Who we are (data controller)
Plain English: The legal entity behind this website and how to reach our DPO.
OS Domains GmbH is an Austrian limited liability company registered with the Vienna Commercial Court at Fleischmarkt 1, 1010 Wien, Austria. We are the data controller for personal data processed through this website (osdomains.com and its subdomains) and the customer portal (app.osdomains.com). Our Data Protection Officer is reachable at [email protected] and responds to inquiries within 1 business day. For customer-specific data processing (where we process personal data on behalf of our customers), we act as a data processor under the separate Data Processing Agreement at /dpa. This Privacy Policy covers our processing as a controller — when you visit our website, sign up for our newsletter, fill out a contact form, or interact with our marketing assets.
What personal data we collect
Plain English: The specific categories, source by source, with no marketing fluff.
We collect the following categories of personal data: (a) Information you actively provide via contact forms, sales inquiries, or job applications — typically name, work email, company, phone (optional), and the content of your message. (b) Account credentials and billing information when you become a customer — name, work email, billing address, VAT ID, and payment method via Stripe (we never see your card number). (c) Technical data automatically collected when you visit the website — IP address (used only for security and edge routing, not for tracking), user agent, the URL you came from, the URLs you visited within our site, and the timestamp. This data is processed by Cloudflare for DDoS protection and bot mitigation. (d) Aggregate analytics data via Plausible Analytics (EU-hosted) — page views and source counts, no individual user tracking, no cross-session identification, no third-party trackers. (e) Cookies as described separately in our Cookies Policy at /cookies. We do not collect Special Categories of Personal Data under GDPR Article 9 (racial/ethnic origin, political opinions, religious beliefs, health, sex life) through the website.
Why we collect it (purposes and legal basis)
Plain English: For each category above, what we do with it and the GDPR Article 6 basis.
Each category of data has a specific purpose and a corresponding lawful basis under GDPR Article 6: (a) Contact form / sales inquiry data — purpose: respond to your inquiry, qualify your needs, schedule follow-up calls; legal basis: Article 6(1)(b) (taking steps prior to entering into a contract at your request) or 6(1)(f) (legitimate interests in operating a sales function). (b) Customer account data — purpose: provide the Services, send invoices, deliver customer support; legal basis: Article 6(1)(b) (performance of a contract). (c) IP address and technical data — purpose: protect the site from attacks, route traffic to nearest PoP, troubleshoot errors; legal basis: Article 6(1)(f) (legitimate interest in operating a secure service). (d) Aggregate analytics — purpose: understand which content is read most, what pages convert; legal basis: Article 6(1)(a) (your consent, given via the cookies banner). (e) Job applications — purpose: evaluate your candidacy; legal basis: Article 6(1)(b) (taking steps prior to entering an employment contract) and, where applicable, Article 6(1)(a) (your consent to retain CV for future openings). We do not rely on consent for processing required to deliver the Services or operate the website securely; consent is reserved for analytics and marketing-style processing where the user has a meaningful choice.
International transfers
Plain English: Where your data leaves the EEA and how we make that lawful after Schrems II.
Personal data is processed primarily within the European Economic Area. Where data transfers outside the EEA occur (Cloudflare, Stripe, US-based sub-processors), we rely on one or more of the following lawful transfer mechanisms: (i) the EU-US Data Privacy Framework, where the recipient is certified under it; (ii) the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module 2 or Module 3 as appropriate; (iii) Binding Corporate Rules where the recipient has them. For each cross-border transfer, we have completed a Transfer Impact Assessment (TIA) per the Court of Justice's Schrems II ruling, evaluating the destination country's laws and identifying supplementary measures (encryption in transit and at rest, access controls, pseudonymization). TIA documentation is available to data subjects on legitimate request via [email protected].
How long we keep it
Plain English: A retention table — not "as long as necessary" weasel words.
Retention periods by data category: (a) Contact form inquiries that do not become customers — 24 months from last interaction, then deleted automatically. (b) Sales conversations and quotes that did not convert — 36 months for win/loss analysis, then deleted. (c) Customer account data — for the duration of the customer relationship plus 90 days for the export grace period, then deleted (except for billing records which are retained 7 years under Austrian commercial law §190 UGB). (d) Job applications — 6 months from the close of the role for which you applied; if you consented to retention for future openings, an additional 18 months from your last contact with us. (e) IP and technical data in Cloudflare logs — 30 days, then automatically purged. (f) Aggregate analytics in Plausible — retained indefinitely in aggregate form (no individual identification possible). (g) Newsletter subscription data, if any — until you unsubscribe, then immediately deleted; we do not keep unsubscribed addresses on a "do not contact" list because we do not need it.
Your rights as a data subject
Plain English: The eight GDPR rights, how to exercise each, and how long we take to respond.
Under GDPR Chapter III, you have the following rights regarding your personal data: (a) Right of access (Article 15) — request a copy of the data we hold about you; we respond within 30 days at no cost. (b) Right to rectification (Article 16) — correct inaccurate or incomplete data. (c) Right to erasure / "right to be forgotten" (Article 17) — request deletion where the data is no longer necessary, you have withdrawn consent, or processing is unlawful. (d) Right to restriction of processing (Article 18) — pause processing while a dispute is resolved. (e) Right to data portability (Article 20) — receive your data in a structured, machine-readable format (JSON or CSV). (f) Right to object (Article 21) — object to processing based on legitimate interests, including direct marketing. (g) Right not to be subject to automated decision-making (Article 22) — we do not make decisions about you based solely on automated processing, including profiling. (h) Right to withdraw consent at any time (Article 7(3)) — where processing is based on consent, you can withdraw it via the cookies preferences panel or by emailing [email protected]. To exercise any right, email [email protected] from the email address associated with your data. We respond within 30 days; complex requests may extend by 60 days with notification.
Right to lodge a complaint
Plain English: Where to complain if you think we are mishandling data.
If you believe our processing of your personal data violates the GDPR or other applicable data protection law, you have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. Our lead supervisory authority is the Austrian Data Protection Authority (Datenschutzbehörde): Barichgasse 40-42, 1030 Wien, Austria; phone +43 1 52152-0; email [email protected]; website https://www.dsb.gv.at. You can also contact the supervisory authority in your own EU/EEA Member State — the full list is at https://edpb.europa.eu/about-edpb/board/members_en. We strongly prefer that you contact us first at [email protected] so we have a chance to resolve the issue directly, but you are not required to do so before complaining to a supervisory authority.
How we protect your data
Plain English: Brief overview — full security measures live in the DPA Annex 2.
We implement technical and organizational measures appropriate to the risk, including encryption in transit (TLS 1.3 mandatory), encryption at rest (AES-256), least-privilege access controls with logged staff access to customer data, network segregation, real-time monitoring with 24/7 incident response, annual penetration testing, and an information security management system whose controls are aligned to ISO 27001:2022. The complete current list of security measures is in Annex 2 of our DPA at /dpa#annex-2 and is updated quarterly. We notify affected data subjects of personal data breaches without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons, in accordance with GDPR Article 34.
Children
Plain English: We do not target our services at children. Not an exhaustive policy because nothing about this product is child-relevant.
Our services are designed for businesses sending email infrastructure traffic, not for individuals under the age of 18, and certainly not for children under 16 (the age below which GDPR Article 8 requires parental consent for information society services in Austria). We do not knowingly collect personal data from children. If you become aware that a child has provided personal data to us, please contact [email protected] and we will delete the data promptly. Our marketing communications and sales conversations are directed exclusively at adults in professional capacities.
Changes to this policy
Plain English: How we update this and how you get told.
We update this Privacy Policy when our processing activities change, when new services launch, when sub-processors are added or removed, or when regulatory guidance changes. Material changes are communicated at least 30 days before the effective date via (a) a banner notification on the website homepage, (b) an email to customer technical contacts and newsletter subscribers, and (c) the version-history table below. Non-material changes (typos, clarifications without substantive impact) may be made without advance notice but are reflected in the version history. The version and "last updated" date at the top of this page reflect the most recent revision; earlier versions are available on request from [email protected].