Privacy Policy
1. Controller
Controller within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG):
Ens Naturale e.U.Owner: Cosmin Birtalan
Neustiftgasse 101/1/10
1070 Vienna, Austria
Email: [email protected]
2. Data Protection Officer
A solo-founder setup does not trigger mandatory DPO appointment (§ 38 BDSG only applies for a German seat). For data-protection inquiries please contact the controller directly.
3. Collection and storage of personal data
3.1 Visiting the website (server log files)
When you visit our website, your browser automatically transmits the following to our hosting server:
- IP address of the requesting machine (truncated after processing)
- Date and time of access
- Name and URL of the requested file
- Website from which access takes place (referrer URL)
- Browser used and operating system
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in functional security + cyber security).
Retention: 7 days, then automatic deletion.
3.2 Orders (online checkout via Stripe)
Sales are made by Ens Naturale e.U.; payment is handled by the payment service provider Stripe via a hosted online checkout (details under section 4.1). When placing an order, the following data is collected via the order form / the Stripe checkout:
- Company name + address
- First and last name of contact person
- Email address
- Phone number (optional)
- VAT-ID (B2B, for reverse-charge)
- Billing and delivery address
- Kit selection + optional Multi-License upgrade
Flow:
- You select a kit and proceed to the Stripe-hosted checkout.
- You pay directly via Stripe (payment in advance); Stripe calculates VAT automatically (Stripe Tax).
- After payment confirmation we personalise your documents and provide them, together with the invoice, within 24 hours (business days) by email / download link.
Important: Payment data (e.g. credit card number) is entered exclusively on the Stripe-hosted payment page — it is not collected or stored on our website.
Legal basis: Art. 6 (1) (b) GDPR (contract performance) + (c) (statutory record-keeping obligations under § 132 BAO Austria, § 147 AO Germany).
Retention: 7 years (§ 132 BAO Austria) / 10 years (§ 147 AO Germany) for tax/accounting records.
4. Third-party services / processors
4.1 Payment processing — Stripe (online checkout)
Payment is processed via the Stripe-hosted checkout (Stripe Hosted Checkout). The contractual counterparty for payment processing in the EEA is Stripe Payments Europe, Limited (Dublin, Ireland), part of the Stripe group; personal data may be transferred to Stripe, LLC (USA) in the course of processing. A data processing agreement (DPA) under Art. 28 GDPR is in place. The contractual counterparty for the delivered service remains exclusively Ens Naturale e.U.
Important: Payment data (e.g. credit card number) is entered exclusively on the Stripe-hosted payment page — it is not collected, transmitted or stored on our website. Ens Naturale e.U. receives only a payment confirmation and the billing/master data from Stripe, but no full card data.
Process:
- You select a kit and proceed via the order button to the Stripe-hosted checkout.
- You pay directly via Stripe (payment in advance). Stripe calculates the applicable VAT automatically (Stripe Tax); for a valid VAT-ID of an EU B2B customer outside Austria, the reverse-charge procedure is applied.
- After successful payment we personalise your documents and provide them, together with the invoice, within 24 hours (business days) by email / download link.
Which personal data is transmitted to Stripe?
- Company name, name of contact person, email address
- Billing address, VAT-ID (for B2B / reverse charge)
- Purchase amount, kit selection + tier, order/licence number
- Payment-means data (e.g. card data) — processed exclusively by Stripe; we do not receive it.
| Service | Online payment processing (Stripe Hosted Checkout), invoice creation, VAT calculation (Stripe Tax) |
| Contracting party (EEA) | Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin D02 H210, Ireland (EU) |
| US data transfer | Stripe, LLC (USA) — transfer per Stripe Data Transfers Addendum |
| Legal basis | Art. 6 (1) (b) GDPR (contract performance); Art. 6 (1) (c) GDPR (tax/commercial obligations); Art. 28 GDPR (processing) |
| Data categories | Company name, contact person, email, billing address, VAT-ID, purchase amount, kit/tier selection; payment-means data only at Stripe |
| Third country | USA — secured by EU-US Data Privacy Framework (DPF, active Stripe certification) + Standard Contractual Clauses (SCC, Implementing Decision 2021/914); DPA under Art. 28 GDPR concluded |
| Retention period | Invoice/payment data per statutory record-keeping obligations (7 years § 132 BAO / 10 years § 147 AO) |
| Privacy policy | stripe.com/privacy |
4.2 Transactional emails — Resend (Resend Ireland Limited, Ireland / EU)
The contracting party for transactional emails (order confirmation, download link, update notifications) is Resend Ireland Limited (Dublin, Ireland) — the EU subsidiary of Resend Inc. (USA). Data processing takes place primarily within the EU (Ireland/Frankfurt). A data processing agreement (DPA) under Art. 28 GDPR is in place. As Resend Ireland Limited is a subsidiary of a US group, EU Commission Standard Contractual Clauses (SCC) Module 3 (Decision 2021/914) are additionally concluded to safeguard potential sub-processor access by the US parent company in a GDPR-compliant manner.
| Service | Delivery of transactional emails (order confirmation, download link, update notifications) |
| Contracting party | Resend Ireland Limited, 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland (EU) |
| Parent company | Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA (potential sub-processor access) |
| Purpose | Delivery of transactional emails to customers |
| Legal basis | Art. 6 (1) (b) GDPR (contract performance); Art. 28 GDPR (data processing) |
| Data categories | Email address, recipient name, content of transactional emails |
| Data processing | EU (Ireland/Frankfurt) — no regular third-country transfer; potential US parent-company access secured by SCC (EU Decision 2021/914) |
| Privacy policy | resend.com/legal/privacy-policy |
4.3 Hosting, backend, file storage, DNS, CDN, email routing — Cloudflare (single-vendor stack)
Cloudflare bundles our entire technical stack: hosting (Cloudflare Pages, EU edge delivery), backend functions (Cloudflare Pages Functions / Workers), kit file storage (Cloudflare R2 Object Storage, EU region), key-value store for rate limiting (Cloudflare KV), DNS resolution, content delivery network, DDoS/bot protection, Cloudflare Turnstile (GDPR-compliant, cookieless CAPTCHA), and email routing for incoming emails to [email protected]. A data processing agreement under Art. 28 GDPR is in place.
| Services | Cloudflare Pages (static hosting, EU edge) · Cloudflare Pages Functions (backend endpoints /api/checkout, /api/download) · Cloudflare R2 (object storage of kit ZIP files, EU region) · Cloudflare KV (rate-limit counters) · Cloudflare DNS · Cloudflare CDN · Cloudflare DDoS/bot protection · Cloudflare Turnstile (cookieless CAPTCHA) · Cloudflare Email Routing (incoming) |
| Provider | Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA |
| Purpose | Delivery of static website content via EU edge, processing of order forms, provisioning of purchased Compliance Kits for download (HMAC-signed tokens, 7-day validity), rate limiting + bot protection at the order step, routing of incoming emails |
| Region | EU region: R2 bucket in EU storage region (data remains in the EU), Pages/Workers edge delivery primarily from the nearest EU data centre (Vienna/Frankfurt/Amsterdam) |
| Legal basis | Art. 6 (1) (b) GDPR (performance of contract — delivery of ordered kit files) + Art. 6 (1) (f) GDPR (legitimate interest — hosting performance, functional security, cyber security, spam/bot protection) |
| Data categories | Truncated IP address, user agent, request path, timestamp; order data (company name, email, billing address, VAT-ID); download link token (HMAC-SHA256, no classic database token); kit selection + tier; for email routing: sender/recipient address, content of incoming emails |
| Third country | USA — secured by EU-US Data Privacy Framework (DPF, active Cloudflare certification) + Standard Contractual Clauses (SCC, Implementing Decision 2021/914); data processing agreement under Art. 28 GDPR concluded. R2 object storage sits in EU region — file contents do not leave the EU. |
| Retention | Server logs 7 days; rate-limit counters 1 hour; order data per tax-law retention obligations (7 years §132 BAO / 10 years §147 AO); download links valid for 7 days, extendable once for a further 7 days; kit ZIP files retained permanently in R2 (static delivery content) |
| Privacy policy | cloudflare.com/privacypolicy |
5. Cookies
We use only strictly necessary cookies (session cookies, security tokens, language selection). No tracking or third-party cookies are set — therefore no cookie banner is required.
Payment is processed via a Stripe-hosted payment page (redirect). No checkout iframe is embedded on our website — therefore the payment process sets no cookies on our domain. On the Stripe payment page, Stripe's cookie and privacy notices apply.
6. Your rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR)
Please direct your request to: [email protected]. We respond within 1 month (extendable to 3 months for complex requests).
7. Right to lodge a complaint
You have the right to lodge a complaint with a data-protection supervisory authority. The competent authority is:
Austrian Data Protection Authority (DSB)Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: [email protected]
Web: www.dsb.gv.at
8. Data security
We use TLS 1.3 (HTTPS) encryption. Personal data is transmitted and stored encrypted. Only authorised persons with a need-to-know principle have access to data.
9. Validity of this privacy policy
This privacy policy is currently valid and is dated 12.05.2026. If our processing activities change, we will update the policy.