For us, AICT FlexCo, Bruno-Marek-Allee 5/10/6, 1020 Vienna, Austria ("AICT FlexCo", "we", "us"), the protection of your personal data is a matter of great importance. Accordingly, compliance with applicable data protection laws, in particular the General Data Protection Regulation ("GDPR"), the Austrian Data Protection Act ("DSG"), and the Austrian Telecommunications Act ("TKG"), is standard practice for us.
This privacy policy informs you about the nature, scope, and purposes of the collection and processing of your personal data within the context of our service provision.
Name: Felix Degeler
Address: Bruno-Marek-Allee 5/10/6, 1020 Vienna, Austria
Email Address: privacy@aict.group
Personal data is any information relating to an identified or identifiable natural person – meaning someone whose identity is determined or at least determinable. This includes, for example, name, date of birth, email address, and IP address.
When you contact us using the contact details provided above or other contact information, we process your personal data ((user) name, email address, phone number, postal address, and your inquiry, as well as any documents, images, and files contained therein) for the purpose of handling and answering your inquiry.
The legal basis for this is the fulfillment of our (pre-)contractual obligations pursuant to Art. 6 (1) (b) GDPR or our legitimate interests pursuant to Art. 6 (1) (f) GDPR in responding promptly to your inquiry and any follow-up questions.
We store your personal data from contact inquiries for a period of six months so that we can respond adequately to follow-up questions. Longer storage only occurs if a business relationship is established, due to statutory retention obligations (7 years according to § 132 BAO and § 212 UGB), or for the establishment, exercise, or defense of legal claims (in particular § 1484 ff ABGB).
Both concluding the contract for the services we are to provide and fulfilling it require the provision of data, including personal data, which we subsequently process. Fundamentally, we process data from two different groups of data subjects: your data as customers and that of your employees.
As part of customer support and the fulfillment and processing of the contractual relationship with you, we process the following personal data:
This data processing is based on the fulfillment of our contractual obligations to you as a customer pursuant to Art. 6 (1) (b) GDPR. If the data concerns employees, the data processing is based on our legitimate interests as well as those of our customers in the optimal performance of the commissioned service and thus the fulfillment of the contract with the customer.
We offer the AI-supported software Peaceflow, which assists users in conflict resolution, mediation, coaching, and negotiation. The use of Peaceflow requires the registration of a user account.
During registration, we collect the following personal data:
The data processing is based on the fulfillment of the user agreement pursuant to Art. 6 (1) (b) GDPR.
For paid services, we use the payment service provider Stripe. Payment data (e.g., credit card details, account information) is processed directly by Stripe and is not stored on our servers. Stripe acts as a data processor pursuant to Art. 28 GDPR. Further information on data processing by Stripe can be found in Stripe's privacy policy at https://stripe.com/privacy.
When you use Peaceflow, we process your chat content and conversation histories to provide you with AI-supported assistance in conflict resolution, mediation, coaching, and negotiation. The processing is based on contract fulfillment pursuant to Art. 6 (1) (b) GDPR.
Important notes on data processing:
To improve user support, Peaceflow automatically determines a so-called Emergency Score (risk assessment from 1-10). This score serves to assess the urgency and the need for support in your situation and to adjust Peaceflow's responses accordingly.
The Emergency Score is stored user-specifically in your personal Knowledge Base and is exclusively accessible to you. Third parties have no access to this data. The processing is based on contract fulfillment pursuant to Art. 6 (1) (b) GDPR.
For the sake of clarity, we note that you are not subject to a decision based solely on automated processing pursuant to Art. 22 GDPR. The Emergency Score serves merely to adjust the AI responses and has no legal effect on you.
Peaceflow features automated protective mechanisms (Safety Guardrails) that detect and automatically remove sensitive personal information (e.g., social security numbers, credit card numbers) from your inputs. This detected data is not stored or logged. Only the information that a removal has taken place is logged for security purposes.
Peaceflow allows you to invite other people to joint chats. This is done by sharing a chat link. To join a multi-user chat, the invited person must register or log into their existing account. All participants in a multi-user chat have access to the entire chat history.
If you invite other people to a chat, you are responsible for ensuring that these people are informed about the data processing and agree to it.
We store your chat histories indefinitely as long as your user account is active. The data is stored either with live access or archived, but is not automatically deleted. This gives you continuous access to your conversation histories and lets you use the system's learning functions.
Chat histories cannot be deleted individually by you. A deletion of all your data occurs exclusively through the deletion of your user account.
Account Deletion: If you request the deletion of your account, all your personal data, including chat histories, will be fully and irrevocably deleted within 5-7 business days. Deletion is currently a manual process.
Account data (name, email) is stored for as long as your user account exists. Upon account deletion, all personal data is deleted, except for data that must be further stored due to statutory retention obligations (e.g., billing data for 7 years according to § 132 BAO and § 212 UGB). This data is stored separately from your account.
For the purpose of Customer Relationship Management (CRM), we process master data of customers ((company) name, address, email address, phone number) as well as general contract data to maintain our relationship with our customers and align our marketing strategy accordingly. We process this personal data to occasionally inform you as a customer about our activities, services, and offers.
The legal basis for postal marketing is our legitimate interests pursuant to Art. 6 (1) (f) GDPR. Electronic direct marketing (e.g., newsletters) takes place exclusively on the basis of your voluntary and explicit consent pursuant to Art. 6 (1) (a) GDPR in conjunction with § 174 TKG. You can revoke your consent at any time with effect for the future (e.g., via email to privacy@aict.group or via the "Unsubscribe" link in any newsletter).
We store the aforementioned personal data after the end of the business relationship for a period of three years after your last contact with us, unless you have previously objected to the use of your data for this purpose or revoked your consent.
We generally only store your personal data for as long as we need it to fulfill the purposes outlined. If we no longer need your data, it will be deleted from our systems or irrevocably anonymized so that you can no longer be identified.
In addition, we store your personal data if there are indications that the data is necessary for the establishment, exercise, or defense of our legal claims. The retention of data is subject to statutory limitation periods (in particular § 1484 ff ABGB).
We treat your personal data as strictly confidential and deliberately keep the circle of recipients small ("need-to-know principle").
Your personal data is transferred in individual cases and to the extent necessary to the following recipients, who act as independent data controllers:
In addition, we use external providers and IT service providers who may have access to your personal data. This is necessary to perform the commissioned services. These external service providers are data processors pursuant to Art. 28 GDPR, who are obliged to maintain confidentiality and only process your personal data on our behalf, based on our instructions, and to provide the commissioned services.
We use the following data processors:
Third Country Transfers:
Some of the aforementioned data processors are based in the USA. For the transfer of personal data to the USA, we rely on the standard contractual clauses of the EU Commission pursuant to Art. 46 GDPR as well as additional technical and organizational measures to ensure an adequate level of data protection. Microsoft, Google, and other mentioned service providers are also certified under the EU-US Data Privacy Framework.
Data security is a matter of course for us. We have implemented appropriate technical and organizational security measures pursuant to Art. 32 GDPR to ensure the confidentiality and security of your personal data.
As a data subject, you have the following rights:
Furthermore, you have the right to lodge a complaint with the competent supervisory authority. In Austria, this is:
Austrian Data Protection Authority (Österreichische Datenschutzbehörde)
Barichgasse 40-42
1030 Vienna
Email: dsb@dsb.gv.at
Before making a formal complaint or if you have any questions/concerns regarding the processing of your personal data, please feel free to contact us at privacy@aict.group. We are always happy to assist you with advice and support.