Privacy Policy

Effective date: March 2025

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

Daniel Wagner
Josef-Mayburger-Kai 126
5020 Salzburg, Austria
Email: [email protected]

2. Overview

This Privacy Policy explains how we collect, use, and protect personal data when you use the WGST Store at store.wgst.at. We are committed to protecting your privacy and processing your data in compliance with the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (Datenschutzgesetz, DSG), and all other applicable data protection legislation.

3. Data We Collect

We minimize data collection to what is strictly necessary for contract performance. The following data is collected during the purchase process:

3.1 Data collected by us

  • Email address — provided by you during Stripe checkout, used for order confirmation and delivery of digital content.
  • Order details — product purchased, purchase date, transaction reference, and amount paid.

3.2 Data processed by Stripe (not stored by us)

  • Payment data — credit card details, billing address, and other payment information are collected and processed directly by Stripe, Inc. We do not receive, access, or store your full payment card details.
  • Tax-related data — Stripe Tax may collect your country of residence and/or billing address to determine applicable VAT rates.

3.3 Data we do not collect

The Store does not require user account creation. We do not collect names, phone numbers, physical addresses (unless provided to Stripe for payment purposes), or any data beyond what is described above.

4. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

  • Art. 6(1)(b) GDPR — Contract performance: Processing of your email address and order details is necessary for the performance of the purchase contract, specifically for delivering the purchased digital content and sending order confirmations.
  • Art. 6(1)(c) GDPR — Legal obligation: Retention of order records and invoicing data is required to comply with Austrian tax and accounting obligations (see Section 7).

5. Data Processors and Recipients

We share personal data only with the following categories of processors, each bound by data processing agreements in accordance with Art. 28 GDPR:

  • Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA) — Payment processing, invoicing, and tax calculation. Stripe processes payment data as an independent data controller for payment transactions. Data transfers to the USA are covered by Stripe's participation in the EU-U.S. Data Privacy Framework. Stripe's privacy policy: stripe.com/privacy
  • Third-party service providers — After payment, your email address or a transaction reference may be shared with the third-party service to which digital credits are provisioned, solely for the purpose of fulfilling your order.

We do not sell, rent, or otherwise disclose personal data to third parties for marketing or advertising purposes.

6. International Data Transfers

Where personal data is transferred to countries outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. This includes reliance on:

  • EU adequacy decisions (Art. 45 GDPR)
  • The EU-U.S. Data Privacy Framework
  • Standard contractual clauses adopted by the European Commission (Art. 46(2)(c) GDPR)

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy:

  • Order records and invoicing data — Retained for 7 years from the end of the relevant calendar year, as required by the Austrian Federal Fiscal Code (Bundesabgabenordnung, BAO, Section 132).
  • Email addresses — Retained for the duration of the statutory retention period for order records (7 years), unless you request earlier erasure and no legal retention obligation applies.

After the applicable retention period expires, personal data is securely deleted or anonymized.

8. Your Rights as a Data Subject

Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at [email protected]:

  • Right of access (Art. 15 GDPR) — You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, access to that data.
  • Right to rectification (Art. 16 GDPR) — You have the right to request correction of inaccurate personal data.
  • Right to erasure (Art. 17 GDPR) — You have the right to request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18 GDPR) — You have the right to request restriction of processing under certain conditions.
  • Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR) — You have the right to object to the processing of your personal data under certain conditions.

We will respond to your request without undue delay and in any event within one month of receipt, in accordance with Art. 12(3) GDPR.

9. Right to Lodge a Complaint

If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority in Austria is:

Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40-42
1030 Vienna, Austria
Website: www.dsb.gv.at
Email: [email protected]

10. Cookies and Tracking

The Store uses only technically necessary cookies that are essential for the functioning of the website and the checkout process. These cookies do not require consent under Art. 5(3) of the ePrivacy Directive (2002/58/EC) as they are strictly necessary for the provision of the service explicitly requested by the user.

We do not use any analytics, tracking, advertising, or third-party cookies on the Store subdomain. No user behavior profiling or cross-site tracking takes place.

11. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Art. 32 GDPR. All data transmission between your browser and our servers is encrypted using TLS (Transport Layer Security).

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The updated version will be published on this page with a revised effective date. We encourage you to review this page periodically.

13. Contact

For any questions or concerns regarding this Privacy Policy or our data processing practices, please contact:

Daniel Wagner
Josef-Mayburger-Kai 126
5020 Salzburg, Austria
Email: [email protected]

This document is a template for informational purposes. Consult with a qualified attorney for legal advice specific to your situation.