GDPR

1. Data controller

Fringelo Group ("we", "us") is the data controller for personal data collected through Marteso. For data protection enquiries, contact us at [email protected].

2. Legal bases for processing

Under the GDPR, we rely on the following legal bases to process your personal data:

• Article 6(1)(b) — Contract performance: processing necessary to provide the Marteso service under our subscription agreement with you.
• Article 6(1)(c) — Legal obligation: processing required by applicable law (e.g., VAT records, anti-fraud obligations).
• Article 6(1)(f) — Legitimate interests: processing for security, fraud prevention, product improvement, and internal analytics, where these interests are not overridden by your rights.
• Article 6(1)(a) — Consent: for optional marketing communications. You may withdraw consent at any time by clicking "Unsubscribe" in any email or contacting us directly.

3. Your rights under the GDPR

As a data subject in the EU/EEA, you have the following rights:

• Right of access (Art. 15): request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): request deletion of your personal data where no legitimate reason for retention exists.
• Right to restriction of processing (Art. 18): request that we limit processing of your data in certain circumstances.
• Right to data portability (Art. 20): receive your personal data in a structured, machine-readable format and transfer it to another controller.
• Right to object (Art. 21): object to processing based on legitimate interests, including profiling.
• Right to withdraw consent (Art. 7(3)): withdraw consent for consent-based processing at any time without affecting lawfulness of prior processing.

To exercise any of these rights, email [email protected] with the subject line "GDPR Request". We will respond within 30 days. We may ask you to verify your identity before processing your request.

4. International data transfers

We store and process data primarily within the European Economic Area. Where personal data is transferred to third countries (e.g., to sub-processors located outside the EEA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions where applicable.

A list of our sub-processors and the applicable transfer mechanisms is available on request at [email protected].

5. Data retention

We retain personal data only as long as necessary for the purposes described in our Privacy Policy:

• Account data: for the duration of your subscription plus 90 days after account deletion.
• Billing records: 7 years as required by tax law.
• Support communications: 3 years from last interaction.
• Anonymized analytics: indefinitely (no longer personal data).

6. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. If the breach is likely to result in a high risk, we will also notify affected users directly without undue delay.

7. Supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is the Austrian Data Protection Authority (Datenschutzbehörde):

• Website: www.dsb.gv.at
• Email: [email protected]

You may also lodge a complaint with the supervisory authority in your EU member state of habitual residence.

8. Contact

For all GDPR-related enquiries, contact us at [email protected]. We aim to respond within 30 days and at no charge for reasonable requests.