Privacy Policy
This is a non-binding convenience translation of our Privacy Policy. In case of discrepancies between the English and German versions, the German version is legally binding.
The protection of your personal data is of utmost importance to us. We process your data exclusively in accordance with statutory provisions (GDPR, Telecommunications Act 2003). This privacy policy provides an overview of the key aspects of data processing on our website.
1. General Information
For questr GmbH (“we” or “us”), as the controller responsible for processing personal data under the EU General Data Protection Regulation (GDPR), the protection of your personal data is a top priority. We strictly comply with the provisions of the GDPR, the Austrian Data Protection Act (DSG), and other national and European legal regulations, ensuring the highest level of transparency. We implement appropriate technical and organizational measures to keep your personal data secure.
We process personal data in accordance with the principles of lawfulness, fairness, transparency, accuracy, purpose limitation, data minimization, storage limitation, integrity, and confidentiality.
Please read this Privacy Policy carefully. If you have any questions or require further information, you may contact us at any time. Our contact details are provided in Section 2.
2. Data Controller
questr GmbH
Herrengasse 26/3/2
8010 Graz
office@questr.io
www.questr.io
3. Recipients
Depending on the specific data processing activity, your personal data may be shared with industry-standard service providers, such as postal service providers, lawyers, tax consultants, auditors, payment service providers, or other third parties. Since some of these service providers are engaged on a project-specific basis, it is not possible to provide a complete list of recipients in advance. In certain cases, joint controllership may apply when data is shared.
Depending on the purpose of processing, we may transfer your personal data to processors we have engaged, provided this is necessary for carrying out specific tasks. We carefully select our data processors to ensure compliance with data protection regulations. Additionally, we have entered into agreements with these processors to ensure that personal data is handled confidentially, carefully, and in accordance with applicable data protection laws.
4. Processing of Your Personal Data
Below, we describe how we process your personal data.
4.1. Categories of Personal Data
The following categories of personal data may be subject to processing, depending on the contractual relationship or processing purpose:
a) Personal Information: Name, company name, business designation, address, telephone number, email address, date of birth, etc.
b) Log Files: IP address, operating system, referrer URL, entry and exit pages, browser type, browser version, country, date and time of the server request, email data (sender/recipient IP address, email timestamps, mail servers, etc.).
c) Payment Data: Bank and credit card details, transfer information, etc.
d) Appointment Data: Date and time of scheduled (or requested) appointments, location, appointment title, etc.
4.2. Data Transfer to Our IT Service Provider
a) Processing of Personal Data
Our IT service provider has access to all of your personal data.
b) Purpose of Data Processing
This is necessary to ensure that our IT infrastructure is regularly maintained and that any technical issues are resolved.
c) Legal Basis for Data Processing
The processing of personal data is lawful under Article 6(1)(b) GDPR, meaning it is necessary for the performance of a contract, contract initiation, and/or the maintenance of contractual obligations.
Additionally, we have a legitimate interest under Article 6(1)(f) GDPR in ensuring that our IT infrastructure is properly maintained and secured to guarantee its functionality and security.
d) Recipient
TRONIC Innovation GmbH
Mariahilferstraße 24/7
8020 Graz
Data Processor
If you do not consent to your data being transferred to our IT service provider, we will be unable to offer our services to you.
4.3. Website Visitors
Besuchen Sie unsere Website, werden wir personenbezogene Daten von Ihnen verarbeiten.
a) Processing of Personal Data
Log Files
b) Purpose of Data Processing
We process your personal data to ensure the stability and functionality of our website, identify, analyze, and resolve potential issues, and prevent cyberattacks. This allows us to operate, maintain, and improve our website while also providing professional information to our visitors.
c) Legal Basis for Data Processing
Processing is based on our legitimate interest under Article 6(1)(f) GDPR. We have a legitimate interest in operating our website securely and efficiently to protect visitors and deliver website content as intended. No merging of log file data with other data sources occurs. To achieve these objectives, we rely on external service providers.
d) Recipients
- Hetzner Online GmbH
Industriestraße 25
91710 Gunzenhausen Deutschland
Data Processor - Intuition Machines, Inc.
350 Alabama St,
San Francisco CA 94110 - InnoCraft
7 Waterloo Quay PO625
6140 Wellington, New Zealand
Data Processor
If you do not consent to this data processing, please do not visit our website.
4.4. Contact and Communication
If you contact us via email, contact form, messenger, or any other means, we process your personal data as follows:
a) Processing of Personal Data
This includes your personal information, log files, and any other personal data you voluntarily provide to us.
b) Purpose of Data Processing
When you contact or communicate with us, we process the personal data you provide to handle your inquiry and for any necessary follow-ups.
c) Legal Basis for Data Processing
The lawfulness of data processing is based on Article 6(1)(b) GDPR, meaning that the processing of your personal data is necessary for carrying out pre-contractual measures or for the performance of a contract. In other cases, we process your personal data under Article 6(1)(f) GDPR, meaning that processing is based on our legitimate interest in handling your inquiry efficiently and ensuring fast and secure communication.
d) Recipient
Hetzner Online GmbH
Industriestraße 25,
91710 Gunzenhausen Deutschland
Data Processor
If you do not consent to the processing of your personal data, we will be unable to process your inquiry.
4.5. Business Partners and Customers
If you are a (prospective) business partner or customer, we process your personal data as follows:
a) Processing of Personal Data
We process personal information, log files, payment data, and data related to:
(i) The delivery of goods,
(ii) The provision of services, and/or
(iii) Other contractual agreements.
b) Purpose of Data Processing
Your personal data is processed to:
(i) Execute and fulfill contracts, including processing payments and asserting our claims related to the contract,
(ii) Enter into new contracts, and/or
(iii) Maintain existing contractual relationships.
Additionally, we may use your personal data for direct marketing purposes, meaning we may send you information about our products, services, company updates, and promotions.
We also process personal data as part of our corporate management activities, such as accounting and controlling.
c) Legal Basis for Data Processing
The lawfulness of data processing is based on Article 6(1)(b) GDPR, meaning that processing is necessary for the performance of a contract, pre-contractual measures, and/or maintaining contractual obligations. Furthermore, we are legally required to process certain personal data, for example, for anti-money laundering (AML) compliance.
We also have a legitimate interest under Article 6(1)(f) GDPR in processing personal data to ensure proper and efficient business operations, optimize processes, and offer our products and services. Additionally, we have a legitimate interest in processing your personal data for direct marketing to provide you with relevant offers and updates about our products, services, and company.
In some cases, direct marketing communication is sent based on your explicit consent.
When you place an order via our webshop, data processing is also based on our legitimate interest under Article 6(1)(f) GDPR to facilitate webshop transactions. For this purpose, your IP address is processed via session cookies.
d) Recipients
- Aut O’Mattic A8C Ireland Ltd.
Grand Canal Dock, 25 Herbert Pl Dublin
D02 AY86 Ireland
Data Processor - Stripe, Inc.
354 Oyster Point Boulevard,
South San Francisco, California, 94080
Data Controller
As part of our business relationship, you are only required to provide personal data necessary for establishing, executing, and terminating a business relationship or data that we are legally required to collect. Failure to provide such personal data may result in us being unable to enter into or fulfill a contract, and in some cases, we may be required to terminate an existing contract.
4.6. Customer Management
We process our customers’ personal data using the RZL and BMD software systems.
a) Processing of Personal Data
We process personal information, log files, payment data, appointment data, and other contract-related data (see Section 4.5).
b) Purpose of Data Processing
The processing is carried out to manage your user account, provide you with our services, and analyze your user behavior. Based on this analysis, we can improve our service, provide you with relevant offers and information, and suggest optimization measures.
c) Legal Basis for Data Processing
The lawfulness of data processing is based on Article 6(1)(b) GDPR, meaning that processing is necessary for the performance of a contract, pre-contractual measures, and/or maintaining contractual obligations. Additionally, we are legally required to process certain personal data, for example, for anti-money laundering (AML) compliance.
Furthermore, we have a legitimate interest under Article 6(1)(f) GDPR in processing personal data to provide comprehensive services, enhance our offerings, and supply you with relevant information about promotions and services (direct marketing).
d) Recipients
- RZL Software GmbH
Hannesgrub Nord 35
4911 Tumeltsham
Data Processor - BMD Systemhaus GmbH
Sierninger Straße 190
4400 Steyr
Data Processor
If you do not consent to the processing of your personal data, we may be unable to fulfill an existing contract.
4.7. Fan Pages
We operate so-called “fan pages” on various social media platforms. By clicking on the respective links, you will be redirected to our fan page on the relevant social media site.
a) Processing of Personal Data
We process all messages, likes, photos, content, and other interactions that you submit, share, add, or engage with on our social media pages, as well as your log files.
b) Purpose of Data Processing
The purpose of this data processing is to enhance our online presence across various social media channels and to provide you with information about our company, products, and services. Where the processing of personal data occurs as part of communication between you and us, it serves the purpose of processing customer feedback on our products and services and improving our offerings. Additionally, we aim to understand customer opinions and their interactions with our products and services to better meet their needs, provide optimal customer support, and facilitate discussions about our company. In this context, we may process personal data you have publicly shared on social media in connection with us.
c) Legal Basis for Data Processing
The lawfulness of data processing is based on our legitimate interest under Article 6(1)(f) GDPR in increasing our online presence, providing information to potential customers, and fulfilling the purposes outlined above. Additionally, data processing may be carried out for pre-contractual measures under Article 6(1)(b) GDPR. In some cases, we process your personal data based on your consent.
4.7.1. Joint Controllership with Facebook and Instagram
a) Name and Contact Information
Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
b) Privacy Policy
Privacy Policy
c) Information on Joint Controllership
Meta and we are joint controllers with regard to the processing of your personal data in connection with the fan page. The agreement governing joint controllership can be found here.
d) Recipient
Meta is also a recipient of your personal data.
4.7.2. Joint Controllership with LinkedIn
a) Name and Contact Information
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
b) Privacy Policy
Privacy Policy
c) Information on Joint Controllership
LinkedIn and we are joint controllers with regard to the processing of your personal data in connection with the fan page. The agreement governing joint controllership can be found here.
d) Recipient
LinkedIn is also a recipient of your personal data.
5. Processing of Special Categories of Data
No special categories of personal data are processed.
6. Cookies
6.1. General Information
When using our website www.questr.io, cookies and similar technologies (e.g., pixel tags) are used. A cookie is a small text file that is downloaded and stored on your device via your browser. Cookies serve to ensure the proper functioning of our website, enhance its functionality, optimize its performance, and make our services more user-friendly. Additionally, cookies may be used to collect statistical data and for marketing purposes.
With the exception of essential and certain functional cookies (see Section 6.2), cookies can be enabled or disabled via the Consent Manager on our website. Disabling cookies may restrict the functionality of our website.
Further details are available in our Consent Manager.
6.2. Types of Cookies
The least intrusive type of cookies are essential cookies (also known as necessary cookies). These cookies are technically required for the operation of our website. We use them without user consent, in accordance with § 165(3) of the Austrian Telecommunications Act (TKG) 2021. Essential cookies cannot be disabled.
There are also functional cookies (sometimes called comfort cookies). These cookies allow a website to remember user preferences, such as stored user IDs, granted consents, or selected languages, as well as other personalization settings. Functional cookies that are necessary for requested services are set without user consent, in accordance with § 165(3) TKG 2021. Necessary functional cookies cannot be disabled, including those related to digital shopping carts.
Additionally, analytics and performance cookies are used to monitor and enhance website functions and services. These cookies help detect usability issues, facilitate online surveys, track visitor numbers, and provide analytical metrics.
Session cookies are stored only for the duration of a session, while persistent cookies remain stored permanently or for their predefined retention period.
First-party cookies are set by us, while third-party cookies are set by external service providers.
More detailed information can be found in our Consent Manager.
6.3. Legal Basis
With the exception of essential and necessary functional cookies (see Section 6.2), cookies are set based on the user’s consent. Consent can be revoked at any time without providing a reason. The withdrawal of consent does not affect the lawfulness of data processing conducted prior to the withdrawal.
The withdrawal of consent for the processing of your personal data in connection with the storage of cookies can be exercised in particular by deleting the cookies in your browser settings or by withdrawing consent in our Consent Manager.
7. Data Transfers to Third Countries
Data transfers to a third country are permitted under the GDPR if the country in question has been deemed to provide an adequate level of data protection (a secure third country).
The European Commission has issued adequacy decisions for certain third countries, certifying that they provide an appropriate level of data protection. A list of these countries can be found at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
We only transfer your data to third countries for which an adequacy decision has been issued.
8. Data Retention
Unless a specific retention period has been communicated to you, we process and, in particular, store your personal data for as long as necessary to achieve the relevant processing purpose (e.g., contract fulfillment, handling your inquiry, etc.).
However, we will not delete your personal data if we are legally required to retain it, for example, under corporate or tax law obligations. Additionally, we retain your personal data for as long as you may assert claims against us. In this regard, we will continue to store any personal data necessary for legal defense. Under Austrian civil law (ABGB), the statutory limitation periods generally range from three to thirty years.
9. Confidentiality
All of our employees are bound by confidentiality obligations regarding any information entrusted to them or made known to them in the course of their employment. This obligation continues beyond the termination of their employment relationship.
10. Data Security
Data security is a top priority for us. We have implemented all necessary technical and organizational measures in accordance with Article 32 GDPR to ensure the security of data processing and to protect personal data against loss, destruction, unauthorized access, alteration, or disclosure. Our IT infrastructure meets current security standards and is subject to regular reviews.
Our website uses SSL (Secure Sockets Layer) encryption, an industry standard, to ensure the confidentiality of your personal data when transmitted over the internet. You can recognize an encrypted connection by the closed padlock symbol in your browser’s address bar.
Databases or records containing personal data may be compromised due to accidental breaches or unlawful access. If we become aware of a data breach, we will notify all affected individuals whose personal data may have been compromised. This notification will include a description of the measures taken to mitigate potential harm caused by the breach. Such notification will occur as soon as possible after the breach is discovered.
11. Information for Children
Our website and services are not intended for children under the age of 16. If we become aware that we have collected personal data from a child under 16 years old, we will take appropriate steps to delete such data as quickly as possible, unless we are legally required to retain it. If you believe we have collected information from or about a child under the age of 16, please contact us immediately.
12. Data Subject Rights / Contact
Under the GDPR, you have the following rights:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (“right to be forgotten”) (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
If the processing of your personal data is based on your consent, you have the right to withdraw this consent at any time with immediate effect. The withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
The withdrawal of consent for cookie-based data processing can be exercised by deleting cookies in your browser settings or revoking consent via our website.
If you have questions about the processing of your personal data, wish to object to processing, withdraw previously granted consent, or feel that your data protection rights have been violated, please contact us.
Additionally, you have the right to lodge a complaint with the supervisory authority:
Austrian Data Protection Authority (Österreichische Datenschutzbehörde)
Barichgasse 40-42, 1030 Vienna
Email: dsb@dsb.gv.at
Effective Date: May 2, 2024