Privacy Notice

(version as of February 5th 2019)

Download pdf version here to save or print this privacy notice.

Section 1 – Introduction

a. This Privacy Notice (this "Notice") explains which personal data are collected when you visit our websites or (our "Website") and how this data is processed by EOX IT Services GmbH as the data controller ("EOX" or "we").

b. This Notice is addressed to any visitor of our Website ("data subject" or "you").

c. We process your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national data protection laws. Unless otherwise defined in this Notice, the terms used herein shall have the same meaning as defined in the GDPR.

Section 2 – What Personal Data We Collect and How We Use It

a. When you use our Website we may process those personal data which you voluntarily provide to us (e.g. by means of our product order forms or the EOxCloudless Bot).

b. However, you can also visit our Website without actively providing us with information about you. In this case we collect certain data that your browser transmits to our website server (i.e. log files) as well as data that we collect via the use of cookies and similar technologies.

c. The following explanations shall serve to inform you about the different ways we may collect personal data about you on our Website and for what lawful purposes we may use them.

d. Personal data you actively disclose to us

  1. When you actively communicate with us via our Website, we process those personal data that you voluntarily provide to us. In particular, this relates to our following services:

    A. B2B Web Shop: When you choose to purchase one of our products via our Website we ask you to provide certain mandatory information about you and/or your company to complete your order (e.g. name, company, VAT number, address, email, order details and payment information such as credit card or invoice details). Unless communicated otherwise to you, we process these data exclusively for the purpose of processing your order, facilitating your payment and delivering our product (Legal basis: Art 6(1) lit b GDPR – performance of contract).

    B. Email contacts and EOxCloudless Bot: You may decide to get in touch with us via one of the email contacts or the chatbot function ("EOxCloudless Bot") provided on our Website. A chatbot is an artificial intelligence (AI) program that simulates interactive human conversation by using key pre-calculated user phrases and text-based signals. When you choose to contact us via our email contacts or the EOxCloudless Bot the personal data you provide to us (e.g. name, email address and your correspondence data) will be processed for the purpose of creating a contact file, answering your questions, fulfilling your requests or otherwise communicating with you (Legal basis: Art 6(1) lit b and f GDPR – performance of (pre-)contractual duties and legitimate interest in adequate customer relationship management). The EOxCloudless Bot is hosted by HubSpot, Inc., acting as a data processor on our behalf (see Section 3 below).

    C. Marketing Emails: If you subscribe to our marketing Email list via the website or otherwise provide us with your business contact details, we may send you publications, event invitations and/or news which may be of interest to you (Legal basis: Art 6(1) lit b and f GDPR – performance of (pre-)contractual duties and legitimate interest in adequate customer relationship management).

  2. Some of the data we request in connection with our above services may be marked as mandatory fields. You are not required to provide these data. However, without providing this information we may not be able to process your request or provide our services.

e. Log files

  1. You may also visit our Website without actively providing us with information about you. In this case we collect certain data that your browser transmits to our website server (i.e. log files).

  2. Our log files contain the following information: (i) date and time of retrieval of our Website, (ii) type, version and settings of your web-browser, (iii) your operating system and internet service provider, (iv) requested pages and files, (v) website used prior to visiting our Website as well as (vi) your IP-address. The IP address is a specific number assigned to your computer which enables your device to communicate in a network using the Internet Protocol (IP). IP addresses may qualify as personal data as they technically allow the identification of the user in certain circumstances.

  3. The processing of these log files is necessary for us to maintain the functionality, stability and security of our Website. We may also process them for the purpose of forensic investigations in the case of a security incident or in order to generate user traffic statistics.

    Legal basis: Art 6(1) lit f GDPR – legitimate interest in developing and maintaining the functionality, stability and security of our Website.

f. Cookies

  1. In addition, this Website uses cookies. These are small text files that may be placed on your device while browsing our Website which store certain information about you. Cookies cannot access, read or modify other data stored on your device. When we refer to "cookies" we include other technologies with similar purposes, such as pixel tags.

  2. We use two types of cookies on our Website:

    A. Necessary cookies: Without necessary cookies the proper functioning of our Website would not be possible or only to a limited extent. Necessary cookies are used to save your information during the checkout process in our web shop and to properly process your provided payment information. In addition, necessary cookies are used to store your optional cookie consent (see below), session preferences and settings (e.g. for the EOxCloudless Bot). The use of necessary cookies on our Website is possible without your consent. However, you can deactivate cookies at any time by modifying your browser settings. Legal basis: Art 6(1) lit f GDPR (legitimate interest)

    B. Optional cookies: These types of cookies may be used to improve our Website, optimize your user experience or analyze user behavior. Optional cookies are used by our web analytics software Matomo (see Section 2(g) below). Optional cookies are also placed by our data processor HubSpot, Inc.1 ("third party cookie") which tracks visitors using browser cookies. Every time you land on our Website, HubSpot will check for an existing tracking cookie. If one does not exist, a cookie will be associated with you and will log every page visited moving forward. These third party cookies are used for the purpose of analyzing visitors’ behavior as well as optimizing visitors’ experience and marketing campaigns. Optional cookies may also be placed by external advertising companies ("third party cookies"). Optional cookies will only be used upon your consent which you may provide by clicking "OK" on our Website’s cookie banner. This consent can be withdrawn at any time with effect for the future. Legal basis: Art 6(1) a GDPR (consent)

g. Web Analytics – Matomo

  1. In case you have consented to the use of cookies by us, this Website uses the open source software Matomo, a web analytics software developed by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand. Matomo uses cookies to help the Website analyze how users use the site.

  2. The information generated by the cookie about your use of our Website (including your IP address and the URLs of the accessed pages) will be stored by EOX and will not be disclosed to third parties. Your IP addresses is made anonymous by truncating it.

  3. We will use this information for the purpose of evaluating your use of our Website, compiling reports on website activity and providing other services relating to website activity and internet usage. We will not associate your IP address with any other data held by us.

  4. Our processing using the Matomo software is based on your consent which you may provide by clicking "OK" on our Website’s cookie banner (Art 6(1) lit a GDPR). This consent can be withdrawn at any time with effect for the future. You may also refuse the use of cookies by selecting the appropriate settings on your browser (see Section 2(h) below). However, please note that if you do this, you may not be able to use the full functionality of this Website.

h. How to control and manage the use of cookies

  1. By clicking on the "OK"-button in the Website’s cookie banner you agree to the use of optional cookies on our Website. Your consent can be withdrawn (for all or individual cookies) at any time with effect for the future by directing your request to

  2. You may also refuse the use of cookies by selecting the appropriate settings on your browser or by deleting the cookies from the device and browser. Most browsers accept cookies automatically, but you can alter the settings of your browser to erase cookies or prevent automatic acceptance if you prefer. Generally you have the option to see what cookies have been placed and delete them individually, block third party cookies or cookies from particular sites, accept all cookies, to be notified when a cookie is issued or reject all cookies. Visit the ‘options’ or ‘preferences’ menu on your browser to change settings, and check the following links for more browser-specific information:

    Cookie settings in Internet Explorer:

    Cookie settings in Firefox:

    Cookie settings in Chrome:

    Cookie settings in Safari:

  3. You should be aware that any preferences will be lost, if you delete all cookies and many websites will not work properly or you will lose some functionality. We do not recommend turning cookies off when using our website for these reasons.

Section 3 – To Whom We May Disclose Your Personal Data

a. For the above mentioned purposes we may share your personal data with the following recipients:

  1. IT service providers who provide hosting, maintenance and security services as well as certain functionalities for our Website and/or internal business activities

  2. dedicated servers providers

  3. payment service providers

  4. accounting service providers

  5. log collection and monitoring service providers

  6. Where disclosure is required (i) by law or regulation or (ii) to establish, exercise or defend legal claims, we may also disclose personal data to a competent authority, such as supervisory, regulatory or criminal authorities, courts of law or other third parties who advise us in this context (e.g. lawyers or forensics experts).

b. Some of these recipients may be located in countries outside the EU/EEA for which an adequate level of data protection has not yet been established by the EU Commission. In particular, this may include our IT service providers (e.g. HubSpot, Inc.1, Stripe Payments Europe, Ltd.2 and Slack Technologies, Inc.3), who may transfer personal data to third countries, including the United States of America, in the context of providing data processing services to us. It should be noted that the level of data protection in such countries may not be the same as within the EU/EEA. Also, subject to local laws and regulations data may be accessible to local authorities or courts.

c. However, where personal data is transferred to such third countries we ensure that your rights are protected in accordance with the GDPR. This includes the selection of recipients who are certified under recognized protection mechanisms pursuant to Art 45 GDPR (such as HubSpot, Stripe and Slack who are certified under the EU-U.S. Privacy Shield Framework) and/or the conclusion of the EU Commission’s standard contractual clauses for the transfer of personal data (Art 46(2) lit c GDPR). Further details on the implemented safeguards as well as copies of the respective agreements are available on request at

Section 4 – How Long We Keep Your Personal Data

a. Log files (see Section 2(e) above) are generally kept for a period of less than a year. Beyond this time period log files will only be stored for the purpose of investigating irregularities or security incidents in our system.

b. Cookies (see Section 2(f) above) are usually valid for a short term (a day, a week or a month), though in some cases they may remain valid for up to 2 years.

c. Data which you voluntarily provide to us is generally retained for as long as this is necessary for the fulfillment of the purpose for which they were obtained. Thus, in any case we process your personal data for the duration of our contractual or service relationship with you (see Section 2(d) above). Beyond this time period we keep your personal data to comply with statutory retention obligations (e.g. to fulfill the seven year retention obligation under applicable tax and company law). Where necessary we may also keep your data for as long as potential legal claims against us are not yet time-barred; for certain claims the statutory limitation period may be up to 30 years.

d. As soon as there are no legitimate grounds for the further storage of personal data available, they will either be deleted or made anonymous.

Section 5 – Your Rights as a Data Subject

a. As a data subject you have inter alia the following rights under the statutory conditions:

  1. to check whether and what kind of personal data we hold about you and to request copies of such data (right of access)

  2. to request correction, supplementation or deletion of your personal data that is inaccurate or processed in non-compliance with applicable requirements (right to rectification and erasure)

  3. to request us to restrict the processing of your personal data (right to restriction)

  4. in certain circumstances, to object for legitimate reasons to the processing of your personal data or to revoke consent previously granted for the processing (right to object or withdraw consent)

  5. to receive the personal data you provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller (right to data portability)

b. We do not process your personal data for the purpose of taking decisions based solely on automated processing, including profiling, which produce legal effects concerning you (Art 22 GDPR).

c. To exercise any of the above rights kindly send an email to In addition, you have the right to lodge a complaint with a supervisory authority, if you believe your data protection rights have been violated. For Austria the competent authority is the Data Protection Authority (Datenschutzbehörde).

Section 6 – Updates to this Notice

a. We may update this Notice to reflect legal, technical or business changes. When we update this Notice, we will take reasonable steps to inform you about the changes made. You will find the date of the "last update" at the beginning of this Notice.

Section 7 – Disclaimer

a. The Website contains links to third-party websites. We have no control over the content or privacy practices of these other websites. Please read the respective data protection provisions of other websites that you visit.

Section 8 – Our Contact Details

a. Should you have any requests or questions in relation to the processing of your personal data by us, kindly address them to

b. Our office address is: Thurngasse 8/4, 1090 Wien, Austria