Privacy Policy

Introduction and Overview

We have prepared this Privacy Policy (version 17.10.2025) to explain to you in accordance with the requirements of the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable national laws, which personal data (hereinafter “data”) we as the controller—and the processors commissioned by us (e.g., providers)—process, will process in the future, and what lawful options you have. The terms used are to be understood as gender-neutral.

In short: We provide you with comprehensive information about the data we process about you.

Privacy policies usually sound very technical and use legal terminology. This Privacy Policy, however, is intended to describe the most important matters to you as simply and transparently as possible. Insofar as it is conducive to transparency, technical terms are explained in a reader-friendly manner, links to further information are provided, and we use clear and simple language. We only process personal data in the course of our business activities when there is a corresponding legal basis. Such clarity is certainly not possible if we provide overly brief, unclear, and legalistic-technical explanations, as is often standard on the internet when it comes to data protection.

If you still have questions, please contact the responsible party listed below or in the legal notice, follow the existing links, and view further information on third-party sites. Our contact information can also be found in the legal notice.


Scope of Application

This Privacy Policy applies to all personal data processed by us in the company and to all personal data processed by companies commissioned by us (processors). By personal data, we mean information within the meaning of Art. 4 No. 1 GDPR, such as a person’s name, email address, and postal address. The processing of personal data ensures that we can offer and bill for our services and products, whether online or offline.

The scope of this Privacy Policy includes:

  • All online presences (websites, web applications) that we operate
  • Social media presences and email communication
  • Mobile apps for smartphones and other devices
  • Professional service engagements and consulting projects

In short: This Privacy Policy applies to all areas in which personal data is processed in a structured manner within the company via the channels mentioned. Should we enter into legal relationships with you outside these channels, we will inform you separately if necessary.


In the following Privacy Policy, we provide you with transparent information about the legal principles and regulations, i.e., the legal bases of the General Data Protection Regulation, that enable us to process personal data.

Regarding EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016. You can read this EU General Data Protection Regulation online at EUR-Lex.

We process your data only if at least one of the following conditions applies:

  1. Consent (Article 6 paragraph 1 lit. a GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of data you entered in a contact form.

  2. Contract (Article 6 paragraph 1 lit. b GDPR): To fulfill a contract or pre-contractual obligations with you, we process your data. For example, if we enter into a service agreement with you, we need personal information in advance.

  3. Legal obligation (Article 6 paragraph 1 lit. c GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally obligated to retain invoices for accounting purposes. These usually contain personal data.

  4. Legitimate interests (Article 6 paragraph 1 lit. f GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data to operate our website securely and in an economically efficient manner. This processing is therefore a legitimate interest.

Additional conditions such as the performance of tasks in the public interest and the exercise of official authority, as well as the protection of vital interests, generally do not apply to us. If such a legal basis should nevertheless be applicable, it will be stated at the appropriate place.

In addition to the EU regulation, national laws also apply:

  • In Austria, this is the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act), in short DSG.
  • In Germany, the Federal Data Protection Act applies, in short BDSG.

If other regional or national laws apply, we will inform you about them in the following sections.


Contact Details of the Controller

Should you have any questions about data protection or the processing of personal data, you will find below the contact details of the responsible party according to Article 4 paragraph 7 EU General Data Protection Regulation (GDPR):

HMMC (Human–Machine–Mind Corporation)
Graz, Austria

Email: Contact Form
Legal Notice: Terms and Conditions


Storage Duration

As a general criterion, we only store personal data for as long as is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose has ceased, for example for accounting purposes.

If you wish to have your data deleted or withdraw your consent to data processing, the data will be deleted as quickly as possible, provided there is no obligation to store it.

We will inform you below about the specific duration of the respective data processing, provided we have further information on this.


Rights under the General Data Protection Regulation

In accordance with Articles 13, 14 GDPR, we inform you of the following rights to ensure fair and transparent data processing:

  • According to Article 15 GDPR, you have the right to know whether we process data about you. If this is the case, you have the right to receive a copy of the data and to know the following information:

    • The purposes for which the processing is carried out
    • The categories of personal data being processed
    • The recipients or categories of recipients to whom the data has been or will be disclosed
    • The planned storage period or the criteria for determining this period
    • The existence of the right to rectification, erasure, restriction of processing, or objection
    • The right to lodge a complaint with a supervisory authority
    • The origin of the data if it was not collected from you
    • Whether automated decision-making, including profiling, takes place

  • According to Article 16 GDPR, you have the right to rectification of data, meaning we must correct data if you find errors.

  • According to Article 17 GDPR, you have the right to erasure (“right to be forgotten”), which specifically means that you can request the deletion of your data.

  • According to Article 18 GDPR, you have the right to restriction of processing, meaning that we may only store the data but not use it further.

  • According to Article 20 GDPR, you have the right to data portability, meaning that upon request we will provide you with your data in a common format.

  • According to Article 21 GDPR, you have a right to object, which, once enforced, results in a change in processing:

    • If the processing of your data is based on Article 6 paragraph 1 lit. e (public interest, exercise of official authority) or Article 6 paragraph 1 lit. f (legitimate interest), you can object to the processing. We will then check as quickly as possible whether we can legally comply with this objection.
    • If data is used for direct marketing purposes, you can object to this type of data processing at any time. We may then no longer use your data for direct marketing.
    • If data is used for profiling purposes, you can object to this type of data processing at any time. We may then no longer use your data for profiling.

  • According to Article 22 GDPR, you may have the right not to be subject to a decision based solely on automated processing (including profiling) under certain circumstances.

  • According to Article 77 GDPR, you have the right to lodge a complaint. This means that you can complain to the data protection authority at any time if you believe that the processing of personal data violates the GDPR.

In short: You have rights – do not hesitate to contact the responsible party listed above.

If you believe that the processing of your data violates data protection law or your data protection rights have otherwise been violated in any way, you can complain to the supervisory authority. For Austria, this is the Data Protection Authority. In Germany, there is a data protection officer for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI).


Data Processing Overview

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of Data Processed

  • Contact data (e.g., email, telephone numbers, postal addresses, names)
  • Content data (e.g., text entries in forms, inquiries, messages)
  • Usage data (e.g., websites visited, access times, click behavior)
  • Meta/communication data (e.g., device information, IP addresses)
  • Professional and organizational data (e.g., company name, position, project information)

Categories of Data Subjects

  • Website visitors
  • Prospective clients and partners
  • Service engagement clients
  • Communication partners (email, contact forms)
  • Research publication readers

Purposes of Processing

  • Provision of our website and services
  • Responding to inquiries and communication
  • Security measures and fraud prevention
  • Reach measurement and marketing analytics
  • Professional service delivery and consulting engagements
  • Research dissemination and knowledge sharing

Personal Data

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, “personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Explanation: Personal data is therefore all data that can identify you as a person. These are usually data such as:

  • Name
  • Address
  • Email address
  • Postal address
  • Telephone number
  • Date of birth
  • Identification numbers such as social security number, tax identification number, ID number, or matriculation number
  • Bank data such as account number, credit information, account balances, etc.

According to the European Court of Justice (ECJ), your IP address also counts as personal data. IT experts can use your IP address to determine at least the approximate location of your device and, subsequently, you as the connection owner. Therefore, storing an IP address also requires a legal basis within the meaning of the GDPR.

There are also “special categories” of personal data that are particularly worthy of protection. These include:

  • Racial and ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data, such as data taken from blood or saliva samples
  • Biometric data (information on psychological, physical, or behavioral characteristics that can identify a person)
  • Health data
  • Data on sexual orientation or sex life

HMMC does not intentionally collect special categories of personal data. If such data is shared with us in the context of professional engagements, it is processed only with explicit consent and under strict confidentiality and security measures.


Processing

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Note: When we speak of processing in our Privacy Policy, we mean any type of data processing. This includes, as mentioned in the original GDPR explanation above, not only collection but also storage and processing of data.


Website Hosting and Content Delivery

When you visit our website, certain information is automatically transmitted by your browser to our web server and temporarily stored in log files. This happens without any action on your part, and the information remains logged until it is automatically deleted.

The following data may be stored:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which access was made (referrer URL)
  • Browser used and, if applicable, the operating system of your device and the name of your access provider

This data is processed to enable the use of our website (connection establishment), to ensure long-term system security and stability, and to optimize our website. The legal basis is Article 6 paragraph 1 lit. f GDPR (legitimate interest), as we have a legitimate interest in the technically error-free presentation and optimization of our website.


Contact and Inquiry Management

If you contact us via our contact form, email, or other communication channels, we process the data you provide for the purpose of handling your inquiry and any follow-up questions.

Data processed:

  • Name and contact details (email, phone if provided)
  • Content of your message/inquiry
  • Timestamp of communication
  • Any attachments or additional information provided

Legal basis: Article 6 paragraph 1 lit. b GDPR (contract initiation/pre-contractual measures) and Article 6 paragraph 1 lit. f GDPR (legitimate interest in responding to inquiries and establishing business relationships).

Storage duration: Contact data is stored until your inquiry is fully resolved and then for the period required by legal retention obligations (typically 3-7 years for business correspondence under Austrian commercial law).


Professional Service Engagements

When we enter into professional service agreements with clients, we process personal data necessary for contract fulfillment, project delivery, and ongoing collaboration.

Data processed:

  • Client contact persons (names, titles, email addresses, phone numbers)
  • Organizational information (company name, department, role)
  • Project-related communication and documentation
  • Technical data related to systems we work on
  • Meeting notes and collaboration records

Legal basis: Article 6 paragraph 1 lit. b GDPR (contract performance) and Article 6 paragraph 1 lit. f GDPR (legitimate interest in professional service delivery and documentation).

Storage duration: Data is retained for the duration of the engagement and for the legally required retention period thereafter (typically 7 years under Austrian commercial and tax law).

Confidentiality: All client data is treated as strictly confidential. We maintain appropriate technical and organizational measures to protect sensitive project information, including encryption, access controls, and confidentiality agreements with all team members.


Research Publications and Knowledge Sharing

We publish research findings, case studies, and perspectives on this website. Any examples or case studies are generalized and anonymized to protect client and participant confidentiality.

Data in publications:

  • Generalized metrics and findings (no personally identifiable information)
  • Anonymized case study details
  • Aggregated research insights

Legal basis: Article 6 paragraph 1 lit. f GDPR (legitimate interest in knowledge dissemination and thought leadership).

No personal data is disclosed in our publications without explicit consent.


Cookies and Analytics

We use minimal analytics to understand website usage and improve user experience. We do not use third-party tracking or advertising cookies.

Essential cookies only: Our website uses only technically necessary cookies required for basic functionality (session management, security features).

No tracking: We do not employ user tracking, behavioral profiling, or cross-site tracking mechanisms.

If we implement analytics in the future, we will update this policy and, where required, obtain your consent.


Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Security measures include:

  • Encryption of data in transit (TLS/SSL)
  • Access controls and authentication mechanisms
  • Regular security assessments and updates
  • Staff training on data protection and confidentiality
  • Incident response procedures

Given our expertise in technical trust and security for complex environments, we apply professional-grade security practices to protect all data we handle.


Data Sharing and Third Parties

We do not sell, rent, or trade personal data to third parties. We share data only in the following limited circumstances:

Processors (Article 28 GDPR): We may use service providers (e.g., hosting providers, email services) who process data on our behalf. These processors are contractually bound to process data only according to our instructions and to maintain appropriate security measures.

Legal requirements: We may disclose data if required by law, court order, or regulatory authority.

With your consent: We may share data with third parties if you have explicitly consented to such sharing.


International Data Transfers

Our distributed team operates across European countries. Data may be processed in various EU member states, all of which are subject to GDPR protections.

If data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other legally compliant transfer mechanisms


Your Rights

You have the following rights regarding your personal data:

  • Right to information about what data we store about you
  • Right to rectification of incorrect data
  • Right to erasure of your data (with legal limitations)
  • Right to restriction of processing
  • Right to data portability in a machine-readable format
  • Right to object to processing based on legitimate interests
  • Right to withdraw consent at any time (without affecting prior lawful processing)
  • Right to lodge a complaint with a supervisory authority

To exercise these rights, please contact us using the contact information provided in the legal notice or via our contact form.


Children’s Privacy

Our website and services are directed at professional audiences and business clients. We do not knowingly collect personal data from children under 16 years of age. If you believe we have inadvertently collected data from a child, please contact us immediately.


Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will post any changes on this page with an updated revision date.

We encourage you to review this Privacy Policy periodically. Continued use of our website after changes constitutes acceptance of the updated policy.


Data Protection Officer and Responsible Party

For questions about data protection, you can contact:

HMMC (Human–Machine–Mind Corporation)
Graz, Austria

Contact Form


Supervisory Authority

If you believe we are not processing your data in accordance with data protection regulations, you have the right to lodge a complaint with the competent supervisory authority:

Austria: Österreichische Datenschutzbehörde

Germany: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)


Closing Words

Thank you for reading through our Privacy Policy. As you can see from the scope of this document, we take the protection of your personal data very seriously. It is important to us to inform you to the best of our knowledge about the processing of personal data. We not only want to tell you which data is processed, but also explain the reasons for using various services and practices.

Privacy policies usually sound very technical and legalistic. Since most of you are not web developers or lawyers, we wanted to take a different linguistic approach and explain the matter in simple and clear language. Of course, this is not always possible due to the subject matter. Therefore, the most important terms are explained in context throughout this policy.

If you have questions about data protection on our website, please do not hesitate to contact us or the responsible party. We wish you a pleasant time and hope to welcome you to our website again soon.


Last updated: October 17, 2025

This privacy policy was created with reference to GDPR-compliant frameworks and adapted for HMMC’s specific context and practices.