Legal & Privacy

How we handle personal data and your rights under GDPR.

Last updated: 2025-11-23

Who we are (Controller)

CozyCode Kumi Systems e.U., Brandhofgasse 7/1, 8010 Graz, Austria. Email: hello@cozycode.eu

We do not appoint a Data Protection Officer. For privacy questions, contact us at hello@cozycode.eu.

Scope

This policy explains how we process personal data when you:

  • visit our website at cozycode.eu,
  • contact us (e.g., by email), or
  • discuss or enter into a contract with us.

What data we process and why

  1. Visiting our website (server logs)
  • Data: IP address, date/time, URLs visited, referrer, user‑agent, HTTP status codes.
  • Purpose: deliver pages, ensure security and reliability, detect abuse.
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interests: secure, reliable operation).
  2. Cookies
  • We do not set non‑essential cookies.
  • If our hosting/CDN sets essential cookies for security or load balancing, these are strictly necessary.
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interests: secure, efficient delivery).
  3. Analytics (optional)
  • If we enable privacy‑friendly, aggregated, cookie‑less analytics, we will collect only anonymized or de‑identified usage metrics.
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interests: improve the site) where no personal data is processed; otherwise Art. 6(1)(a) GDPR (consent). We will show a notice if consent is required.
  • Current status: no invasive tracking and no marketing cookies.
  4. Contacting us (e.g., email)
  • Data: your contact details, message content, metadata (time, sender, recipients), and any files you send.
  • Purpose: respond to inquiries, pre‑contractual steps, record‑keeping, and—if applicable—contract performance.
  • Legal basis: Art. 6(1)(b) GDPR (pre‑contract/contract), Art. 6(1)(f) (our interest in efficient communication), and Art. 6(1)(c) (legal obligations, e.g., tax law).
  5. Clients and prospective clients
  • Data: business contact details, contract data, billing data, project communications.
  • Purpose: provide services, project management, invoicing, compliance.
  • Legal basis: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) (legal obligations), Art. 6(1)(f) (legitimate interests: business operations).

We do not intentionally process special categories of data (Art. 9 GDPR). Please avoid including sensitive information in emails unless necessary.

Recipients and processors

We use carefully selected service providers that act as processors:

  • Hosting/CDN and repository pages for serving the site.
  • Email provider for sending/receiving email.
  • (If enabled) privacy‑friendly analytics provider.

These providers may be located in the EU/EEA or in countries with an adequacy decision, or we use EU Standard Contractual Clauses (SCCs). We require processors to implement appropriate technical and organisational measures.

International transfers

Where data is transferred outside the EU/EEA:

  • we rely on an adequacy decision (Art. 45 GDPR), or
  • we use SCCs (Art. 46 GDPR) with supplementary safeguards where appropriate.

Retention

  • Inquiries (email): typically up to 6 months after last interaction, unless longer retention is required or justified (e.g., to establish, exercise, or defend legal claims).
  • Client/project and billing data: retained for the statutory periods (e.g., tax/commercial law).
  • Server logs: typically up to 30 days unless needed longer for incident investigation.

We delete or anonymize data after the retention period ends.

Your rights

You have the following rights under GDPR:

  • access to your personal data (Art. 15),
  • rectification (Art. 16),
  • erasure (“right to be forgotten”, Art. 17),
  • restriction of processing (Art. 18),
  • data portability (Art. 20),
  • objection to processing based on legitimate interests (Art. 21),
  • withdrawal of consent at any time (Art. 7(3)), where processing is based on consent.

To exercise your rights, email hello@cozycode.eu. You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence or place of work. A list is available at: https://edpb.europa.eu/about-edpb/board/members_en

Security

We apply appropriate technical and organisational measures, including least‑privilege access, encryption in transit, regular updates, and restricted administrative access. No method is 100% secure, but we aim for practical, risk‑based protection.

Children

Our services are aimed at businesses and adults. We do not knowingly process children’s data.

Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. The “Last updated” date indicates the latest revision.