Privacy Policy
1. Controller
Controller within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG):
Ens Naturale e.U.
Owner: Cosmin Birtalan
Neustiftgasse 101/1/10
1070 Vienna, Austria
Email: [email protected]
2. Data Protection Officer
No data protection officer has been appointed: a sole-proprietor setup without large-scale or sensitive processing does not trigger mandatory appointment under Art. 37 GDPR, and the stricter German threshold in § 38 BDSG applies only to companies established in Germany. For data-protection inquiries please contact the controller directly.
3. Collection and storage of personal data
3.1 Visiting the website (server log files)
When you visit our website, your browser automatically transmits the following to our hosting server:
- IP address of the requesting machine (truncated once the request has been processed)
- Date and time of access
- Name and URL of the requested file
- Website from which access takes place (referrer URL)
- Browser used and operating system
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the operational and cyber security of the website).
Retention: 7 days, then automatic deletion.
3.2 Orders (direct sale via bank transfer)
Sales are conducted as a direct sale by Ens Naturale e.U. — no external payment provider (no Paddle, Stripe, PayPal or similar) is interposed. When placing an order, the following data is collected via the order form on the website and transmitted to us by encrypted email:
- Company name + address
- First and last name of contact person
- Email address
- Phone number (optional)
- VAT-ID (B2B, for reverse-charge)
- Billing and delivery address
- Kit selection + optional Multi-License upgrade
Payment flow:
- Order data arrives by email (via Cloudflare Pages Function + Resend)
- You receive an order confirmation with an invoice (PDF) incl. IBAN/BIC
- You transfer the invoice amount to the business account of Ens Naturale e.U.
- Once payment is received you receive the download link by email
Important: No payment data (credit card numbers, IBAN entries, PayPal accounts, etc.) are collected or stored on the website. Payment is made exclusively by classic bank transfer from your own house-bank account.
Legal basis: Art. 6 (1) (b) GDPR (contract performance) and Art. 6 (1) (c) GDPR (statutory record-keeping obligations under § 132 BAO Austria and § 147 AO Germany).
Retention: 7 years (§ 132 BAO Austria) / 10 years (§ 147 AO Germany) for tax/accounting records.
4. Third-party services / processors
4.1 Payment processing — direct sale via bank transfer (no external payment provider)
The contractual counterparty and sole controller for payment processing is Ens Naturale e.U. (Owner: Cosmin Birtalan, Neustiftgasse 101/1/10, 1070 Vienna, Austria). No external Merchant-of-Record service (Paddle, Stripe, PayPal, Lemon Squeezy etc.) is interposed — payment is made classically by bank transfer after invoicing.
Process:
- You send your order data via the order form on the website (data flow: Cloudflare Pages Function → Resend → email to [email protected]).
- Ens Naturale e.U. issues an invoice (PDF) per § 11 UStG / Art. 226 VAT Directive and sends it to you by email.
- You transfer the invoice amount from your house bank to the business account stated.
- Once the funds are received you receive the time-limited download link for your kit.
Which personal data is processed?
- Billing address, company name, VAT-ID (for B2B / reverse charge)
- Email address, name of contact person
- Order number + kit selection
- From the bank transfer: Sender IBAN/BIC, reference, amount (we see this data exclusively on our house bank's account statement — it is not processed in any online checkout)
Important: Credit-card numbers, PayPal-account data or similar online-payment data are neither collected, processed nor stored, as there is no online checkout.
Legal basis: Art. 6 (1) (b) GDPR (contract performance) + Art. 6 (1) (c) GDPR (statutory record-keeping obligations — § 132 BAO Austria, § 147 AO Germany).
Retention period: 7 years (§ 132 BAO Austria) / 10 years (§ 147 AO Germany) for tax/accounting records.
Third-country transfer: Does not occur as part of the payment (domestic bank transaction within the SEPA area).
4.2 Transactional emails — Resend (Resend Ireland Limited, Ireland / EU)
The contracting party for transactional emails (order confirmation, download link, update notifications) is Resend Ireland Limited (Dublin, Ireland) — the EU subsidiary of Resend Inc. (USA). Data processing takes place primarily within the EU (Ireland/Frankfurt). A data processing agreement (DPA) under Art. 28 GDPR is in place. As Resend Ireland Limited is a subsidiary of a US group, EU Commission Standard Contractual Clauses (SCC) Module 3 (Decision 2021/914) are additionally concluded to safeguard potential sub-processor access by the US parent company in a GDPR-compliant manner.
| Service | Delivery of transactional emails (order confirmation, download link, update notifications) |
| Contracting party | Resend Ireland Limited, 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland (EU) |
| Parent company | Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA (potential sub-processor access) |
| Purpose | Delivery of transactional emails to customers |
| Legal basis | Art. 6 (1) (b) GDPR (contract performance); processing on our behalf under a data processing agreement per Art. 28 GDPR |
| Data categories | Email address, recipient name, content of transactional emails |
| Data processing | EU (Ireland/Frankfurt) — no regular third-country transfer; potential US parent-company access secured by SCC (EU Decision 2021/914) |
| Privacy policy | resend.com/legal/privacy-policy |
4.3 Hosting, backend, file storage, DNS, CDN, email routing — Cloudflare (single-vendor stack)
Cloudflare bundles our entire technical stack: hosting (Cloudflare Pages, EU edge delivery), backend functions (Cloudflare Pages Functions / Workers), kit file storage (Cloudflare R2 Object Storage, EU region), key-value store for rate limiting (Cloudflare KV), DNS resolution, content delivery network, DDoS/bot protection, Cloudflare Turnstile (GDPR-compliant, cookieless CAPTCHA), and email routing for incoming emails to [email protected]. A data processing agreement under Art. 28 GDPR is in place.
| Services | Cloudflare Pages (static hosting, EU edge) · Cloudflare Pages Functions (backend endpoints /api/order, /api/download) · Cloudflare R2 (object storage of kit ZIP files, EU region) · Cloudflare KV (rate-limit counters) · Cloudflare DNS · Cloudflare CDN · Cloudflare DDoS/bot protection · Cloudflare Turnstile (cookieless CAPTCHA) · Cloudflare Email Routing (incoming) |
| Provider | Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA |
| Purpose | Delivery of static website content via EU edge, processing of order forms, provisioning of purchased Compliance Kits for download (HMAC-signed tokens, 7-day validity), rate limiting + bot protection at the order step, routing of incoming emails |
| Region | EU region: R2 bucket in EU storage region (data remains in the EU), Pages/Workers edge delivery primarily from the nearest EU data centre (Vienna/Frankfurt/Amsterdam) |
| Legal basis | Art. 6 (1) (b) GDPR (performance of contract — delivery of ordered kit files) + Art. 6 (1) (f) GDPR (legitimate interest — hosting performance, functional security, cyber security, spam/bot protection) |
| Data categories | Truncated IP address, user agent, request path, timestamp; order data (company name, email, billing address, VAT-ID); download link token (HMAC-SHA256-signed, stateless, no database-backed token); kit selection + tier; for email routing: sender/recipient address, content of incoming emails |
| Third country | USA — secured by EU-US Data Privacy Framework (DPF, active Cloudflare certification) + Standard Contractual Clauses (SCC, Implementing Decision 2021/914); data processing agreement under Art. 28 GDPR concluded. R2 object storage sits in EU region — file contents do not leave the EU. |
| Retention | Server logs 7 days; rate-limit counters 1 hour; order data per tax-law retention obligations (7 years §132 BAO / 10 years §147 AO); download links valid for 7 days, extendable once for a further 7 days; kit ZIP files retained permanently in R2 (static delivery content) |
| Privacy policy | cloudflare.com/privacypolicy |
5. Cookies
We use only strictly necessary cookies (session cookies, security tokens, language selection). No tracking or third-party cookies are set, so no cookie consent banner is required.
As sales are conducted exclusively by bank transfer (direct sale), no online-checkout iframe is embedded on the website — accordingly, no checkout cookies from external payment providers are set either.
6. Your rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR)
Please direct your request to: [email protected]. We respond within one month; under Art. 12 (3) GDPR this period may be extended by a further two months for complex or numerous requests, in which case we will inform you of the extension and its reasons.
7. Right to lodge a complaint
You have the right to lodge a complaint with a data-protection supervisory authority. The competent authority is:
Austrian Data Protection Authority (DSB)
Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: [email protected]
Web: www.dsb.gv.at
8. Data security
We use TLS 1.3 (HTTPS) encryption. Personal data is transmitted and stored in encrypted form. Access to personal data is restricted to authorised persons on a need-to-know basis.
9. Validity of this privacy policy
This privacy policy is currently valid and is dated 12.05.2026. If our processing activities change, we will update the policy.