Privacy policy

Our data security principles

• We try to reduce the amount of collected data to what is necessary for providing our services
• We communicate internally only via encrypted communication
• Unsafe communication (like email) is switched to secure communication as quickly as possible
• All our mobile hard drives are encrypted
• Unencrypted USB-sticks are used sparingly and only for public data (e.g. presentations).
• If technically possible, all our mobile devices are encrypted.
• Anything which cannot be encrypted is locked away and inaccessible to anyone outside of the company.

Controller

Neurohr Bytes Software e.U.
Contact details see "Processor".

Controller's Data Protection Officer

KITTL4web | Inh. Udo B. S. KITTL
Contact details see "Processor's Data Protection Officer".

Processor

Ing. Philipp Neurohr, BSc, MSc

Neurohr Bytes Software e.U.

Web: neurohr.bytes.software

Email: [email protected]

Burgenland: Mogersdorf 6, 8382 Mogersdorf, Austria

Tel: +43-680-2311-673

UID: ATU70020158 | FN: 443581a

Court of jurisdiction Graz, Austria

Report a vulnerability: Coordinated Vulnerability Disclosure (CVD) Policy

Next to our company internal servers Neurohr Bytes Software e.U. has servers with following providers:

internex GmbH

Alserbachstraße 30

1090 Wien

Österreich

Firmenbuchnummer: 342171v

UID: ATU65604535

Ledl.net GmbH

Domaintechnik.at

Lederergasse 6

5204 Straßwalchen

Österreich

Firmenbuchnummer: FN 258818s

UID: ATU 61529037

In order to defend servers against DDoS attacks selected services and services under attack use Cloudflare, if the sensitivity of the processed data allows this measure.

Cloudflare Germany GmbH

Rosental 7

80331 München

Deutschland

+49 89 25552276

Transparency report

Processor's Data Protection Officer

KITTL4web | Inh. Udo B. S. KITTL

Web: www.kittl4web.at

E-mail: [email protected]

Öblarn 71

8960 Öblarn

Telephone: +43 660 232 82 27

TEL/Fax: +43 3684 20387

internex GmbH:

[email protected]

Ledl.net GmbH:

Franz Reischenböck

Stv: Fabian Ledl

Capture

Your data is captured personally by our employees, or provided by you via this portal.

Access and usage

Our employees can access your data via access controlled, two-factor authenticated, portal interfaces.

Storage

On production environments your data is stored on servers in our control.

On archival systems your data is stored on encrypted hard drives and locked servers. Our employees have no direct access to these storages during regular operation.

Disposal and archives

In production environments your data is deleted on request.

Your data is automatically deleted if you close your account.

On archival systems data is kept for up to 10 years (see below).

Your individual data cannot be deleted from (database) backups because of technical limitations. Only named individuals of the controller and processors, with a special clearance and after completing an internal data protection training, can access these backups.

Backups are only accessed in order to restore services, find errors, or provide data for reasonable and valid in law demands by public offices and courts of justice. We will never use backups for any form of marketing analysis, or in order to restore data you wanted to be deleted.

If data is provided to courts of justice and public offices, this is only done in accordance with our Data Protection Officer. If we are not prohibited by law, we will always try to contact you to inform you about such data release.

Database backups of the portal are kept for 10 years.

Invoicing data is kept for 10 years.

Log files of the portal are kept for up to 90 days.

IP addresses of failed and successful login attempts are kept for up to 90 days.

Browser platforms, names and versions, which were used during login attempts, are kept for up to 90 days.

Other backups of the portal are kept for up to 90 days.

Transmission within member states of the European Union and countries with an Adequacy decisions on the basis of article 45 of Regulation (EU) 2016/679

Your data is transmitted for following reasons:

Communication: e.g. letters, emails, telephone

Contract fulfilment: e.g. bank account

Demands from public offices and courts of justice if reasonable and valid in law: We will comply with demands valid in law.

If data is provided to courts of justice and public offices, this is only done in accordance with our Data Protection Officer. If we are not prohibited by law, we will always try to contact you to inform you about such data release.

Transmission to non-member countries

There is no planed transmission of your data to non-member countries or international organisations, with the exception of your personal demands (e.g. contact address in a non-member country).

Cookies and external services

Information regarding the EU directive 2009/136/EC
This online tool uses Cookies, Cloudflare and hCaptcha to provide the best possible functionality, to improve the service and to protect the portal from attacks.

When you visit our portal you will receive some cookies necessary for the provision of the portal's services

XSRF-TOKEN: This cookie helps us to battle Cross-Site-Request-Forgery (Wikipedia) .

laravel_token: This cookie is also used to battle Cross-Site-Request-Forgery (Technical reference) .

portal_name_session: This is a secure and encrypted cookie storing all volatile data of your session.

remember_web_random_string: This cookie is set if you check the "Remember login" button during login.

browser_authentication: This cookie is set to reduce the amount of CAPTCHA-challenges in the current browser.

If necessary

Cloudflare: In order to defend servers against DDoS attacks selected services and services under attack use Cloudflare, if the sensitivity of the processed data allows this measure.

Several cookies for hcaptcha.com: These cookies are set by hCaptcha at the latest if the login form is shown. hCaptcha are the picture challenges you have to solve before being able to login. This prevents attackers from accessing your account just by testing random password until one matches. hCaptcha data security notice

Several cookies for vimeo.com: This cookies are set when a Vimeo video or preview is loaded on the page. Vimeo's Cookie Policy

Several cookies for youtube.com: This cookies are set when a YouTube video or preview is loaded on the page. YouTube data security notice

__stripe_mid: Fraud prevention by the payment provider Stripe. Stripe's Cookie Policy

Matomo: On pages which use our Matomo analysis:

• _pk_ref
• _pk_cvar
• _pk_id
• _pk_ses
• _pk_hsr
• matomo_sessid
• mtm_consent, mtm_consent_removed and mtm_cookie_consent
• matomo_ignore, when you exclude yourself from being tracked (opt-out)

These are used to store your tracking preferences and if you allow us to analyse your visits, pseudonyms to recognise your browser. Please visit Matomo for up-to-date information.

Tips for privacy aware browsing

In order to block so-called tracking-cookies we suggest that you use DuckDuckGo, both the app, as well as the browser extention.

As alternative, or in addition, we can recommend the browser extension Privacy Badger, which also sends Do Not Track signals to each website, if requested (see below).

Do Not Track (DNT) policy

dnt-policy.txt

Our software respects Do Not Track signals sent by your browser and takes care that external services are only connected with explicit permission. This can lead to limited functionality and additional user interactions: Videos don't autoplay, payment providers are not available, registration is not possible, if an external CAPTCHA-service is required as additional security, etc.
Permission is given per service, i.e. if you allow one video to play then all videos from that external provider are allowed to play in your current session.