Last updated: June 26, 2024

Privacy Policy

This Privacy Policy explains how we collect, use, and protect your personal information. It provides details on your rights and our responsibilities to ensure your data is handled securely and transparently.

Introduction

This Privacy Policy applies to the website www.lupinum.com, operated by "Lupinum OG". It informs you about the processing of personal data on our website.

Responsible Parties

Matthias Amon

Gschirm 47, 3300 Amstetten
Tel.: +43 681 20303240
Email: matthias@lupinum.com

Romana Netzberger

Innerzaun 26, 3321 Kollmitzberg
Tel.: +43 699 11313844
Email: romi@lupinum.com

Specific Details on Data Processing

To meet our obligations under the General Data Protection Regulation (GDPR), we hereby inform you about the specific details of data processing on our website:

  • Types of processed data: We collect various types of personal data from you, including but not limited to your name, email address, IP address, and other information you provide to us through contact forms or other interactions on our website.
  • Storage duration: Your personal data is stored only as long as necessary for the purposes for which it was collected or to comply with legal requirements. After this period, your data will be deleted or anonymized.
  • Purposes of data processing: The data we collect is used for various purposes, including processing your requests, providing our services, improving our website and services, and complying with legal obligations.

Lawful Basis for Processing

We process your personal data based on the following legal grounds:

  1. Consent: For example, when you fill out our contact form or agree to receive marketing communications.
  2. Contractual Necessity: When processing is necessary to fulfill a contract with you or to take steps at your request before entering into a contract.
  3. Legal Obligation: When we need to process your data to comply with a legal obligation.
  4. Legitimate Interests: When processing is necessary for our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

For each type of data processing, we ensure that at least one of these legal bases applies.

Your Rights Under GDPR

Under the GDPR, you have the following rights:

  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to erasure ('right to be forgotten')
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights related to automated decision-making including profiling

To exercise any of these rights, please contact us using the details provided at the beginning of this policy. We will respond to your request within one month.

International Data Transfers

Some of our external third parties are based outside the European Economic Area (EEA), so their processing of your personal data may involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Where we rely on consent as the legal basis for processing your personal data, you have the right to withdraw this consent at any time. You can do this by contacting us using the details provided at the beginning of this policy.

For electronic marketing communications, you can also withdraw consent by clicking on the "unsubscribe" link in any marketing email we send you.

Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Children's Data

Our website is not intended for children under the age of 16, and we do not knowingly collect data relating to children. If you become aware that your child has provided us with personal data without your consent, please contact us using the details provided at the beginning of this policy.

Data Processor Agreements

We have agreements in place with all our data processors (including Basin, Vercel, Cloudflare, and CRISP) to ensure they process your personal data only on our instructions and in compliance with the GDPR.

Data Breach Notification

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. We will notify you without undue delay and within 72 hours of becoming aware of the breach.

Right to Complain to the Supervisory Authority

You have the right to file a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. The competent supervisory authority depends on your place of residence, your workplace, or the location of the alleged violation. A list of national data protection authorities can be found on the website of the European Data Protection Board.

Our website has been developed in consideration of the GDPR and with respect for user privacy. We deliberately refrain from user tracking and the use of cookies that would require consent. Therefore, no cookie banner is required on our website.

We only use technologies that are necessary for the operation of the website and do not store or process personal data. This allows us to offer you a privacy-friendly experience without compromising your privacy.

Changes to Our Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements, or to reflect changes to our services in the privacy policy, e.g., when introducing new services. Your subsequent visits will then be subject to the new privacy policy.

Contact via Basin (Moonshot Ventures, Inc.)

Data Collection and Processing

When using the contact form on our website, the entered data (name, email address, message content, date and time of submission) is sent to Basin, an external service provider, for processing. This data is used exclusively for the purpose of processing and responding to your inquiry.

The processing of the data is based on your consent according to Art. 6 Para. 1 lit. a GDPR, via a checkbox in the contact form.

Transfer and Storage

The data is stored with Basin for as long as necessary to process your request or until you revoke your consent for storage. Basin is subject to its own privacy policies, over which we have no influence. For more information on data processing by Basin (Moonshot Ventures, Inc.), please refer to Basin's Privacy Policy.

Hosting by Vercel

Our website is operated by Vercel, a cloud hosting service of the American company Vercel Inc., located at 340 S Lemon Ave #4133, Walnut, CA 91789, USA.

Data Protection and Data Processing in the USA

Vercel processes some of your data in the USA. The European Court of Justice does not consider the USA to have a level of data protection comparable to that of the EU. This means there may be risks to your data.

Protection of Your Data

To protect your data, Vercel uses so-called standard contractual clauses. These are approved by the EU Commission and are intended to ensure that your data is protected in the USA according to European standards. Vercel has committed to comply with these standards.

For more information on these clauses, please refer to the EU Commission Implementing Decision and Vercel's Data Processing Addendum.

Details on data processing by Vercel can be found in Vercel's Privacy Policy.

Embedded YouTube Videos

YouTube videos are embedded on our website. These are integrated in the enhanced privacy mode, which means that no data about you as a user is transferred to YouTube if you do not play the videos. Data is sent to YouTube only when you confirm the playback of the videos. We have no influence on this data transfer. YouTube is a service of Alphabet Inc. For more information, please refer to the Google Privacy Policy.

Cloudflare Stream for Embedded Videos

We use Cloudflare Stream to embed videos on our website. Cloudflare may collect usage data for the played videos, but this is not personal data.

Plausible Analytics

We use Plausible Analytics for anonymized website statistics. Plausible does not set cookies and does not collect personal data. Only aggregated data such as page views and countries of origin are collected.

CRISP Chatbot

We use the CRISP Chatbot on our website for customer service and support. CRISP is a service of Crisp IM SAS, a French company based at 2 Boulevard de Launay, 44100 Nantes, France.

Data Processing by CRISP

CRISP processes data in compliance with GDPR. Here are some important points to note:

  • Data Storage Location: All CRISP data is stored on servers in the European Union. Messaging data is located in the Netherlands, while plugin data is stored in Germany.
  • Types of Stored Data: CRISP may store the following data from end users:
    • Email address (if provided by the end user)
    • Phone number (if provided by the end user)
    • Message history
    • Date and time of last activity
    • Profile information (from publicly accessible data on the internet)
  • Data Usage: CRISP uses this data exclusively to provide the chat service and does not share or sell user data.
  • Data Protection Rights: CRISP respects all data protection rights under GDPR, including the right to access, rectification, deletion, and data portability.

Your Rights and Responsibilities

As a user of our chat service, you have the right to:

  • Obtain information about your stored data
  • Request correction or deletion of your data
  • Object to the processing of your data

Please note that sensitive information should not be shared via chat. If this happens accidentally, please contact us immediately for deletion of this data.

CRISP Data Protection Officer

CRISP has appointed a Data Protection Officer who can be reached at dpo@crisp.chat.

For more information on data processing by CRISP, please refer to their Privacy Policy.