Privacy Policy

Responsible within the meaning of the GDPR is:

PASit software GmbH, Staudach 10, 4863 Seewalchen, Austria

Phone +43 7662 299 98 0, E-mail: office@bau-master.com

Data Protection Officer:

Gernot Schiffermayer, MLS, G&S Schiffermayer Consulting GmbH, Schönfeldweg 32, 9061 Klagenfurt-Wölfnitz, Austria

Phone +43 660 65 106 77, E-mail: office@schiffermayer.eu

This privacy policy applies to the use of our website bau-master.com, to contact requests (e.g. contact form, email) and to the use of our software BauMaster (e.g. trial access or ongoing customer relationship).

Personal data is any information that makes you identifiable as a person (e.g. name, email address, IP address).

Data subject is any person whose data is processed.

Processing means everything that is done with data (collecting, storing, using, sharing, deleting).

Consent is your voluntary agreement to the processing of your data.

In particular, you have the right to access, rectification, erasure, restriction of processing, data portability, and objection to certain processing activities.

If processing is based on your consent, you may withdraw it at any time with effect for the future. This does not affect the lawfulness of processing carried out prior to the withdrawal.

Right to object (Art. 21 GDPR): If we process data on the basis of our legitimate interests, you may object for reasons arising from your particular situation. You may also object at any time to the processing of your personal data for direct marketing purposes.

Note on legal restrictions: Please note that data subject rights under the GDPR may be subject to legal restrictions in individual cases (e.g. if exercising them would impair the fulfillment of legal obligations).

For inquiries, simply send an email to office@schiffermayer.eu. To process your request as efficiently and quickly as possible, please indicate in what factual context you believe your personal data is being used. If necessary, we will ask for suitable information or proof of clear identification so that we can securely assign your request.

4.1 Information on the Right to Lodge a Complaint

If you believe that we have violated data protection law, you may lodge a complaint with the Austrian Data Protection Authority. You can find the contact information here: dsb.gv.at. Alternatively, you may direct your inquiry via email to office@schiffermayer.eu, the Data Protection Officer at PASit software GmbH.

In many cases, the processing of your data is based on a legal obligation or is necessary for the fulfillment of a contract or as part of pre-contractual measures. In addition, the processing of your personal data is often based on consent.

5.1 Visiting our website (technically necessary)

When you access our website, our web server processes certain information for technical reasons (so-called server log files), e.g., date/time, URL/referrer, status code, browser information, IP address.

• Purpose: Operation of the website, error analysis, IT security
• Legal basis: legitimate interest (Art. 6(1)(f) GDPR)
• Retention period: typically up to 14 days, unless security-related clarification is required for a longer period

5.2 Contact requests (e.g., contact form, email)

When you write to us, we process the data you provide (typically name, email address, telephone number, and the content of your message).

• Purpose: Processing/responding, follow-up questions, documentation
• Legal basis: depending on context, contract/pre-contract (Art. 6(1)(b) GDPR) or consent (Art. 6(1)(a) GDPR)
• Retention period: as long as necessary; beyond that, only within the scope of legal obligations or for the enforcement/defense of legal claims

5.3 Cookies, consent, and similar technologies

We use various cookies and similar technologies (e.g., local storage) on our website to provide basic functions, analyze usage, and optimize our content and advertising measures. The tools for each cookie category are listed directly on the website.

Necessary cookies are used for basic functions, security, and the technical provision of the website.

Performance/analytics cookies and marketing cookies are generally only used if you have actively given us your consent (exception: Google Tag Manager is listed under necessary cookies).

Third-party providers / third countries (e.g., USA)

Cookies/similar technologies may also result in personal data being processed by us and by third-party providers (e.g., providers of analytics or advertising services). These third-party providers may be based in third countries (e.g., USA) or process data there. For certain third countries, there may be no adequate level of data protection within the meaning of the GDPR. Therefore, there may be a risk that authorities in the third country access data and that no effective legal remedies are available against this.

Consent, withdrawal, and settings

If you click “Accept all cookies” or activate individual categories, you consent to the use of the respective technologies and – depending on the services used – to any transfer to recipients in third countries.

You can withdraw or change your consent at any time with effect for the future via the cookie preferences. Necessary cookies generally cannot be deactivated because they are essential for the operation of the website. Further details on the cookies and similar technologies currently in use (e.g., name, purpose, and retention period) can also be found in the cookie preferences on our website.

5.4 Use of our software / BauMaster trial access

When you use BauMaster (e.g., via trial access or as a customer), we process personal data to provide, operate, secure, and support the software and to further develop it.

What data may be collected?

Depending on usage and role (e.g., administrator, user, contact person), the following data may be processed in particular:

• Account and contact data: Name, email address, telephone number, company, role/function, language settings.
• Login and security data: Access credentials (usually encrypted/secured), login times, technical security information.
• Usage and device data: e.g., browser used, operating system, device identifiers, IP address, timestamp.
• Content/project data in BauMaster: Data that you (or authorized persons in your company) enter or upload in BauMaster (e.g., project information, protocols, photos, documents, notes).
• Support and communication data: Contents of support requests, emails, chat histories, or screenshots if you provide them to us for error analysis.

What do we use this data for?

• Provision of software and functions: User management, authentication, synchronization, storage and display of your content.
• Operation and security: Protection against misuse, attack defense, error analysis, stability and performance monitoring.
• Customer support and assistance: Processing of requests, assistance with technical problems.
• Billing and contract processing (for customers): as necessary for contract fulfillment and compliance with legal obligations.

Legal bases

• Contract/pre-contract (Art. 6(1)(b) GDPR)
• Legal obligation (Art. 6(1)(c) GDPR)
• Legitimate interest (Art. 6(1)(f) GDPR)
• Consent (Art. 6(1)(a) GDPR), if we obtain this in a specific case

Retention period / deletion

We fundamentally only store personal data for as long as necessary for the purposes mentioned above.

• We typically store data from trial access and usage for the duration of the trial access/contract. When a trial access ends or a cancellation occurs, our deletion script provides for a safety period of 180 days before your data is permanently and irrevocably deleted.
• Beyond that, we only store data as required by statutory retention obligations or limitation periods, or when necessary for the defense/establishment of legal claims.

Details on recipients and service providers/tools used can be found in sections 6 and 9 as well as in the respective tool details below.

5.5 Newsletter (Zoho Campaigns)

When you subscribe to our newsletter, we process your personal data to regularly send you information about BauMaster (e.g., product news, updates, invitations, and offers) by email.

What data do we process?

• Master data: Your email address and, if applicable, your name if you provide it.
• Proof of registration: Time of registration and confirmation (double opt-in) as well as technical log data to be able to prove your consent.
• Performance metrics: We evaluate whether a newsletter was opened and whether links were clicked (aggregated open and click rates). We do not use individual click tracking for marketing purposes via website tracking/cookies.

Purposes of processing

• Sending the newsletter
• Measuring and improving content (open and click rates)

Legal basis

• Newsletter dispatch and performance measurement: Consent (Art. 6(1)(a) GDPR)
• Logging/proof of your consent (double opt-in): legitimate interest (Art. 6(1)(f) GDPR), so that we can document lawful registration

Recipients / service providers

Dispatch and analysis are carried out via Zoho Campaigns (ZOHO One) as a service provider (data processor).

Retention period

We fundamentally store your newsletter data until you withdraw your consent (unsubscribe). We retain log data for proof of consent beyond that for as long as necessary for documentation and for the defense/establishment of legal claims.

Withdrawal / unsubscription

You can withdraw your consent at any time with effect for the future by using the unsubscribe link in each newsletter or by contacting us. The withdrawal does not affect the lawfulness of processing carried out up to that point.

5.6 Direct marketing / CRM communication (Zoho CRM, BauMaster App)

We process personal data of prospects and customers to communicate with you as part of the business relationship or for contract initiation. Contact may be made by email or telephone, for example, and is documented in our CRM. Emails can also be sent from the BauMaster app.

What data do we process?

• Contact data: Name, email address, telephone number, company, function/role
• Communication data: Contents and metadata of emails/messages, conversation notes, contact and transaction history
• Organizational data: e.g., responsibilities, status (prospect/customer), appointment references

Purposes of processing

• Responding to inquiries and coordination as part of contract initiation
• Customer communication (e.g., information on use, processing, changes)
• Direct marketing within the legal framework (e.g., product information)

Legal basis

• Contract/pre-contract (Art. 6(1)(b) GDPR)
• Legitimate interest (Art. 6(1)(f) GDPR), particularly in customer care and direct marketing

Retention period

We fundamentally store the data for as long as necessary for communication and (pre-)contractual processing. Beyond that, storage only occurs within the scope of legal obligations or for the defense/establishment of legal claims. Upon request, all customer data in ZOHO CRM can be manually deleted.

Objection

You may object at any time to the processing of your personal data for direct marketing purposes (Art. 21 GDPR).

5.7 Appointment booking (Zoho Bookings)

When you book an appointment via our website or via a link (e.g., consultation, demo, support), we process your data for appointment organization and execution.

What data do we process?

• Name and contact details (e.g., email, telephone number if applicable)
• Appointment data (date/time, time zone, service booked)
• Free text/notes that you provide when booking, if applicable

Purposes of processing

• Appointment scheduling and execution
• Preparation and conducting of the meeting

Legal basis

• Contract/pre-contract (Art. 6(1)(b) GDPR)
• Legitimate interest (Art. 6(1)(f) GDPR) in efficient appointment organization

Retention period

We store the data for as long as necessary for appointment execution, and beyond that only within the scope of legal obligations or for the defense/establishment of legal claims.

We fundamentally do not simply pass on personal data to third parties. A transfer/disclosure only occurs when it is necessary and a legal basis exists, for example:

• to service providers (data processors) who process data exclusively according to our instructions (in particular IT/hosting, maintenance, analysis/monitoring, support, CRM/communication, marketing tools depending on consent)
• to partners/recipients, insofar as this is necessary for contract fulfillment (e.g., payment/billing service providers, shipping/communication – depending on the specific process)
• to authorities/courts, if we are legally obligated to do so

Insofar as service providers act as data processors for us, this is done on the basis of a contract pursuant to Art. 28 GDPR (data processing), if required.

6.1 Data Transfer to Third Countries (e.g., USA)

Some services/providers may process data outside the EU/EEA (e.g., in the USA) or use sub-processors in third countries. When we use such services, we ensure the necessary protective mechanisms pursuant to GDPR (e.g., adequacy decision, standard contractual clauses, additional measures).

Despite protective mechanisms, there may be a risk in individual cases that authorities in the third country obtain access to data.

Specific information on recipient countries, protective mechanisms and – where available – storage periods can be found in the overview (Section 9) as well as in the detailed information on selected tools.

6.2 No Automated Decisions (Note on Art. 22 GDPR)

We do not make solely automated decisions within the meaning of Art. 22 GDPR that have legal effect on you or similarly significantly affect you.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, we implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect your personal data against loss, destruction, manipulation and unauthorized access.

These include in particular:

• Pseudonymization and encryption of personal data (in particular transport encryption, e.g., TLS)
• Measures to ensure the confidentiality, integrity, availability and resilience of systems and services
• Access controls and authorization concepts
• Backups and procedures for rapid restoration of data availability in the event of incidents
• Regular review, assessment and evaluation of the effectiveness of security measures

Please treat access credentials confidentially and protect end devices from unauthorized access.

We will update this privacy policy when our website, processes, or the legal situation changes.

Internal Systems (self-hosted / own infrastructure)

For the operation of our website and individual functions (e.g., content and learning area), we also use systems that are operated by ourselves (self-hosted). In this case, no independent transfer of personal data to the manufacturer of the respective software takes place.

The technical data arising in this context (in particular server/access logs, and error logs if applicable) are processed as part of the technical operation via our hosting and IT service providers as data processors (e.g., hosting/IT for the website or infrastructure hosting).

The following tool sections contain the essential information for each processing operation (purpose, data types, legal basis, recipient/third country, storage period, and revocation/objection).

flexbit (Website‑Hosting/IT)

Operator:	flexbit
Place of processing:	Österreich (Gurten, AT)
Third country transfer:	no
Operator’s privacy policy:	https://flexbit.at/impressum/
Purpose of processing:	Technical operation, hosting, maintenance and IT support of the website
Legal basis:	Art. 6(1)(b) GDPR (Contract) and/or Art. 6(1)(f) GDPR (Operation/Security)
Data transmitted:	Server/Access logs, technical diagnostic data if applicable; content only insofar as necessary for operation/support
Data subjects:	Website users; contact persons in support cases
Retention period:	According to purpose; logs typically time-limited; otherwise project/contract duration + legal obligation
Note:	Data processing pursuant to Art. 28 GDPR (DPA).

next layer (App‑Hosting)

Operator:	next layer, Wien
Place of processing:	Austria (Data centers in Vienna)
Third country transfer:	no
Operator’s privacy policy:	https://www.nextlayer.at/datenschutz/
Purpose of processing:	Hosting/operation of the BauMaster infrastructure
Legal basis:	Art. 6(1)(b) GDPR (Contract) and/or Art. 6(1)(f) GDPR (Operation/Security)
Data transmitted:	Server/Access logs, technical diagnostic data, infrastructure metadata if applicable
Data subjects:	Users of the app/services (indirectly via technical data)
Retention period:	According to purpose; logs typically time-limited; otherwise contract/project duration + legal obligations
Note:	Data processing pursuant to Art. 28 GDPR (DPA)

Google Analytics

Operator:	Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Place of processing:	Irland, EU, USA
Third country transfer:	yes
Operator’s privacy policy:	https://policies.google.com/privacy?hl=de
Purpose of processing:	Reach measurement / usage analysis (statistics)
Legal basis:	Art. 6(1)(a) GDPR (Consent)
Data transmitted:	Online identifiers (Cookies/IDs), usage/interaction data, device/browser information, IP address if applicable (depending on configuration)
Data subjects:	Website users
Retention period:	Google Analytics stores cookies in your web browser for a period of two years from your last visit. The retention period of data stored by the operator is described in more detail in its privacy policy.
Note:	Google processes the data on website usage on our behalf and is contractually committed to measures to ensure the security and confidentiality of the processed data.

Google Tag Manager

Operator:	Google Ireland Limited
Place of processing:	Irland, EU, USA
Third country transfer:	yes
Operator’s privacy policy:	https://policies.google.com/privacy?hl=de
Purpose of processing:	Technical integration/control of website tags (container)
Legal basis:	Depending on loaded tags; analysis/marketing tags typically only with consent; necessary cookies
Data transmitted:	HTTP request logs; additionally dependent on the tags integrated in the container
Data subjects:	Website users
Retention period:	According to Google, HTTP request logs are deleted within 14 days.
Note:

Google Search Console

Operator:	Google Ireland Limited
Place of processing:	Irland, EU, USA
Third country transfer:	yes
Operator’s privacy policy:	https://policies.google.com/privacy?hl=de
Purpose of processing:	Technical analysis/optimization of website performance in Google Search
Legal basis:	Art. 6(1)(f) GDPR (Legitimate interest: error analysis/optimization)
Data transmitted:	Aggregated performance/search data
Data subjects:	Website users (indirectly, typically aggregated data)
Retention period:	Performance data in Search Console: typically available for 16 months.
Note:	Objection possible insofar as processing is based on legitimate interest (Art. 21 GDPR).

Google Ads

Operator:	Google Ireland Limited (ggf. Google LLC)
Place of processing:	Irland, EU, USA
Third country transfer:	yes
Operator’s privacy policy:	https://support.google.com/google-ads/answer/12929169?hl=de#
Purpose of processing:	Advertising, conversion measurement, attribution
Legal basis:	Art. 6(1)(a) GDPR (Consent)
Data transmitted:	Online identifiers (e.g. gcl), usage/interaction data, IP address if applicable, conversion events
Data subjects:	Website users
Retention period:	Reporting data: available for up to 11 years, conversion cookies (gcl): typically 90 days.
Note:	Consent can be revoked at any time via cookie preferences.

Google Firebase

Operator:	Google (Firebase)
Place of processing:	Irland, EU, USA
Third country transfer:	yes
Operator’s privacy policy:	https://firebase.google.com/support/privacy
Purpose of processing:	App functions (e.g. push notifications) and analysis/monitoring if applicable
Legal basis:	Necessary app functions: Art. 6(1)(b) GDPR; Analytics/Tracking (if used): Art. 6(1)(a) GDPR
Data transmitted:	Device/app information, online identifiers if applicable, push tokens, usage/event data if applicable (per module)
Data subjects:	Users of the BauMaster App
Retention period:	If Firebase/GA4 Analytics is used: up to 14 months
Note:	Only basic modules are used.

LoopedIn (Website)

Operator:	LoopedIn
Place of processing:	EU
Third country transfer:	yes
Operator’s privacy policy:	https://www.loopedin.io/privacy
Purpose of processing:	Ideas/Roadmap Tool, Product Feedback
Legal basis:	Consent (Art. 6(1)(a) GDPR)
Data transmitted:	Feedback/communication content; contact details if applicable; technical metadata (e.g. IP address) per use
Data subjects:	Website users
Retention period:	not known
Note:	Data processing only with personal entry

Zoho One (CRM, E-Mail-Marketing)

Operator:	Zoho
Place of processing:	EU
Third country transfer:	no
Operator’s privacy policy:	https://www.zoho.com/de/privacy.html
Purpose of processing:	CRM/customer management, communication, email marketing, billing (depending on modules)
Legal basis:	Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR; if applicable Art. 6(1)(f) GDPR
Data transmitted:	Contact/master data, communication content, contract/billing data if applicable
Data subjects:	Customers/Prospects
Retention period:	After cancellation, deletion from active database in the next cleanup (up to 6 months), backups for another 3 months.
Note:	Data can be deleted immediately upon request. Order processing in accordance with Art. 28 GDPR (DPA); unsubscribe link in every newsletter

Involve.me (Website)

Operator:	Involve.me
Place of processing:	EU
Third country transfer:	no
Operator’s privacy policy:	https://www.involve.me/privacy
Purpose of processing:	Forms/Surveys
Legal basis:	Art. 6(1)(a) GDPR or Art. 6(1)(b) GDPR (depending on form purpose)
Data transmitted:	Form/survey inputs, contact details (per form), technical metadata
Data subjects:	Website users
Retention period:	by default
Note:	Deletion of individual entries is done manually

Vimeo

Operator:	Vimeo
Place of processing:	USA and other countries
Third country transfer:	yes
Operator’s privacy policy:	https://vimeo.com/legal/privacy/policy
Purpose of proessing:	Video embedding
Legal basis:	Art. 6(1)(a) GDPR (Consent) for marketing/tracking-relevant cookies
Data transmitted:	Technical data (e.g. IP address), device/browser information, cookies/IDs if applicable (depending on embedding mode)
Data subjects:	Users of the website/app who load embedded videos
Retention period:	As long as account exists
Note:	Withdrawal of consent (if required) is possible via cookie preferences.

Userflow (BauMaster App)

Operator:	Userflow
Place of processing:	EU
Third country transfer:	nein
Operator’s privacy policy:	https://www.userflow.com/policies/privacy
Purpose of processing:	In‑App Ankündigungen/ Kommunikation (User‑Guidance)
Legal basis:	Art. 6 Abs. 1 lit. f DSGVO (Einwilligung)
Data transmitted:	Nutzungs-/Interaktionsdaten, ggf. Online‑Kennungen/IDs
Data subjects:	Nutzer der BauMaster App
Retention period:	Solange Account bei BauMaster besteht
Note:

PostHog (Produktanalyse)

Operator:	PostHog Cloud EU
Place of processing:	EU
Third country transfer:	no
Operator’s privacy policy:	https://posthog.com/privacy
Purpose of processing:	Product/usage analysis to improve the app
Legal basis:	Art. 6(1)(a) GDPR (Consent)
Data transmitted:	Usage/event data, device information, IDs
Data subjects:	Users of the app/web
Retention period:	Cloud: typically 1 year (Free)
Note:

Microsoft Teams (Meetings)

Operator:	Microsoft (Tenant‑abhängig)
Place of processing:	EU
Third country transfer:	no
Operator’s privacy policy:	https://privacy.microsoft.com/de-de/privacystatement
Purpose of processing:	Online meetings/communication
Legal basis:	Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR (depending on context)
Data transmitted:	Meeting/participation data; if applicable chat/files/metadata
Data subjects:	Meeting participants
Retention period:	according to general Microsoft guidelines
Note:

Zoom (Meetings/Webinars)

Operator:	Zoom
Place of processing:	EU
Third country transfer:	possible
Operator’s privacy policy:	https://www.zoom.com/en/trust/privacy/privacy-statement/
Purpose of processing:	Online meetings/webinars, recordings if applicable
Legal basis:	Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR (depending on context)
Data transmitted:	Account/participation data, meeting metadata; if applicable audio/video/chat/content during recording
Data subjects:	Meeting participants
Retention period:	Cloud Recordings: as long as active account
Note:	Recordings are deleted internally on an annual basis

Zoho Desk (Support)

Operator:	Zoho
Place of processing:	EU
Third country transfer:	no
Operator’s privacy policy:	https://www.zoho.com/privacy.html
Purpose of processing:	Support/Ticketing, Online Help
Legal basis:	Art. 6(1)(b) GDPR (Contract/Pre-contract) and/or Art. 6(1)(f) GDPR
Data transmitted:	Contact/master data, support communication content, ticket metadata
Data subjects:	Customers/Prospects/Users (Support Requests)
Retention period:	After cancellation, deletion from active DB in the next cleanup (up to 6 months), backups another 3 months.
Note:	Data processing agreement pursuant to Art. 28 GDPR (DPA)

Zoho Bookings (Appointment Scheduling)

Operator:	Zoho
Place of processing:	EU
Third country transfer:	no
Operator’s privacy policy:	https://www.zoho.com/privacy.html
Purpose of processing:	Online appointment scheduling, Personal training
Legal basis:	Art. 6(1)(b) GDPR
Data transmitted:	Contact details, such as name and email, notes
Data subjects:	Customers/Prospects
Retention period:	After cancellation, deletion from active DB in the next cleanup (up to 6 months), backups another 3 months.
Note:	Data processing agreement pursuant to Art. 28 GDPR (DPA)