Platform
Product Packages
Implementation
Resources
Implementation
Company
English
Login
Book a demo
Platform
Product Packages
Product Implementation
Resources
Implementation
Company
English
Login
Legal

Data Privacy & Processing Information

Updated:
31 October 2024
table of contents
Heading 2
Heading 3
Heading 4

PREAMBLE

This document states HYDROGRID’s Data Privacy & Processing Information, relating to the use of HYDROGRID’s public company website.

1.     Processing activities

  • Provision of information about goods or services of the Controller for customers[1], interested parties and visitors,
  • Contract performance vis-à-vis customers.

2.    Controller        

HYDROGRID GmbH, FN [Business Register Number] 459688m, Walcherstrsse, 11a/13, 1020 Vienna,Austria here after referred to as “Controller”.

3.     Contact details of the Controller

privacy@hydrogrid.ai

4.     Purposes of data processing

4.1. For Performance or Preparation of the Contract  

4.1.1. Keeping retrievable information about services of the controller for customers and interested persons.

4.1.2. Provision of communication channels for disseminating contents and servicing the customer relationship.

4.1.3. Fulfilment of the contractual obligations under the service contracts.

4.2. For (Overriding) Legitimate Interest          

4.2.1. Dissemination/presentation of (advertising) information for services and events of the Controller by means of direct marketing (“marketing purposes”), to the extent permitted by law.

4.2.2. Maintaining and enhancing customer satisfaction and customer retention through an analysis of user behaviour with the aim of improving the service offer by use of GoogleAnalytics.

4.2.3. Providing customers with a newsletter on the statutory basis of Section 107 (3) of the AustrianTelecommunications Act [TKG] with the option to opt out at any time.

4.2.4. Transmission of electronic identification data of the user to third-party providers to include contents by posts in social networks (e.g. YouTube) and other applications (e.g. GoogleMaps).

4.3. For Consent

4.3.1. Providing customers with a newsletter on the basis of consent with the option to opt out at any time.

5.     Legal basis for data processing

5.1. Performance of the Contract

5.1.1. Online: The use of the online services (HYDROGRID's company website) of the Controller is based on a contract as defined in Art. 6 (1) (b) GDPR; a registration relationship is established upon registration.

5.1.2. Conclusion of contracts: In the case of acquisition of services, the Controller's data processing is based on the contract concluded from time to time and serves the purpose of performance of the contract.

5.2. Additional services: Consent: The Controller will obtain the customer's express consent to specific services (e.g. newsletters). Such consent may be withdrawn at any time with effect for the future.

5.3. Overriding legitimate interests (see Section 6).

6.     Description of (overriding) legitimate interests for the purposes  

6.1.  Of IT Security: The Controller will store the IP addresses of mere visitors of the website (HYDROGRID company website) for a period of max. three(3) months in order to defend targeted attacks in the form of server overloads(denial of service attacks) or prevent other damage to the systems. The Controller has an overriding legitimate interest in such data processing for the purpose of maintaining the functionality of its online services (Recital 49 GDPR).

6.2.  Of Dissemination of Information / Direct Marketing: The Controller will process customer data (except for data of children or special categories of personal data as defined in Art. 9 GDPR (“sensitive data”)) including to use them for direct marketing of (other) offers of the Controller. The Controller has a legitimate interest in processing personal data for direct marketing purposes (last sentence of Recital 47 GDPR). Only customer data will be processed which the Controller possesses under a contractual relationship and for which the storage period has not expired yet. This will not extend the storage period. The primary aim of data processing is to solicit customers. In this regard the Controller relies on its freedom to carry on a business (Art.6 of the Austrian Basic Law [Staatsgrundgesetz/StGG]) and its freedom to communicate, both of which are protected by conventions (in particular Art.10 of the European Convention on Human Rights (ECHR), which also protects advertising measures) and constitutional law, and on the rights:

  • To send advertising by mail;
  • To send electronic mail upon consent as defined in Section 107 (3) TKG.

 When using such data the Controller shall meet the requirements of communication law, in particular Section 107 TKG.

7.     Change of purpose      

7.1. Dissemination of information / direct marketing: The Controller advises that it will process personal data of the customer also for disseminating information and for direct marketing. In this way, the Controller wants to advise its own goods and services. For that purpose, the data will be made available to no third party under its responsibility. There is no incompatibility with the purpose of the original collection of data. The customer may object to the use of his personal data for the purpose of direct marketing at any time and without having to state reasons.

8.     Evaluating personal aspects of the customer  

There will be no evaluation of personal aspects of the customer.

9.     Obligation to provide data  

The customer is under no obligation to provide data.

10.  Automated decision-making  

The customer is subject to no automated decision-making which would become legallyeffective vis-à-vis him or her.  

11.  Processed types of data        

11.1. Personal Data provided by the Customer  

  • Name, academic degree
  • Company name
  • Phone number
  • E-mail address  

11.2. Additionally Personal Data collected by the Controller

  • Requested file (name and URL)
  • Amount of data transferred to requesting device
  • Status message of request(success, failure)
  • Identification data of browser, together with operation system used
  • Website from which request was sent (if the access was made via a link)
  • Information on account use(e.g. date created, number of logins, date of the last request)
  • Information on software use(e.g. use of provided options)

11.3.  Customer Data provided by the Customer

  • Customer’s billing postal address
  • Customer’s billing email address
  • Customer’s legal data
  • Customer’s operational email address
  • Individual power plant’s name
  • Individual power plant’s topology
  • Individual power plant’s static technical data
  • Individual power plant’s historical sensor data
  • Individual power plant’s live sensor data

11.4.  Processors

 Automated Expense System

  • Spendesk SAS, 51, rue de Londres, 75008 Paris, France / European Union

Automated Invoicing System

  • Maxio Inc., 6525 The Corners Pkwy NW, Suite 500 Peachtree Corners, Georgia30092, United States of America.

Marketing & Business Intelligence

  • Canva Pty Ltd, 110Kippax St, Surry Hills, NSW, 2010, Australia.
  • Databox Inc., 6 Liberty Square, PMB #471, Boston, Massachusetts02109, United States of America.
  • Google Analytics, Alphabet Inc., 1600 Amphitheatre Parkway, MountainView, CA 94043, United States of America.
  • Google Tag Manager, Alphabet Inc., 1600 Amphitheatre Parkway,Mountain View, California 94043, United States of America.

Consent Mode framework implemented to obtain user consent.

  • Hotjar Ltd., Dragonara Business Centre, 5th floor,Dragonara Road, Paceville St Julian's STJ 3141, Malta / European Union
  • Mailchimp for Email Campaigns, TheRocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia30308, United States of America.
  • Microsoft Advertising, Microsoft Cooperation, 1 Microsoft Way, Redmond, Washington 98052, United States of America.

Customer Relationship Management:

  • Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia / European Union

Map Visualization

  • Google Maps (including “anonymize IP”): Alphabet Inc., 1600Amphitheatre Parkway, Mountain View, California 94043, United States ofAmerica.

Digital communications

  • Slack Technologies LLC., 50 Fremont Street, San Francisco,California, 94105 United States of America.
  • Microsoft Teams, MicrosoftCorporation, Microsoft Cooperation, 1 Microsoft Way, Redmond, Washington 98052, UnitedStates of America. Data residency of Controller’ data set to EuropeanUnion

Controller’s self-hosted servers:

  • File and data hosting: Internex GmbH, Lagerstraße 15, 3950Gmünd, Austria / European Union
  • VOIPphone system: Techbold technology group AG, DresdnerStr. 89, 1200 Wien, Austria / EuropeanUnion
  • Production Data Warehouse: Internex GmbH, Lagerstraße 15, 3950Gmünd, Austria /European Union
  • Microsoft Exchange Server: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany / European Union

Ticketing and KnowledgeManagement:

  • Atlassian. Pty Ltd, Level 6, 341 George Street, Sydney, NSW 2000, Australia. Data residency of Controller’ data set to European Union

Website Provider:

  • Webflow, Inc., 398 11th Street,2nd Floor, San Francisco, California 94103, United States of America

The Controller expressly reserves the right to use more processors. They will thenbe stated in the updated data protection information after the start of their use. Processing of such data by processors shall be made in the Controller’s responsibility.

12.  Internal recipients      

  • System administrator
  • Departments (Commercial,Operations, Product Development)
  • Management    

13.  Transfer to third countries In the course of data processing

The following personal data will be transmitted to countries outside the EU:

Country: USA

Application: MailChimp (Standard  Contractual Clauses)

Type of Personal Data: Name, E-mail address (if  the user signed up with MailChimp)

Application: Databox (Standard  Contractual Clauses)

Type of Personal Data: Online identifiers,  including cookie identifiers, IP addresses and device identifiers, name,  E-mail-address, company name

Application: Slack (Standard  Contractual Clauses)

Type of Personal Data: Name, E-mail address,  company name

Application: Google Analytics (Standard  Contractual Clauses)

Type of Personal Data: Online identifiers,  including cookie identifiers, IP addresses and device identifiers

Application: Maxio (Standard  Contractual Clauses)

Type of Personal Data: Customer billing e-mail  address, customer billing postal address, customer legal data

Application: Slack (Standard  Contractual Clauses)

Type of Personal Data: Individual power plant’s name

 Check up-to-date details on our Cookie Policy here.

14.  Presence in social media channels

14.1.  The Controller informs that for the purposes of advertising and communication with customers in social media channels, it keeps independent online presences available. In connection with such online presence customer data may be processed outside the European Union, which increases the risk of a data protection breach. To the extent that they are resident in the USA the providers of social media channels have submitted to Standard Contractual Clauses.

Such online presence is kept available in the technical environment of the relevant social media operator. The social media operators will then use the customer's visit to the online presence for their own purposes, in particular for sending out (interest based) advertising. The social media operators use the visit to store cookies on the customer's terminal device, to retrieve existing cookies/identifiers, to draw conclusions from the user behaviour regarding the customer's interests and thus to enhance the user profile which has been established for the customer or the identifier. The aims to send out interest based advertising to the customer, which may also bedone on websites of third-party providers visited at a later point in time.

Processing personal data of the customer is based on the overriding legitimate interests of the Controller in advertising measures and communication with the customer, which is protected by conventions and constitutional law through the freedom to carry on a business (Art. 6 of theAustrian Basic Law [Staatsgrundgesetz/StGG]) and the freedom to communicate(in particular Art. 10 ECHR, which also protects advertising measures).If the customers are users of social media channels, data processing may also be covered by the customer's consent.

The Controller advises that it has no access whatsoever to the customer's data. Thus, the Controller recommends customers contact the social media channel directly if they want to assert their rights to access, rectification, erasure, restriction, objection or data portability. Users of social media channels may also make changes in their privacy settings themselves. If necessary, the Controller will provide assistance to the customer.  

14.2. Additional information is available to the customer at:

14.2.1. LinkedIn

·     LinkedIn Ireland UnlimitedCompany, Wilton Place, Dublin 2, Ireland

·     Privacy policy: https://www.linkedin.com/legal/privacy-policy?trk=uno-reg-guest-home-privacy-policy

15.  Storage period

15.1.  Legal basis of the statutory obligation (in particular invoice data): to the extent that there is a legal obligation to retain data, inparticular as defined in Section 132 (1) of the Austrian Fiscal Code [BAO],(accounting) relevant data will be processed in any case up to the end of thestatutory retention period (currently generally seven (7) years from the end of the business year in which the data was created).

16.  Rights of the data subject

Art 15 GDPR  "Access"

The customer shall have  the right to obtain confirmation as to whether or not and to what extent his/her  personal data is being processed.

Art 16 GDPR "Rectification"

The customer shall have  the right to obtain without undue delay the rectification of inaccurate  personal data or to have it completed. 

Art 17 GDPR "Erasure"

The customer shall have  the right to obtain the erasure of personal data without undue delay as long  as the reasons stated in Art 17(1) GDPR are fulfilled.  

Art 18 GDPR "Restriction"

The customer shall have  the right to obtain restriction of processing of personal data as long as the  reasons stated in Art 18(1) GDPR are fulfilled.  

Art 21 GDPR "Objection"

The customer shall have  the right to object to the processing of his/her personal data on the basis  of overriding legitimate interest.  

Art 20 GDPR "Data  portability"

The customer shall have  the right to receive the advised personal data concerning him in a  structured, commonly used and machine-readable format.

Art 15  GDPR "Access"

The customer shall have  the right to obtain confirmation as to whether or not and to what extent his/her  personal data is being processed.

Art 16 GDPR "Rectification"

The customer shall have  the right to obtain without undue delay the rectification of inaccurate  personal data or to have it completed. 

Art 17 GDPR "Erasure"  

The customer shall have  the right to obtain the erasure of personal data without undue delay as long  as the reasons stated in Art 17(1) GDPR are fulfilled.  

 17.  Right to lodge a complaint  

17.1. Art 77 GDPR Section 24 of theAustrian Data Protection Act [Datenschutzgesetz/DSG]: Each customer shall have the right to lodge a complaint with the supervisory authority if he/she is of the opinion that the processing of personal data relating to him infringes thisRegulation.

18.  Supervisory authority

Österreichische Datenschutzbehörde [Austrian Data Protection Authority]

Barichgasse 40-42, 1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at

[1] If only the masculine form is used for describing natural persons in this dataprotection information, it shall refer to both women and men equally. If a term is used for a specific natural person, the respective gender-specific form mustbe used. The term customer refers to both consumers and entrepreneurs.