1. Responsible Party

The party responsible for data processing on this website is:

Ungiftig FlexCo
Talgasse 43, 2620 Neunkirchen, Niederösterreich, Austria
Email: servus@ungiftig.at
Phone: +43 720 732 583

For enquiries with a German operational connection, the affiliated Ungiftig UG (haftungsbeschränkt), Graf-Salm-Straße, 94036 Passau, Germany acts as joint controller. Details on the corporate structure are set out in the Legal Notice.

2. Hosting

This website is operated via a self-managed Coolify server on infrastructure provided by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Hetzner processes personal data (IP addresses, access times) on our behalf as part of the technical provision of the website. The data centres are located in Germany. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of the website). A data processing agreement (DPA) with Hetzner is in place.

3. Data Collection on This Website

Server log files

Each time this website is accessed, the following data is automatically recorded and stored in server log files:

  • IP address of the requesting device
  • Date and time of access
  • Page accessed (URL) and referrer URL
  • Browser type and operating system
  • Data volume transferred and HTTP status code

This data is used to ensure operation and to detect attacks. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the security of the website). Log files are automatically deleted after 30 days.

Cookies

This website uses only technically necessary cookies (e.g. banner-dismiss state). No marketing or tracking cookies are set. The legal basis is Art. 6(1)(f) GDPR.

Contact requests

If you contact us by email or via a booking form (Calendly), your details (name, email address, message content) are stored for the purpose of processing the enquiry and in case of follow-up questions. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries). Contact data is deleted after the enquiry is concluded and any statutory retention periods have expired (typically 7 years under Austrian tax and commercial law).

Location reports (interactive map)

Users can report asbestos contamination sites via the form on /en/asbestos-locations/. The following data is processed:

  • Location data (GPS coordinates of the reported site): displayed publicly on the map.
  • Photos (detail and wide shot, optionally lab report): displayed publicly after approval.
  • Email address (optional): used exclusively for follow-up queries and never displayed publicly.
  • IP address: stored for abuse prevention (rate limiting) and never displayed publicly.
  • Place name and description: displayed publicly.

Legal basis: Art. 6(1)(a) GDPR (consent via checkbox on the form). Consent may be withdrawn at any time by email to servus@ungiftig.at. Photos and location data are deleted upon withdrawal. Processing is carried out by Ungiftig FlexCo (controller) on servers of Hetzner Online GmbH in Germany.

Quiz guesses

On /en/asbestos-identification/ users can submit guesses on rock samples. Two storage locations are used:

  • Local in the browser: your own guesses are stored in localStorage so they reappear on later visits. This data does not leave the browser and is not visible to us.
  • Anonymous aggregation on our server (db.ungiftig.at): so that the aggregated guesses of all participants can be shown at the end of the round, each individual guess is sent to our server. Only the following is transmitted: sample ID, the chosen answer (rock, minerals, percentage) and a random per-browser identifier (UUID) generated client-side and stored in localStorage. No name, email address or user account is transmitted.

The random per-browser identifier is not personal data within the meaning of Art. 4(1) GDPR, but it allows us to detect repeated voting from the same browser and keep the aggregation clean. It can be reset at any time by clearing browser data. IP addresses are not persistently stored for this function (they are necessarily visible at the TCP layer but are not linked to the guess records).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in aggregated evaluation of the guesses to demonstrate the didactic effect of the quiz). The db.ungiftig.at server is operated by Ungiftig FlexCo itself (Coolify infrastructure on Hetzner Online GmbH, Germany).

4. Web Analytics

This website uses Umami (umami.is), a privacy-friendly, cookieless analytics tool. Umami is self-hosted on our own infrastructure (umami.m-m-m.at), not with a third-party provider. No personal data is transmitted to third parties. Umami collects:

  • Page views (which pages are visited)
  • Referrer (which page the visitor came from)
  • Browser and device type (aggregated)
  • Country (derived from the IP address, but without storing the IP address)

Umami does not set cookies and does not store IP addresses. Individual visitors are not identifiable. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in analysing website usage to improve the service).

5. Your Rights (Art. 15 to 21 GDPR)

You have the following rights with regard to your personal data held by the responsible party:

  • Access (Art. 15 GDPR): You may request information about the data we hold about you.
  • Rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligation applies.
  • Restriction of processing (Art. 18 GDPR): You may request that the processing of your data be restricted.
  • Data portability (Art. 20 GDPR): You may request that we transmit your data to you in a commonly used, machine-readable format.
  • Objection (Art. 21 GDPR): You may object to the processing of your data based on Art. 6(1)(f) GDPR at any time.

To exercise your rights, please contact servus@ungiftig.at.

6. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with the competent data protection supervisory authority:

  • For Austria: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Wien, dsb.gv.at
  • For Germany: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, lda.bayern.de