Privacy Policy
Last updated: April 20, 2026
Version: 1.0
This Privacy Policy describes how Bitstem GmbH ("Bitstem", "we", "us") processes personal data in connection with the Bitstem website at [https://www.bitstem.com] and the associated customer area (together, the "Portal"). It applies to visitors, registered users, and authorised representatives of customer organisations.
Processing is carried out in accordance with Regulation (EU) 2016/679 (the "GDPR" / "DSGVO"), the Austrian Data Protection Act (Datenschutzgesetz, "DSG"), and § 165 of the Austrian Telecommunications Act 2021 (TKG 2021) where applicable.
1. Controller
The controller within the meaning of Art. 4(7) GDPR is:
Bitstem GmbH
Bahnhofstrasse 9, 3464 Hausleiten, Austria
Commercial Register: FN 408547f, LG Korneuburg
VAT ID: ATU68384125
Email: office@bitstem.com
A Data Protection Officer has not been appointed; appointment is not mandatory under Art. 37 GDPR or § 5 DSG for our processing activities. Data protection enquiries may be directed to the email address above.
2. Categories of Data, Purposes, and Legal Bases
2.1 Visiting the website
When you access the Portal, the following data is processed automatically by the web server and held in server logs:
- IP address (truncated where feasible);
- date and time of the request;
- requested URL and HTTP method;
- HTTP status code and response size;
- referring URL, where transmitted;
- user agent string.
Purpose: operation and security of the Portal; detection and investigation of attacks and misuse; troubleshooting. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure and functioning website). Retention: server logs are retained for [up to 14 days] and then deleted, unless a concrete suspicion requires longer retention for the investigation of a specific incident.
2.2 Account registration and operation
When an organisation administrator registers an organisation account, we process:
- organisation data: legal name, registered address, country, and (where provided) VAT ID;
- personal data of the administrator: first and last name, email address, role within the organisation, password (stored only as a salted hash);
- the explicit confirmations of acceptance of the Terms of Use, acknowledgement of this Privacy Policy, and authorisation to register on behalf of the organisation, including timestamp.
When an invited user registers, we process: first and last name, email address, password (stored only as a salted hash), the inviting organisation, and the corresponding consent confirmations and timestamps.
For the operation of accounts we additionally process: email confirmation status, login timestamps, session identifiers, password reset tokens, audit records of administrative actions (in particular invitations, seat assignments, and revocations).
Purpose: establishing and operating the user relationship; authentication; license seat administration; audit and accountability. Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures); for audit records additionally Art. 6(1)(f) GDPR (legitimate interest in security and traceability of administrative actions); Art. 6(1)(c) GDPR insofar as accountability obligations under the GDPR itself apply. Retention: for the duration of the account; on deletion of the account, account data is erased without undue delay, with the exception of data subject to statutory retention obligations (see Section 6).
2.3 VAT validation
Where a VAT ID is provided, it is validated against the European Commission's VIES service. The validation request and result (valid / invalid, name and address as returned by VIES) are stored together with the organisation record.
Purpose: verification of business status and correct application of VAT (in particular reverse-charge for intra-Community B2B supplies). Legal basis: Art. 6(1)(c) GDPR (compliance with tax obligations under the Austrian UStG and corresponding EU rules). Recipient: European Commission (VIES).
2.4 License management and software downloads
For the assignment of seats to users, the management of license entitlements, and the provision of installers, we process: assignments of users to seats, timestamps of activation and revocation, downloaded artefact and version, and (where transmitted by the client) the device identifier or fingerprint used by the licensed software.
Purpose: technical and contractual enforcement of license entitlements; provision of the contractually owed functionality; protection against unauthorised use. Legal basis: Art. 6(1)(b) GDPR (performance of the license relationship); Art. 6(1)(f) GDPR (legitimate interest in protection against license circumvention).
2.5 Communication
If you contact us by email or via a contact form, we process the data you provide (in particular your email address and the content of your message) in order to respond.
Purpose: handling of enquiries. Legal basis: Art. 6(1)(b) GDPR for enquiries relating to a contract or its initiation; otherwise Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries). Retention: for as long as necessary to handle the enquiry and any follow-up, and thereafter in accordance with statutory retention obligations.
2.6 Bot protection
The Portal uses Friendly Captcha (or a comparable privacy-preserving alternative) on public-facing forms (in particular registration, login, password reset, and contact). Friendly Captcha performs a cryptographic proof-of-work in the user's browser; no behavioural tracking or third-party cookies are set.
Purpose: protection of forms against automated abuse. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting our infrastructure from automated attacks and spam). Provider: Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee/Germany. A data processing agreement under Art. 28 GDPR is in place. Where personal data is processed (limited technical data such as IP address), processing takes place within the EEA.
2.7 Cookies and similar technologies
The Portal uses only cookies and comparable storage technologies that are strictly necessary for the operation of the requested service (in particular session cookies for authentication and CSRF protection). For these, no consent under § 165 TKG 2021 is required, as they fall within the exception for storage that is "strictly necessary" for the service expressly requested by the user.
We do not use analytics, advertising, profiling, or other non-essential cookies. Should this change in future, we will obtain prior consent in line with § 165 TKG 2021 and Art. 6(1)(a) GDPR.
3. Recipients and Processors
Personal data is disclosed only to the extent necessary. Recipients fall into the following categories:
- Hosting and infrastructure: Scaleway S.A.S., France (EEA). Acts as processor under Art. 28 GDPR.
- Email delivery: Scaleway S.A.S., France (EEA). Acts as processor under Art. 28 GDPR.
- Bot protection: Friendly Captcha GmbH, Germany (see Section 2.6).
- VAT validation: European Commission (VIES) (see Section 2.3).
- Tax advisor and auditor: bound by professional secrecy; receives data to the extent required for statutory accounting and tax purposes.
- Authorities and courts: where we are legally obliged to disclose data.
A list of processors with whom data processing agreements under Art. 28 GDPR are in place is available on request.
4. International Transfers
Personal data is processed within the European Economic Area (EEA) wherever possible. Should processing outside the EEA become necessary in future (for example through a payment processor), it will be carried out only on the basis of an adequacy decision of the European Commission under Art. 45 GDPR or on the basis of suitable safeguards under Art. 46 GDPR, in particular the EU Standard Contractual Clauses, supplemented where required by additional technical and organisational measures.
5. Sources of Data
We process data that you provide to us directly when registering, when using the Portal, and when communicating with us. In the case of invited users, basic data (in particular email address) is initially provided to us by the inviting organisation administrator.
In the case of VAT validation, data is additionally received from the VIES service of the European Commission.
6. Retention Periods
We retain personal data only for as long as necessary for the purposes set out above. The following statutory retention periods apply in particular:
- Records relevant for accounting and tax purposes (in particular invoices, license purchase records, and related correspondence): seven years under § 132 BAO and § 212 UGB, in specific cases longer (e.g. land-related transactions: 22 years).
- Server logs: see Section 2.1.
- Account data: for the duration of the account, then erased without undue delay subject to the above.
- Audit records of administrative actions in the Portal: for the duration of the account and a reasonable period thereafter for evidentiary purposes, but not longer than three years from the action, unless required for the establishment, exercise, or defence of legal claims.
7. Your Rights
Subject to the conditions set out in the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15 GDPR): to obtain confirmation as to whether personal data concerning you is being processed and, if so, a copy of that data along with the prescribed information.
- Rectification (Art. 16 GDPR): to have inaccurate data corrected and incomplete data completed.
- Erasure (Art. 17 GDPR): to have your data erased where one of the grounds set out in Art. 17(1) GDPR applies and no exception under Art. 17(3) GDPR (in particular legal retention obligations) prevails.
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR): to receive the data you have provided to us in a structured, commonly used, and machine-readable format, where the processing is based on consent or on a contract and is carried out by automated means.
- Objection (Art. 21 GDPR): to object, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR.
- Withdrawal of consent (Art. 7(3) GDPR): where processing is based on consent, you may withdraw your consent at any time with effect for the future.
To exercise these rights, please contact us at the address set out in Section 1. We may need to verify your identity before responding.
You also have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Bitstem is:
Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Wien, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Web: https://www.dsb.gv.at
8. Obligation to Provide Data
The provision of personal data for the registration and operation of an account is neither legally nor contractually required, but is necessary for the conclusion of the contract and the use of the Portal. Without the data marked as required, an account cannot be created or operated.
9. Automated Decision-Making
We do not use automated decision-making within the meaning of Art. 22 GDPR, including profiling.
10. Security
We implement appropriate technical and organisational measures under Art. 32 GDPR to protect personal data against unauthorised access, alteration, disclosure, and loss. These include in particular transport encryption (TLS), protection of stored credentials (passwords are held only as salted hashes), access controls, logging of administrative actions, regular updates, and backup procedures.
11. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our processing or in the applicable law. The current version is always available at [https://www.bitstem.com/privacy]. Material changes will be communicated to registered users by email or by prominent notice in the Portal.