Privacy Policy
1. Controller
Controller within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG):
Ens Naturale e.U.
Owner: Cosmin Birtalan
Neustiftgasse 101/1/10
1070 Vienna, Austria
Email: office@compliance-kit.eu
2. Data Protection Officer
A solo-founder setup does not trigger mandatory DPO appointment (§ 38 BDSG only applies for a German seat). For data-protection inquiries please contact the controller directly.
3. Collection and storage of personal data
3.1 Visiting the website (server log files)
When you visit our website, your browser automatically transmits the following to our hosting server:
- IP address of the requesting machine (truncated after processing)
- Date and time of access
- Name and URL of the requested file
- Website from which access takes place (referrer URL)
- Browser used and operating system
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in functional security + cyber security).
Retention: 7 days, then automatic deletion.
3.2 Orders (Paddle Checkout)
The following data is processed during an order:
- Company name + address
- First and last name of contact person
- Email address
- Phone number (optional)
- Payment data (held by Paddle, not stored directly by us)
- VAT-ID (B2B, for reverse-charge)
- Billing and delivery address
Legal basis: Art. 6 (1) (b) GDPR (contract performance) + (c) (statutory record-keeping obligations under § 132 BAO Austria, § 147 AO Germany).
Retention: 7 years (§ 132 BAO Austria) / 10 years (§ 147 AO Germany) for tax/accounting records.
4. Third-party services / processors
4.1 Payment processing via Paddle (Merchant of Record)
For order and payment processing we use Paddle as so-called Merchant of Record. The buyer's contractual counterparty for the payment processing is therefore not Ens Naturale e.U., but a Paddle entity:
- For buyers domiciled in the EEA: Paddle.com Market B.V., Spuistraat 282, 1012 VX Amsterdam, Netherlands
- For buyers outside the EEA: Paddle.com Market Limited, 110 Bishopsgate, London EC2N 4AY, United Kingdom, or Paddle.com, Inc., 3811 Ditmars Blvd, Astoria NY 11105, USA
Personal data transferred: name, email address, billing address, IP address, browser information, payment details, and VAT-ID for B2B purchases.
Legal basis: Art. 6 (1) (b) GDPR (performance of contract) and Art. 6 (1) (f) GDPR (legitimate interest in secure payment processing and fraud prevention).
Data transfer to the United Kingdom: Paddle's central data processing infrastructure is located in the United Kingdom. The data transfer is based on the European Commission's adequacy decision (EU) 2021/1772 of 28 June 2021, valid until 27 June 2027.
Data transfer to the USA: Where data is transferred to Paddle.com, Inc. (USA), this is based on the European Commission's Standard Contractual Clauses (SCC, Implementing Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework.
Data Processing Agreement: A data processing agreement under Art. 28 GDPR is in place with Paddle. Paddle's privacy policy is available at paddle.com/legal/privacy.
Retention period: In accordance with tax law retention obligations (generally 10 years).
4.2 Transactional emails — Resend (Resend Inc., USA / EU region Frankfurt)
Resend Inc. (US provider with EU region Frankfurt) is used for transactional emails (order confirmation, download link, update notifications). Standard Contractual Clauses (SCC) concluded.
| Service | Delivery of transactional emails (order confirmation, download link, update notifications) |
| Provider | Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA — EU region Frankfurt |
| Purpose | Delivery of transactional emails to customers |
| Legal basis | Art. 6 (1) (b) GDPR (contract performance) |
| Data categories | Email address, recipient name, content of transactional emails |
| Third country | USA — secured by Standard Contractual Clauses (SCC); data processing in EU region Frankfurt |
| Privacy policy | resend.com/legal/privacy-policy |
4.3 Hosting / DNS / CDN / Email routing — Cloudflare
Cloudflare bundles multiple functions for us: hosting (Cloudflare Pages, EU edge delivery), DNS resolution, content delivery network, DDoS/bot protection, and email routing for incoming emails to office@compliance-kit.eu. A data processing agreement under Art. 28 GDPR is in place.
| Service | Static web hosting (Cloudflare Pages, EU edge), DNS, CDN, DDoS/bot protection, email routing (incoming emails) |
| Provider | Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA |
| Purpose | Delivery of static website content via EU edge, DNS resolution, CDN caching, DDoS/bot protection, routing of incoming emails to office@compliance-kit.eu |
| Legal basis | Art. 6 (1) (f) GDPR (legitimate interest — hosting performance, functional security, cyber security) |
| Data categories | Truncated IP address, user agent, request path, timestamp; for email routing: sender/recipient address, content of incoming emails |
| Third country | USA — secured by EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCC); data processing agreement under Art. 28 GDPR concluded |
| Privacy policy | cloudflare.com/privacypolicy |
4.4 File storage and backend functions — Firebase (Google LLC)
After a successful order, the personalised kit files (Word templates) are made available for download via Firebase Storage; webhook processing and dispatch of download links are handled via Firebase Cloud Functions. A data processing agreement under Art. 28 GDPR is in place.
| Service | Firebase Storage (file storage for kit deliveries) + Firebase Cloud Functions (Paddle webhook processing, download link generation, transactional email triggers) |
| Provider | Google Ireland Ltd., Gordon House, 4 Barrow Street, Dublin 4, Ireland (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) |
| Purpose | Delivery of purchased Compliance Kits for download, processing of Paddle webhooks, generation of time-limited download links, triggering transactional emails (via Resend) |
| Region | EU region europe-west3 (Frankfurt) |
| Legal basis | Art. 6 (1) (b) GDPR (performance of contract — delivery of ordered kit files) |
| Data categories | Email address, company name, order number (Paddle transaction ID), order details (kit type, tier), download link token, IP address |
| Third country | USA — secured by EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCC); data processing agreement under Art. 28 GDPR concluded. Data processing primarily in EU region Frankfurt. |
| Retention | Order data per tax-law retention obligations (generally 10 years); download links valid for 7 days, extendable once for a further 7 days |
| Privacy policy | policies.google.com/privacy + firebase.google.com/support/privacy |
5. Cookies
We use only strictly necessary cookies (session cookies, security tokens, language selection). No tracking or third-party cookies are set — therefore no cookie banner is required.
Paddle Checkout uses only session/security cookies during the payment process.
6. Your rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR)
Please direct your request to: office@compliance-kit.eu. We respond within 1 month (extendable to 3 months for complex requests).
7. Right to lodge a complaint
You have the right to lodge a complaint with a data-protection supervisory authority. The competent authority is:
Austrian Data Protection Authority (DSB)
Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Web: www.dsb.gv.at
8. Data security
We use TLS 1.3 (HTTPS) encryption. Personal data is transmitted and stored encrypted. Only authorised persons have access to data, on a need-to-know basis.
9. Validity of this privacy policy
This privacy policy is currently valid and is dated 09.05.2026. If our processing activities change, we will update the policy.