Data protection provisions about the website sproof.com
This Privacy Policy applies exclusively to our website, sproof.com, and to data processing in connection with inquiries, pre-contractual and contractual communications, and documentation.
The Privacy Policy for our web applications, sproof sign and sproof Ident, can be found here.
1. Introduction
The protection of your personal data is of particular importance to us. Consequently, we process your personal data in accordance with the applicable legal provisions governing the protection, lawful handling, and confidentiality of personal data, in particular the Austrian Data Protection Act (hereinafter “DSG”), the General Data Protection Regulation (hereinafter “GDPR”), and the Telecommunications Act 2021 (hereinafter “TKG 2021”).
The following information explains how we process your personal data when you use our website (www.sproof.com) (hereinafter referred to as the “Website”).
This Privacy Policy applies to the website www.sproof.com. The web application sproof sign.sproof.com is technically separate; there is no automated data exchange between the sites.
2. Name and contact information of the data controller
sproof GmbH (hereinafter “sproof” or “we”) is responsible for data processing on this website.
sproof GmbH Urstein Süd 19/2
A-5412 Puch near Hallein
Austria
Email: privacy@sproof.com
3. Data processing
In providing our services, in particular our website and the offers made available on our website, we process personal data of users of our website as well as of users who use our online offer. The specific data processing methods are presented below:
3.1. Data processing Website use
The following personal data is automatically processed when you visit our website:
- Log;
- IP address (in truncated/anonymized form);
- Type and version of your web browser;
- Data about your device (e.g., device ID);
- The date and time of visits to our website or its subpages;
- Website from which you access our website (referrer URL).
Purpose of processing: The purpose of processing is to provide you with the content on our website, to ensure the security and stability of our IT infrastructure, to conduct anonymized analyses for optimization purposes, and to enable you to use our website for informational purposes.
Retention period: Log data is generally retained for 30 days. In the event of a security-related incident (e.g., a DDoS attack or attempted intrusion), the data is retained until the incident has been fully investigated and resolved.
Legal Basis: The legal basis for processing this data is our legitimate interest pursuant to Article 6(1)(f) of the GDPR. Our legitimate interest consists of making our website user-friendly, continuously improving it, providing you with the content you access securely and without errors, and ensuring the security of our IT infrastructure (in particular to defend against and document attacks and disruptions).
Provision of Data: The provision of this data is technically necessary. Without this data, we are unable to provide you with the website content you have accessed.
3.2. Data Processing, Contact Requests, and Communication
Use of Atlassian (Jira Service Desk / Confluence)
You can contact us directly by email or through our forms. To efficiently process and organize customer inquiries, we use systems provided by our IT service provider, Atlassian (Atlassian Pty Ltd, Level 6, 341 George Street, Sydney NSW 2000, Australia).
- Purpose: To respond to and archive contact requests, support tickets, and customer communications.
- Legal basis: The processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in prompt and professional communication and—if your inquiry is aimed at entering into or performing a contract—on the implementation of precontractual measures or the performance of the contract (Art. 6(1)(b) GDPR).
- Transfers to third countries: Atlassian is headquartered in Australia and uses servers worldwide (including in the U.S.). Data transfers are safeguarded by the conclusion of EU Standard Contractual Clauses (SCCs) in accordance with Article 46(2)(c) of the GDPR.
Using Google Workspace and Gmail
For our internal and external email communication, we use Google Workspace, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
- Data Processed: Name, email address, communication metadata, and the content and attachments of your emails.
- Legal basis: Performance of a contract or implementation of precontractual measures (Art. 6(1)(b) of the GDPR), as well as our legitimate interest in a modern, secure, and efficient office and communications infrastructure (Art. 6(1)(f) of the GDPR).
- Transfers to Third Countries: Google may also process data in third countries outside the EU (particularly the United States). Google LLC is certified under the EU-U.S. Data Privacy Framework. Additionally, the processing is safeguarded by EU Standard Contractual Clauses.
- Retention Period: We delete emails and the data they contain as soon as they are no longer necessary for the purpose of communication and there are no legal (particularly corporate and tax law) retention requirements that prevent their deletion.
Using HubSpot
We use HubSpot’s CRM system (HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA) to manage our customer relationships, maintain records, and optimize our sales and communication processes.
- Data Processed: Depending on the communication channel, we process master data, contact information, email histories, notes from phone calls or video conferences, and, where applicable (only with prior consent), transcripts or recordings of online meetings.
- Legal Basis:
- Consent (Art. 6(1)(a) GDPR) in conjunction with § 165(3) TKG 2021: We always obtain your explicit, voluntary consent in advance for the active recording of audio and video during phone calls or video meetings.
- Legitimate interest (Art. 6(1)(f) GDPR): To log written chats, emails, and customer histories in the CRM system for the purpose of providing efficient B2B customer service and ensuring accurate assignment of inquiries.
- Transfers to Third Countries: HubSpot stores data in the United States, among other locations. HubSpot, Inc. is certified under the EU-U.S. Data Privacy Framework. In addition, EU Standard Contractual Clauses ensure the level of data protection.
- Withdrawal & Deletion: You may withdraw your consent to recording at any time with future effect (e.g., by email to privacy@sproof.com). The recordings will be deleted immediately once the purpose has been fulfilled or upon revocation, provided that no statutory retention requirements prevent this.
3.3. Data Processing Applicant Management
If you apply for a position with us (via email or through a job portal), we will process the following data:
- Personal information (name, date of birth, nationality);
- Contact information (address, email, phone number);
- Application materials (resume, transcripts, cover letter, education, work experience);
- Notes from job interviews, if any.
Your application information will not be disclosed to unauthorized third parties outside our company.
- Purpose of processing: To conduct and manage the application process and to prepare an employment contract.
- Legal basis: Implementation of pre-contractual measures (Art. 6(1)(b) of the GDPR) and compliance with legal obligations in connection with social security registration in the event of employment (Art. 6(1)(c) of the GDPR).
- Record-keeping (talent pool): If we wish to retain your application for future job openings, we will obtain your explicit consent to do so in accordance with Article 6(1)(a) of the GDPR.
- Retention Period: In the event of a rejection, your application data will be stored for a period of 6 months following the conclusion of the application process to defend against any potential claims (e.g., under the Equal Treatment Act—GlBG) and will be deleted thereafter. If you consent to the retention of your data, we will process it until you revoke your consent, but for no longer than 2 years. You may revoke your consent to the retention of your data at any time by sending an email to privacy@sproof.com.
3.4. Data Processing Newsletter
When you subscribe to our newsletter, we process:
- Your name (for personal address);
- Your email address.
We use the ” double opt-in” process for newsletter sign-ups. After signing up on our website, you will receive a confirmation email to verify that you are the owner of the email address.
- Legal basis: Your explicit consent pursuant to Article 6(1)(a) of the GDPR in conjunction with Section 165(3) of the TKG 2021.
- Data Processor: The data is transferred to our IT service provider for newsletter distribution (headquartered within the EU). A data processing agreement has been entered into in accordance with Article 28 of the GDPR.
- Unsubscribe & Withdrawal: You may withdraw your consent at any time, free of charge, with future effect. To do so, use the unsubscribe link at the bottom of each newsletter or send us an email at privacy@sproof.com. Your data will then be promptly removed from the mailing list. The lawfulness of the data processing carried out up until the time of revocation remains unaffected.
3.5. Data Processing, Social Media, and Video Services
Social Media Plugins
We have not integrated any active social media plugins or buttons on our website that transmit data to social media networks as soon as the page loads. Any links to our social media profiles (e.g., LinkedIn, X) are implemented as simple hyperlinks.
Vimeo video service
We embed videos on our website using the “Vimeo” platform. The provider is Vimeo.com, Inc., 330 West 34th Street, 5th Floor, New York, New York 10011, USA.
- Data processed: IP address, technical device and browser information, the URL accessed, and interaction data (e.g., whether a video was started or paused). If you are logged into your Vimeo account, Vimeo can link your browsing activity directly to your personal profile.
- Legal Basis: Data processing is carried out exclusively on the basis of your consent in accordance with Art. 6(1)(a) of the GDPR in conjunction with § 165(3) of the TKG 2021. Videos are not loaded and data is not transmitted until you have actively consented to their activation via our cookie banner or our two-click video player.
- Transfers to Third Countries: Vimeo Inc. is certified under the EU-U.S. Data Privacy Framework (DPF). In addition, we have entered into a data processing agreement based on the EU Standard Contractual Clauses.
3.6. Data Processing, Cookies, and Consent Management
We use cookies and similar technologies (e.g., local storage) on our website. Cookies are small text files that your browser stores on your device.
We distinguish between:
- Strictly necessary (technical) cookies: These are necessary to provide the website’s basic functions (e.g., storing your cookie preferences). These are processed without consent based on our legitimate interest (Art. 6(1)(f) GDPR) in conjunction with § 165(3) TKG 2021.
- Cookies Requiring Consent (Analytics, Marketing, Media): These will not be loaded until you have given us your explicit consent (Art. 6(1)(a) GDPR in conjunction with § 165(3) TKG 2021).
You can adjust or revoke the consents you have given at any time using our integrated consent management tool (cookie banner).
3.7. etracker Data Processing
On this website, we use analytics services provided by etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany.
- Special feature: etracker is used in a cookie-free version by default. Data processing takes place exclusively in the web server’s RAM, without any information being stored on your device. The IP address is anonymized as soon as possible. No data is generated that would allow for the direct identification of an individual.
- Legal basis: The processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in measuring reach in a privacy-friendly manner and optimizing our website.
- To the extent that we use additional analytics and optimization cookies from etracker, we do so exclusively on the basis of your prior express consent (Art. 6(1)(a) GDPR in conjunction with § 165(3) TKG 2021).
- Objection: You may object at any time to the collection of your usage data by etracker without the use of cookies:
Opt-out
3.8. Data Processing and B2B Analysis (Venta.ai & SalesViewer)
Venta AI
If you give your consent in the cookie banner, we use Venta AI (april.eleven GmbH, Am Kartoffelgarten 14, 81671 Munich, Germany) to identify the company or organization from which a visit to our website originates.
- Data Processed: Online identifiers (IP address, cookie ID), usage data (pages viewed, duration of visit, referrer URL), and statistical company data derived from this information (company name, industry, location).
- Purpose: B2B marketing, sales support, and website optimization for corporate clients.
- Legal basis: Consent pursuant to Article 6(1)(a) of the GDPR in conjunction with Section 165(3) of the TKG 2021. You may withdraw your consent at any time via the cookie banner.
SalesViewer® Technology
Based on our legitimate interest (Art. 6(1)(f) of the GDPR), we use SalesViewer® technology provided by SalesViewer® GmbH, Huestraße 30, 44787 Bochum, Germany, to analyze visits to our business website.
- How it works: JavaScript-based code is used to collect company-related data. The data (e.g., IP address) is encrypted using a one-way function (hashing) that cannot be reversed and is immediately pseudonymized. No natural persons are identified.
- Purpose: To identify B2B prospects for marketing and market research purposes.
- Opt-out: You can opt out of data collection by SalesViewer® at any time by clicking the following link: salesviewer.com/opt-out. This will place an opt-out cookie for our website on your device.
3.9. Use of the LinkedIn Insight Tag
We use the “LinkedIn Insight Tag” from LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, on our website.
- Purpose: Conversion tracking (measuring the success of our LinkedIn ads), retargeting (displaying relevant ads to website visitors on LinkedIn), and website analytics (aggregated demographic reports about our visitors).
- Data collected: URL, referrer URL, IP address (truncated by LinkedIn), device properties, timestamps, and actions taken (e.g., form submissions).
- Legal basis: The processing (including the setting of the cookie
li_c) is carried out exclusively on the basis of your explicit consent in accordance with Article 6(1)(a) of the GDPR in conjunction with Section 165(3) of the TKG 2021. - Joint Controllership: We are jointly responsible with LinkedIn Ireland for the collection and transfer of data to LinkedIn (Art. 26 GDPR). We have entered into a Joint Controller Addendum for this purpose, which you can view at legal.linkedin.com/pages-joint-controller-addendum. LinkedIn is the sole controller for the subsequent processing by LinkedIn.
- Transfer to Third Countries: LinkedIn processes some data on servers operated by LinkedIn Corporation in the United States. This transfer is safeguarded by EU Standard Contractual Clauses. In addition, LinkedIn’s parent company is certified under the EU-U.S. Data Privacy Framework.
- Withdrawal: You can withdraw your consent at any time through our cookie settings or by using the opt-out option for LinkedIn members in their account settings.
4. Automated decision-making / profiling
No automated decision-making, including profiling, within the meaning of Article 22, paragraphs 1 and 4 of the GDPR, takes place on our website.
5. Your rights as a data subject
As a data subject, you are entitled to the following rights under the GDPR, provided the legal requirements are met:
- Right of Access (Art. 15 of the GDPR): You may request information regarding whether we process any of your personal data and, if so, what personal data we process.
- Right to Rectification (Art. 16 of the GDPR): You may request the rectification of inaccurate data or the completion of incomplete data.
- Right to Erasure / “Right to Be Forgotten” (Art. 17 GDPR): Under certain conditions, you may request that your data be erased.
- Right to Restriction of Processing (Art. 18 GDPR): You may request that the processing of your data be restricted.
- Right to Data Portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format or to have it transferred to another controller.
- Right to Object (Art. 21 GDPR): You may object at any time, on grounds relating to your particular situation, to processing carried out on the basis of our legitimate interest (Art. 6(1)(f) GDPR).
- Right to Withdraw Consent (Art. 7(3) of the GDPR): You may withdraw any consent you have given at any time, effective for the future.
To exercise your rights, please contact us by email at privacy@sproof.com.
Right to File a Complaint with the Supervisory Authority
If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been infringed, you have the right to file a complaint with the competent supervisory authority. In Austria, this is:
Austrian Data Protection Authority (DSB) Barichgasse 40-42
1030 Vienna
Phone:
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at
6. Status and Changes
This Privacy Policy is current as of July 2026.
An update may be necessary due to technical changes or changes in legal requirements. We therefore recommend that you review this statement periodically.
This Privacy Policy is available in various languages. In the event of any ambiguities, discrepancies, or questions of interpretation, the German version of this Privacy Policy shall be the sole authoritative version.
