Back

Legal

Imprint

Content responsibility:

ROARK GmbH
Bossigasse 24/8
1130 Vienna
Austria

Managing Director: Juliamarie Curto
Managing Director: Marcello Curto

Email: kontakt@roark.at

VAT ID: ATU79133046
Tax number: 03 740/0892

Graphic design & logo: Lena Drießen

Copyright Notice

Please contact us before using our images or other works. The content and works on this website are protected by Austrian copyright law and were created by the site operators. Reproduction, editing, distribution, or any use outside the limits of copyright law requires the prior written consent of the respective author or creator. Where content on this site was not created by the operators, third-party rights are respected and such content is identified accordingly. If you become aware of an infringement, please let us know. We will remove infringing content promptly after becoming aware of it.

Online Dispute Resolution

The European Commission provides a platform for online dispute resolution at https://ec.europa.eu/consumers/odr/. We are neither obliged nor willing to participate in dispute resolution proceedings before a consumer arbitration board.

Objection to Unsolicited Advertising

We object to the use of the contact details published as part of our imprint obligations for sending unsolicited advertising or information material. In the event of unsolicited advertising, such as spam emails, we reserve the right to take legal action.

Responsible for Editorial Content

ROARK GmbH
Bossigasse 24/8
1130 Vienna
Austria

Privacy Notice

Privacy notice of ROARK GmbH under Articles 13 and 14 GDPR, including purposes, legal bases, recipients, and data subject rights.

This privacy notice explains how ROARK GmbH processes personal data in connection with this website and our B2B SaaS services.

Controller

ROARK GmbH
Bossigasse 24/8
1130 Vienna
Austria

Managing Director: Juliamarie Curto
Managing Director: Marcello Curto

Email: datenschutz@roark.at
Phone: +43 660 375 8455

Further company details are available in the imprint above.

Data Protection Roles

For this website and our own business processes, we act as controller under Art. 4(7) GDPR.

For personal data processed in our SaaS by our customers, we generally act as processor under Art. 28 GDPR.

A data processing agreement is part of the SaaS setup. A template is available at DPA / AVV.

Categories of Data Subjects and Personal Data

We may process personal data relating to:

  • visitors of this website
  • contact persons of prospects, customers, and partners
  • users of our B2B SaaS applications

Depending on usage, we may process in particular:

  • master data, for example name, company, and business contact details
  • communication data, for example email content and metadata
  • usage and log data, for example IP address, timestamp, URL, and user agent
  • contract and billing data
  • customer data and content processed in the SaaS

Processing Activities, Purposes, Legal Bases, and Retention

  • Website delivery (server logs): Purpose: stability, security, troubleshooting. Data categories: IP address, URL, timestamp, user agent, referrer. Legal basis: Art. 6(1)(f) GDPR. Retention: usually short-term; longer only for security incidents.
  • Language preference (NEXT_LOCALE): Purpose: delivery of selected language. Data categories: language code and technical cookie data. Legal basis: Section 165(3) Austrian TKG 2021 and Art. 6(1)(f) GDPR. Retention: up to 12 months or until deleted in the browser.
  • Email communication: Purpose: handling requests, pre-contractual communication, and customer communication. Data categories: contact data, message content, metadata. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR. Retention: until request completion, then according to legal and contractual obligations.
  • B2B SaaS contract performance: Purpose: provision of agreed SaaS functions. Data categories: account, usage, content, and configuration data. Legal basis: Art. 6(1)(b) GDPR. Retention: during the contract term, then deletion according to the contract or DPA.
  • Compliance, legal defense, and accounting: Purpose: compliance with legal duties and defense of claims. Data categories: contract, billing, and communication data. Legal basis: Art. 6(1)(c) and Art. 6(1)(f) GDPR. Retention: statutory retention, in particular 7 years under BAO and UGB, and longer only for disputes.

Cookies

We do not use tracking, marketing, or profiling cookies. Only the technically required cookie NEXT_LOCALE may be set to store your language preference.

Recipients and Processors

We use the following providers. Where required, we have concluded data processing agreements under Art. 28 GDPR.

  • Hetzner: Infrastructure hosting services. Data categories: usage and log data. Role: processor. Processing location: EU, mainly Germany and Finland. Third-country transfer or safeguard: no transfer initiated by us via this service. Retention: based on contract setup; deletion per contract or DPA. DPA status: in place.
  • Convex: Cloud platform services. Data categories: account, usage, and content data. Role: processor. Processing location: EU and additional regions depending on project configuration. Third-country transfer or safeguard: SCC and contractual safeguards under provider terms. Retention: based on provider and project settings; deletion per contract or DPA. DPA status: in place.
  • Microsoft Azure: Cloud platform services. Data categories: account, usage, and content data. Role: processor. Processing location: EU and additional regions depending on configuration. Third-country transfer or safeguard: SCC and additional safeguards under Microsoft DPA. Retention: based on provider and project settings. DPA status: in place.
  • Amazon Web Services: Cloud and communication services. Data categories: communication data, usage data, and related metadata. Role: processor. Processing location: EU and additional regions depending on configuration. Third-country transfer or safeguard: SCC and contractual safeguards under AWS DPA. Retention: based on provider and project settings. DPA status: in place.
  • Vercel: Web hosting and delivery services. Data categories: request and log data. Role: processor. Processing location: EU and additional regions depending on delivery setup. Third-country transfer or safeguard: SCC and additional safeguards under Vercel DPA. Retention: based on provider and project settings. DPA status: in place.
  • bunny.net: DNS and edge delivery services. Data categories: DNS requests and technical metadata. Role: processor. Processing location: EU and global edge locations depending on routing. Third-country transfer or safeguard: SCC and contractual safeguards under provider terms. Retention: based on provider and project settings. DPA status: in place.
  • netcup: Infrastructure hosting and domain services. Data categories: usage and log data, domain administration data, billing-related data. Role: processor or independent controller depending on process. Processing location: EU, mainly Germany. Third-country transfer or safeguard: no transfer initiated by us via this service. Retention: according to project, registrar, and tax law retention periods. DPA status: in place where a processor relationship applies.
  • Migadu: Email services. Data categories: email content and metadata, contact data. Role: processor. Processing location: Switzerland and, where applicable, additional locations via subprocessors. Third-country transfer or safeguard: Switzerland adequacy decision, otherwise SCC. Retention: based on mailbox and contract settings. DPA status: in place.

Infrastructure Data Flow

The above providers are used for hosting, cloud platform operation, communication, DNS and edge delivery, and domain services.

Subprocessors

The current subprocessors of the above providers are listed in their official subprocessor and privacy pages. Material changes to our own subprocessor setup are communicated to contractual partners according to the agreed contract mechanism.

Disclosure to Additional Recipients

Beyond the above, data is disclosed only:

  • where legally permitted
  • where required to perform a contract
  • where we are legally obliged
  • where you have provided consent

Retention and Deletion

We retain personal data only for as long as necessary for the applicable purposes. After that, data is deleted or anonymized unless statutory retention obligations apply.

In Austria, relevant retention obligations may arise in particular under BAO and UGB, typically 7 years for accounting-related records.

Security

We implement appropriate technical and organizational measures under Art. 32 GDPR to protect personal data against loss, unauthorized access, and manipulation.

Your Rights

Under the GDPR, you have in particular the right to:

  • access under Art. 15 GDPR
  • rectification under Art. 16 GDPR
  • erasure under Art. 17 GDPR
  • restriction of processing under Art. 18 GDPR
  • data portability under Art. 20 GDPR
  • object to processing based on Art. 6(1)(f) GDPR under Art. 21 GDPR
  • withdraw consent for future processing under Art. 7(3) GDPR

To exercise your rights, please contact us at datenschutz@roark.at.

Right to Lodge a Complaint

You may lodge a complaint with a data protection supervisory authority. In Austria, the competent authority is:

Austrian Data Protection Authority (Datenschutzbehoerde)
Barichgasse 40-42
1030 Vienna

Website: https://www.dsb.gv.at/
Email: dsb@dsb.gv.at

Updates to This Privacy Notice

We update this privacy notice where processing activities, legal requirements, or service providers materially change.