Privacy Policy

1. Controller

Controller within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG):

Ens Naturale e.U.
Owner: Cosmin Birtalan
Neustiftgasse 101/1/10
1070 Vienna, Austria
Email: [email protected]

2. Data Protection Officer

A solo-founder setup does not trigger mandatory DPO appointment (§ 38 BDSG only applies for a German seat). For data-protection inquiries please contact the controller directly.

3. Collection and storage of personal data

3.1 Visiting the website (server log files)

When you visit our website, your browser automatically transmits the following to our hosting server:

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in functional security + cyber security).

Retention: 7 days, then automatic deletion.

3.2 Orders (online checkout via Stripe)

Sales are made by Ens Naturale e.U.; payment is handled by the payment service provider Stripe via a hosted online checkout (details under section 4.1). When placing an order, the following data is collected via the order form / the Stripe checkout:

Flow:

  1. You select a kit and proceed to the Stripe-hosted checkout.
  2. You pay directly via Stripe (payment in advance); Stripe calculates VAT automatically (Stripe Tax).
  3. After payment confirmation we personalise your documents and provide them, together with the invoice, within 24 hours (business days) by email / download link.

Important: Payment data (e.g. credit card number) is entered exclusively on the Stripe-hosted payment page — it is not collected or stored on our website.

Legal basis: Art. 6 (1) (b) GDPR (contract performance) + (c) (statutory record-keeping obligations under § 132 BAO Austria, § 147 AO Germany).

Retention: 7 years (§ 132 BAO Austria) / 10 years (§ 147 AO Germany) for tax/accounting records.

4. Third-party services / processors

4.1 Payment processing — Stripe (online checkout)

Payment is processed via the Stripe-hosted checkout (Stripe Hosted Checkout). The contractual counterparty for payment processing in the EEA is Stripe Payments Europe, Limited (Dublin, Ireland), part of the Stripe group; personal data may be transferred to Stripe, LLC (USA) in the course of processing. A data processing agreement (DPA) under Art. 28 GDPR is in place. The contractual counterparty for the delivered service remains exclusively Ens Naturale e.U.

Important: Payment data (e.g. credit card number) is entered exclusively on the Stripe-hosted payment page — it is not collected, transmitted or stored on our website. Ens Naturale e.U. receives only a payment confirmation and the billing/master data from Stripe, but no full card data.

Process:

  1. You select a kit and proceed via the order button to the Stripe-hosted checkout.
  2. You pay directly via Stripe (payment in advance). Stripe calculates the applicable VAT automatically (Stripe Tax); for a valid VAT-ID of an EU B2B customer outside Austria, the reverse-charge procedure is applied.
  3. After successful payment we personalise your documents and provide them, together with the invoice, within 24 hours (business days) by email / download link.

Which personal data is transmitted to Stripe?

ServiceOnline payment processing (Stripe Hosted Checkout), invoice creation, VAT calculation (Stripe Tax)
Contracting party (EEA)Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin D02 H210, Ireland (EU)
US data transferStripe, LLC (USA) — transfer per Stripe Data Transfers Addendum
Legal basisArt. 6 (1) (b) GDPR (contract performance); Art. 6 (1) (c) GDPR (tax/commercial obligations); Art. 28 GDPR (processing)
Data categoriesCompany name, contact person, email, billing address, VAT-ID, purchase amount, kit/tier selection; payment-means data only at Stripe
Third countryUSA — secured by EU-US Data Privacy Framework (DPF, active Stripe certification) + Standard Contractual Clauses (SCC, Implementing Decision 2021/914); DPA under Art. 28 GDPR concluded
Retention periodInvoice/payment data per statutory record-keeping obligations (7 years § 132 BAO / 10 years § 147 AO)
Privacy policystripe.com/privacy

4.2 Transactional emails — Resend (Resend Ireland Limited, Ireland / EU)

The contracting party for transactional emails (order confirmation, download link, update notifications) is Resend Ireland Limited (Dublin, Ireland) — the EU subsidiary of Resend Inc. (USA). Data processing takes place primarily within the EU (Ireland/Frankfurt). A data processing agreement (DPA) under Art. 28 GDPR is in place. As Resend Ireland Limited is a subsidiary of a US group, EU Commission Standard Contractual Clauses (SCC) Module 3 (Decision 2021/914) are additionally concluded to safeguard potential sub-processor access by the US parent company in a GDPR-compliant manner.

ServiceDelivery of transactional emails (order confirmation, download link, update notifications)
Contracting partyResend Ireland Limited, 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland (EU)
Parent companyResend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA (potential sub-processor access)
PurposeDelivery of transactional emails to customers
Legal basisArt. 6 (1) (b) GDPR (contract performance); Art. 28 GDPR (data processing)
Data categoriesEmail address, recipient name, content of transactional emails
Data processingEU (Ireland/Frankfurt) — no regular third-country transfer; potential US parent-company access secured by SCC (EU Decision 2021/914)
Privacy policyresend.com/legal/privacy-policy

4.3 Hosting, backend, file storage, DNS, CDN, email routing — Cloudflare (single-vendor stack)

Cloudflare bundles our entire technical stack: hosting (Cloudflare Pages, EU edge delivery), backend functions (Cloudflare Pages Functions / Workers), kit file storage (Cloudflare R2 Object Storage, EU region), key-value store for rate limiting (Cloudflare KV), DNS resolution, content delivery network, DDoS/bot protection, Cloudflare Turnstile (GDPR-compliant, cookieless CAPTCHA), and email routing for incoming emails to [email protected]. A data processing agreement under Art. 28 GDPR is in place.

ServicesCloudflare Pages (static hosting, EU edge) · Cloudflare Pages Functions (backend endpoints /api/checkout, /api/download) · Cloudflare R2 (object storage of kit ZIP files, EU region) · Cloudflare KV (rate-limit counters) · Cloudflare DNS · Cloudflare CDN · Cloudflare DDoS/bot protection · Cloudflare Turnstile (cookieless CAPTCHA) · Cloudflare Email Routing (incoming)
ProviderCloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA
PurposeDelivery of static website content via EU edge, processing of order forms, provisioning of purchased Compliance Kits for download (HMAC-signed tokens, 7-day validity), rate limiting + bot protection at the order step, routing of incoming emails
RegionEU region: R2 bucket in EU storage region (data remains in the EU), Pages/Workers edge delivery primarily from the nearest EU data centre (Vienna/Frankfurt/Amsterdam)
Legal basisArt. 6 (1) (b) GDPR (performance of contract — delivery of ordered kit files) + Art. 6 (1) (f) GDPR (legitimate interest — hosting performance, functional security, cyber security, spam/bot protection)
Data categoriesTruncated IP address, user agent, request path, timestamp; order data (company name, email, billing address, VAT-ID); download link token (HMAC-SHA256, no classic database token); kit selection + tier; for email routing: sender/recipient address, content of incoming emails
Third countryUSA — secured by EU-US Data Privacy Framework (DPF, active Cloudflare certification) + Standard Contractual Clauses (SCC, Implementing Decision 2021/914); data processing agreement under Art. 28 GDPR concluded. R2 object storage sits in EU region — file contents do not leave the EU.
RetentionServer logs 7 days; rate-limit counters 1 hour; order data per tax-law retention obligations (7 years §132 BAO / 10 years §147 AO); download links valid for 7 days, extendable once for a further 7 days; kit ZIP files retained permanently in R2 (static delivery content)
Privacy policycloudflare.com/privacypolicy

5. Cookies

We use only strictly necessary cookies (session cookies, security tokens, language selection). No tracking or third-party cookies are set — therefore no cookie banner is required.

Payment is processed via a Stripe-hosted payment page (redirect). No checkout iframe is embedded on our website — therefore the payment process sets no cookies on our domain. On the Stripe payment page, Stripe's cookie and privacy notices apply.

6. Your rights

You have the following rights regarding your personal data:

Please direct your request to: [email protected]. We respond within 1 month (extendable to 3 months for complex requests).

7. Right to lodge a complaint

You have the right to lodge a complaint with a data-protection supervisory authority. The competent authority is:

Austrian Data Protection Authority (DSB)
Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: [email protected]
Web: www.dsb.gv.at

8. Data security

We use TLS 1.3 (HTTPS) encryption. Personal data is transmitted and stored encrypted. Only authorised persons with a need-to-know principle have access to data.

9. Validity of this privacy policy

This privacy policy is currently valid and is dated 12.05.2026. If our processing activities change, we will update the policy.