1. Data Controller
Austrian Pharma Services ("APS")
Email: datenschutz@austrianpharmaservices.com
APS is the controller within the meaning of Art. 4(7) GDPR / DSGVO for the processing of personal data described in this policy.
2. Data We Collect
2.1 Account Data
When you register, we collect:
- Name, email address, organisation name
- Hashed password (or SSO identity via Keycloak)
- Subscription tier and billing information (processed by Stripe)
2.2 Usage Data
We automatically collect:
- IP address, browser type, operating system
- Pages visited, features used, search queries within the Service
- Timestamps of access and session duration
2.3 User-Generated Data
- Watchlist configurations, alert preferences, saved filters
- Notes or annotations you add to regulatory events
3. Legal Basis for Processing (Art. 6 GDPR)
| Purpose | Legal Basis |
|---|---|
| Account creation and Service delivery | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Service improvement and analytics | Legitimate interest (Art. 6(1)(f)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
4. Data Processors and Third Parties
We share personal data with the following categories of processors, all bound by data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Hostinger / Hetzner | Server hosting and infrastructure | EU (Lithuania / Germany) |
| Stripe | Payment processing and subscription management | EU / US (EU SCCs in place) |
| OpenAI | Automated event analysis and summarisation | US (EU SCCs in place) |
| Keycloak (self-hosted) | Identity and access management (SSO) | EU (Germany, Hetzner) |
No personal data is sold to third parties. Data transfers outside the EU/EEA are safeguarded by Standard Contractual Clauses (SCCs) or adequacy decisions pursuant to Art. 46 GDPR.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Usage/analytics data | 12 months (anonymised thereafter) |
| Billing and invoice data | 7 years (Austrian tax law, BAO § 132) |
| Server access logs | 90 days |
| Support correspondence | 3 years after resolution |
6. Your Rights (Art. 15–22 GDPR)
You have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of your personal data
- Rectification (Art. 16): Correct inaccurate or incomplete data
- Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Restriction (Art. 18): Request restricted processing under certain conditions
- Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interest
- Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing
To exercise these rights, contact us at datenschutz@austrianpharmaservices.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, www.dsb.gv.at).
7. Cookies and Tracking
7.1 Essential Cookies
We use strictly necessary cookies for session management and authentication. These do not require consent under Art. 5(3) ePrivacy Directive.
| Cookie | Purpose | Duration |
|---|---|---|
| session_token | User authentication | Session / 24 hours |
| PHPSESSID | Server-side session | Session |
7.2 Analytics Cookies
We currently do not use third-party analytics or tracking cookies. If this changes, we will update this policy and implement a consent mechanism in accordance with GDPR and the Austrian Telecommunications Act (TKG 2021).
7.3 Local Storage
We use browser local storage to persist user preferences (e.g., selected filters, UI settings). This data remains on your device and is not transmitted to our servers.
8. Security Measures
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Password hashing with bcrypt
- Role-based access control
- Regular security updates and monitoring
- Data processing agreements with all sub-processors
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The "last updated" date at the top of this page indicates the most recent revision.
10. Contact
Austrian Pharma Services
Data Protection Inquiries:
datenschutz@austrianpharmaservices.com