Privacy Notice
Privacy notice of ROARK GmbH under Articles 13 and 14 GDPR, including purposes, legal bases, recipients, and data subject rights.
This privacy notice explains how ROARK GmbH processes personal data in connection with this website and our B2B SaaS services.
Controller
ROARK GmbH
Bossigasse 24/8
1130 Vienna
Austria
Managing Director: Juliamarie Curto
Managing Director: Marcello Curto
Email: datenschutz@roark.at
Phone: +43 660 375 8455
Further company details are available in the Imprint.
Data protection roles
- For this website and our own business processes, we act as controller under Art. 4(7) GDPR.
- For personal data processed in our SaaS by our customers, we generally act as processor under Art. 28 GDPR.
- A data processing agreement is part of the SaaS setup. A template is available at DPA / AVV.
Categories of data subjects and personal data
- Visitors of this website
- Contact persons of prospects, customers and partners
- Users of our B2B SaaS applications
Depending on usage, we may process in particular:
- Master data (for example name, company, business contact details)
- Communication data (for example email content and metadata)
- Usage and log data (for example IP address, timestamp, URL, user agent)
- Contract and billing data
- Customer data and content processed in the SaaS
Processing activities, purposes, legal bases and retention
| Processing activity | Purpose | Data categories | Legal basis | Retention |
|---|---|---|---|---|
| Website delivery (server logs) | Stability, security, troubleshooting | IP address, URL, timestamp, user agent, referrer | Art. 6(1)(f) GDPR | Usually short-term; longer only for security incidents |
| Language preference (NEXT_LOCALE) | Delivery of selected language | Language code, technical cookie data | Section 165(3) Austrian TKG 2021, Art. 6(1)(f) GDPR | Up to 12 months or until deleted in browser |
| Email communication | Handling requests, pre-contractual and customer communication | Contact data, message content, metadata | Art. 6(1)(b) and Art. 6(1)(f) GDPR | Until request completion, then according to legal/contractual obligations |
| B2B SaaS contract performance | Provision of agreed SaaS functions | Account, usage, content and configuration data | Art. 6(1)(b) GDPR | During contract term, then deletion according to contract/DPA |
| Compliance, legal defense and accounting | Compliance with legal duties and defense of claims | Contract, billing and communication data | Art. 6(1)(c) and Art. 6(1)(f) GDPR | Statutory retention (in particular 7 years under BAO/UGB), longer only for disputes |
Cookies
We do not use tracking, marketing or profiling cookies. Only the technically required cookie NEXT_LOCALE may be set to store your language preference.
Recipients and processors
We use the following providers. Where required, we have concluded data processing agreements under Art. 28 GDPR.
| Provider | Purpose | Data categories | Role | Processing location | Third-country transfer / safeguard | Retention | DPA status |
|---|---|---|---|---|---|---|---|
| Hetzner | Infrastructure hosting services | Usage and log data | Processor | EU (mainly Germany/Finland) | No transfer initiated by us via this service | Based on contract setup; deletion per contract/DPA | In place |
| Convex | Cloud platform services | Account, usage and content data | Processor | EU and additional regions depending on project configuration | SCC and contractual safeguards under provider terms | Based on provider/project settings; deletion per contract/DPA | In place |
| Microsoft Azure | Cloud platform services | Account, usage and content data | Processor | EU and additional regions depending on configuration | SCC and additional safeguards under Microsoft DPA | Based on provider/project settings | In place |
| Amazon Web Services | Cloud and communication services | Communication data, usage data and related metadata | Processor | EU and additional regions depending on configuration | SCC and contractual safeguards under AWS DPA | Based on provider/project settings | In place |
| Vercel | Web hosting and delivery services | Request and log data | Processor | EU and additional regions depending on delivery setup | SCC and additional safeguards under Vercel DPA | Based on provider/project settings | In place |
| bunny.net | DNS and edge delivery services | DNS requests and technical metadata | Processor | EU and global edge locations depending on routing | SCC and contractual safeguards under provider terms | Based on provider/project settings | In place |
| netcup | Infrastructure hosting and domain services | Usage/log data, domain administration data, billing-related data | Processor or independent controller depending on process | EU (mainly Germany) | No transfer initiated by us via this service | According to project, registrar and tax law retention periods | In place where processor relationship applies |
| Migadu | Email services | Email content and metadata, contact data | Processor | Switzerland and, where applicable, additional locations via subprocessors | Switzerland adequacy decision; otherwise SCC | Based on mailbox and contract settings | In place |
Infrastructure data flow
- The above providers are used for hosting, cloud platform operation, communication, DNS/edge delivery and domain services.
Subprocessors
The current subprocessors of the above providers are listed in their official subprocessor and privacy pages. Material changes to our own subprocessor setup are communicated to contractual partners according to the agreed contract mechanism.
Disclosure to additional recipients
Beyond the above, data is disclosed only
- where legally permitted,
- where required to perform a contract,
- where we are legally obliged, or
- where you have provided consent.
Retention and deletion
We retain personal data only for as long as necessary for the applicable purposes. After that, data is deleted or anonymized unless statutory retention obligations apply.
In Austria, relevant retention obligations may arise in particular under BAO and UGB (typically 7 years for accounting-related records).
Security
We implement appropriate technical and organizational measures under Art. 32 GDPR to protect personal data against loss, unauthorized access and manipulation.
Your rights
Under the GDPR, you have in particular the right to
- access (Art. 15 GDPR)
- rectification (Art. 16 GDPR)
- erasure (Art. 17 GDPR)
- restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
- withdraw consent for future processing (Art. 7(3) GDPR)
To exercise your rights, please contact us at datenschutz@roark.at.
Right to lodge a complaint
You may lodge a complaint with a data protection supervisory authority. In Austria, the competent authority is:
Austrian Data Protection Authority (Datenschutzbehoerde)
Barichgasse 40-42
1030 Vienna
Website: https://www.dsb.gv.at/
Email: dsb@dsb.gv.at
Updates to this privacy notice
We update this privacy notice where processing activities, legal requirements or service providers materially change.