Privacy Policy

1. Data Controller

MK-i Automations GesmbH (in formation)
M.-Lang-Gasse 5
2380 Perchtoldsdorf
Austria

Email: [email protected]
Phone: +43 6991 5555 327

2. Data Collection on Our Website

Our website is designed to collect and process as little personal data as possible.

a) Server Log Files

When you visit our website, your browser automatically transmits data to our server, which is temporarily stored in server log files:

• Browser type and version
• Operating system used
• Referrer URL (previously visited page)
• Hostname of the accessing device
• Time of the server request
• IP address

This data cannot be directly attributed to specific individuals and is not merged with other data sources. Processing serves the technical security and proper functioning of the website.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Retention period: Log files are automatically deleted after 7 days.

b) Contact Forms and Email Communication

When you use our contact or inquiry form, or send us an email, we process the data you provide (e.g. name, email address, phone number, company name, address) as well as your message.

Purposes of processing:

• Processing your inquiry (Art. 6(1)(b) GDPR – pre-contractual measures)
• Sending additional information about our services, provided you have consented (Art. 6(1)(a) GDPR – consent)

Note: The transmitted data is used exclusively to process your inquiry and fulfil the agreement. Transmission to external processors may occur and is explained in section 4. You may withdraw your consent at any time with effect for the future.

3. Data Retention

We store personal data only for as long as necessary to fulfil the respective purposes: during the processing of your inquiry, for the duration of a customer relationship, and beyond that only where statutory retention obligations exist or where necessary for the establishment, exercise or defence of legal claims. Data is deleted after expiry of the retention period or when the purpose no longer applies.

4. Recipients of Data and Data Processors

Transmission of your personal data to third parties only occurs where necessary for contract performance or required by law. Standard recipients:

• Tax advisor: for bookkeeping and tax documentation
• Public authorities: upon statutory disclosure obligation (tax authorities, law enforcement)
• E-mail infrastructure: self-operated Exchange server in Austria; no external mail provider is used as data processor

Additionally, external data processors are engaged for order processing. Only those data categories required for the respective purpose are transmitted:

• Cloud-based AI language models (third country USA): for the creation of website drafts from the data contained in the order. Legal basis: Art. 6(1)(b) GDPR. Third-country safeguard: EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
• Cloud infrastructure providers (third country USA): for TLS-secured delivery of website calls. Legal basis: Art. 6(1)(b) GDPR. Third-country safeguard: EU-US Data Privacy Framework adequacy decision pursuant to Art. 45 GDPR (provider is DPF-certified).
• Messaging services (third country with international establishment): for internal workflow notifications to MK-i employees. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient internal order processing).
• Google PageSpeed Insights API (third country USA): for the one-off performance and best-practice analysis of the website URL you provide, both in the audit pre-stage (websitecheck.mk-i.net) and for quality assurance in the redesign service. Only the URL to be analysed is transmitted; no personal data. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in a meaningful initial analysis). Third-country safeguard: EU-US Data Privacy Framework adequacy decision pursuant to Art. 45 GDPR (provider is DPF-certified).

Notes on AI processing: Data processing agreements pursuant to Art. 28 GDPR are in place with the providers used. The inputs are processed exclusively to fulfil the specific order and are not used for training purposes by the provider. The retention period at the AI provider is limited to the duration of the respective request plus technically required security logs (usually 30 days). Please note that generative AI systems produce statistically probable content - the final content review remains with MK-i Automations or with you.

A copy of the Standard Contractual Clauses and further information on the third-country safeguards employed are available on request at [email protected].

Banking and billing-relevant data are not transmitted to the external data processors named above (AI language models, cloud infrastructure, messaging services). Payment-transaction data is exclusively transmitted to the banks required for payment execution.

5. Social Media Links (Twitter/X, Telegram)

Our website contains links to our profiles on external platforms (Twitter/X and Telegram). Clicking these links will redirect you to the respective platforms, where the privacy policies of those providers apply:

• Twitter/X Privacy Policy
• Telegram Privacy Policy

Please note: a connection to the servers of the respective network is only established when you actively click one of these links. At that point, your IP address and the fact that you came from our site (referrer) are transmitted to the provider. In the case of X (Twitter) in particular, this data may be transferred to the USA. We have no influence over any further processing of personal data by these providers.

6. Hosting

Our website is operated in our own data centre in Austria. We do not transfer any personal data to third countries outside the EU as part of our hosting. For information on data transfers by external services (Telegram, X), please refer to the respective sections of this policy.

7. Your Rights as a Data Subject

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent with effect for the future (Art. 7(3) GDPR)

To exercise your rights, a simple informal email to [email protected] is sufficient.

8. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

Competent authority in Austria:
Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40–42, 1030 Vienna
Email: [email protected]
www.dsb.gv.at

9. Analysis of the Website Provided (Redesign Service)

As part of processing your redesign request, MK-i Automations performs an automated visual analysis of the URL you provide. The publicly accessible homepage is loaded and a screenshot is taken. Only publicly accessible content is analysed. There is no access to password-protected areas or internal systems.

The data collected (screenshot, visual analysis, order content you submit) is used exclusively to prepare the redesign offer. External data processors are engaged for the technical preparation (see Section 4).
Retention period: Screenshots and analysis results are retained for the duration of the redesign offer and deleted no later than 6 months after refusal or non-engagement.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) for inquiries via the form, or Art. 6(1)(f) GDPR (legitimate interest) for analyses in the context of business initiation.

10. Audit Pre-Stage (websitecheck.mk-i.net)

If you request a website check via our audit form on websitecheck.mk-i.net, we process the URL you provide and your email address in order to compile and deliver the audit report.

Processing steps:

• Loading the homepage you provided and taking a screenshot
• Performance and best-practice analysis via the Google PageSpeed Insights API (see Section 4)
• Initial content evaluation using the AI language models we employ (see Section 4)
• Delivery of the report by email via our own mail infrastructure in Austria
• Entry on an internal suppression list as soon as you object to further contact, so that you are not contacted again

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in business initiation).
Retention period: Audit reports and accompanying data are retained for up to 6 months after the request; if you are entered on the internal suppression list, only the domain and the date of objection are recorded permanently in order to prevent future contact.

11. Tracking of Visits and Replies (redesign.mk-i.net and Follow-Up Emails)

Once we have delivered a redesign draft, an audit result, or a follow-up email to you, we evaluate whether and when you have responded to the content delivered. The aim is to manage the specific case appropriately - timely reminders, classification as „no interest", and avoidance of unnecessary follow-up emails.

• Visits to the preview URL: our Apache web server logs accesses to the individual preview address of your draft. At regular intervals, the number and time of visits per case are aggregated from these logs and assigned to the corresponding order in our internal ERP system (so-called „lead-heat tracking"). Our own visits and bot accesses are filtered out.
• Replies to our emails: when you reply to one of our messages, we assign the reply to the corresponding case via subject, sender address, and order identifier. The content and time of receipt are recorded in our internal ERP system so that you receive an appropriate reply and are not inadvertently contacted again. Retrieval takes place from our own mailbox via IMAP - only messages addressed to our own email addresses are evaluated.

Legal basis: Art. 6(1)(b) GDPR (contract initiation and performance) or Art. 6(1)(f) GDPR (legitimate interest in resource-efficient, non-intrusive customer support).
Cookies: No cookies are set for this tracking. Evaluation takes place purely on the server and mail side.
Retention period: raw web server logs are deleted after 7 days (see Section 2.a). Aggregated visit counters and assigned replies remain part of the order record and are subject to the retention rules described in Section 12.
Right to object: you may object to this processing at any time by email to [email protected]. New visits and replies will then no longer be assigned to your case.

12. Retention of Order and Invoice Data

As part of order processing, we store your master data (salutation, name, company, address, VAT ID, email, phone) and the contents related to the order (URL, order description, drafts produced, correspondence, invoices, payment status) in our internal ERP system. The ERP system is operated on our own infrastructure in Austria.

Retention periods:

• Orders without engagement (inquiries, draft offers, audit reports): up to 6 months after the last activity, then deletion.
• Engaged orders, including invoices and payment records: 7 years from the end of the relevant business year pursuant to § 132 BAO and § 212 UGB (commercial and tax retention obligations under Austrian law). After expiry the data is deleted, unless other statutory obligations or legal disputes prevent this.
• Partner and commission data (where applicable): also 7 years from the end of the relevant business year.

Legal basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (statutory retention obligations in conjunction with § 132 BAO and § 212 UGB).

13. Referral Programme, Cashback and Donation List

If, as an existing customer or referrer, you pass on a referral code to a new prospective client and that prospect places a paid order, this gives rise to a cashback claim in your favour.

In this context we process the following data:

• Master data (name, email, where applicable company name) for assigning the referral code and informing you about the status of your cashback claim.
• Case data (domain of the referred order, amount and status of the cashback entry) within our internal ERP system.
• Bank details (IBAN, account holder, where applicable VAT ID) only if you opt for payout. These details are not published and are processed exclusively for executing the bank transfer and for accounting documentation.

Payout or waiver in favour of an occasion-based donation: you may choose between having your cashback paid out to you and waiving the payout in favour of our donation partner. In the case of a waiver, MK-i Automations makes its own corporate donation on the occasion of your referral instead of paying out the cashback.

Publication on the donation list: on our public donation-partner page we maintain a list of occasion-based donations. A named entry (full name or company) is made solely with your express consent, which you grant by selecting the option „Donate with name" via the corresponding button in our confirmation email. If you choose „Donate anonymously", only a non-attributable short form (e.g. initials) is shown - your full name is not published.
Withdrawal of consent: you may withdraw your consent at any time with effect for the future by email to [email protected]. We will then promptly remove the entry from the public list; donations already made remain unaffected.

Legal bases:

• Processing of master and case data: Art. 6(1)(b) GDPR (contract performance).
• Processing of bank details: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (statutory retention obligations, see Section 12).
• Publication of the name on the donation list: Art. 6(1)(a) GDPR (consent).

Retention period: referral and cashback data are subject to the commercial and tax retention periods set out in Section 12. Entries on the public donation list remain visible until you withdraw your consent.

14. Unsolicited Business Initiation (Outbound Acquisition)

In individual cases we contact commercial recipients who have not previously contacted us, with a non-binding proposal for a new website or with a supplementary audit notice (so-called „acquisition demo"). Recipients and the occasion are determined on the basis of publicly available sources (own website, imprint, business directories) as well as on the basis of the technical initial check that we have conducted on your website.

We process exclusively:

• the business contact address published in your imprint or in public directories,
• the website URL associated with the domain and the publicly accessible content available there (for the screenshot and the demo preview),
• the internally created case record (offer, demo link, dispatch and reaction status).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in initiating business relationships with commercial recipients). Such contact is made exclusively with substantive professional content and an offer of concrete cooperation; it is designed as a single proposal per recipient.

Information pursuant to Art. 14 GDPR: as we did not collect the data directly from you, this privacy policy serves as the information notice within the meaning of Art. 14 GDPR. Storage takes place for the duration of case processing and is subject thereafter to the periods set out in Section 12. No transmission to third parties takes place; the data processors named in Section 4 are only involved insofar as this is necessary for preparing the demo preview.

Right to object and suppression list: you may object to the processing of your data for acquisition purposes at any time without giving reasons - by email to [email protected] or via the button „Not interested" on the demo response page. We will then add your domain to an internal suppression list so that you will not be contacted again as part of our acquisition. Only the domain and the date of objection are stored permanently on the suppression list.

Last updated: May 2026