Privacy Policy

Information on processing personal data pursuant to GDPR, DSG and TKG 2021

Version: 1.1
As of: June 2026

The protection of personal data is of particular importance to us. We process personal data exclusively on the basis of applicable data protection law, in particular the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and — where applicable — the Austrian Telecommunications Act 2021 (TKG 2021).

This privacy policy explains which personal data we process in connection with our website, our SaaS platform "Thelixis e.U.", our AI-supported features, and in communication and contractual processes.

1. Data Controller

Thelixis e.U.
Owner: Kristina Momirovic
Hildebrandgasse 39
1180 Vienna
Austria

Email: office@iia-analysis.at

Commercial Court: Commercial Court Vienna
VAT ID: ATU68027725

2. Privacy Contact

For questions about data protection, the processing of personal data or to exercise your rights, you can contact us at any time:

Email: office@iia-analysis.at

Where required by law, a data protection officer will be appointed and their contact details published here.

3. Definitions

Personal data means any information relating to an identified or identifiable natural person. This includes in particular name, email address, telephone number, IP address, usage data, contract data, payment data, and content entered by users into our platform insofar as it allows conclusions to be drawn about individuals.

Processing means any operation performed on personal data, including collection, storage, use, transmission, disclosure, deletion or evaluation.

Controller means the entity that determines the purposes and means of processing.

Processor means the entity that processes personal data on behalf of a controller.

4. Role of Thelixis e.U.

a) Controller

We act as controller when we process personal data for our own purposes, in particular for:

  • Operating our website
  • Handling inquiries
  • Concluding and managing contracts
  • Invoicing and accounting
  • Payment processing
  • Direct communication with prospective and existing customers
  • Fulfilling legal obligations
  • IT security, abuse prevention and system administration
  • Marketing, where permitted or consented to

b) Processor

Where customers use our SaaS platform and enter personal data of their own end customers, employees, leads, applicants, business partners or other third parties into the platform, we generally process such data as a processor within the meaning of Art. 28 GDPR.

In this case, the respective customer remains the controller responsible for the lawfulness of processing, the selection of data, the purposes of processing, informing data subjects and safeguarding data subject rights.

A data processing agreement (DPA) pursuant to Art. 28 GDPR is a mandatory part of the contractual relationship with business customers who process personal data within the platform. The DPA can be downloaded directly as a PDF. For questions please contact office@iia-analysis.at.

5. Categories of Data

5.1 Website and Access Data

  • IP address
  • Date and time of access
  • Pages visited
  • Browser type and version
  • Operating system
  • Referrer URL
  • Technical device information
  • Log files
  • Cookie and consent information

5.2 Contact and Communication Data

  • Name
  • Email address
  • Telephone number
  • Company
  • Function or role
  • Content of messages
  • Communication history

5.3 Contract and Customer Data

  • Name/company
  • Billing address
  • VAT number
  • Contract data
  • Booked services
  • Duration of use
  • Payment status
  • Support requests
  • Contract correspondence

5.4 User Account Data

  • Name
  • Email address
  • User role
  • Login data
  • Password in encrypted form
  • Organisation affiliation
  • Permissions
  • Authentication data
  • Usage log data

5.5 SaaS Usage Data

  • Login timestamps
  • Features used
  • System events
  • Analysis and dashboard activity
  • Uploaded or entered content
  • Queries, prompts or inputs in AI features
  • Results, evaluations and generated content
  • Technical error and security logs

5.6 Customer Data within the Platform

Customers may upload, capture or analyse their own data within our SaaS platform. Depending on use, this data may contain personal data.

  • Customer data
  • Lead data
  • Company data with personal reference
  • Sales data
  • Communication data
  • Transaction data
  • Analysis and reporting data
  • Other content provided by the customer

The customer is responsible for entering only data into the platform that may be lawfully processed.

5.7 Payment and Billing Data

  • Invoice data
  • Payment information
  • Transaction status
  • Accounting data
  • Tax-relevant information

Payment data may be processed by external payment service providers. The specific payment providers used are named in this policy or during the payment process.

6. Purposes of Processing

  • Providing the website
  • Providing, operating and developing the SaaS platform
  • Setting up and managing user accounts
  • Authentication and access control
  • Concluding and performing contracts
  • Customer support
  • Invoicing and payment processing
  • Providing analysis, reporting and AI features
  • Technical stability and security
  • Error analysis and abuse detection
  • Logging of security-relevant events
  • Compliance with statutory retention and documentation obligations
  • Communication with prospects, customers and business partners
  • Improving usability and product quality
  • Marketing and newsletters, where permitted or consented to
  • Asserting, exercising or defending legal claims

7. Legal Bases for Processing

a) Art. 6(1)(b) GDPR

Performance of a contract and pre-contractual measures, in particular for providing our SaaS services, setting up user accounts, customer communication, preparation of offers, contract processing and support.

b) Art. 6(1)(c) GDPR

Legal obligation, in particular tax, corporate law, accounting and statutory retention obligations.

c) Art. 6(1)(f) GDPR

Legitimate interest, in particular IT security, abuse prevention, system administration, error analysis, product improvement, direct marketing within the permitted scope, documentation of business processes and defence of legal claims.

d) Art. 6(1)(a) GDPR

Consent, in particular for optional cookies, tracking technologies, newsletters and certain marketing measures. Any consent given can be withdrawn at any time with effect for the future.

e) Art. 28 GDPR

Where we process personal data on behalf of our customers within the SaaS platform, processing is based on a data processing agreement pursuant to Art. 28 GDPR.

8. AI Features and Processing by Artificial Intelligence

Our SaaS platform may include AI-supported features, such as for data analysis, pattern recognition, summaries, forecasts, recommendations, structuring or decision support.

8.1 Nature of AI Processing

  • Analysis of entered or uploaded data
  • Processing of prompts and queries
  • Generation of texts, summaries, reports or recommendations
  • Classification, structuring or prioritisation of information
  • Support with data-based evaluations
  • Detection of patterns and relationships
  • Creation of forecasts or action proposals

8.2 No Solely Automated Decision-Making with Legal Effect

Our AI features are generally designed as support and analysis tools. They are not intended to subject data subjects to solely automated decisions that have legal effects on them or similarly significantly affect them.

8.3 Customer Responsibility for AI Inputs

Customers and users may only enter personal data into AI features that they are authorised to process. Special categories of personal data pursuant to Art. 9 GDPR may only be processed if an explicit legal basis exists and this is contractually permitted.

8.4 Data Minimisation, Prompt Processing and Deletion Concept

We recommend avoiding, anonymising or pseudonymising personal data as far as possible when using AI features. Internally, the following principles are binding:

  • Data minimisation: Only the minimised content necessary for the respective analysis request is transmitted to the AI infrastructure. Original documents (PDFs, images) remain in the platform and are not forwarded to external AI services.
  • Prompt logging: Prompts and AI requests are logged within the platform for error analysis and system improvement purposes. This log data is deleted after a maximum of 90 days.
  • Deletion concept: AI-generated results and analyses are deleted together with the associated customer data after the contractually agreed retention period or upon the customer's request.
  • Access controls: Access to AI logs and processed content is restricted to authorised personnel and is audit-logged.
  • No training use: Customer data is not used to train our own or third-party AI models. This is contractually excluded with AWS Bedrock (DPA).

8.5 Use of Third-Party AI Providers

Where external AI service providers are used for AI features, this is only done on the basis of appropriate contractual agreements.

  • Amazon Web Services EMEA SARL (AWS Bedrock)
  • Registered office: Luxembourg (EU)
  • Server location: eu-central-1, Frankfurt am Main, Germany
  • Purpose: Providing AI-supported analysis and generation features via Anthropic's Claude model
  • Data categories: Processed prompts, extracted and structured content excerpts and technical usage data (e.g. timestamps, request metadata). No transmission of original PDFs or original image files.
  • Third-country transfer: none. AI processing is carried out exclusively within the EU on AWS infrastructure in Frankfurt (eu-central-1).
  • Storage period at the provider: exclusively to the technically required extent for API operation. AWS Bedrock does not permanently store prompts and responses and does not use them for model training.
  • Use for training purposes: contractually excluded. AWS guarantees within the AWS Data Processing Addendum (DPA) that customer data is not used to train AI models.
  • Data processing agreement: yes, based on the AWS Data Processing Addendum pursuant to Art. 28 GDPR.

The model used (Claude by Anthropic) is provided via AWS Bedrock infrastructure. No direct data transmission to Anthropic, PBC (USA) takes place.

8.6 Training of AI Models

Personal customer data is not used to train our own or third-party AI models without a separate legal basis and without explicit contractual provision.

8.7 Transparency for AI-Generated Content

Where content is generated or substantially modified by AI, this may be indicated within the platform.

9. Cookies and Similar Technologies

9.1 Technically Necessary Cookies

Technically necessary cookies are required to provide the website and platform securely and functionally.

  • Login and authentication
  • Shopping basket or order process, where applicable
  • Security
  • Language settings
  • Consent management
  • Session management

Processing is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR or for contract performance pursuant to Art. 6(1)(b) GDPR.

9.2 Optional Cookies

Optional cookies, in particular for analysis, marketing or external media, are only set where corresponding consent has been given.

9.3 Cookie Overview

session
Provider: Thelixis e.U.
Purpose: Login session, authentication, user role, security token, language setting
Category: Technically necessary
Retention: Until end of browser session (session cookie) or maximum 7 days when actively logged in; after 24 hours of inactivity
Legal basis: Art. 6(1)(b) and (f) GDPR

cf_clearance, _cf_bm (only when Cloudflare Turnstile is active)
Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA – Server location Frankfurt (EU)
Purpose: Bot protection and abuse prevention (Cloudflare Turnstile) on the registration form
Category: Technically necessary
Retention: Session or up to 30 minutes
Legal basis: Art. 6(1)(f) GDPR
Third-country transfer: Cloudflare processes data on the basis of EU Standard Contractual Clauses (SCCs)

No further cookies are currently set. No analysis, marketing or tracking cookies are used.

10. Web Analytics and Tracking

We do not use external web analytics or tracking services (such as Google Analytics, Matomo Cloud or Plausible Cloud). In particular, Google Analytics is not used on this website.

We operate our own first-party telemetry (IIA Landing Telemetry, server-side):

  • Provider: Thelixis e.U.
  • Purpose: Analysis of website usage (e.g. page views, registration interest) and improvement of our offering
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving our website); optional analytics events only with consent pursuant to Art. 6(1)(a) GDPR
  • Third-country transfer: none; all analytics data is processed and stored exclusively within our own platform on Render infrastructure in Frankfurt
  • Retention: Raw data maximum 90 days; aggregated evaluations without personal reference longer

11. Sub-processors and Technical Service Providers

We use the following processors and sub-processors. Data processing agreements (DPAs) have been concluded with all service providers where required.

Hosting & Infrastructure: Render
Provider: Render Services, Inc., 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA
Server location: Frankfurt, Germany (EU West)
Purpose: Hosting of web application, databases, storage, network infrastructure
Legal basis: Art. 6(1)(b) and (f) GDPR
Third country: USA – Render Data Processing Agreement + EU Standard Contractual Clauses (SCCs) pursuant to EU Commission Decision 2021/914
DPA: render.com/privacy

AI Infrastructure: Amazon Web Services (AWS Bedrock)
Provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg
Server location: eu-central-1, Frankfurt am Main, Germany (EU)
Purpose: AI inference via AWS Bedrock (Claude model by Anthropic)
Legal basis: Art. 6(1)(b) and (f) GDPR
Third country: none – processing exclusively within the EU
DPA: AWS Data Processing Addendum (GDPR-compliant)

Email Delivery: Brevo
Provider: Sendinblue SAS (Brevo), 55 rue d'Amsterdam, 75008 Paris, France
Purpose: Transactional emails (registration confirmations, notifications, CRM emails)
Legal basis: Art. 6(1)(b) and (f) GDPR
Third country: none – registered in the EU (France)
DPA: Brevo Data Processing Agreement

Payment Processing: Stripe
Provider: Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
Purpose: Payment processing, subscription management, invoicing
Legal basis: Art. 6(1)(b) GDPR
Third country: none – registered in the EU (Ireland)
DPA: Stripe Data Processing Agreement

Security & Bot Protection: Cloudflare Turnstile
Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
Server location: Frankfurt (EU)
Purpose: Bot protection on the registration form (Cloudflare Turnstile – no tracking cookies)
Legal basis: Art. 6(1)(f) GDPR
Third country: USA – EU Standard Contractual Clauses (SCCs)

Accounting: BMD NTCS
Provider: BMD Software GmbH, Pfenningbergstraße 89, 4040 Linz, Austria
Purpose: Accounting, invoicing, tax records
Legal basis: Art. 6(1)(c) GDPR (legal obligation)
Third country: none – registered in Austria (EU)

12. Recipients of Personal Data

Personal data may be transferred — to the extent necessary — to the following categories of recipients:

  • Hosting and cloud service providers
  • IT and maintenance service providers
  • AI service providers
  • Payment service providers
  • Accounting and tax advisors
  • Legal advisors
  • Communication and email service providers
  • CRM or support systems
  • Analytics and monitoring services
  • Authorities and courts, where required by law
  • Other service providers required to provide our services

13. Third-Country Transfers

Personal data is only transferred to countries outside the EEA where the conditions of Art. 44 et seq. GDPR are met.

The following third-country transfers currently exist:

  • Render Services, Inc. (USA): Transfer on the basis of EU Standard Contractual Clauses (SCCs, EU Commission Decision 2021/914). Data processing takes place on servers in Frankfurt (EU).
  • Cloudflare, Inc. (USA): Transfer on the basis of EU Standard Contractual Clauses (SCCs). Bot-protection processing on servers in Frankfurt (EU).

All other service providers used (AWS EMEA, Brevo/Sendinblue, Stripe Europe, BMD) are registered within the EU/EEA. No transfer to third countries by these providers takes place within the scope of our engagement.

14. Retention Periods

We store personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations.

  • Contract and invoice data: 7 years from the end of the financial year (§ 132 BAO, § 212 UGB)
  • Communication data (email, contact form): up to 3 years from last contact (general civil law limitation period)
  • User account data: for the duration of the active account; after deletion or termination maximum 30 days, then permanently deleted; tax-relevant data excluded
  • Log files / system logs: 90 days, then automatically deleted
  • AI log data (prompts, requests): maximum 90 days
  • Support data: up to 3 years after completion of processing
  • Data within the SaaS platform (customer data): as per customer contract; after contract end or upon request, deletion within 30 days
  • Login sessions (session cookie): maximum 7 days; after 24 hours of inactivity
  • Application data: maximum 6 months after completion of the application process
  • Telemetry / web analytics (first-party): raw data maximum 90 days; aggregated evaluations without personal reference longer

15. Data Security

We implement appropriate technical and organisational measures to protect personal data.

  • Access controls
  • Authentication and authorisation concepts
  • Encryption during transmission
  • Encryption or pseudonymisation where appropriate
  • Logging of security-relevant events
  • Regular backups
  • Updates and security measures
  • Separate tenant and customer data areas where technically provided
  • Confidentiality obligations
  • Selection of reliable service providers
  • Measures for availability and resilience of systems
  • Procedures for restoring data
  • Ongoing review and improvement of security measures

16. Data Subject Rights

Data subjects have the following rights under the GDPR:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right to withdraw consent
  • Right not to be subject to an unlawful solely automated decision

To exercise these rights, a message to the following address is sufficient: office@iia-analysis.at

Where we process personal data solely as a processor on behalf of a customer, we generally forward data subject requests to the respective controller or assist them in accordance with the data processing agreement.

17. Withdrawal of Consent

Any consent given may be withdrawn at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal is not affected.

18. Right to Object

Data subjects have the right to object at any time, on grounds relating to their particular situation, to processing of personal data where processing is based on Art. 6(1)(e) or (f) GDPR.

In the case of direct marketing, an objection may be lodged at any time without giving reasons.

19. Right to Lodge a Complaint with a Supervisory Authority

If you consider that the processing of your personal data infringes data protection law, you have the right to lodge a complaint with a supervisory authority.

The competent authority in Austria is:

Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40–42
1030 Vienna
Austria
Website: www.dsb.gv.at

20. Obligation to Provide Data

The provision of certain personal data is required for the conclusion and performance of a contract. Without this data we may not be able to provide our services in full or at all.

The provision of data for marketing, optional cookies or certain analytics functions is voluntary.

21. Automated Decision-Making

We do not make solely automated decisions within the meaning of Art. 22 GDPR that have legal effects on data subjects or similarly significantly affect them.

Where AI features generate recommendations, assessments, analyses or forecasts, these serve as decision support and do not replace independent human review.

22. Newsletter and Direct Marketing

Where you subscribe to our newsletter or consent to receiving electronic advertising, we process your email address and, where applicable, your name to send the relevant information.

The legal basis is your consent pursuant to Art. 6(1)(a) GDPR or — where permitted by law — our legitimate interest pursuant to Art. 6(1)(f) GDPR.

You may unsubscribe from the newsletter at any time or object to the use of your data for marketing purposes.

23. Contact

Where you contact us by email, contact form or other means, we process the data you provide to handle your inquiry and for follow-up questions.

The legal basis is Art. 6(1)(b), Art. 6(1)(f) or Art. 6(1)(c) GDPR depending on the subject matter of the inquiry.

24. Customer Account and Platform Access

Use of our SaaS platform may require the creation of a customer or user account. In doing so, we process in particular registration data, login data, roles, permissions and usage logs.

Processing is carried out for contract performance, access control, platform security and traceability of system events.

25. Support and Error Analysis

In the context of support requests, we may process personal data required to handle the respective matter.

Where access to customer data within the platform is required, this is carried out only to the extent necessary, for a specific purpose, and with appropriate confidentiality and security measures.

26. Confidentiality

All persons who handle personal data at our company or on our behalf are bound by confidentiality obligations or are subject to corresponding statutory professional secrecy obligations.

27. Changes to this Privacy Policy

We reserve the right to update this privacy policy where legal, technical or organisational changes arise.

The current version is always published on our website.