— PRIVACY POLICY
In accordance with Regulation (EU) 2016/679 (GDPR)
Version 1.0 — June 2026
1. Data Controller
The Data Controller is Gladius GmbH, registered in the Austrian Commercial Register under company number FN 674280p, with registered office at Webgasse 43, 1060, Vienna, Austria.
For any questions, requests, or communications relating to the processing of personal data, the Controller may be contacted at:
E-mail: privacy@gladius.at
Website: https://www.gladius.at/
2. Scope and Purpose of This Policy
This Privacy Policy describes how Gladius GmbH collects, uses, stores, and protects personal data submitted through the website https://www.gladius.at/ (hereinafter, the "Website"), in full compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR") and applicable Austrian data protection legislation, including the Datenschutzgesetz (DSG).
This Policy applies to all individuals — whether acting in a personal capacity or as representatives or contact persons of legal entities — who submit personal data through the Website's contact functionalities.
A separate Cookie Policy governs the use of cookies and similar tracking technologies on the Website and is available at https://www.gladius.at/cookie-policy.
3. Categories of Personal Data Collected
Through the Website, Gladius GmbH may collect the following categories of personal data, exclusively as voluntarily submitted by the user:
3.1 Standard Contact Data
– Full name (of the individual or of the contact person acting on behalf of a legal entity)
– Name and legal form of the represented legal entity, where applicable
– E-mail address
– Telephone number
– Country of residence or domicile
– Any further information freely included in the body of the contact message
3.2 Special Categories of Personal Data
The Controller draws the user's particular attention to the fact that the content of a contact message may — depending on the nature of the matter — include special categories of personal data within the meaning of Article 9 GDPR, including but not limited to:
– Data relating to health or medical condition
– Data relating to criminal convictions, offences, or judicial proceedings (Article 10 GDPR)
– Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
– Data concerning trade union membership
– Genetic or biometric data
– Data concerning a natural person's sex life or sexual orientation
Users are strongly advised not to include such sensitive information in their communications unless strictly necessary for the purpose of their inquiry. Where such data is submitted, the Controller shall apply the heightened safeguards described in Section 7 below.
4. Legal Basis for Processing
All processing of personal data carried out by Gladius GmbH through the Website is based on the freely given, specific, informed, and unambiguous consent of the data subject, in accordance with:
– Article 6(1)(a) GDPR — for ordinary personal data;
– Article 9(2)(a) GDPR — for special categories of personal data, where the data subject has given explicit consent to the processing of such data for one or more specified purposes.
Consent is collected through an explicit affirmative action at the time of submission of the contact form. The provision of consent is entirely voluntary. Refusal to consent will result in the inability to submit the contact form but will have no other consequence for the user.
Consent may be withdrawn at any time, without prejudice to the lawfulness of processing carried out prior to withdrawal. Withdrawal of consent may be exercised by contacting the Controller at privacy@gladius.at.
5. Purposes of Processing
Personal data submitted through the Website is processed for the following purposes:
– Responding to and managing the user's inquiry or request;
– Establishing and maintaining a pre-contractual or contractual relationship, where applicable;
– Complying with legal obligations applicable to the Controller under Austrian and EU law;
– Protecting the legitimate interests of the Controller in the event of disputes, where processing is not based solely on consent.
Personal data will not be used for automated decision-making or profiling within the meaning of Article 22 GDPR.
6. Data Retention
Personal data collected through the Website shall be retained for no longer than:
– two (2) years from the date of the last contact or communication between the user and Gladius GmbH;
– or until consent is withdrawn, if withdrawal occurs before the expiry of the above period.
Upon expiry of the retention period, personal data shall be securely deleted or irreversibly anonymised. Where data is subject to legal retention obligations under applicable law (e.g. tax, accounting, or anti-money laundering legislation), the Controller may retain such data for the duration required by law, notwithstanding the above.
7. Security Measures
Gladius GmbH implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. Such measures include, without limitation:
– Encryption of data in transit (TLS/SSL) and, where applicable, at rest;
– Access controls restricting data access to authorised personnel only, on a need-to-know basis;
– Regular review and testing of the effectiveness of security measures;
– Procedures for promptly detecting, reporting, and investigating personal data breaches.
In respect of special categories of personal data and data relating to criminal convictions and offences, the Controller applies additional, enhanced safeguards commensurate with the elevated sensitivity of such information, including strict access restrictions and confidentiality obligations binding all personnel with access to such data.
8. Recipients and Disclosure of Personal Data
Personal data collected through the Website is processed exclusively by Gladius GmbH and is not sold, rented, or otherwise transferred to third parties for their own marketing or commercial purposes.
Data may be disclosed to the following categories of recipients, strictly to the extent necessary:
– IT service providers and hosting providers acting as data processors pursuant to Article 28 GDPR, bound by appropriate data processing agreements;
– Legal, tax, or compliance advisors, subject to professional confidentiality obligations;
– Public authorities or judicial bodies, where disclosure is required by applicable law or by a binding order.
Where data processors are engaged, the Controller ensures that they provide sufficient guarantees to implement appropriate technical and organisational measures in accordance with the GDPR.
9. International Transfers
Gladius GmbH processes personal data within the European Economic Area (EEA). In the event that personal data is transferred to a recipient located outside the EEA, such transfer shall take place only:
– to countries recognised by the European Commission as providing an adequate level of protection pursuant to Article 45 GDPR; or
– on the basis of appropriate safeguards pursuant to Article 46 GDPR, such as standard contractual clauses adopted by the European Commission; or
– with the explicit consent of the data subject pursuant to Article 49(1)(a) GDPR, after having been informed of the possible risks.
10. Rights of Data Subjects
Under the GDPR, data subjects whose personal data is processed by Gladius GmbH are entitled to exercise the following rights:
10.1 Right of Access (Art. 15 GDPR)
The right to obtain confirmation as to whether personal data concerning them is being processed, and, where that is the case, access to such data and to the information specified in Article 15 GDPR.
10.2 Right to Rectification (Art. 16 GDPR)
The right to obtain without undue delay the rectification of inaccurate personal data and the completion of incomplete personal data.
10.3 Right to Erasure (Art. 17 GDPR)
The right to obtain the erasure of personal data where one of the grounds listed in Article 17 GDPR applies, including withdrawal of consent, where the data is no longer necessary for the purposes for which it was collected, or where the data has been unlawfully processed.
10.4 Right to Restriction of Processing (Art. 18 GDPR)
The right to obtain restriction of processing in the circumstances defined in Article 18 GDPR, including where the accuracy of the data is contested or where processing is unlawful but erasure is opposed.
10.5 Right to Data Portability (Art. 20 GDPR)
Where processing is based on consent and carried out by automated means, the right to receive personal data in a structured, commonly used, and machine-readable format, and to transmit such data to another controller.
10.6 Right to Withdraw Consent (Art. 7(3) GDPR)
The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
10.7 Right to Lodge a Complaint (Art. 77 GDPR)
The right to lodge a complaint with the competent supervisory authority. In Austria, the competent authority is:
Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Vienna, Austria
E-mail: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/
To exercise any of the above rights, data subjects may contact the Controller at privacy@gladius.at. The Controller shall respond within one month of receipt of the request, extendable by a further two months in cases of complexity or volume of requests, with prior notice to the data subject.
11. Processing of Data Relating to Legal Entities and Their Representatives
Where a contact request is submitted on behalf of a legal entity (such as a company, association, foundation, trust, or other body corporate), the personal data of the individual submitting the request — including their name, professional role, and contact details — will be processed in accordance with this Privacy Policy.
The legal entity as such is not a "data subject" within the meaning of the GDPR. However, information relating to identified or identifiable natural persons acting as representatives, directors, officers, or contact persons of legal entities is treated as personal data and accorded full protection under this Policy.
12. Data of Minors
The Website and the services offered by Gladius GmbH are not directed at minors under the age of 16. Gladius GmbH does not knowingly collect personal data from minors. If the Controller becomes aware that personal data of a minor has been submitted without verifiable parental or guardian consent, such data will be promptly deleted.
13. Cookies and Tracking Technologies
This Privacy Policy does not govern the use of cookies or similar tracking technologies on the Website. Such matters are addressed exclusively in the Cookie Policy, available at https://www.gladius.at/cookie-policy, which forms a separate and complementary document to this Privacy Policy.
14. Amendments to This Privacy Policy
Gladius GmbH reserves the right to amend or update this Privacy Policy at any time, in particular to reflect changes in applicable law, regulatory guidance, or the Controller's data processing activities. The updated version will be published on the Website with an indication of the date of the most recent revision.
Users are encouraged to consult this page periodically. Where amendments are material, the Controller will take reasonable steps to bring such changes to the attention of users who have previously submitted personal data.
15. Governing Law and Jurisdiction
This Privacy Policy is governed by Regulation (EU) 2016/679 (GDPR) and, to the extent applicable, by Austrian national data protection law (Datenschutzgesetz — DSG, BGBl. I Nr. 165/1999 as amended). Any dispute arising in connection with this Privacy Policy that is not resolved through the exercise of data subject rights or administrative complaints shall be subject to the jurisdiction of the competent courts of Vienna, Austria.
Gladius GmbH — privacy@gladius.at — https://www.gladius.at/
Last updated: June 2026