Data Protection Policy


Personal Data

This privacy policy applies to all visitors to our website. All personal references apply equally to male, female, and diverse individuals and should be understood as inclusive.

Privacy Overview

Per Article 12 of the GDPR, website operators must inform visitors precisely, transparently, and understandably about the processing of personal data. We aim to contribute to this by summarizing our privacy policy as follows:

Processing Personal Data for Contracts: We process personal data to establish, execute, and/or terminate contracts using services such as PayPal, Digistore24, Sofortüberweisungen, CopeCart, Mollie, Calendly, Klick-Tipp, Zapier, Woodpecker, and HubSpot.

Processing Based on Consent: We process personal data with your consent for services like Google Analytics, Google Optimize, Google Tag Manager, Hotjar, social networks with advertising tools (Facebook, LinkedIn), Google Ads, Google Remarketing, YouTube, Klick Tipp, and HubSpot.

Processing Based on Legitimate Interest: We process personal data for informational website use, transient cookies, rights management with external legal advice, Trustpilot, and PostAffiliate Pro.

Automated Decision-Making: We do not process personal data through automated decision-making or profiling.


The data controller per Article 4(7) GDPR for processing visitors’ personal data on this website is:

PATHADVICE International GmbH
Represented by Dr. Michael Suitner (CEO)
Serlesweg 3, 6161 Natters, Austria
Phone: +43 676 415 9000


(1) Under the GDPR, individuals have several rights regarding their personal data, including the right to:

  1. Access stored personal data,
  2. Rectify incorrect personal data,
  3. Erase personal data if there is no legal basis for continued storage,
  4. Restrict the processing of stored personal data,
  5. Data portability,
  6. Lodge a complaint with the relevant data protection authority.

(2) We will promptly fulfill your claims if the conditions are met and you can be identified.

Automated Decision-Making Including Profiling

Automated decision-making, including profiling, does not occur. Further details are provided in our separate data protection declaration.

Data Transfer Outside the EU

(1) We may transfer personal data to non-EU entities, ensuring GDPR-level protection per Article 44 GDPR. Non-EU entities may include controllers and processors.

(2) An adequacy decision signifies that the entity offers adequate protection per Article 45 GDPR.

(3) Standard contractual clauses ensure GDPR compliance per Articles 46(1) and (5) GDPR.

(4) Your consent to data transfer includes acknowledgment of all associated risks without adequacy decisions or other safeguards, per Article 49(1)(a) GDPR.

(5) These provisions apply only if referenced in the following declaration.

Special Case: Standard Contractual Clauses and US Entities

(1) Standard contractual clauses for US entities are limited. We only use them after thorough risk assessment and verification of adequate safeguards.

(2) We disclose this precautionarily, and it applies only if referenced in the following declaration.

Special Case: Consent for Data Transfer to US Entities with Risk Notices

(1) Standard contractual clauses for US entities are limited. Consent may be requested, with risk disclosure including:

  1. Lack of comprehensive data protection laws in the US,
  2. Extensive US legislative access to personal data,
  3. Limited effective legal remedies for EU citizens in the US.

Mandatory Processing Based on Legal Obligations

Processing based on Article 6(1)(c) GDPR is mandatory only if referenced in the following data protection declaration.

Contractually Required Processing (Primary Legal Basis: Article 6(1)(b) GDPR)

General Purpose and Legal Basis for Described Processing

(1) Processing aims to establish, execute, and terminate contracts and defend against related claims.

(2) Article 6(1)(b) GDPR is the legal basis for contract-related processing, allowing data processing without consent if necessary for contract fulfillment or pre-contractual measures at your request.

(3) Article 6(1)(c) GDPR mandates data retention for ongoing legal or administrative proceedings.

(4) The same legal basis applies to data processed in your capacity as an applicant, current, or former employee.

(5) Article 6(1)(f) GDPR allows you to object to processing, which, if valid, terminates the processing. No processing obligation exists without explicit Article 6(1)(c) GDPR reference.

General Data Retention Information for Described Processing

(1) Data is retained as necessary for contract establishment, execution, termination, and defense against related claims.

(2) Contractual data is retained until legal retention periods expire, per Article 6(1)(c) GDPR and § 212 UGB, which mandates retention beyond purpose fulfillment for some data types.

(3) Applicant data is retained until the final decision, six months post-rejection for complaint defense (Article 6(1)(f) GDPR), or until consent withdrawal for applicant pool inclusion (Article 6(1)(b) GDPR). No retention obligation is established by this declaration.

(4) Article 6(1)(f) GDPR allows you to object to processing, terminating it if valid. No processing obligation exists without explicit Article 6(1)(c) GDPR reference.

Processing Requiring Your Consent (Primary Legal Basis: Article 6(1)(a) GDPR)

General Information on the Purpose and Legal Basis of the Following Processing Activities

  1. Each tool’s purpose is described separately.
  2. The legal basis is your consent under Article 6(1)(a) GDPR, allowing data processing for specified purposes with your consent.

General Information on Data Retention

  1. Data is stored until you withdraw consent, which you can do at any time through informal communication.
  2. We retain records of consent and how it was given for three years for documentation and legal defense purposes per Article 6(1)(c) and Article 7(1) GDPR, also justified by Article 6(1)(f) GDPR.

Notes on Consent Legal Basis

  1. You can withdraw consent anytime, typically through informal communication (see “Controller” above). We may also process additional personal data like identity markers and consent logs per Article 6(1)(c) and Article 7(1) GDPR for proof of consent.
  2. To obtain cookie consent, we use “cookie-script” by Object is Ltd. This tool documents your cookie-based data processing consent.
  3. We use Google Analytics to analyze website usage, with data possibly transferred to the USA based on your consent (Article 49(1)(a) GDPR). Risks are detailed in our general terms.
  4. Google Tag Manager coordinates analysis and advertising efforts, with data possibly transferred to the USA based on your consent.
  5. HubSpot automates marketing communication, with data possibly transferred to the USA based on your consent.

Website Informational Use

We use transient cookies to display the website. Transient cookies, such as session cookies, store session IDs to recognize visitors’ computers when they return.

Rights Management

When you exercise your rights (e.g., data access), we process related communication data for proof and legal defense. Data is stored until the third calendar year after your request per Article 6(1)(f) GDPR and § 1489 ABGB.

External Consultation

For rights requests, we may consult external advisors (e.g., legal, IT) while ensuring confidentiality. This processing is in our and your legitimate interest. Data includes your name, contact details, and communication content.