Privacy Policy

Introduction and Overview

We, Weingut Stift Göttweig GmbH (for contact details, see the section "Controller"), operate the website https://www.weingutstiftgoettweig.at and place great value on protecting your personal data and privacy.

This privacy policy explains which categories of personal data we collect, for what purposes and on which legal bases we process the data, how long we store it and which rights you have. We naturally comply with the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

Controller

The controller responsible for processing your personal data is:

Weingut Stift Göttweig GmbH

Göttweig 1
3511 Furth bei Göttweig
Austria

Phone: +43 2732 801440

Email: office@weingutstiftgoettweig.at

Website: https://www.weingutstiftgoettweig.at

We have not appointed a data protection officer because no statutory obligation exists. Please contact us via the channels above with any privacy-related questions.

Scope

This privacy policy applies to the online offering available at https://www.weingutstiftgoettweig.at including all related subpages, features and content.

It also covers our communication with you (e.g. by email or telephone). External links to third-party websites are not covered; those providers are responsible for their own content and privacy practices.

Definitions (Art. 4 GDPR)

  • Personal data: Any information relating to an identified or identifiable natural person (e.g. name, address, email address, IP address, usage behaviour).
  • Data subject: Any identified or identifiable natural person whose personal data is processed.
  • Processing: Any operation performed on personal data, such as collection, storage, use, disclosure or erasure.
  • Controller: The natural or legal person which determines the purposes and means of processing personal data.
  • Processor: A natural or legal person which processes personal data on behalf of the controller.
  • Recipient: A natural or legal person to whom personal data is disclosed.
  • Third party: Any natural or legal person other than the data subject, controller or processor who is authorised to process personal data.
  • Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes signifying agreement to the processing of personal data.

Legal Bases for Processing (Art. 6 para. 1 GDPR)

  • Consent (Art. 6 para. 1 lit. a GDPR): You have explicitly granted us permission for a specific purpose (e.g. newsletter, optional analytics cookies).
  • Performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR): Processing is necessary to perform a contract with you or to carry out pre-contractual steps (e.g. responding to enquiries, fulfilling orders).
  • Legal obligation (Art. 6 para. 1 lit. c GDPR): Processing is required to comply with legal obligations (e.g. retention duties under the Austrian Commercial Code or Fiscal Code).
  • Legitimate interests (Art. 6 para. 1 lit. f GDPR): Processing is necessary for our legitimate interests or those of a third party, provided your interests or fundamental rights and freedoms do not override them (e.g. ensuring IT security, replying to general enquiries, enforcing legal claims).

Storage Duration

We store personal data only for as long as necessary to fulfil the respective purposes or as required by statutory retention periods. Afterwards, the data is erased, blocked or anonymised in accordance with legal requirements, unless further storage is needed for contractual or statutory reasons.

Your GDPR Rights

  • Access (Art. 15 GDPR): Obtain confirmation whether personal data concerning you is processed and receive a copy of the data.
  • Rectification (Art. 16 GDPR): Request the immediate correction of inaccurate personal data or the completion of incomplete data.
  • Erasure (Art. 17 GDPR): Request deletion of your data provided no statutory retention obligations apply.
  • Restriction of processing (Art. 18 GDPR): Request restriction of processing under the conditions set out in the GDPR.
  • Data portability (Art. 20 GDPR): Receive the data you provided in a structured, commonly used and machine-readable format and transmit it to another controller.
  • Objection (Art. 21 GDPR): Object to processing based on Art. 6 para. 1 lit. e or lit. f GDPR on grounds relating to your particular situation. You may object to direct marketing at any time.
  • Withdrawal of consent (Art. 7 para. 3 GDPR): Withdraw any consent with future effect at any time.
  • Complaint (Art. 77 GDPR): Lodge a complaint with a supervisory authority, e.g. the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, phone: +43 1 52 152-0, email: dsb@dsb.gv.at.

To exercise your rights, contact the controller. We may request additional information to verify your identity.

International Data Transfers

Personal data is transferred to countries outside the European Union or European Economic Area (third countries) only if this is necessary to perform our services, you have consented, legal obligations require it or appropriate safeguards ensure adequate protection.

When cooperating with service providers in the United States (e.g. Cloudflare, Mailchimp, PostHog), we rely on adequacy decisions such as the EU-U.S. Data Privacy Framework (where the provider is certified) or the EU Commission's Standard Contractual Clauses together with additional protective measures. Nevertheless, U.S. authorities may access data. By granting consent you also agree to a possible transfer to the USA pursuant to Art. 49 para. 1 lit. a GDPR.

Security of Your Data (Technical and Organisational Measures)

  • TLS/SSL encryption of our website to secure data in transit.
  • Entry and access control measures for our systems.
  • Data minimisation as well as pseudonymisation or anonymisation where feasible.
  • Regular review, assessment and updating of security measures.
  • Training and confidentiality commitments for our staff.
  • Careful selection and monitoring of processors.

Despite all safeguards, data transmission over the internet can have security gaps. Absolute protection cannot be guaranteed.

Cookies and Similar Technologies

Our website uses cookies and comparable technologies (e.g. local storage) to provide essential functions and create a convenient user experience. Cookies do not harm your device.

  • Strictly necessary cookies: Required for the website to function properly (e.g. language selection, security features). Legal basis is our legitimate interest in operating a user-friendly website (Art. 6 para. 1 lit. f GDPR) or, where applicable, the performance of a contract.
  • Functional or optional cookies: Used only after you have given consent and designed to improve the usability of our offering (Art. 6 para. 1 lit. a GDPR).
  • Analytics and marketing cookies: Set only with your consent. We currently do not use analytics or marketing cookies without your approval; PostHog (see below) is activated solely after you consent.

Upon your first visit a consent tool asks for your preferences regarding optional cookies. You can change or withdraw your consent at any time via the "Cookie settings" link in the footer. You may also block or delete cookies in your browser settings; this can limit certain functions of the site.

Web Hosting (Hetzner Online GmbH)

We host this website with Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Hetzner processes personal data (server log files) on our behalf to deliver the website, ensure stability and maintain security.

  • Browser type and version
  • Operating system used
  • Referrer URL
  • IP address of the requesting device
  • Date and time of the server request
  • Requested files and data volume
  • HTTP status code

Log data is used solely to guarantee trouble-free operations and to prevent attacks. The data is erased or anonymised after short retention periods. Legal basis is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. A data processing agreement pursuant to Art. 28 GDPR is in place with Hetzner.

Content Delivery and Object Storage (Cloudflare)

To deliver static assets quickly and store media we use services provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Cloudflare processes technical connection data (e.g. IP address, access time, protocol information) to deliver content, improve performance and provide security features such as DDoS protection.

The legal basis is our legitimate interest in a performant and secure presentation of our website (Art. 6 para. 1 lit. f GDPR). Cloudflare is certified under the EU-U.S. Data Privacy Framework and we have concluded Standard Contractual Clauses.

Newsletter via Mailchimp API

If you subscribe to our newsletter, we process your email address and, optionally, your name to send you updates. Subscription uses a double opt-in process: you will receive a confirmation email in which you must verify your registration.

We rely on the Mailchimp API provided by The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. Mailchimp processes your data on our behalf to manage and dispatch newsletters and to compile statistics (e.g. open and click rates) so we can tailor our communications.

The legal basis is your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with Section 174 TKG 2021. You may withdraw consent at any time with future effect by using the unsubscribe link in any newsletter or by contacting us. Mailchimp relies on Standard Contractual Clauses and certification under the EU-U.S. Data Privacy Framework for transfers to the USA.

Product Analytics with PostHog

We plan to use the product analytics tool PostHog provided by PostHog Inc., 220 Sansome St, San Francisco, CA 94104, USA, to understand how visitors interact with our website and to improve our features.

Depending on the configuration, PostHog processes usage data such as pages visited, interactions, browser and device information, IP addresses (shortened or anonymised), approximate location data and event data. Sensitive input fields are not recorded; session replay functionality is only enabled with strict masking.

PostHog is activated solely after you consent to analytics cookies in the consent banner. The legal basis is therefore your consent pursuant to Art. 6 para. 1 lit. a GDPR. Data transfers to the USA rely on Standard Contractual Clauses and, where applicable, certification under the EU-U.S. Data Privacy Framework. You may withdraw consent at any time via the cookie settings.

Communication and Contact

If you contact us by email, phone or form, we process the information you provide (e.g. name, contact details, message content) solely to handle your enquiry and any follow-up.

Where the enquiry relates to contract performance or pre-contractual steps, the legal basis is Art. 6 para. 1 lit. b GDPR. In all other cases, processing is based on our legitimate interest in efficiently processing requests (Art. 6 para. 1 lit. f GDPR).

We delete the data once your concern has been resolved unless statutory retention obligations apply.

Processors and Recipients

We engage carefully selected service providers (e.g. hosting, newsletter delivery, analytics) as processors. Each provider is bound by a data processing agreement pursuant to Art. 28 GDPR. Personal data is disclosed to third parties only where required by law, if you have consented or if it is necessary to assert legal claims.

Changes to this Privacy Policy

We may update this privacy policy if legal requirements, technical developments or changes to our services make this necessary. The version published on this page is the current one.