PRIVACY POLICY
August 2025
1. Controller
The entity responsible for the processing of personal data pursuant to Art. 4(7) GDPR is:
Expand Future GmbH
Seitenstettengasse 5/37
1010 Vienna, Austria
E-mail: hello@expand-future.com
For all questions concerning the protection of your personal data or the exercise of your rights under GDPR, you may contact us at the above details. We have not appointed a Data Protection Officer as we do not meet the mandatory requirements under Art. 37 GDPR.
2. Categories of Personal Data
We may process the following categories of personal data, depending on your relationship with us and your use of this website:
Identification data: name, title, date of birth, gender, position, function.
Contact data: address, telephone number, e-mail address.
Contract and order data: contractual relationship, invoicing data, payment details, correspondence, performance history.
Website usage data: IP address, access times, browser type, operating system, referrer URL, language settings, log files, device identifiers.
Marketing data: preferences, consent history, newsletter interactions, cookies and tracking information.
Special categories of personal data: as a rule, we do not process sensitive data (Art. 9 GDPR). Should such processing be required (e.g. in exceptional HR matters), it will only take place on the basis of explicit consent or another legal justification.
3. Legal Bases and Purposes of Processing
We process personal data strictly in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
The processing is carried out for the following purposes and on the following legal bases:
Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR): e.g. fulfilment of service agreements, provision of our products, processing of inquiries, or customer support.
Compliance with legal obligations (Art. 6(1)(c) GDPR): e.g. storage obligations under tax and commercial law, compliance with export regulations, documentation duties.
Legitimate interests (Art. 6(1)(f) GDPR): e.g. ensuring IT security, preventing fraud, direct marketing to existing clients, optimisation of services, maintaining business relationships.
Consent (Art. 6(1)(a) GDPR): e.g. newsletter subscription, analysis and tracking cookies, use of certain third-party services.
Where processing is based on your consent, you have the right to withdraw it at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal.
4. Website Access and Log Files
Each time this website is accessed, information is automatically collected and stored in server log files. These data include the IP address of the requesting computer, date and time of access, name and URL of the file retrieved, referrer URL, browser type and version, as well as operating system.
The collection of these data is technically necessary to ensure stability, security and functionality of this website. The data are evaluated exclusively for internal statistical purposes and to improve our online presence. The legal basis is our legitimate interest pursuant to Art. 6(1)(f) GDPR. Log files are generally retained for a period of 14 days, unless longer storage is required for security incidents.
5. Cookies and Tracking Technologies
We use cookies and similar technologies to make this website user-friendly, efficient and secure. Cookies are small text files stored on your device. Some are technically necessary (session cookies), others are used to analyse user behaviour (analytics cookies) or for marketing purposes (advertising cookies).
We operate a Consent Management Platform (CMP) in order to ensure that non-essential cookies are only set with your explicit consent. This allows you to manage, accept or refuse individual categories of cookies at any time.
Necessary cookies: required for website operation; set without consent.
Analytics cookies (e.g. Google Analytics 4): allow us to measure and analyse website use. Activated only after your consent.
Marketing cookies: allow personalised advertising. Activated only after your consent.
You can configure your browser to block or delete cookies. Please note that blocking cookies may impair the full functionality of this website.
Cookie retention periods:
Necessary cookies: session-based (deleted when browser is closed) or up to 1 year
Analytics cookies (Google Analytics 4): 26 months from last user activity
Marketing cookies: typically 30-90 days, with a maximum of 2 years depending on the provider
Consent cookies: 13 months to remember your preferences
Detailed information about specific cookies and their retention periods is available in our Cookie Settings, accessible via the cookie banner on this website.
6. Newsletter and Marketing Communication
You may subscribe to our newsletter via this website. Subscription is only possible with your consent (Art. 6(1)(a) GDPR) and is confirmed via the double opt-in procedure. For documentation and legal proof, we log the subscription and confirmation process (time stamp, IP address).
We use your data exclusively for sending our newsletter and information about our products, services, promotions and events. You may unsubscribe at any time via the unsubscribe link contained in every newsletter. Upon unsubscribing, your data will be deleted without undue delay, unless continued storage is required by law.
Unless you object to this, we will transmit your data within our group for the purpose of analysis and for the transmission of information for advertising purposes. Within the group of companies, the data that you have made available to us to receive the newsletter will be compared with data that we may otherwise collect (e.g. when purchasing goods or booking a service).
7. Processing of Customer, Supplier and Prospect Data
We process the personal data of our customers, suppliers and prospects to the extent necessary for the initiation, performance and termination of business relationships. This includes communication, preparation of offers, fulfilment of contractual obligations, accounting, and customer service.
In addition, we collect personal data from interested parties (e.g. contact persons, their contact details, and marketing-relevant information) in the course of our acquisition and sales activities. We are always on the lookout for potential contractual partners on the Internet, at trade fairs, and at other events, and for this purpose, we maintain a marketing database in order to enable targeted advertising for our products and services.
All of the measures listed here are carried out on the basis of our legitimate interest, for marketing purposes, in accordance with Art. 6(1)(f) GDPR, for a period of three years from the end of a contractual relationship (customers and suppliers) or our first (unsuccessful) contact (interested parties).
Data are stored for the duration of the business relationship and thereafter for the statutory retention periods:
Contract and invoice data: 7 years (Austrian tax law)
Customer communication: 3 years after last contact (unless ongoing business relationship)
Newsletter data: until withdrawal of consent
Website logs: 14 days (as stated in Section 4)
Analytics data: 26 months (Google Analytics 4 default)
Marketing consent records: 3 years after withdrawal for documentation purposes
Warranty claims: up to 30 years in exceptional cases for long-term warranties
Data will be deleted or anonymized once the respective retention period expires, unless longer storage is required by law or for the establishment, exercise, or defense of legal claims.
8. Data Transfers and Third-Party Services
For the purposes described above, we may transfer data to external processors (e.g. IT service providers, hosting companies, newsletter systems, payment providers, CRM tools). All processors are contractually bound under Art. 28 GDPR to process personal data only on our documented instructions and in compliance with adequate security measures.
Where third-party providers are located outside the EU/EEA, data transfer takes place on the basis of:
an adequacy decision of the European Commission (e.g. EU–US Data Privacy Framework for certified US providers such as Google, Meta, LinkedIn, Stripe),
Standard Contractual Clauses (SCCs) issued by the European Commission, or
your explicit consent (Art. 49(1)(a) GDPR).
Google Maps Integration
We use Google Maps on this website. This enables us to show you interactive maps directly on this website and enables you to conveniently use the map function to find our location and make your journey easier.
When you visit this website, Google receives the information that you have accessed the corresponding subsite of this website and the personal data listed under section 4. This happens regardless of whether you are logged in to a Google account or not. If you are logged in to Google, your data will be assigned directly to your account. If you do not want this, you must log out of Google before using this service.
Google also processes your data in the USA under the EU-US Data Privacy Framework for which Google is certified.
9. Payment Processing
When using payment providers, personal data necessary for processing the transaction (such as name, payment details, billing address) are transmitted to the respective provider:
Stripe Payments Europe Ltd. (Ireland) – GDPR compliant; potential transfers to the USA under the EU-US Data Privacy Framework.
Bank transfers within the EU/EEA – processed according to applicable banking regulations.
We assume no liability for the independent data processing of external payment providers, which act as separate controllers under GDPR.
10. Security Measures
We implement state-of-the-art technical and organisational measures (TOMs) to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include encrypted data transmission (SSL/TLS), access control systems, firewalls, backups, and regular security reviews.
Nevertheless, we cannot guarantee absolute security of data transmission over the internet. Any transmission is at your own risk.
11. Rights of Data Subjects
Pursuant to GDPR, you have the following rights in relation to personal data concerning you:
Right of access (Art. 15): You have the right to request information about whether and, if so, which personal data about you is being processed.
Right to rectification (Art. 16): You have the right to immediately request the correction of incorrect personal data concerning you or the completion of incomplete personal data.
Right to erasure ("right to be forgotten") (Art. 17): You have the right to request the deletion of your data, provided that the criteria of Art. 17 GDPR are met.
Right to restriction of processing (Art. 18): Under the legal requirements, you have the right to restrict the processing of all personal data collected.
Right to data portability (Art. 20): You can request that the personal data you have provided to us be transferred, unhindered and unrestricted, to you or to a third party.
Right to object (Art. 21): For reasons that arise from your particular situation, you can object at any time to the processing of your personal data that is necessary to safeguard our legitimate interests or those of a third party. You can object to data processing for the purpose of direct marketing at any time with effect for the future.
Right to withdraw consent (Art. 7(3)): If you have separately given your consent to the processing of your data, you can revoke this at any time with effect for the future.
Requests may be addressed in writing to Expand Future GmbH at the contact details indicated in Section 1. We may require proof of identity to prevent misuse. We endeavour to respond to all requests within one month in accordance with statutory obligations.
If you believe that processing of your personal data violates applicable data protection law, you may lodge a complaint with the competent supervisory authority:
Austrian Data Protection Authority (DSB)
Barichgasse 40-42, 1030 Vienna
E-mail: dsb@dsb.gv.at
Telephone: +43 1 52 152-0
Website: https://www.dsb.gv.at
12. Automated Decision-Making and Profiling
We do not engage in automated decision-making, including profiling, pursuant to Art. 22 GDPR that would produce legal effects concerning you or similarly significantly affect you.
Any analytics or marketing activities described in this Privacy Policy are used solely for statistical analysis and service improvement, not for automated individual decision-making.
13. Liability Disclaimer
We carefully select and contractually bind our processors. However, we cannot assume responsibility or liability for the content, security or data processing practices of independent third-party providers (e.g. Google, payment processors). Their own privacy policies apply exclusively.
Any liability claims against Expand Future GmbH relating to material or immaterial damage caused by the use or misuse of information provided shall be excluded, unless there is evidence of wilful misconduct or gross negligence on our part.
14. Changes to this Privacy Policy
We may amend this Privacy Policy from time to time in order to reflect changes in law, technology or business operations. The version published on this website shall apply.
Significant changes will be communicated to you via email (if we have your consent for newsletters) or through a prominent notice on this website. We recommend reviewing this Privacy Policy periodically to stay informed about how we protect your data.
Previous versions of this Privacy Policy are available upon request.
This Privacy Policy complies with the EU General Data Protection Regulation (GDPR) and Austrian data protection law as of August 2025.

