate (data protection) agreements with our platform and hosting operator.
4. THIRD-COUNTRY DATA TRANSFER
When using certain service providers, personal data may be transferred to third countries (i.e. countries outside the EU/EEA). Proof of the appropriate guarantees listed below is available on request (see contact details under point 1).
4.1 PostHog Inc.
When using the analysis tool provided by PostHog, personal data is transferred to and processed by PostHog. The legal basis for this international data transfer and processing is the adequacy decision "EU-U.S. Data Privacy Framework" according to Article 45 GDPR, concluded between the European Commission and the US. PostHog is certified under the EU-U.S. Data Privacy Framework and is listed on the so-called Data Privacy Framework List (https://www.dataprivacyframework.gov/list). In addition, standard contractual clauses have been concluded between our hosting operator (see point 3.1) and PostHog. More information on privacy at PostHog can be found at: https://posthog.com/privacy.
4.2 Plus Five Five, Inc.
In order to send system emails (e.g., password recovery), we use the mail dispatch tool "Resend" from Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA ("Plus Five Five"). Personal data is thereby transferred to and processed by Plus Five Five. The legal basis for this international data transfer and processing is the standard contractual clauses concluded between our hosting operator (see point 3.1) and Plus Five Five. More information on privacy at Plus Five Five can be found at: https://resend.com/legal/privacy-policy.
4.3 Stripe Payments Europe, Limited
For the processing of payment, we use a service provided by Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland ("Stripe"). Personal data necessary for the processing of payment is transferred to and processed by Stripe. In the course of using Stripe, it cannot be excluded that the data necessary for payment processing may be transferred to a third country, including Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, California, 94080. The legal basis for this possible international data transfer and processing is the adequacy decision "EU-U.S. Data Privacy Framework" according to Article 45 GDPR, concluded between the European Commission and the US. Stripe, Inc. is certified under the EU-U.S. Data Privacy Framework and is listed on the so-called Data Privacy Framework List (https://www.dataprivacyframework.gov/list). In addition, standard contractual clauses have been concluded between our hosting operator (see point 3.1) and Stripe. More information on privacy at Stripe can be found at: https://stripe.com/en-at/privacy.
4.4 OpenAI Ireland Limited
As part of our contract fulfilment (automatic creation of contract documents and establishment of companies), specifically for company name conformity checks and suggesting improvements to business purpose, we use a service (specifically Chat Completion) from OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre 117-126, Sheriff Street, Upper, Dublin 1, Ireland, D01 YC43 ("OpenAI"). Personal data is thereby transferred to and processed by OpenAI. The transferred data is deleted within 30 days and is not used for training purposes. In the course of using OpenAI, it cannot be excluded that data may be transferred to third countries. The legal grounds for possible international data transfers and processing are adequacy decisions, concluded between the European Commission and the respective third country, or standard contractual clauses concluded between the respective data processors. More information on privacy at OpenAI can be found at: https://openai.com/policies/privacy-policy.
4.5 Google Ireland Limited (YouTube)
When embedding YouTube videos on the "FirmaDigital" platform, personal data is transferred to and processed by Google Ireland. In the course of using YouTube, it cannot be excluded that data may be transferred to a third country, including Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA. The legal basis for possible international data transfers and processing are adequacy decisions, concluded between the European Commission and the respective third country (e.g., the adequacy decision "EU-U.S. Data Privacy Framework", concluded between the European Commission and the USA), or standard contractual clauses concluded between the respective data processors. Google LLC is certified under the EU-U.S. Data Privacy Framework and is listed on the so-called Data Privacy Framework List (https://www.dataprivacyframework.gov/list). More information on privacy at Google can be found at: https://policies.google.com/privacy?hl=en.
4.6 Google Analytics
When using Google Analytics of the service provider Google Ireland, personal data is transferred to and processed by Google Ireland. In the course of using Google Analytics, it cannot be excluded that data may be transferred to a third country, including Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA. The legal basis for possible international data transfers and processing are adequacy decisions, concluded between the European Commission and the respective third country (e.g., the adequacy decision "EU-U.S. Data Privacy Framework", concluded between the European Commission and the USA), or standard contractual clauses concluded between the respective data processors. Google LLC is certified under the EU-U.S. Data Privacy Framework and is listed on the so-called Data Privacy Framework List (https://www.dataprivacyframework.gov/list). More information on privacy at Google can be found at: https://policies.google.com/privacy?hl=de.
5. COOKIES
The "FirmaDigital" platform uses cookies. These are small text files that are stored on your device using the browser. Cookies can be stored for a certain duration or only during a session.
The processing of personal data when using cookies is based on the following legal basis:
- Technically necessary cookies are generally processed on the basis of an overriding legitimate interest according to Article 6 para 1 lit f GDPR in order to enable us to safeguard comfortable usage of our "FirmaDigital" platform.
- Technically not necessary cookies are processed on the basis of your explicit consent according to Article 6 para 1 lit a GDPR / § 165 para 3 Telecommunications Act in the respective valid version ("TKG").
You have the right to withdraw your consent at any time or to restrict it to certain cookies. Withdrawing your consent does not affect the lawfulness of the processing carried out based on your consent before its withdrawal.
In this specific case, we use the following cookies:
Cookie Name | Cookie Type | Purpose | Duration |
---|---|---|---|
_ga | analytics | Google Analytics for user tracking | 2 years |
_ga_**** | analytics | Google Analytics session tracking | 2 years |
ajs_anonymous_id | analytics | Identifies anonymous users for tracking | 1 year |
ph_current_instance | analytics | Stores the PostHog server instance | 2 years |
ph_current_project_name | analytics | Stores the name of the current PostHog project | 2 years |
ph_current_project_token | analytics | PostHog project tracking | 2 years |
ph_phc_****_posthog | analytics | Stores info about visitor behavior with PostHog | 2 years |
ph_sTMFPsFhdP1Ssg_posthog | analytics | PostHog user tracking | 2 years |
posthog_csrftoken | analytics | Protects against unauthorized or malicious requests | 1 year |
sessionid | necessary | Used to manage the user's session | 1 year |
6. DATA STORAGE
We store your data to the following extent:
- Data we collect to fulfill pre-contractual and contractual obligations:
(a) 5 years after the contract ends according to our professional retention duties or as long as needed for (extra)judicial and administrative disputes or proceedings.
(b) 7 years for data subject to tax and/or corporate retention obligations (e.g., invoices, accounting data).
- Data we collect to fulfill our professional obligations:
5 years after the contract ends or 10 years from the initial processing of personal data in accordance with our professional retention duties.
- Data we collect for sending our newsletter:
Retained until you unsubscribe from our newsletter or until the newsletter service is discontinued.
- Data we collect to create a user account:
Retained until you request deletion of your account or 5 years after the last account activity.
- Data we collect to ensure secure and user-friendly use and optimization of the "FirmaDigital" platform:
Retained for 1 year.
- Data collected for analyzing user behavior on the "FirmaDigital" platform:
Retained for 1 year.
The retention periods for cookies are listed under Section 5. The retention period related to the use of OpenAI is listed under Section 4.4.
7. DATA SUBJECT RIGHTS
You have the right to information, rectification, erasure, restriction of processing, data portability, withdrawal of consent, and the right to object to the processing of your data. If you wish to exercise one of these rights, you can contact us at any time using the contact details provided under Section 1.
If you believe that the processing of your data violates data protection law or your data protection rights have otherwise been infringed in any way, you may also contact us anytime using the contact details provided under Section 1 or lodge a complaint with the competent supervisory authority.
In Austria, this is:
Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
7.1 Right of Access
Upon request, we will provide information within the legally specified period about the data we hold about you. This information includes, among other things, the purpose of processing, the legal basis, and the type of processing. Your right to access is legally restricted under certain conditions. In such cases, we will explain the reasons to you.
7.2 Right to Rectification
You have the right to have incorrect or incomplete data corrected or supplemented. In some cases, we may require proof of your identity before fulfilling this right. Until your data is corrected or supplemented, you may also request the restriction of its processing.
7.3 Right to Erasure and Restriction
You have the right to request deletion of your data from us if and to the extent that:
- (i) The data is no longer needed for the purposes for which it was collected.
- (ii) The data was collected unlawfully.
- (iii) The processing is based on your consent, and you have withdrawn your consent.
If a statutory retention obligation exists, the data will only be erased after this period has expired. However, the data will be blocked from further use.
No right to erasure exists if the data cannot be deleted due to a legal obligation, or if data processing is necessary for asserting, exercising, or defending legal claims. In such cases, you have the right to restrict processing to the legally required extent.
7.4 Right to Data Portability
You have the right, insofar as this is technically possible, to have all the data we have stored about you transferred to a third party specified by you.
7.5 Right to Object
You may request us to stop processing your data when processing is based on our or another person's legitimate interest, and we cannot provide any overriding/mandatory legal reasons for the processing.
7.6 Right to Withdraw Consent
You can withdraw any consent given for the collection and processing of your personal data at any time with effect for the future, either entirely or partially. In such cases, we will promptly delete your data to the extent you request, or, where this is not legally permissible, restrict processing for use beyond the statutory requirements.
You can contact us at any time using the contact details provided under Section 1. Until withdrawal of consent, the processing of your data remains lawful.
8. CHANGES
We reserve the right to adapt and update this privacy policy as necessary, for example, due to legal changes.
All updates will be published on the "FirmaDigital" platform.
9. APPLICABILITY OF THE PRIVACY POLICY
This privacy policy only applies to data processing that takes place via the "FirmaDigital" platform.
It does not apply to:
- Websites, services, or products offered or promoted by other companies or individuals.
- Linked external websites.
If you access third-party services, their respective privacy policies will apply.