Privacy Policy

Protecting your personal data is very important to me. I process your data exclusively on the basis of the applicable legal provisions (GDPR, TKG 2021). In this privacy policy, I inform you about the most important aspects of data processing in connection with my website as well as my business activities (client projects).

1. Controller

Ing. Julian Lamplmair   Reitern 21/2   4213 Unterweitersdorf   Austria

E-mail: [email protected]

2. Website hosting (GitHub Pages) & log files

Provider / recipient: GitHub B.V., Prins Bernhardplein 200, 1097JB Amsterdam, Netherlands (GitHub Pages / GitHub services) and, where applicable, GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA.

Purpose: Provision of the website, ensuring stability and security, and error analysis.

Processed data:

• IP address of the requesting device
• date and time of access
• name and URL of the requested file
• browser and operating system used
• referrer URL (previously visited page)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable provision of the website).

Third-country transfer: Where processing takes place in the USA, GitHub, Inc. is certified under the EU-U.S. Data Privacy Framework (DPF) (check status). If the certification ceases to apply, the transfer will be based on appropriate safeguards (e.g. Standard Contractual Clauses / SCC).

Retention period: I do not store my own permanent copies of server log files. Where log data is available to me for error analysis or security checks (e.g. short extracts), it is retained for a maximum of 14 days and then deleted or anonymized. Retention by GitHub depends on the provider’s policies and technical settings / policies (e.g. security and operational logs) and may vary depending on the selected service level (see “Further information”).

Further information: GitHub Privacy Statement

3. Content Delivery Network & security (Cloudflare)

Provider / recipient: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA

Purpose: Secure and performant delivery of the website (CDN), protection against attacks (e.g. DDoS), detection of malicious bots, and stability / security analysis.

Processed data:

• IP address
• system configuration information
• traffic and log data (access / requests)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in error-free and secure provision and protection against cyberattacks).

Third-country transfer: Cloudflare, Inc. is certified under the EU-U.S. Data Privacy Framework (DPF) (check status). If the certification ceases to apply, the transfer will be based on appropriate safeguards (e.g. Standard Contractual Clauses / SCC).

Retention period: I do not store my own permanent copies of Cloudflare request logs. Where log data / analytics are available to me for security or operational analyses (e.g. to defend against attacks), they are retained for a maximum of 30 days and then deleted or anonymized. Retention by Cloudflare depends on the provider’s policies and technical settings / policies (e.g. security and operational logs) and may vary depending on the selected service level (see “Further information”).

Further information: Cloudflare Privacy Statement

4. Cookies & similar technologies

Technologies: This website does not use any analytics, tracking, or advertising cookies. For technical delivery and basic usability of the website, the following technologies are used:

• Technically necessary cookies set by hosting / CDN / security functions (e.g. bot / abuse protection)

Purpose: Maintaining secure operation (e.g. protection against attacks) and technical delivery of the content.

Note: These cookies are used only to the extent they are technically necessary for security and operation.

• Local storage technologies (localStorage)

Purpose: Storing the language and theme selection to display the website in a user-friendly way.

Note: The data is stored until it is deleted in the browser (by the user) or until the language / theme setting is changed / reset.

• Temporary local storage technologies (sessionStorage)

Purpose: Storing the technical navigation history within the website (e.g. previous / next page) as a stack to keep navigation and UX consistent.

Note: The data applies only to the current tab / browser context and is deleted when the tab / browser window is closed; it may be lost when the page is reloaded.

• The History API (history.state)

Purpose: Technical navigation within the website (scroll position, sidebar state).

Note: The data applies only to the current tab / browser context and may be lost when the page is reloaded or the tab is closed.

• Caching via browser / HTTP cache (Cache-Control header)

Purpose: Performance and reduced network usage by temporarily caching static files in the browser cache.

Note: The browser stores copies of static files in accordance with Cache-Control. The data is stored until it is deleted in the browser (by the user) or until the cache duration expires.

Processed data: Typically technical information (e.g. state / configuration values) and, where applicable, security-related identifiers as part of technically necessary protection mechanisms.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a user-friendly and technically stable website).

Consent / banner notice (TKG 2021): Storing information on your device and / or accessing information stored on your device is, pursuant to Section 165(3) TKG 2021, generally only permitted with your consent. Consent is not required insofar as the use is strictly necessary to provide the service you explicitly requested and / or for secure operation. For any cookies / technologies beyond what is technically necessary, I would obtain your consent in advance.

5. Client projects & contract processing

Purpose: Provision of contractual services (e.g. software development / consulting), project handling, communication, billing, and compliance with legal obligations (e.g. accounting).

Processed data: Master and contact data as well as contract-related data (e.g. project details, correspondence, payment information).

Requirement to provide data: Providing the data marked as required is necessary to process your request and / or to initiate / perform the contract. Without this data, I generally cannot process your request or carry out the contract.

Legal bases:

• Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures)
• Art. 6(1)(c) GDPR (legal obligation, e.g. retention obligations under BAO / UGB)

Systems used / recipients:

• Odoo Online (SaaS) – Odoo S.A., Chaussée de Namur 40, 1367 Grand-Rosière, Belgium (customer relationships, project planning, invoicing). Processing in the hosting region selected by me (e.g. Europe); Odoo may use sub-service providers (sub-processors).

Further information: Odoo Privacy Statement

• Financial institutions (bank transfer) – N26 Bank SE, Voltairestraße 8, 10179 Berlin, Germany (my account-holding bank).

Purpose: Receipt of payments via SEPA transfer (primary payment method) and processing of payment transactions.

Data disclosure: As part of bank transfers, payment data (e.g. IBAN, name, amount, currency, execution date, payment reference and, where applicable, BIC) is processed between the involved banking institutions.

• Stripe (online payment) – Stripe (depending on the Stripe service used), e.g. Stripe Technology Europe, Limited, One Wilton Park, Wilton Place, Dublin 2, Ireland and Stripe, Inc., USA.

Purpose: Processing of online payments, provided you choose this payment option and / or where it is offered / required for certain services (e.g. SaaS / subscription models).

Note: Payment takes place via an external website hosted by Stripe (link in invoice / e-mail).

Third-country transfer: Where processing takes place in the USA, Stripe, Inc. is certified under the EU-U.S. Data Privacy Framework (DPF) (check status). If the certification ceases to apply, the transfer will be based on appropriate safeguards (e.g. Standard Contractual Clauses / SCC).

Further information: Stripe Privacy Policy

• Google Workspace – Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (e-mail, calendar / appointment organization, depending on the project documents / file storage and collaboration, e.g. Drive / Docs). Where available, I also use AI features within Google Workspace (e.g. Gemini) to support work steps (e.g. drafts, summaries). Depending on usage, content from e-mails, documents, or inputs may be processed insofar as this is necessary for the respective function. Google does not use Workspace customer data to train / improve generative AI models outside your Workspace domain without your permission.

Third-country transfer: Google is certified under the EU-U.S. Data Privacy Framework (DPF) (check status). If the certification ceases to apply, the transfer will be based on appropriate safeguards (e.g. Standard Contractual Clauses / SCC).

Further information: Google Privacy Statement

• GitHub (code repositories & AI development tools) – GitHub B.V., Prins Bernhardplein 200, 1097JB Amsterdam, Netherlands and, where applicable, GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA.

Purpose: Hosting of repositories, collaboration (e.g. issues / pull requests), and improving code quality through the AI assistance service "GitHub Copilot". When using Copilot, code snippets, prompts, and telemetry data are temporarily transmitted to GitHub.

Data protection guarantee (Zero Data Retention): I exclusively use the "Business" version for AI services. The provider contractually guarantees a strict "Zero Data Retention" policy. This means that project-specific data, code snippets, and inputs are immediately deleted after processing, are not permanently stored, and are explicitly not used for training AI models.

Third-country transfer: Where processing takes place in the USA, GitHub, Inc. is certified under the EU-U.S. Data Privacy Framework (DPF) (check status). If the certification ceases to apply, the transfer will be based on appropriate safeguards (e.g. Standard Contractual Clauses / SCC).

Further information: GitHub Privacy Statement

Use of service providers / subcontractors (sub-processors): To fulfil the contract, I may engage carefully selected service providers or subcontractors. Where such parties process personal data on my behalf, this is done on the basis of a data processing agreement in accordance with Art. 28 GDPR (or comparable contractual obligations); the service providers are contractually bound to confidentiality.

Disclosure to third parties: Data is disclosed only if necessary for contract processing (e.g. banks for payment processing), if I am legally obliged to do so (e.g. to the tax authority), or if required for proper processing (e.g. to my tax advisor).

Retention period: I store data from contractual relationships (including data processed in Odoo and Google Workspace) at least for the duration of statutory retention periods. In Austria, this is generally 7 years for tax-relevant documents pursuant to § 132 BAO. Beyond that, I store data only for as long as necessary for contract processing, documentation, or the assertion / defense of legal claims.

6. Contact

6.1 Contact by e-mail

Purpose: Processing your request and communication.

Processed data: Name, e-mail address, and the content of your request and correspondence.

Legal basis: Art. 6(1)(b) GDPR (initiation / performance) or Art. 6(1)(f) GDPR (legitimate interest in efficient communication).

Provider / recipient / third-country transfer: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Processing may also take place on servers in the USA. Google is certified under the EU-U.S. Data Privacy Framework (DPF) (check status). If the certification ceases to apply, the transfer will be based on appropriate safeguards (e.g. Standard Contractual Clauses / SCC).

Retention period: As long as necessary for processing; business-relevant correspondence and documents generally up to 7 years (e.g. under UGB / BAO).

Further information: Google Privacy Statement

6.2 Contact via WhatsApp Business

Purpose: Communication with interested parties and customers.

Note (voluntary use / alternative contact option): Contact via WhatsApp is voluntary. You can always contact me alternatively by e-mail at [email protected]. Please do not transmit sensitive personal data via WhatsApp (e.g. health data, ID data, payment / credit card data) or other highly confidential information.

Processed data: Phone number, username, message content and, where applicable, transmitted media; additionally metadata (e.g. IP address, device information) within the provider’s area of responsibility.

Legal basis: Art. 6(1)(b) GDPR (initiation / performance) or Art. 6(1)(f) GDPR (legitimate interest in communication).

Provider / recipient / third-country transfer: WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Processing of metadata may also take place on servers in the USA. The parent company Meta Platforms, Inc. is certified under the EU-U.S. Data Privacy Framework (DPF) (check status). If the certification ceases to apply, the transfer will be based on appropriate safeguards (e.g. Standard Contractual Clauses / SCC).

Retention period: As long as necessary for processing; business-relevant correspondence and documents generally up to 7 years (e.g. under UGB / BAO).

Further information: WhatsApp Privacy Statement (EEA)

7. Appointment booking

Provider / recipient: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google Calendar as part of Google Workspace)

Purpose: Planning, conducting, and documenting appointments.

How it works: I use redirect links (e.g. via appointment.jle.systems). The booking tool is not embedded in my website. By clicking the link, you leave my website and switch to Google’s area of responsibility (e.g. calendar.google.com).

When accessing the redirect link, strictly necessary log data (e.g. IP address, time, requested URL) may be processed in accordance with section 3 (Cloudflare); only afterwards will the redirect to Google occur.

Processed data: During appointment booking: name, e-mail address, desired time slot, and, where applicable, additional information in a free-text field; additionally technical data (e.g. IP address) within Google’s area of responsibility.

Legal basis: Art. 6(1)(b) GDPR (performance / initiation of a contract) and / or Art. 6(1)(f) GDPR (legitimate interest in efficient appointment management).

Third-country transfer: Google is certified under the EU-U.S. Data Privacy Framework (DPF) (check status). If the certification ceases to apply, the transfer will be based on appropriate safeguards (e.g. Standard Contractual Clauses / SCC).

Retention period: Appointment and booking data is stored for as long as necessary to conduct the appointment and to comply with any statutory retention obligations.

Further information: Google Privacy Statement

8. Presence on social networks

Purpose: Public presentation of my services and communication with interested parties and customers.

Processed data: Depending on interaction, e.g. profile / account data, comments, likes, messages; as well as usage and tracking data within the platform operators’ area of responsibility.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in effective information and communication).

Provider / recipient / notes on responsibility: Where platforms provide me with statistical data (“Page Insights”), the platform operator and I may be jointly responsible for this processing (Art. 26 GDPR).

Platforms used:

• LinkedIn – LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland     Links: Privacy Policy, Opt-Out, Joint Controller Addendum

• Instagram & Threads – Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland     Links: Instagram Privacy, Threads Supplement, Page Controller Addendum

• Google Business Profile – Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland     Links: Google Privacy Statement, Google Business Profile Additional Terms

Third-country transfer: Depending on the platform, transfers to third countries (e.g. USA) may take place. Please refer to the respective platform’s privacy notices for details.

Retention period: I store data from interactions only insofar as it is necessary for communication. The platform operator’s own retention periods are governed by its respective policies.

9. Liability seal (exali AG)

Provider / recipient: exali AG, Franz-Kobinger-Straße 9, 86157 Augsburg, Germany.

Description and scope of data processing: This website uses an integration of the liability seal from exali AG. The graphic element of the seal is loaded dynamically from the servers of exali AG. Due to the technical architecture of the Internet, your IP address is processed in order to transmit the graphic to your browser. If you click on this seal, you will leave my website and be redirected to the servers of exali AG.

Purpose of data processing: The data processing serves the purpose of providing visually appealing proof of the legally required mandatory information regarding professional liability (e.g. pursuant to § 2 para. 1 DL-InfoV).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest). My legitimate interest arises from the purpose of offering an appealing online presence and fulfilling my information obligations in a visually appealing manner.

Further information: exali Privacy Policy

10. Your rights

Data subject rights: You have the right of access, rectification, erasure, restriction of processing, data portability, objection, and—where applicable—withdrawal of consent. Withdrawal is relevant insofar as processing is based on your consent.

Right to object (Art. 21 GDPR): Where I process personal data on the basis of Art. 6(1)(f) GDPR (legitimate interests), you have the right to object at any time, on grounds relating to your particular situation, to such processing. I will then no longer process the personal data unless I can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims. To exercise your right to object, simply send a message to [email protected].

Objection to direct marketing: If personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing. In this case, the personal data will no longer be processed for these purposes.

Note (processing based on legitimate interests): Processing based on Art. 6(1)(f) GDPR may in particular occur in the context of hosting / log files (section 2), CDN / security (section 3), cookies & similar technologies (section 4, where technically necessary identifiers are processed), contact (section 6, where Art. 6(1)(f) applies), social media presence (section 8), and the liability seal (section 9).

Right to lodge a complaint: If you believe that the processing of your data violates data protection law, you may contact me ([email protected]) or lodge a complaint with the Austrian Data Protection Authority ([email protected] / Österreichische Datenschutzbehörde, Barichgasse 40–42, 1030 Vienna, Austria).

11. Scope

This privacy policy applies to the website jle.systems (including subpages) and to personal data processed in the course of business contact or a contractual relationship (B2B / B2C). For external websites that are only linked (e.g. Google services), only their respective privacy policies apply. Additional services / products as well as separate (sub-)domains may have their own supplementary privacy information. In such cases, the respective supplementary privacy notices take precedence for the relevant service.

12. No automated decision-making

No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place.