Privacy Policy

Introduction

This Privacy Policy applies to the website www.lupinum.com, operated by "Lupinum OG". It informs about the processing of personal data on our website.

Responsible Parties

Matthias Amon

Gschirm 47, 3300 Amstetten
Tel.: +43 681 20303240
Email: matthias@lupinum.com

Romana Netzberger

Innerzaun 26/1, 3321 Kollmitzberg
Tel.: +43 699 11313844
Email: romi@lupinum.com

Specific Details on Data Processing

To meet our obligations under the General Data Protection Regulation (GDPR), we hereby inform you about the specific details of data processing on our website:

• Types of processed data: We collect various types of personal data from you, including but not limited to your name, email address, IP address, and other information you provide to us through contact forms or other interactions on our website.
• Storage duration: Your personal data is stored only as long as necessary for the purposes for which it was collected or to comply with legal requirements. After this period, your data will be deleted or anonymized.
• Purposes of data processing: The data we collect is used for various purposes, including processing your requests, providing our services, improving our website and services, and complying with legal obligations.

Lawful Basis for Processing

We process your personal data based on the following legal grounds:

1. Consent: For example, when you fill out our contact form or agree to receive marketing communications.
2. Contractual Necessity: When processing is necessary to fulfill a contract with you or to take steps at your request before entering into a contract.
3. Legal Obligation: When we need to process your data to comply with a legal obligation.
4. Legitimate Interests: When processing is necessary for our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

For each type of data processing, we ensure that at least one of these legal bases applies.

Your Rights Under GDPR

Under the GDPR, you have the following rights:

1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure ('right to be forgotten')
5. Right to restrict processing
6. Right to data portability
7. Right to object
8. Rights related to automated decision-making including profiling

To exercise any of these rights, please contact us using the details provided at the beginning of this policy. We will respond to your request within one month.

International Data Transfers

Some of our external third parties are based outside the European Economic Area (EEA), so their processing of your personal data may involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Consent

Where we rely on consent as the legal basis for processing your personal data, you have the right to withdraw this consent at any time. You can do this by contacting us using the details provided at the beginning of this policy.

For electronic marketing communications, you can also withdraw consent by clicking on the "unsubscribe" link in any marketing email we send you.

Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Children's Data

Our website is not intended for children under the age of 16, and we do not knowingly collect data relating to children. If you become aware that your child has provided us with personal data without your consent, please contact us using the details provided at the beginning of this policy.

Data Processor Agreements

We have agreements in place with all our data processors (including Basin, Vercel, Cloudflare, and CRISP) to ensure they process your personal data only on our instructions and in compliance with the GDPR.

Data Breach Notification

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. We will notify you without undue delay and within 72 hours of becoming aware of the breach.

Right to Complain to the Supervisory Authority

You have the right to file a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. The competent supervisory authority depends on your place of residence, your workplace, or the location of the alleged violation. A list of national data protection authorities can be found on the website of the European Data Protection Board.

Why We Don't Display a Cookie Banner

Our website has been developed in consideration of the GDPR and with respect for user privacy. We deliberately refrain from user tracking and the use of cookies that would require consent. Therefore, no cookie banner is required on our website.

We only use technologies that are necessary for the operation of the website and do not store or process personal data. This allows us to offer you a privacy-friendly experience without compromising your privacy.

Changes to Our Privacy Policy

We reserve the right to adapt this privacy policy to ensure that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new services. Your subsequent visits will then be subject to the new privacy policy.

Contact via Basin (Moonshot Ventures, Inc.)

Data Collection and Processing

When using the contact form on our website, the entered data (name, email address, message content, date and time of submission) is sent to Basin, an external service provider, for processing. This data is used exclusively for the purpose of processing and responding to your inquiry.

Legal Basis

The processing of the data is based on your consent according to Art. 6 Para. 1 lit. a GDPR, via a checkbox in the contact form.

Transfer and Storage

The data is stored with Basin for as long as necessary to process your request or until you revoke your consent for storage. Basin is subject to its own privacy policies, over which we have no influence. For more information on data processing by Basin (Moonshot Ventures, Inc.), please refer to Basin's Privacy Policy.

Hosting by Vercel

Our website is operated by Vercel, a cloud hosting service of the American company Vercel Inc., located at 340 S Lemon Ave #4133, Walnut, CA 91789, USA.

Data Protection and Data Processing in the USA

Vercel processes some of your data in the USA. The European Court of Justice does not consider the USA to have a level of data protection comparable to that of the EU. This means there may be risks to your data.

Protection of Your Data

To protect your data, Vercel uses so-called standard contractual clauses. These are approved by the EU Commission and are intended to ensure that your data is protected in the USA according to European standards. Vercel has committed to comply with these standards.

For more information on these clauses, please refer to the EU Commission Implementing Decision and Vercel's Data Processing Addendum.

Details on data processing by Vercel can be found in Vercel's Privacy Policy.

Embedded YouTube Videos

YouTube videos are embedded on our website. These are integrated in the enhanced privacy mode, which means that no data about you as a user is transferred to YouTube if you do not play the videos. Only when you confirm the playback of the videos, data is sent to YouTube. We have no influence on this data transfer. YouTube is a service of Alphabet Inc. Google Privacy Policy.

Cloudflare Stream for Embedded Videos

We use Cloudflare Stream to embed videos on our website. Cloudflare may collect usage data for the played videos, but this is not personal data.

Plausible Analytics

We use Plausible Analytics for anonymized website statistics. Plausible does not set cookies and does not collect personal data. Only aggregated data such as page views and countries of origin are collected.

Brevo Conversations Chatbot

We use the Brevo Conversations Chatbot on our website for customer service and support. This service allows us to communicate with our website visitors in real-time and respond to inquiries. Below, we explain how the chatbot functions and how data is processed.

Data Processing by the Brevo Chatbot

The Brevo Conversations Chatbot sets technical cookies that are necessary for the operation of the chat. These cookies do not store any personal data unless you voluntarily provide it and consent to its processing.

Key Points on Data Processing:

• Data Storage: No personal data is stored until you actively provide it through the chat window (e.g., name, email address). Consent for the processing of this data is explicitly obtained before any data is processed.
• Types of Data Stored: The chatbot may store the following data if voluntarily provided:
  • Email address
  • Name
  • Message content
• Purpose of Data Processing: The collected data is used solely to process your inquiries and improve our customer service. Your data will not be used for marketing purposes unless you have explicitly consented to it.
• Cookies: The chatbot sets functional cookies that are necessary for the chat functionality. These cookies are technically required and do not contain personal data.

Your Rights and Responsibilities

As a user of our chat service, you have the right to:

• Request information about your stored data
• Request the correction or deletion of your data
• Object to the processing of your data

Please do not share sensitive or confidential information through the chat. If this happens accidentally, please contact us immediately so we can remove the data.

Brevo’s Data Protection Officer

Brevo has appointed a Data Protection Officer who can be contacted at dpo@brevo.com. For more information on data processing by Brevo, please refer to their Privacy Policy.

Social Media Presence

We are present on various social media platforms to communicate with you and inform you about our services. When you interact with our company pages, we share responsibility with the respective social network for certain data processing activities. You can contact us directly with any questions about our social media presence.

Facebook

The social network facebook.com is operated by Meta Platforms Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. The data protection controller for users in the EU is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (both: "Meta").

When you visit our Facebook profile, Meta's privacy policy applies. The collected data is used for analyzing user behavior and for advertising purposes. Meta can link the data with your personal Facebook account if you are logged into Facebook.

For more information about data protection on Facebook, please visit:

• Facebook Privacy Policy
• Information about Facebook and GDPR

Instagram

Instagram is part of Meta Platforms Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. The data protection controller for users in the EU is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

When you visit our Instagram profile, Instagram/Meta's privacy policy applies. When using Instagram, data is processed according to Instagram's privacy policy and can be linked to your Instagram account if you are logged in.

For more information about data protection on Instagram, please visit:

• Instagram Privacy Policy
• Meta Cookie Policy

LinkedIn

The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn").

When you visit or interact with our LinkedIn company page (e.g., through comments, likes), your data is processed by both us and LinkedIn as part of LinkedIn's features. Please note that when interacting with public company pages, your data related to these interactions may be published.

For more information about data protection on LinkedIn, please visit:

• LinkedIn Privacy Policy
• Opt-Out Options

X (formerly Twitter)

The social network x.com is operated by Twitter Inc., 795 Folsom Street, Suite 600, San Francisco, CA 94107, USA ("X").

When you visit our X profile, X's privacy policy applies. X processes your data according to its own privacy policies.

For more information about data protection on X, please visit:

• X Privacy Policy

Bluesky

We are also present on Bluesky. Please note that when using our Bluesky profile, Bluesky's privacy policy applies.

When you interact with our Bluesky profile, your data is processed by Bluesky according to their privacy policies. Your data related to these interactions may become publicly visible.

For current information about data protection on Bluesky, we recommend consulting the privacy policies directly on the Bluesky platform:

• Bluesky Privacy Policy

General Information about Social Media

Please note when using social networks:

• Your data may be processed outside the EU, where a lower level of data protection may exist.
• Your user data may be used for advertising purposes and market research.
• Platform operators can create user profiles and analyze your behavior.
• You can adjust privacy settings in the settings of your respective social media account.

By using our social media profiles, you accept the privacy policies of the respective platform. The platform operators are primarily responsible for data processing through the social media platforms and their privacy practices. We have no influence on the type and extent of data collected by the social media platforms and their further processing.

However, we remain responsible for the design of our social media profiles and the content we share there. We are also responsible under data protection law for data processing initiated by us, especially when using analysis functions or when communicating directly with you through our social media channels.

We recommend that you regularly inform yourself about the current privacy policies of the respective platforms.