Note: This English translation is provided for convenience only. The German version is legally binding.
Read the German version
Legal · Privacy
Privacy Policy.
Information on the processing of your personal data in accordance with the
General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).
Protecting your personal data is a matter of central importance to us. Below, we
inform you in accordance with Art. 13 and 14 GDPR about which personal data we
collect when you use this website and the product Radical Personas, the purposes
for which we process it, the legal basis on which this is done, and the rights
you have with regard to your data.
§1 Controller
Controller Within the Meaning of the GDPR
Radical Innovators GmbH
Robert-Stolz-Straße 8/Top 10
4020 Linz, Austria
We are not legally required to appoint a data protection officer under
Art. 37 GDPR. For data protection inquiries, please contact the email
address listed above.
§2 Scope
Scope
This privacy policy applies to the marketing website
radicalpersonas.com
as well as to personal data arising in connection with information requests,
proposal requests, and contract inquiries relating to the product Radical
Personas. Use of the SaaS application itself (after registration / login) is
governed by the in-product privacy policy, which is available within the
application.
§3 Server Log Files
Provision of the Website & Server Log Files
Each time this website is accessed, our hosting provider automatically
collects technical information that your browser transmits to us. This includes:
IP address of the requesting device
Date and time of access
Requested URL / content of the request
Access status / HTTP status code
Referrer URL (previously visited page)
Browser type, browser version, language, operating system
Purpose: providing the
website, ensuring IT security, detecting and defending against attacks.
Legal basis:
Art. 6(1)(f) GDPR — legitimate interest in the technically sound and
secure operation of the website.
Retention period: 7 days,
unless longer retention is required in individual cases for security
reasons (e.g., incident analysis).
§4 Cookies
Cookies & Local Storage
This marketing website does not set any tracking, analytics, or marketing
cookies. No cross-site tracking takes place, and no advertising profile is
created. The audience measurement described in §16 (Matomo) deliberately
works without cookies.
Only technically necessary storage values may be set — values without which
the basic functioning of the website cannot be guaranteed (e.g., a session
identifier, or storing the selected mobile menu state).
This data does not leave your browser.
Legal basis:
Art. 6(1)(f) GDPR and §165(3) of the Austrian Telecommunications Act
(TKG 2021) (technically necessary storage).
Note: different rules apply to the corporate website radical-innovators.com
(which uses, among other things, Cookiebot and Google Analytics 4 with
anonymized IP addresses). These are described separately in that site's
privacy policy
(in German).
§5 Contact
Contacting Us (Email, Form)
If you contact us by email or via a contact form, we process the data you
provide (name, email address, company, message text, and telephone number
where provided) for the purpose of handling your inquiry.
Legal basis:
Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR
(legitimate interest in responding to inquiries).
Technical implementation of the form:
Transmission is handled via the service Resend, Inc. (USA); processing
takes place on US servers (AWS, Cloudflare). The third-country transfer is
based on Standard Contractual Clauses under Art. 46 GDPR and the
EU-US Data Privacy Framework.
Retention period:
Data from inquiries that do not lead to a project is deleted within
6 months after the correspondence ends; if an inquiry results in a project,
statutory retention periods apply (7 years under §132 of the Austrian
Federal Fiscal Code (BAO) for business records).
§6 Newsletter
Newsletter
We do not send marketing newsletters. If you actively sign up for product or
release notifications at a later time, the consent form will separately
inform you about the purpose, the legal basis
(Art. 6(1)(a) GDPR — consent), the dispatch tool used, and
how to withdraw your consent.
§7 Web Hosting
Web Hosting
This website is operated by an EU-based web hosting provider. A data
processing agreement under Art. 28 GDPR is in place with the hosting
provider. The hosting provider processes the server log data described in §3
strictly according to our instructions and exclusively for the purpose of
providing and securing the website.
§8 Product Context
Data Processing in the Product Radical Personas
When you use the SaaS product Radical Personas (after registration /
login in the application), we process data that you actively enter —
e.g., persona context information, test questions, uploaded documents, or
review texts. The complete in-product privacy policy with all details is
available within the application. In summary:
LLM providers: For
AI-based inference, we select the best available language model (LLM)
from several providers for each task in order to achieve the highest
review quality. We provide an up-to-date subprocessor list
to Enterprise and Business customers on request.
Inference region:
Where contractually possible, we use the providers' EU endpoints.
No-training clause:
Customer content is not used to train the language models
we deploy. We have contractual assurances from all providers
we use that API content will not be used for
model training.
Third-country transfers:
Where processing takes place outside the EEA (e.g., on providers' US
endpoints), it is based on Standard Contractual Clauses under
Art. 46 GDPR or — where available — the EU-US Data Privacy Framework.
§9 Recipients
Recipients / Processors
Personal data is disclosed to third parties only to the extent necessary
to provide the respective service or where a legal obligation exists.
Processors we use (Art. 28 GDPR):
EU web hosting provider (hosting of this website)
Resend, Inc. (USA) — delivery of form inquiries
Anthropic, PBC (USA) — LLM inference for product features
Stripe Payments Europe Ltd. (Ireland) — payment processing for subscriptions
Business and Enterprise customers can obtain a complete, up-to-date
subprocessor list on request (Art. 28(2) GDPR).
§10 Third Countries
Data Transfers to Third Countries
Where personal data is transferred to countries outside the European Economic
Area (EEA) — in particular to the USA (Anthropic, Stripe US back office,
Resend infrastructure, and Cloudflare where applicable) — this is done on the
basis of the EU Commission's Standard Contractual Clauses under
Art. 46(2)(c) GDPR and, where the recipient is certified, under the
EU-US Data Privacy Framework pursuant to Art. 45 GDPR.
We provide a copy of the safeguards on request.
§11 Retention
Retention Periods
We store personal data only for as long as necessary for the respective
purposes or as required by statutory retention obligations:
Server log files: 7 days (see §3)
Contact emails without a project connection: up to 6 months
Project and contract correspondence, invoices: 7 years (§132 BAO)
Active product accounts: for the duration of the contract
After cancellation: a 30-day export window, followed by deletion of
production content; invoice data remains subject to the statutory 7-year period
Consent-based data: until consent is withdrawn
§12 Your Rights
Your Rights as a Data Subject
Under the GDPR, you have the following rights:
Access (Art. 15 GDPR) —
confirmation of whether and which personal data we process about you
Rectification (Art. 16 GDPR) —
correction of inaccurate data or completion of incomplete data
Erasure (Art. 17 GDPR) —
the “right to be forgotten,” subject to the statutory requirements
Restriction of processing
(Art. 18 GDPR)
Data portability
(Art. 20 GDPR) — receiving your data in a structured, commonly used,
machine-readable format
Objection (Art. 21 GDPR) —
to processing based on legitimate interests, on grounds relating to your
particular situation
Not to be subject to
automated individual decision-making (Art. 22 GDPR)
To exercise your rights, an informal message to
contact@radicalpersonas.com
is sufficient. We respond to requests within the statutory period
(Art. 12(3) GDPR — generally one month).
§13 Complaints
Right to Lodge a Complaint With the Supervisory Authority
Under Art. 77 GDPR, you have the right to lodge a complaint with a data
protection supervisory authority. The competent supervisory authority in
Austria is:
Österreichische Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40–42
1030 Vienna, Austria dsb@dsb.gv.at www.dsb.gv.at
Alternatively, you may contact the supervisory authority of your habitual
residence, your place of work, or the place of the alleged infringement.
§14 Withdrawal
Withdrawal of Consent
Where the processing of your data is based on consent under Art. 6(1)(a)
or Art. 9(2)(a) GDPR, you may withdraw that consent at any time with effect
for the future. The lawfulness of the processing carried out before the
withdrawal remains unaffected. Consent may be withdrawn informally by emailing
contact@radicalpersonas.com.
§15 Data Security
Data Security & Technical and Organizational Measures
We implement technical and organizational measures in line with the state
of the art, in accordance with Art. 32 GDPR, to protect personal data
against unauthorized access, loss, or manipulation. These include, among
others:
Transport encryption (TLS 1.3) on all connections
Encryption of sensitive data at rest
Role-based and least-privilege access model, 2FA for administrative access
Regular security updates and patch management
Versioned backup strategy with separate recovery paths
Pen test reports and subprocessor list on request (Business/Enterprise)
ISO 27001 certification is part of our medium-term roadmap.
§16 Web Analytics
Audience Measurement With Matomo (Self-Hosted, Cookieless)
For statistical analysis of how this website is used, we use the
open-source software Matomo.
Matomo runs on our own server within
the EU — no analytics data is transmitted to
third parties or to third countries.
Measurement takes place without cookies: no
persistent identifier is stored on your device. Your
IP address is truncated (the last
2 bytes are anonymized) and is not stored in plain text. No personal
profiles are created and no cross-site tracking takes place.
Data processed (anonymized/aggregated):
pages visited, date and time, approximate region of origin (derived from the truncated IP),
referral source (referrer), browser and device type.
Purpose: needs-based design,
improvement, and audience measurement of this website.
Legal basis:
Art. 6(1)(f) GDPR (legitimate interest in data-minimizing,
statistical audience measurement). Since only data-minimizing, cookieless
storage and access operations take place, we base the processing on your
device on §165(3) of the Austrian Telecommunications Act (TKG 2021).
Retention period: The
statistical data is deleted after no more than 6 months (180 days).
Objection: You can object to the anonymous
measurement at any time using the following toggle:
Note: if you opt out, we store this choice in a technically necessary
cookie so that we can continue to exclude you from measurement on this browser.
§17 Updates
Updates to This Privacy Policy
We update this privacy policy when changes to our processing activities or
the legal framework require it. The current version is always available on
this page. The version indicated under “Last updated” is authoritative.
Last updated: June 6, 2026 · Radical Innovators GmbH · FN 557123z · UID ATU76870708