Privacy statement

1. General and scope

This privacy policy provides information on the type, scope and purpose of the processing of personal data when using our website https://www.taxi31300.at/ as well as our online services.

‍

2. Responsible person

TAXI 31300 VermittlungsGmbH
Johnstraße 4 Top 7, 1150 Vienna, Austria
email: zentrale@taxi31300.at | Phone: +43 1 31300

‍

3. Development & Hosting (Webflow)

Our website will developed, operated and hosted on the basis of Webflow.

Service provider & role: Webflow, Inc., 398 11th Street, San Francisco, CA 94103, USA, acts for us as Contract processor within the meaning of Art. 28 GDPR.
AV contract: With Webflow, there is a Order processing contract (Art. 28 GDPR). Webflow partly sets Sub-processor (e.g. infrastructure/content delivery); Webflow provides an up-to-date list.
Processing purposes by Webflow: Provision/hosting of the website, delivery of static content (HTML, CSS, JS, media), security features (e.g. DDoS protection, error/access logs), performance optimization (CDN), form processing (if used).
Data categories: IP address, time stamp, requested resources/URLs, user agent (browser/OS), referrer, form data, if applicable.
legal basis:
- Art. 6 para. 1 lit. f DSGVO (legitimate interest: secure, efficient provision of the website) for server/security logs and CDN.
- Art. 6 para. 1 lit. b GDPR for forms/contract initiation.
- Art. 6 para. 1 lit. a GDPR in conjunction with Section 165 para. 1 TKG 2021 for unnecessary cookies/tags (only with consent).
Storage period: Security/access logs usually 7 days, then deletion/anonymization; form data in accordance with the deadlines set out below.
Third country transfer: Webflow is a US provider. Data transfers to the USA are carried out on the basis of EU standard contractual clauses (Art. 46 GDPR) including transfer impact assessment and additional technical/organizational measures. A adequate level of protection This is intended; however, the risk of government access in third countries cannot be completely ruled out.

(Note: If Webflow uses EU data centers/CDNs, the role of contract processor and the SCC level of protection for any US payments will remain.)

‍

4. Processing as part of taxi ordering & contract fulfilment

purpose: Arrangement/execution of trips (online, app, telephone), billing, customer service.
data: Name, telephone number, pick-up/destination address, booking details (date/time), payment details, if applicable.
legal basis: Art. 6 para. 1 lit. b GDPR (contract/initiation).
Recipient: Taxi driver (execution of the trip), dispatch/headquarters, payment service provider.
Storage period: Booking/billing data 7 years (UGB/BAO). Travel data will be deleted after the purpose has been fulfilled, unless there are any legal claims.

Customer card/company service: Master data, trip history, billing data, customer number.
legal basis: Art. 6 para. 1 lit. b GDPR.
Storage period: Duration of business relationship plus legal storage (usually 7 years).

‍

5. Transfer to taxi companies and drivers (order processing)

In order to carry out the transport services, we transfer the necessary data to the responsible Taxi companies and their drivers. They act — insofar as they are not responsible themselves — as a contract processor and are contractually bound in accordance with Art. 28 GDPR (purpose limitation, confidentiality, security).

Any other data transfer is only carried out when Consent (Art. 6 para. 1 lit. a), Fulfilment of contract (lit. b), legal obligation (lit. c) or legitimate interest (lit. f).

‍

6. Further processing activities (overview)

A. Hosting & Security (Webflow/CDN)
Purpose: Website delivery, stability, defense against attacks.
Data: IP, timestamp, URL, header/browser info.
legal basis: Art. 6 para. 1 lit. f DSGVO.
Storage period: ~7 days.

B. Cookies — technically necessary (Section 165 (3) TKG 2021)
Purpose: Basic functions (e.g. session, language, consent storage).
legal basis: does not require consent.
Storage period: End of session up to several months (depending on purpose).

C. Cookies — Analysis/Marketing (Section 165 (1) TKG 2021)
Purpose: Reach measurement, statistics, personalization.
legal basis: Consent (Art. 6 para. 1 lit. a GDPR) via Consent Banner.
Withdrawal: at any time in Cookie settings.
Recipient: depending on the integrated tool (third country transfer with SCC, if applicable).

D. Communication — Newsletter
Data: email, double opt-in, timestamp.
legal basis: Art. 6 para. 1 lit. a GDPR in conjunction with Section 107 TKG 2021.
Withdrawal: anytime via unsubscribe link.

E. Communication — contact forms/email
Data: Name, email, message.
legal basis: Art. 6 para. 1 lit. b (initiation) or Lit. f (inquiries).
Storage period: Deletion after completion, provided that there are no storage obligations.

F. Callbot/telephone exchange
Data: telephone number, voice/control data for call transfer.
legal basis: Art. 6 para. 1 lit. f (accessibility/service).
Storage period: only temporarily for command implementation.

G. Embedded services/third parties (e.g. iFrames)
When using embedded widgets (e.g. online booking), direct connections to third parties arise. Their data protection information applies; the legal basis is Art. 6 para. 1 lit. b (if necessary for booking) or Art. 6 para. 1 lit. a (for content or cookies that are not necessary).

‍

7. Special provider information

Facebook/Meta Services
Processing only after Consent (Art. 6 para. 1 lit. a). Data: IP, cookie IDs, device/usage data, interactions. Recipient: Meta Platforms, Inc. (USA); SCC for third-country transfers. Withdrawal at any time in the Cookie settings. Profiling/automated decisions for advertising purposes can be made.

Google Tag Manager (GTM)
The GTM does not set any cookies itself, but controls tags (analysis/marketing).
legal basis: Consent (Art. 6 para. 1 lit. a in conjunction with Section 165 para. 1 TKG) for activated unnecessary tags.
Recipient: Google LLC (USA); SCC. Storage time depends on the respective integrated services.

Bunny (CDN)
Purpose: Delivery/Performance/Security.
legal basis: Art. 6 para. 1 lit. f DSGVO.
Data: (abbreviated) IP, time stamp, browser technology, status codes, country assignment, file requests.
Recipient: bunny.net d.o.o., Slovenia (EU).
Storage period: Logs usually up to 7 days.

DPO cookie management (consent tool)
Purpose: Obtain/manage consents for cookies/tags.
legal basis: Art. 6 para. 1 lit. f (proof of consent) and Art. 6 para. 1 lit. c (proof of compliance).
Data: Consent status, time stamp, abbreviated IP/ID if applicable.
Storage period: up to 12 months (or legal proof periods).

gstatic (Google CDN)
Purpose: Delivery of static resources (fonts, JS), security.
legal basis: Art. 6 para. 1 lit. f.
Recipient: Google LLC (USA); SCC.
Storage time: depends on the respective cookie/cache mechanism.

‍

8. Cookies & consent management

Technically necessary cookies We use without consent (Section 165 (3) TKG).
Analytics/marketing cookies Do we set only after consent (Section 165 para. 1 TKG in conjunction with Art. 6 para. 1 lit. a GDPR).
Consents can Revoked anytime will (cookie settings in the page footer/consent banner).
Browser settings allow cookies to be deleted/blocked (functionality may be impaired).

‍

9. Visiting our website (server logs)

When the website is accessed, the Webflow/CDN server automatically processes: IP address, date/time, URL/file name, referrer URL, browser/OS/provider.
Purpose: Establishing a connection, system security, prevention of misuse, statistics.
legal basis: Art. 6 para. 1 lit. f DSGVO.
Storage period: usually 7 days.

‍

10. Data transfers to third countries

If, as part of hosting, embedded services or analysis/marketing tools, there is a transfer to third countries (in particular the USA), this is done on the basis of Standard contractual clauses (Art. 46 GDPR) and — if necessary — further protective measures (pseudonymization, encryption, need-to-know). A Residual risk of government access cannot be completely ruled out.

‍

11. Storage periods (excerpt)

Logs (hosting/security): cca 7 days.
Consent data/cookies: until revocation or in accordance with tool specification (usually up to 12 months).
Contact requests: Deletion after final processing, provided that there are no obligations to the contrary.
Booking/billing documents: 7 years (UGB/BAO).
Trip data (GPS, etc.): Deletion after purpose has been fulfilled, unless there are any claims.

‍

12. Rights of data subjects

They have information (Art. 15), rectification (Art. 16), erasure (Art. 17), constraint (Art. 18), data portability (Art. 20) and contradiction (Art. 21 GDPR).
Consents can anytime be revoked with effect for the future (Art. 7 para. 3).
Complaints should be addressed to Austrian Data Protection Authority (DPO).

‍

13. Technical and organizational measures (Art. 32 GDPR)

Transport encryption (TLS/SSL), HSTS, current cipher suites.
Access control & authentication (MFA, roles, least privilege).
Firewalls/intrusion prevention, monitoring, rate limiting.
Backups/disaster recovery, logging, regular Pen testing.
AV contracts with all order processors, Sub-processor control.
Trainings/policies, confidentiality obligations, incident response processes.
Pseudonymization/anonymization where possible.

‍

14. Update of the privacy policy

We'll update this statement as needed (e.g. after tool changes). We will publish significant changes on the website and, if necessary, actively provide information.

‍