Privacy Policy
How bikeryOS handles personal data on this marketing website and within the platform — written for an Austrian and EU (DACH) context and built around our GDPR-first design.
Last updated: [DATE PLACEHOLDER — set before launch]
Data controller
The controller responsible for processing personal data is bikeryOS GmbH — replace before launch, [street and number], [postal code and city], Austria. Email: privacy@bikeryos.example — replace before launch.
Where bikeryOS processes personal data on behalf of a dealer using the platform, that dealer is the controller and bikeryOS acts as a processor under a data processing agreement. Each tenant's data is strictly isolated from every other tenant.
What data we process and why
On this marketing website we process only the minimum necessary to deliver the pages and respond to enquiries. We do not run advertising trackers or analytics profiling on this site.
Within the platform, dealers process customer and operational data to run their business. Typical categories include:
- Contact and enquiry data when you email us to request a demo (name, email address, message content).
- Customer master data inside the platform: name, contact details, address, date of birth where relevant.
- Operational records: quotes, orders, owned bicycles and their serial numbers, workshop jobs, test rides and complaints.
- Consent records: marketing and data consent, with version and timestamp.
- Technical data strictly required to serve the website securely.
Legal bases
We process personal data on the legal bases set out in Article 6 GDPR:
- Performance of a contract or pre-contractual steps — for example handling your demo request or providing the platform.
- Consent — for marketing communications, which you can withdraw at any time.
- Legal obligation — for example Austrian fiscal record-keeping (RKSV) and tax law.
- Legitimate interests — for example keeping the website and platform secure, where these do not override your rights.
Marketing and data consent
Marketing consent is explicit, versioned and auditable. We store the version of the consent text you agreed to together with a timestamp, and we keep proof of double opt-in where it applies.
Outbound marketing messages are only sent after this consent is checked, in line with the Austrian prohibition on unsolicited messages (§107 TKG) and data protection law (DSG/DSGVO). You can withdraw consent at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal.
Your rights
Under the GDPR you have the following rights regarding your personal data:
- Access — obtain confirmation of, and a copy of, the data we hold about you.
- Rectification — have inaccurate or incomplete data corrected.
- Erasure — have your data deleted, subject to the legal retention noted below.
- Portability — receive your data in a structured, machine-readable format.
- Objection and restriction — object to, or restrict, certain processing.
- Withdraw consent — at any time, for processing based on consent.
- Lodge a complaint — with the Austrian Data Protection Authority (Datenschutzbehörde) or your local supervisory authority.
Fiscal retention vs. the right to erasure
Austrian law requires fiscal records to be retained for seven years (RKSV and tax law). This can conflict with the GDPR right to erasure.
bikeryOS resolves this by separating personal data from the fiscal record. When you exercise the right to be forgotten, the personal data in the transaction log is tombstoned or crypto-shredded, while the financial and fiscal skeleton required by law is preserved. In other words, the receipt and its legally mandated figures remain, but the personal identifiers attached to them are rendered unrecoverable.
Processors and sub-processors
We use a small number of service providers (processors) under data processing agreements. A current list is maintained and provided on request. Placeholder categories — replace with the actual providers before launch:
- Cloud hosting and infrastructure — [provider placeholder].
- Fiscalization signing service (RKSV) — [provider placeholder, e.g. A-Trust or equivalent].
- Payment processing — [provider placeholder].
- Messaging and email delivery (email, SMS, messaging channels) — [provider placeholder].
- AI assistance provider for advisory features — [provider placeholder].
International transfers
We aim to keep personal data within the European Economic Area. Where a processor involves a transfer to a third country, we rely on an appropriate safeguard under Chapter V GDPR — such as an adequacy decision or the EU Standard Contractual Clauses — and complete the relevant detail before launch.
Cookies and local storage
This website does not use advertising or tracking cookies. The only client-side storage we use is a single localStorage entry that remembers your chosen interface language so the site loads in your preferred language on your next visit.
This language preference stays in your browser, is not used to identify you, and you can clear it at any time through your browser settings.
Data retention
We keep personal data only as long as necessary for the purpose it was collected for, or as required by law. Enquiry data from demo requests is kept for as long as needed to handle your request and any follow-up. Fiscal records are retained for the legally mandated seven-year period as described above, with personal identifiers separable for erasure.
Contact for privacy requests
To exercise your rights or ask a privacy question, contact us at privacy@bikeryos.example — replace before launch. We respond to requests within the time limits set by the GDPR.
Reminder: this document is a template and must be reviewed by qualified legal counsel, and all placeholders completed, before it is published.