Privacy Policy
For us, AICT FlexCo, Bruno-Marek-Allee 5/10/6, 1020 Vienna, Austria ("AICT FlexCo", "we", "us"), the protection of your personal data is a major concern. Accordingly, compliance with applicable data protection laws, in particular the General Data Protection Regulation ("GDPR"), the Austrian Data Protection Act ("DSG"), and the Austrian Telecommunications Act ("TKG"), is a matter of course for us.
This Privacy Policy informs you about the nature, scope, and purposes of the collection and processing of your personal data within the framework of our service provision.
Contact Details of the Controller
Name: Felix Degeler
Address: Bruno-Marek-Allee 5/10/6, 1020 Vienna, Austria
E-Mail Address: privacy@aict.group
What is personal data?
Personal data is any information relating to an identified or identifiable natural person – meaning a person whose identity is determined or at least determinable. This includes, for example, name, date of birth, e-mail address, IP address, etc.
Data Processing
General Contact
If you contact us via the contact details listed above or other contact information, we process your personal data ((user) name, e-mail address, telephone number, postal address, and your inquiry as well as any documents, images, and records contained therein) for the purpose of processing and answering your inquiry.
The legal basis for this is the fulfillment of our (pre-)contractual obligations pursuant to Art 6 (1) (b) GDPR or our legitimate interests pursuant to Art 6 (1) (f) GDPR in the rapid handling of your inquiry and response to any follow-up questions.
We store your personal data in the context of contact inquiries for a period of six months so that we can respond appropriately to follow-up questions. A longer storage period only occurs if a business relationship is established, due to statutory retention obligations (7 years according to § 132 BAO and § 212 UGB), or for the assertion and defense of legal claims (in particular § 1484 et seq. ABGB).
Business Relationship and Contract Fulfillment
Both for the conclusion of the contract regarding the services to be provided by us and for its fulfillment, the provision of data – including personal data – is required, which we subsequently process. In principle, we process data from two different groups of data subjects: your data as a customer and that of employees.
Within the scope of customer support and fulfillment and processing of the contractual relationship with you, we process the following personal data:
- Master Data: We process master data of the company as well as the contact persons (e.g., company name; business address; name, e-mail address, telephone number, and position of the contact person within the company).
- General Business Relationship Data: We process basic data regarding the contractual relationship with you or your company, in particular contract data and contract amendments, billing and order data, and data on incoming payments.
This data processing is based on the fulfillment of our contractual obligations to you as a customer pursuant to Art 6 (1) (b) GDPR. Insofar as it concerns data of employees, the data processing is based on our legitimate interests as well as those of our customers in the optimal execution of the commissioned service and thus the fulfillment of the contract with the customer.
Use of Peaceflow AI Software
We offer the AI-supported software Peaceflow, which supports users in conflict resolution, mediation, coaching, and negotiation. The use of Peaceflow requires the registration of a user account.
Registration and Account Management
During registration, we collect the following personal data:
- Name (First Name, Last Name)
- E-Mail Address
- Password (stored encrypted in our password and user management tool Supabase and not visible to us)
Data processing is carried out based on the fulfillment of the user agreement pursuant to Art 6 (1) (b) GDPR.
Payment Processing
For paid services, we use the payment service provider Stripe. Payment data (e.g., credit card data, account information) is processed directly by Stripe and is not stored on our servers. Stripe acts as a processor pursuant to Art 28 GDPR. Further information on data processing by Stripe can be found in Stripe's privacy policy at https://stripe.com/privacy.
Chat History and Conversation Content
When using Peaceflow, we process your chat content and conversation history to provide you with AI-supported assistance in conflict resolution, mediation, coaching, and negotiation. Processing is carried out based on contract fulfillment pursuant to Art 6 (1) (b) GDPR.
Important Notes on Data Processing:
- No Use for AI Training: Your chat content is explicitly not used to train or improve our AI models.
- Hosting and Data Processing: We use Microsoft Azure OpenAI Service to process your chat content. The Azure infrastructure (databases, storage) is located in European data centers. The Azure OpenAI Service is currently provided via US data centers. Backups are stored exclusively in the EU.
- AI Model: We use Azure OpenAI Service with GPT-4o Mini, hosted by Microsoft.
Emergency Score and Automated Analysis
To improve user support, Peaceflow automatically determines a so-called Emergency Score (risk assessment from 1-10). This score serves to assess the urgency and need for support in your situation and to adapt Peaceflow's responses accordingly.
The Emergency Score is stored user-specifically in your personal Knowledge Base and is exclusively accessible to you. Third parties do not have access to this data. Processing is carried out based on contract fulfillment pursuant to Art 6 (1) (b) GDPR.
For clarification, it is noted that you are not subject to a solely automated decision pursuant to Art 22 GDPR. The Emergency Score merely serves to adapt the AI responses and has no legal effect on you.
Protection of Personal Data (PII Detection)
Peaceflow has automated protection mechanisms (Safety Guardrails) that detect personally identifiable sensitive information (e.g., social security numbers, credit card numbers, etc.) in your inputs and automatically remove them. This detected data is not stored or logged. Only the information that a removal has taken place is logged for security purposes.
Multi-User Chats
Peaceflow allows you to invite other people to joint chats. This is done by sharing a chat link. To join a multi-user chat, the invited person must register or log in to their existing account. All participants in a multi-user chat have access to the complete chat history.
If you invite other people to a chat, you are responsible for ensuring that these people are informed about the data processing and agree to it.
Retention Period
We store your chat histories indefinitely as long as your user account is active. The data is stored either in live access or archived, but not automatically deleted. This allows you continuous access to your conversation histories and the use of the system's learning functions.
Chat histories cannot be deleted individually by you. Deletion of all your data occurs exclusively through the deletion of your user account.
Account Deletion: If you request the deletion of your account, all your personal data, including chat histories, will be completely and irrevocably deleted within 5-7 business days. Deletion is currently a manual process.
We store account data (Name, E-Mail) as long as your user account exists. After account deletion, all personal data will be deleted, with the exception of data that must continue to be stored due to statutory retention obligations (e.g., billing data for 7 years pursuant to § 132 BAO and § 212 UGB). This data is stored separately from your account.
CRM Database
Marketing
For the purpose of Customer Relationship Management (CRM), we process master data of customers ((company) name, address, e-mail address, telephone number) as well as general contract data to maintain the relationship and bond with our customers and to align our marketing strategy accordingly. We process this personal data to occasionally inform you as a customer about our activities, services, and offers.
The legal basis for postal marketing is our legitimate interests pursuant to Art 6 (1) (f) GDPR. Electronic direct marketing (e.g., newsletter) takes place exclusively on the basis of your voluntary and express consent pursuant to Art 6 (1) (a) GDPR in conjunction with § 174 TKG. You can revoke your consent at any time with effect for the future (e.g., via e-mail to privacy@aict.group or via the "Unsubscribe" link in every newsletter).
We store the mentioned personal data after the end of the business relationship for a period of three years after your last contact with us, unless you have previously objected to the use of your data for this purpose or revoked your consent.
Retention Period (General)
In principle, we store your personal data only as long as we need it for the fulfillment of the purposes described. If we no longer need your data, it will be deleted from our systems or irrevocably anonymized so that you can no longer be identified.
In addition, we store your personal data if there are indications that the data is required for the assertion and defense of our legal claims. The retention of data is subject to statutory limitation periods (in particular § 1484 et seq. ABGB).
Recipients of Personal Data
We naturally treat your personal data as strictly confidential and keep the circle of recipients deliberately small ("Need-to-know principle").
Transfer of your personal data takes place in individual cases and to the extent necessary to the following recipients, who act as independent controllers:
- Courts, authorities, and other public institutions, insofar as legally provided (e.g., Data Protection Authority, tax authorities; state courts);
- External third parties based on our legitimate interests in the assertion, enforcement, and defense of our legal claims (legal representatives and insurance companies, auditors, other consultants).
In addition, we use external providers and IT service providers who may have access to your personal data. This is necessary to provide the commissioned services. These external service providers are processors pursuant to Art 28 GDPR, who are bound to confidentiality and process your personal data only on our behalf, based on our instructions, and for the provision of the commissioned services.
We use the following processors:
- Microsoft Azure (Microsoft Corporation, USA): Cloud hosting and infrastructure.
- Supabase (Supabase Inc., USA): User account management.
- Stripe (Stripe Inc., USA): Payment processing.
- MailerLite (MailerLite Limited, Lithuania): E-mail marketing.
- Notion (Notion Labs Inc., USA): CRM and document management.
- Google Workspace (Google LLC, USA): Internal communication.
Third Country Transfers: Some of the mentioned processors are based in the USA. For the transfer of personal data to the USA, we rely on the standard contractual clauses of the EU Commission pursuant to Art 46 GDPR as well as additional technical and organizational measures. Microsoft, Google, and other mentioned service providers are also certified under the EU-US Data Privacy Framework.
Data Security
For us, data security is a matter of course. We have taken appropriate technical and organizational security measures pursuant to Art 32 GDPR to ensure the confidentiality and security of your personal data.
Rights of Data Subjects
As a data subject, you have the following rights:
- Right to access (Art 15 GDPR)
- Right to rectification (Art 16 GDPR)
- Right to erasure (Art 17 GDPR)
- Right to restriction of processing (Art 18 GDPR)
- Right to data portability (Art 20 GDPR)
- Right to withdraw consent given (Art 7 (3) GDPR)
- Right to object (Art 21 GDPR)
Furthermore, you have the right to lodge a complaint with the competent supervisory authority. In Austria, this is:
Österreichische Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40-42, 1030 Vienna
E-Mail: dsb@dsb.gv.at
Before lodging a formal complaint or if you have questions/concerns regarding the processing of your personal data, you are welcome to contact us at privacy@aict.group. We are always happy to help.