Articles 13 and 14 GDPR
Privacy Notice
This privacy notice explains how ROARK GmbH processes personal data in connection with this website and our B2B SaaS services.
Controller
ROARK GmbH
Bossigasse 24/8
1130 Vienna
Austria
Managing Director: Juliamarie Curto
Managing Director: Marcello Curto
Email: datenschutz@roark.at
Phone: +43 660 375 8455
Further company details are available in the Imprint.
Data Protection Roles
- For this website and our own business processes, we act as controller under Art. 4(7) GDPR.
- For personal data processed in our SaaS by our customers, we generally act as processor under Art. 28 GDPR.
- A data processing agreement is part of the SaaS setup. A template is available at DPA / AVV.
Categories of Data Subjects and Personal Data
- Visitors to this website
- Contact persons of prospects, customers and partners
- Users of our B2B SaaS applications
Depending on usage, we may process in particular:
- Master data (for example name, company, business contact details)
- Communication data (for example email content and metadata)
- Usage and log data (for example IP address, timestamp, URL, user agent)
- Authentication and access data (for example user ID, business email address, roles, sign-in events and IP address)
- Contract and billing data
- Customer data and content processed in the SaaS
Processing Activities, Purposes, Legal Bases and Retention
| Processing activity | Purpose | Data categories | Legal basis | Retention |
|---|---|---|---|---|
| Website delivery (server logs) | Stability, security, troubleshooting | IP address, URL, timestamp, user agent, referrer | Art. 6(1)(f) GDPR | Usually short-term; longer only for security incidents |
| Language preference (NEXT_LOCALE) | Delivery of selected language | Language code, technical cookie data | Section 165(3) Austrian TKG 2021, Art. 6(1)(f) GDPR | Up to 12 months or until deleted in browser |
| Email communication | Handling requests, pre-contractual and customer communication | Contact data, message content, metadata | Art. 6(1)(b) and Art. 6(1)(f) GDPR | Until request completion, then according to legal or contractual obligations |
| User authentication and access control | Secure login, account access, identity verification and protection against unauthorized access | Business account data, user identifiers, email address, roles, sign-in metadata and IP address | Art. 6(1)(b) and Art. 6(1)(f) GDPR | During active account use, then according to contract, security and legal retention obligations |
| B2B SaaS contract performance | Provision of agreed SaaS functions | Account, usage, content and configuration data | Art. 6(1)(b) GDPR | During contract term, then deletion according to contract or DPA |
| Compliance, legal defense and accounting | Compliance with legal duties and defense of claims | Contract, billing and communication data | Art. 6(1)(c) and Art. 6(1)(f) GDPR | Statutory retention periods (in particular 7 years under BAO or UGB), longer only for disputes |
Cookies
We do not use tracking, marketing or profiling cookies. This website may set only the technically required cookie NEXT_LOCALE to store your language preference. Our SaaS applications may additionally use technically necessary session or security cookies for login, maintaining authenticated sessions and abuse prevention.
Recipients and Processors
We use the following providers. Where required, we have concluded data processing agreements under Art. 28 GDPR.
| Provider | Purpose | Data categories | Role | Processing location | Third-country transfer / safeguard | Retention | DPA status |
|---|---|---|---|---|---|---|---|
| Hetzner | Infrastructure hosting services | Usage and log data | Processor | EU (mainly Germany or Finland) | No transfer initiated by us via this service | Based on contract setup; deletion per contract or DPA | In place |
| Convex | Cloud platform services | Account, usage and content data | Processor | EU and additional regions depending on project configuration | SCC and contractual safeguards under provider terms | Based on provider or project settings; deletion per contract or DPA | In place |
| Microsoft Azure | Cloud platform services | Account, usage and content data | Processor | EU and additional regions depending on configuration | SCC and additional safeguards under Microsoft DPA | Based on provider or project settings | In place |
| Microsoft Entra ID | Identity and access management for user login | Business account data, user identifiers, email address, roles, sign-in metadata and IP address | Processor | EU and additional regions depending on configuration | SCC and additional safeguards under Microsoft DPA | Based on provider or project settings | In place |
| Amazon Web Services | Cloud and communication services | Communication data, usage data and related metadata | Processor | EU and additional regions depending on configuration | SCC and contractual safeguards under AWS DPA | Based on provider or project settings | In place |
| Vercel | Web hosting and delivery services | Request and log data | Processor | EU and additional regions depending on delivery setup | SCC and additional safeguards under Vercel DPA | Based on provider or project settings | In place |
| bunny.net | DNS and edge delivery services | DNS requests and technical metadata | Processor | EU and global edge locations depending on routing | SCC and contractual safeguards under provider terms | Based on provider or project settings | In place |
| netcup | Infrastructure hosting and domain services | Usage or log data, domain administration data, billing-related data | Processor or independent controller depending on process | EU (mainly Germany) | No transfer initiated by us via this service | According to project, registrar and tax-law retention periods | In place where processor relationship applies |
| Migadu | Email services | Email content and metadata, contact data | Processor | Switzerland and, where applicable, additional locations via subprocessors | Switzerland adequacy decision; otherwise SCC | Based on mailbox and contract settings | In place |
Infrastructure Data Flow
- The above providers are used for hosting, cloud platform operation, user authentication and access management, communication, DNS or edge delivery, and domain services.
Subprocessors
The current subprocessors of the above providers are listed in their official subprocessor and privacy pages. Material changes to our own subprocessor setup are communicated to contractual partners according to the agreed contract mechanism.
Disclosure to Additional Recipients
Beyond the above, data is disclosed only:
- where legally permitted,
- where required to perform a contract,
- where we are legally obliged, or
- where you have provided consent.
Retention and Deletion
We retain personal data only for as long as necessary for the applicable purposes. After that, data is deleted or anonymized unless statutory retention obligations apply.
In Austria, relevant retention obligations may arise in particular under BAO and UGB (typically 7 years for accounting-related records).
Security
We implement appropriate technical and organizational measures under Art. 32 GDPR to protect personal data against loss, unauthorized access and manipulation.
Your Rights
Under the GDPR, you have in particular the right to:
- access (Art. 15 GDPR)
- rectification (Art. 16 GDPR)
- erasure (Art. 17 GDPR)
- restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
- withdraw consent for future processing (Art. 7(3) GDPR)
To exercise your rights, please contact us at datenschutz@roark.at.
Right to Lodge a Complaint
You may lodge a complaint with a data protection supervisory authority. In Austria, the competent authority is:
Austrian Data Protection Authority (Datenschutzbehoerde)
Barichgasse 40-42
1030 Vienna
Website: https://www.dsb.gv.at/
Email: dsb@dsb.gv.at
Updates to This Privacy Notice
We update this privacy notice where processing activities, legal requirements or service providers materially change.
Last updated: March 24, 2026