Privacy Policy | GanttWork

Thank you for your interest in our company. The protection of your personal data is very important to us. Below we provide detailed information on how we handle your data in accordance with the European General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

1. Controller

The controller within the meaning of the GDPR is:

Fabricon Design e.U.

Am Anningerpark 2/1/31

2351 Wiener Neudorf, Austria

Email: info@ganttwork.at

Owner: Daniela Bartisch

If you have any questions about data protection, you can contact us at any time. A separate data protection officer has not been appointed, as the legal requirements for this are not met.

2. Collection and Storage of Personal Data

2.1 When Visiting Our Website

When you access our website, the browser used on your device automatically sends information to our website’s server. This information is temporarily stored in a so-called log file. The following information is collected without any action on your part and stored until it is automatically deleted:

IP address of the requesting device
Date and time of access
Name and URL of the retrieved file
Website from which access was made (referrer URL)
Browser used and, where applicable, the operating system of your device and the name of your access provider

The aforementioned data is processed for the following purposes: ensuring a smooth connection to the website, ensuring comfortable use of our website, evaluating system security and stability, and other administrative purposes. The legal basis for data processing is Art. 6(1)(f) GDPR. Our legitimate interest follows from the above-listed purposes. In no case do we use the collected data for the purpose of drawing conclusions about your person.

2.2 Registration and Use of GanttWork

When registering for our cloud service GanttWork, we collect the following personal data:

First and last name
Company name and company address
Email address
Phone number (optional)
Username and password (stored in encrypted form)
Billing information (for paid plans)

Processing is carried out on the basis of Art. 6(1)(b) GDPR, as this data is necessary for the performance of a contract or for the implementation of pre-contractual measures.

2.3 When Contacting Us

If you contact us by email or via a contact form, the data you provide (your email address, and where applicable your name and phone number) will be stored by us in order to answer your enquiry. We delete the data arising in this connection after storage is no longer necessary, or restrict processing if statutory retention obligations apply. The legal basis is Art. 6(1)(b) or (f) GDPR.

3. Purpose of Data Processing

We process your personal data for the following purposes:

Provision and operation of our cloud service GanttWork in accordance with the agreed terms of use
Responding to your enquiries and communicating with you
Contract processing and billing
Ensuring IT security and proper operation of our systems
Improving our services and developing new features
Fulfilment of legal obligations (e.g. tax retention requirements)
Assertion, exercise, or defence of legal claims

4. Disclosure of Data

Your personal data will not be transferred to third parties for purposes other than those listed below. We only share your personal data with third parties if:

You have given your express consent (Art. 6(1)(a) GDPR)
The disclosure is necessary for the performance of a contract with you (Art. 6(1)(b) GDPR)
There is a legal obligation to disclose (Art. 6(1)(c) GDPR)
The disclosure is necessary for the assertion, exercise, or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data (Art. 6(1)(f) GDPR)

In all other cases, your data will not be passed on to third parties. In particular, there is no sale of your data to third parties.

5. Cookies

Our website uses cookies. Cookies are small text files that your browser automatically creates and stores on your device when you visit our site. Cookies do not cause any damage to your device and do not contain viruses, trojans, or other malware.

5.1 Technically Necessary Cookies

We use technically necessary cookies to make our website more user-friendly. Some elements of our website require that the requesting browser can be identified even after a page change. Session information and language settings are stored in the cookies. These cookies are automatically deleted when you close your browser. The legal basis is Art. 6(1)(f) GDPR.

5.2 Functional Cookies

In addition, we use cookies to enable the use of our application (e.g. authentication cookies for the login area). These cookies are absolutely necessary for the provision of the service and are processed on the basis of Art. 6(1)(b) GDPR.

You can configure your browser to inform you about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of our website and in particular our application may be limited.

6. Web Analytics

We use the self-hosted, open-source web analytics software Umami (analytics.ganttwork.at) on our website. Umami is a privacy-friendly alternative to conventional analytics services and is characterised by the following features:

No cookies are set and no cookie banner is required
No personal data is collected or stored
IP addresses are not stored
There is no cross-website tracking
Data is processed exclusively on our own server in the EU
No data is shared with third parties

Umami only collects anonymised, aggregated usage statistics such as page views, time on site, browsers used, and countries of origin. This data is used solely to improve our website.

The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in the analysis and optimisation of our website. Since Umami does not collect personal data and does not set cookies, separate consent is not required.

7. SSL/TLS Encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as enquiries you send to us as the site operator, or data you enter into our application. You can recognise an encrypted connection by the browser’s address line changing from “http://” to “https://” and by the lock icon in your browser bar. When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties. All data transfers between your browser and our servers are exclusively encrypted.

8. Rights of Data Subjects

You have the following rights with regard to the personal data concerning you:

8.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, you have a right of access to this personal data and to the information specified in Art. 15 GDPR (processing purposes, categories of personal data, recipients, planned retention period, etc.).

8.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of inaccurate personal data concerning you and the completion of incomplete personal data.

8.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the erasure of personal data concerning you, provided that one of the grounds stated in Art. 17 GDPR applies, e.g. if the data is no longer necessary for the purposes pursued or you have withdrawn your consent. Please note that we may not be able to delete certain data immediately due to statutory retention obligations (e.g. tax law: 7 years).

8.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing of your personal data if one of the conditions set out in Art. 18 GDPR is met, e.g. if you contest the accuracy of your data, the processing is unlawful, or we no longer need the data.

8.5 Right to Object (Art. 21 GDPR)

If your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, insofar as there are grounds relating to your particular situation.

8.6 Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided that the processing is based on consent or a contract and is carried out by automated means.

8.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You have the right to withdraw consent once given to the processing of data at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of the consent until the withdrawal.

8.8 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data concerning you infringes the GDPR. The competent supervisory authority for us is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40–42, 1030 Vienna, Phone: +43 1 52 152-0, Email: dsb@dsb.gv.at, Website: www.dsb.gv.at.

9. Commissioned Processing

For the provision of our cloud solution, we use processors who process your data on our behalf and in accordance with our instructions. We have concluded data processing agreements (DPAs) pursuant to Art. 28 GDPR with all processors, ensuring the careful handling of your data.

Upon request, we will be happy to provide you with a list of our processors. For customers who use GanttWork under a contract, we offer the conclusion of a data processing agreement.

10. Hosting

Our website and cloud application are hosted by netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany. netcup operates data centres in Germany within the European Union.

The use of netcup is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the reliable and secure presentation of our website and application. All data is stored and processed exclusively on servers within the European Union. There is no transfer to third countries.

We have concluded a data processing agreement (DPA) pursuant to Art. 28 GDPR with netcup. Further information on data protection at netcup can be found at: https://www.netcup.de/kontakt/datenschutzerklaerung.php

11. Data Security

We take appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorised access by third parties. Our security measures include, but are not limited to:

Encryption of all data transfers using TLS/SSL
Encrypted storage of passwords (Bcrypt/Argon2)
Regular security updates and patches
Access control and authorisation systems
Regular data backups
Firewalls and network segmentation

Our security measures are continuously improved in line with technological developments.

12. Retention Periods

We store your personal data only for as long as is necessary for the fulfilment of the respective purposes or as required by statutory retention periods. The following periods apply in particular:

Account data: Until account deletion plus statutory retention periods
Contract data: 7 years after end of contract (pursuant to § 132 BAO)
Invoice data: 7 years (pursuant to § 132 BAO, § 212 UGB)
Server log files: Maximum 30 days
Contact enquiries: Until final processing plus 6 months

After expiry of the respective retention period, data is routinely deleted, provided it is no longer required for contract performance or contract initiation.

13. Changes to this Privacy Policy

We reserve the right to amend this privacy policy from time to time to ensure that it always complies with current legal requirements, or to implement changes to our services in the privacy policy, e.g. when introducing new services. Registered users will be informed of material changes by email. The current version of this privacy policy is always available at https://ganttwork.at/privacy.