Data Processing Agreement and Privacy Policy

Last update: August 15, 2019

Data Processing Agreement

This website is provided and owned by vrisch multimediaproduction GmbH (hereinafter referred to as “vrisch”), an Austrian company with registered address at Hainburger Straße 17/12, 1030 Vienna, company registered at the court Handelsgericht Wien with the commercial register nr.: FN 508006v.

vrisch may update this Data Processing Agreement at any time, without notification to you, and you should review this Data Processing Agreement from time to time by accessing the Site. Your continued use of the Site shall be deemed irrevocable acceptance of any such revisions.

1. Scope and subject matter of the agreement
This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the terms governing the processing of Personal Data under vrisch’s Terms of Service (the “TOS”). This DPA is an amendment to the TOS and is effective upon its incorporation into the TOS, which incorporation may be specified in an Order or an executed amendment to the TOS. Upon its incorporation into the TOS, the DPA will form a part of the TOS. For a more detailed overview of all the services used and data processed please visit our privacy policy section.

2. Definitions
In this agreement:
a. « Services » means the services provided to the Customer under the TOS ;
b. « Personal data » means any information relating to an identified or identifiable natural person (‘data subject’);
c. « Customer », « controller » or « you » means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
d. « Processor », « vrisch » or « we » means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
e. « Process/processing » means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction ;
f. « Sub-processor » or « Sub-contractor » means a third party subcontractor engaged by the processor which, as part of the subcontractor’s role of delivering the Services, Processes Personal Data of the Customer ;
g. « Technical and organisational security measures » means those measures aimed to ensure a level of security appropriate to the risk including inter alia the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
h. “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, and their Member states, applicable to the Processing of Personal Data under the Agreement.

3. Application of this agreement
This agreement shall apply to:
a. all Data sent from the date of this agreement by the Customer to vrisch for Processing;
b. all Data accessed by vrisch on the authority of the Customer for Processing from the date of this agreement; and
c. all Data otherwise received by vrisch for Processing on the Customer’s behalf;
in relation to the Services.

4. Categories of Personal Data and purpose of the Personal Data Processing
In order to execute the Agreement, and in particular to perform the Services on behalf of Customer, Customer authorizes and requests that vrisch process the following Personal Data:
Customer Information: information that we may collect from your use of the vrisch web sites and your interactions with us offline, such as:
– Contact information: name, home address, telephone or mobile number, email address, and passwords.
– Services Data: data that resides on vrisch, customer or third-party systems to which vrisch has provided access to perform services.
– Data stored and processed by users, such as geographical location and the history of operations performed by users.
Log File Information: Three types of logs are saved by vrisch’s system:
– Connection logs, which are essentially logs from each request to each application. These connection logs may include information such as the web request, Internet Protocol (“IP”) address, browser type, referring / exit pages and URLs, number of clicks, domain names, landing pages, pages viewed and other such information.
– The second type of logs is analytics, which is produced by each application of our customers. vrisch does not have control over the content of these logs. The control of application logs as Personal Data remains with the Customer.
– Timeline event logs, which are a record of alerts and notifications that can help vrisch to identify and diagnose the source of current system problems and help predict future problems.
vrisch processes Customer information according to the terms of its Privacy policy, and treats services data as confidential in accordance with the terms of your order for services.
Categories of Data Subjects: Data subjects include Customer’s representatives and end-users, such as employees, job applicants, contractors, collaborators, partners, and customers of the Customer. Data subjects also may include individuals attempting to communicate or transfer Personal Data to users of the Services.

5. Responsibility of vrisch
vrisch shall Process Personal Data solely for the provision of the Services, and agrees to:

(a) Process and use Personal Data for the purposes set forth in this Agreement or only on documented instructions from the Customer and for no other purpose except with the express prior written consent of the Customer, or

(b) Not divulge Data to third parties except to those of its employees, agents and subcontractors who are engaged in the Processing of the Data and are subject to the binding obligations or except as may be required by any law or regulation;

(c) Implement appropriate technical and organizational measures to safeguard the Data from unauthorized or unlawful Processing or accidental loss, destruction or damage, and that having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage and to the nature of the Data to be protected;

(d) Inform the Customer as soon as possible in the event of the exercise by Data Subjects of any of their rights under the data protection laws in relation to the Data, and, if necessary, assist the Customer in complying with the obligation to respond to those requests in consideration of the undertakings provided in article 7;

(e) Not Process or transfer the Data outside of the European Union except with the express prior written authority of the Customer and ensure that such transfers are made in compliance with appropriate law.

6. Responsibility of the Customer
The Service Customer, as Data controller, must accept responsibility for abiding by the applicable data protection legislation. Notably, the Customer has an obligation to assess the lawfulness of the processing of personal data stored on the Site.
The Customer agrees that it shall ensure compliance at all times with the applicable data protection law, and, in particular, the Customer shall ensure that any disclosure of Personal Data made by it to vrisch is made with the data subject’s consent or is otherwise lawful. The control of Personal Data remains with the Customer, and as between the Customer and vrisch, the Customer will at all times remain the Data controller for the purposes of the Services, the TOS, and this Data Processing Agreement. The Customer is responsible for compliance with its obligations as Data controller under the applicable data protection Law, in particular for justification of any transmission of Personal Data to vrisch (including providing any required notices and obtaining any required consents), and for its decisions concerning the Processing and use of the data.

7. Cross Border and Onward Data Transfer
vrisch treats all Personal Data in a manner consistent with the requirements of the applicable data protection Law and this Data Processing Agreement in all locations globally.
Some data is stored by vrisch in data hosting centers located in California, United States managed by its subcontractor Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103.
Analytics: With respect to data processed and stored by its subcontractor Webflow, Inc. in data centers in the United States of America for analytics purposes when you visit our website, vrisch shall ensure compliance to Process Personal Data originating from the European Economic Area (EEA) and/or Switzerland according to the relevant EU-US Privacy Shield Principles. Webflow is certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and complies with applicable laws to provide an adequate level of data protection for your Personal Information.
With respect to Personal Data stored by vrisch in data centers in the EEA, vrisch shall ensure compliance of its Sub-processors with the requirements of the applicable data protection law as follows:
(i) vrisch has entered into contracts with Sub-processors which provide that the Sub-processor will undertake data protection and confidentiality obligations consistent with applicable data protection laws;
(ii) further, where a Subprocessor processes Personal Data in or from a country that has not received an “adequacy” finding, vrisch will require the Subprocessor to execute Model Clauses incorporating security requirements consistent with those of this DPA.
For a more detailed overview of all the services used and data processed please visit our privacy policy section.

9. Subprocessing
vrisch shall not subcontract any of its processing operations performed on behalf of the Customer under the Agreement and the TOS without the prior written consent of the Customer.
Where vrisch subcontracts its obligations under the Agreement, with the consent of the Customer, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on vrisch under the Agreement. Where the subprocessor fails to fulfill its data protection obligations under such written agreement vrisch shall not be liable to the Customer for the performance of the sub-processor’s obligations under such agreement.
The Customer as Data controller may request that vrisch audit the Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Data Controller in obtaining a third-party audit report concerning Subprocessor’s operations) to ensure compliance with such obligations. The Controller also will be entitled, upon written request, to receive copies of the relevant terms of vrisch’s agreement with Subprocessors that may process Personal Data, unless the agreement contains confidential information, in which case vrisch may provide a redacted version of the agreement.
The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Customer is established.

10. Technical and Organizational Measures
When Processing Personal Data on behalf of Customer in connection with the Services, vrisch shall ensure that it implements and maintains compliance with appropriate technical and organizational security measures for the Processing of such data. Accordingly, vrisch will implement the following measures:
a. To prevent unauthorized persons from gaining access to data processing systems in which Personal Data are Processed (physical access control), vrisch’s sub-processors such as Webflow, Inc. shall take measures to prevent physical access, such as security personnel and secured buildings and factory premises.
b. To prevent data processing systems from being used without authorization (system access control), the following may, among other controls, be applied depending upon the particular Services ordered: authentication via passwords and logging of access on several levels.
c. To ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access, and that Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing and/or after storage (data access control), Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted, and application access rights are established and enforced.
d. To ensure that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control), vrisch will comply with the following requirements: Except as otherwise specified for the Cloud Services, transfers of data outside the Service environment are encrypted (HTTPS). The content of communications (including sender and recipient addresses) sent through some email or messaging services may not be encrypted once received through such services. Data Controller is solely responsible for the results of its decision to use non-encrypted communications or transmissions.

11. Incident Management and Breach Notification
vrisch evaluates and responds to incidents that create suspicion of unauthorized access to or handling of Personal Data.
The Customer is informed of such incidents and, depending on the nature of the activity, defines escalation paths and response teams to address those incidents. vrisch will work with the Customer, with the appropriate technical teams and, where necessary, with outside law enforcement to respond to the incident. The goal of the incident response will be to restore the confidentiality, integrity, and availability of the Services environment, and to establish root causes and remediation steps.
vrisch operations staff is instructed on responding to incidents where handling of personal data may have been unauthorized.
vrisch shall notify the Customer without undue delay after becoming aware of a personal data breach. vrisch shall promptly investigate any security breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by law, vrisch will provide Data Controller with a description of the security breach, the type of data that was the subject of the breach, and other information Data Controller may reasonably request concerning the affected persons. The parties agree to coordinate in good faith in developing the content of any related public statements or any required notices for the affected persons.

12. Legally Required Disclosures
Except as otherwise required by law, vrisch will promptly notify the Customer of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency or other governmental authority (“demand”) that it receives and which relates to the Personal Data vrisch is Processing on Customer’s behalf. At Customer’s request, vrisch will provide reasonable information in its possession that may be responsive to the demand and any assistance reasonably required for the Customer to respond to the demand in a timely manner. The Customer acknowledges that vrisch has no responsibility to interact directly with the entity making the demand.

13. Obligation after the termination of personal data processing services
The parties agree that on the termination of the provision of data processing services, vrisch will make available for retrieval or otherwise will return Customer’s Personal Data stored in the Platform environment, unless legislation imposed upon the parties prevents it from returning or destroying all or part of the personal data transferred. In that case, the parties warrant that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

14. Governing law
This agreement will be governed by Austrian law.

Privacy Policy

The services are provided by vrisch multimediaproduction GmbH (hereinafter referred to as “vrisch”), an Austrian company with registered address at Hainburger Straße 17/12, 1030 Vienna, company registered at the court Handelsgericht Wien with the commercial register nr.: FN 508006v.

vrisch may update this Privacy Policy at any time, without notification to you, and you should review this Privacy Policy from time to time by accessing the Site. Your continued use of the Site shall be deemed irrevocable acceptance of any such revisions.

1. Purpose
This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our website and the choices you have associated with that data.
We use your data to provide and improve our services. By using our website, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible from Terms and Conditions.

2. Definitions
Personal Data
Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
Usage Data
Usage Data is data collected automatically either generated by the use of the website or from the website infrastructure itself (for example, the duration of a page visit).
Cookies
Cookies are small pieces of data stored on a User’s device.
Data Controller
Data Controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your data.
Data Processor (or Service Providers)
Data Processor (or Service Provider) means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.
Data Subject
Data Subject is any living individual who is the subject of Personal Data.
User
The User is the individual using our Service. The User corresponds to the Data Subject, who is the subject of Personal Data.

3. Information Collection And Use
We collect several different types of information for various purposes to provide and improve our Service to you.

4. Types of Data Collected
Personal Data
While using our website, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”). Personally identifiable information may include, but is not limited to:
– Email address
– First name and last name
– Phone number
– Address, State, Province, ZIP/Postal code, City
– Cookies and Usage Data
– IP address

We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send. However, some of the Personal Data we ask you to provide is mandatory for a service and intended to protect against fraud and other illicit activities. If you decline to provide it, we may not be able to provide that service to you.

Usage Data
We may also collect information on how the website is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

Tracking & Cookies Data
We use cookies and similar tracking technologies to track the activity on our website and hold certain information. We record the IP address as a protection mechanism against potentially fraudulent activity.
Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyze our services.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
Examples of Cookies we use:
– Session Cookies. We use Session Cookies for operational purposes of our website.
– Preference Cookies. We use Preference Cookies to remember your preferences and various settings.
– Security Cookies. We use Security Cookies for security purposes.

5. Use of Data
Vrisch Multimediaproduktion GmbH uses the collected data for various purposes:
– To provide and maintain our services.
– To notify you about changes to our services.
– To provide customer support.
– To gather analysis or valuable information so that we can improve our services.
– To monitor the usage of our website.
– To detect, prevent and address technical issues.
– To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information.

6. Retention of Data
vrisch Multimediaproduktion GmbH will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
Vrisch Multimediaproduktion GmbH will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.

7. Transfer Of Data
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.
If you are located outside Austria and choose to provide information to us, please note that we transfer the data, including Personal Data, to Austria and process it there.
Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.
Vrisch Multimediaproduktion GmbH will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

8. Disclosure Of Data
Business Transaction
If vrisch Multimediaproduktion GmbH is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

Disclosure for Law Enforcement
Under certain circumstances, vrisch Multimediaproduktion GmbH may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Legal Requirements
Vrisch Multimediaproduktion GmbH may disclose your Personal Data in the good faith belief that such action is necessary to:
– To comply with a legal obligation.
– To protect and defend the rights or property of vrisch Multimediaproduktion GmbH.
– To prevent or investigate possible wrongdoing in connection with our services.
– To protect the personal safety of users of the Service or the public.
– To protect against legal liability.

9. Security Of Data
The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

10. “Do Not Track” Signals
We do not support Do Not Track (“DNT”). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.
You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

11. Your Rights
Vrisch Multimediaproduktion GmbH aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.
Whenever made possible, you can update your Personal Data directly within your account settings section. If you are unable to change your Personal Data, please contact us to make the required changes.
If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please contact us.
In certain circumstances, you have the right:
– To access and receive a copy of the Personal Data we hold about you
– To rectify any Personal Data held about you that is inaccurate
– To request the deletion of Personal Data held about you
You have the right to data portability for the information you provide to vrisch Multimediaproduktion GmbH. You can request to obtain a copy of your Personal Data in a commonly used electronic format so that you can manage and move it.
Please note that we may ask you to verify your identity before responding to such requests.

12. Service Providers
We may employ third party companies and individuals to facilitate our website performance and services (“Service Providers”), to assist us in analyzing how our website is used.
These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

13. Analytics
We may use third-party Service Providers to monitor and analyze the use of our Service.

Google Analytics
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visits activity.
Personal Data collected: Cookies and Usage Data. Place of processing: United States. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page:

14. Behavioral Remarketing
Vrisch Multimediaproduktion GmbH uses remarketing services to advertise on third party websites to you after you visited our website. We and our third-party vendors use cookies to inform, optimize and serve ads based on your past visits to our website.

Google Ads
Google Ads remarketing service is provided by Google Inc.
You can opt-out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: also recommends installing the Google Analytics Opt-out Browser Add-on – – for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics.
Personal Data collected: Cookies and Usage Data. Place of processing: United States. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: remarketing service is provided by Facebook Inc.
You can learn more about interest-based advertising from Facebook by visiting this page: opt-out from Facebook’s interest-based ads follow these instructions from Facebook: adheres to the Self-Regulatory Principles for Online Behavioral Advertising established by the Digital Advertising Alliance. You can also opt-out from Facebook and other participating companies through the Digital Advertising Alliance in the USA, the Digital Advertising Alliance of Canada in Canada or the European Interactive Digital Advertising Alliance in Europe, or opt-out using your mobile device settings.
Personal Data collected: Cookies and Usage Data. Place of processing: United States. For more information on the privacy practices of Facebook, please visit Facebook’s Data Policy:

15. Hosting and backend infrastructure
This type of service has the purpose of hosting Data and files that enable this website to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of this website. Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

16. User database management
This type of service allows the Owner to build user profiles by starting from an email address, a personal name, or other information that the User provides to this website, as well as to track User activities through analytics features. This Personal Data may also be matched with publicly available information about the User (such as social networks’ profiles) and used to build private profiles that the Owner can display and use for improving this website. Some of these services may also enable the sending of timed messages to the User, such as emails based on specific actions performed on this website.

17. Links To Other Sites
Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

18. Children’s Privacy
Our Service does not address anyone under the age of 18 (“Children”).
We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.

19. Changes To This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.
We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

20. Security
We will strive to prevent unauthorized access to your personal information, however, no data transmission over the internet is guaranteed to be 100% secure. We will continue to enhance security procedures as new technologies and procedures become available.
Please remember that you control what personal information you provide while using our website. Always be careful and responsible regarding your personal information. We are not responsible for, and cannot control, the use by others of any information which you provide to them and you should use caution in selecting the personal information you provide to others through the Site. Similarly, we cannot assume any responsibility for the content of any personal information or other information which you receive from other users through the Site, and you release vrisch and its subsidiaries and affiliates and each of their employees, officers, and directors from any and all liability in connection with the contents of any personal information or other information which you may receive using our website. We cannot guarantee, or assume any responsibility for verifying, the accuracy of the personal information or other information provided by any third party. You release vrisch and its subsidiaries and affiliates and each of their employees, officers, and directors from any and all liability in connection with the use of such personal information or other information of others.

21. Privacy Officer
If you have any questions about this Privacy Policy, please contact us:
Any questions or complaints about vrisch’s collection, use or disclosure of personal information through the website should be directed to the Privacy Officer at

22. Contact Us
If you have any questions about this Privacy Policy, please contact us by email: