PRIVACY POLICY

1. Controller

The controller responsible for processing personal data on this website is:

WERK Clubkultur GmbH Spittelauer Lände 12/331-333 1090 Wien FN 605514 m info[at]daswerk.org

Represented by: Fabian Walder

2. General

We process personal data in accordance with the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

“Personal data” means any information relating to an identified or identifiable natural person.

3. Hosting and provision of the website

This website is operated on servers of a hosting provider. When you visit the site, certain technical data are processed automatically, including:

• IP address
• date and time of the request
• requested URL / referrer (if transmitted)
• browser type and version
• operating system

Purpose: secure and stable operation of the website (Art. 6(1)(f) GDPR; Art. 6(1)(b) GDPR where applicable for contractual use).
Retention: typically limited, depending on provider and configuration (e.g. server log rotation).

[Hosting provider name and address]
Where required, we have concluded a data processing agreement (DPA) with the provider.

4. Content management system (Strapi)

Content (text, images, structured data such as events, FAQs, etc.) is delivered via a headless CMS (Strapi). When content is retrieved, connection data (e.g. IP address) and request-related metadata may be processed on the system hosting Strapi.

Purpose: displaying website content (Art. 6(1)(f) GDPR).
Note: [Describe where Strapi is hosted – e.g. same provider as the website or separate].

5. Contact form and email

If you use the contact form, we process the information you enter (e.g. subject, message, name, email address, depending on the form configuration in the CMS).

• Submission: Data is sent through a server-side endpoint on our website (/api/contact-submit). The recipient email address is loaded on the server from the CMS and cannot be changed from the browser.
• Email delivery: The message is sent via SMTP using our email infrastructure ([SMTP / mailbox provider]).
• Reply-To: If you provide a valid email address, it may be set as the reply address on the outgoing message.
• Spam protection: An invisible honeypot field may be used; if it is filled, the submission is discarded without further processing.

Legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract / contract-related requests) and/or Art. 6(1)(f) GDPR (responding to general enquiries).

Data are retained only as long as necessary to handle your request, subject to any statutory retention obligations (e.g. in the mailbox).

6. Error monitoring and performance: Sentry

We use Sentry (provided by Functional Software, Inc., USA) to maintain technical reliability. This may involve processing:

• technical error information (e.g. stack traces, environment data)
• performance data (tracing; in production with a sample rate, so not every request is recorded)
• Session Replay (recording of interactions on the site; not all sessions are recorded; higher sampling may apply when errors occur—see our technical configuration)

Our configuration includes sendDefaultPii, which may allow more personal data to be included in error and monitoring data than in a minimal setup.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a stable and secure website). Where consent is required for Session Replay or broader personal data processing (e.g. under ePrivacy / national telecom rules), we obtain it via an appropriate mechanism—[adjust to your legal setup / cookie banner].

International transfers: Data may be transferred to the USA. Sentry relies on Standard Contractual Clauses and, where applicable, further safeguards under Art. 46 GDPR. Details: SENTRY PRIVACY POLICYSSEENNTTRRYY  PPRRIIVVAACCYY  PPOOLLIICCYY.

We have entered into a data processing agreement with Sentry where required.

7. Fonts

We use fonts via next/font (Google Fonts integration at build time). Font files are typically served from our site, so visitors’ browsers usually do not load fonts directly from Google on each page view. Technical details follow the NEXT.JS FONT DOCUMENTATIONNNEEXXTT..JJSS  FFOONNTT  DDOOCCUUMMEENNTTAATTIIOONN.

8. Embedded content and external links

• PDF / room plan: On some pages, a PDF may be shown in a frame via our own URL. Processing is the same as for a normal page request.
• Map links: We link to Google Maps and Apple Maps. Their providers’ privacy policies apply only after you click those links.

9. No solely automated decision-making

We do not use solely automated decision-making within the meaning of Art. 22 GDPR.

10. Your rights

Subject to the conditions in applicable law, you have the right to:

• access (Art. 15 GDPR)
• rectification (Art. 16 GDPR)
• erasure (Art. 17 GDPR)
• restriction of processing (Art. 18 GDPR)
• data portability (Art. 20 GDPR)
• object to processing (Art. 21 GDPR)

To exercise these rights, contact us using the details in section 1.

11. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. In Austria:

Austrian Data Protection Authority
Barichgasse 40–42, 1030 Vienna
HTTPS://WWW.DSB.GV.AT/HHTTTTPPSS::////WWWWWW..DDSSBB..GGVV..AATT//

12. Changes

We may update this privacy policy if the website or legal requirements change.