This privacy policy informs you, in accordance with the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and the Austrian Telecommunications Act (TKG), about the nature, scope, and purpose of the processing of personal data on www.conscious-synergy.com and in the Course Portal.
1. Data controller
The data controller in the sense of the GDPR is:
BearCave GmbHNußdorfer Straße 4/2/120
1090 Vienna
Austria
Email: support@supnig.com
A statutory data protection officer is not required. For data protection inquiries, please use the email address above.
2. Categories of personal data
2.1 Account data
- Email address (required for sign-in and communication)
- Display name (optional)
- Stripe customer ID (internally linked to the email address)
- Billing address and VAT ID (collected via Stripe; not stored in our systems)
2.2 Course Portal usage data (from Phase 3)
- Video views per module
- Downloaded companion materials
- Learning progress
2.3 Analytics and marketing data
- Google Analytics 4: anonymised IP, device and browser information, session history
- Meta Pixel (Facebook): Pixel ID, conversion events
- Newsletter (Kit): email address, subscription status, open and click rates
2.4 Server log data
- IP address (shortened)
- Date and time of access
- Bytes transferred, user agent, referrer URL
3. Legal basis of processing
| Data category | Purpose | Legal basis |
|---|---|---|
| Account data | Contract performance, course delivery | Art. 6(1)(b) GDPR (contract) |
| Payment data | Payment via Stripe | Art. 6(1)(b) GDPR (contract) |
| Accounting data | Compliance with statutory retention obligations | Art. 6(1)(c) GDPR (legal obligation) |
| Portal usage data | Service provision and improvement | Art. 6(1)(b) GDPR (contract), Art. 6(1)(f) (legitimate interest) |
| Server logs | IT security, fraud prevention | Art. 6(1)(f) GDPR (legitimate interest) |
| Google Analytics, Meta Pixel | Analysis, marketing optimisation | Art. 6(1)(a) GDPR (consent via cookie banner) |
| Newsletter | Direct marketing | Art. 6(1)(a) GDPR (consent) |
4. Recipients and processors
We share personal data only with processors under data processing agreements (DPAs) pursuant to Art. 28 GDPR:
| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Payment processing, invoicing, customer portal | Ireland (EU); parent in the USA | EU Standard Contractual Clauses (SCC), EU–US Data Privacy Framework adequacy decision |
| Amazon Web Services EMEA SARL | Hosting (S3, DynamoDB, Lambda, SES) in the eu-central-1 region (Frankfurt) | EU (Luxembourg / Germany) | EU data processing, DPA in place |
| SeedProd LLC dba Kit | Email marketing, newsletter delivery | USA | EU Standard Contractual Clauses (SCC), EU–US Data Privacy Framework |
| Google Ireland Ltd. | Web analytics (Google Analytics 4) | Ireland (EU); processing partially in the USA | SCC, EU–US Data Privacy Framework, IP anonymisation enabled |
| Meta Platforms Ireland Ltd. | Conversion tracking (Meta Pixel) | Ireland (EU); processing partially in the USA | SCC, EU–US Data Privacy Framework |
5. Retention periods
- Active user accounts: until revocation or deletion request by the customer.
- Accounting and invoice data: 7 years pursuant to §132 of the Austrian Federal Fiscal Code (BAO).
- Magic-link tokens: 30 minutes, then automatically deleted.
- Session cookies (cs_session): 90 days or until sign-out.
- Newsletter data: until consent is revoked (unsubscribe link in every email).
- Server logs: 14 days, then automatically deleted.
- Analytics data: 14 months (GA4 default).
6. Data subject rights
Under Art. 15–22 GDPR, you have the following rights:
- Access to the data stored about you (Art. 15);
- Rectification of inaccurate data (Art. 16);
- Erasure (“right to be forgotten”), provided no statutory retention obligations apply (Art. 17);
- Restriction of processing (Art. 18);
- Data portability (Art. 20);
- Objection to processing based on legitimate interests (Art. 21);
- Withdrawal of consent with effect for the future (Art. 7(3)).
Please send requests to support@supnig.com. We respond within one month of receipt. For identity verification, we require the request to be sent from the email address on file.
7. Cookies and tracking
We use the following cookie categories:
- Strictly necessary cookies (no consent required): session cookie
cs_session(sign-in), Stripe security cookies. Legal basis: contract performance (Art. 6(1)(b) GDPR). - Analytics cookies (consent required): Google Analytics 4 (
_ga,_gid) — reach measurement, anonymised IP. - Marketing cookies (consent required): Meta Pixel (
_fbp) — conversion tracking for ad campaigns.
Our cookie banner lets you grant or refuse consent per category. Rejecting all optional cookies is possible in one click. You can change your settings at any time via the “Cookie settings” link in the footer.
8. Right to complain
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent supervisory authority:
Austrian Data Protection Authority (Datenschutzbehörde)Barichgasse 40–42
1030 Vienna, Austria
Tel.: +43 1 521 52-25 69
Web: www.dsb.gv.at
9. Data security
Data transmission between your browser and our servers is transport-encrypted (TLS 1.2+). Sensitive data such as payment information is processed exclusively by Stripe and does not traverse our systems in clear text. Internal access rights are granted on a “least privilege” basis.
10. Changes to this privacy policy
We update this privacy policy when processing activities or the legal situation change. The current version is always available on this page.