← Back

Privacy Policy

Last updated: 2026-05-10

1. Data controller

Social Cooling FlexCo
Stella-Klein-Löw-Weg 8, 1020 Vienna, Austria
VAT: ATU81640949
Email: privacy@so.cool

2. Personal data we process

  • Account data: email, name, role, hashed password (Art. 6(1)(b) GDPR — contract).
  • Customer & quote data: contact details, billing/shipping addresses, VAT IDs, quote and invoice content (Art. 6(1)(b)/(c) GDPR — contract & legal obligation).
  • Authentication logs & audit logs: sign-in events, document number issuance, security-relevant actions (Art. 6(1)(f) GDPR — legitimate interest in security).
  • Uploaded files: sales documents and branding assets you upload (Art. 6(1)(b) GDPR).
  • Cookies: a strictly necessary session cookie for authentication. Optional analytics only with your consent (Art. 6(1)(a) GDPR).

3. Recipients & processors

We use vetted processors under Art. 28 GDPR for hosting, database, email delivery, and AI features. Data may be processed within the EU/EEA. Where transfers outside the EEA occur, they are protected by Standard Contractual Clauses.

4. Retention

Invoices and accounting documents are retained for 7 years as required by Austrian/EU tax law. Other personal data is deleted when no longer necessary or upon valid request.

5. Your rights

Under the GDPR you have the right to:

  • access your personal data (Art. 15)
  • rectification (Art. 16)
  • erasure / "right to be forgotten" (Art. 17)
  • restriction of processing (Art. 18)
  • data portability (Art. 20)
  • object to processing (Art. 21)
  • withdraw consent at any time (Art. 7(3))

To exercise these rights, contact privacy@so.cool. You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, dsb.gv.at).

6. Cookies

We use one strictly necessary cookie/local-storage entry to keep you signed in. Optional analytics cookies are only set after you click "Accept all" in our consent banner. You can reset your choice at any time using the "Cookie settings" link in the footer.

7. Security

Access is protected by authentication, role-based authorization, and row-level security at the database level. All traffic is encrypted in transit (TLS).