top of page

Data privacy

I Overview

If we may welcome you as a customer or business partner, or if you use our Nuseum application, please read from Section III.

If you visit our website, please read from Section II.

II What data do we process when you visit our website?

Welcome to our website! Please take a moment to understand how we process your personal data when you visit our website (Art. 13, Art. 14 GDPR; § 165 para. 3 TKG).

When visiting our website, the following data may be processed:

  • Browser type,

  • Operating system,

  • Country,

  • Date,

  • Time and duration of access,

  • IP address and visited pages on our website, including entry and exit pages,

  • Contact page on the website,

  • Device data: We may store personal data from your device, including geolocation data, IP address, unique identifiers (e.g., MAC address),

  • Data entered during appointment scheduling,

  • Email address,

  • First and last name,

  • Phone number,

  • Institution (name of the company or organization).

Processing this data is necessary to ensure the security of website operations and to maintain the website's functionality from a technical standpoint. This data is collected in part through technical cookies, which are only used to the necessary extent (§ 165 para. 3 TKG). Processing this data is justified by our legitimate interest in operating our website (Art. 6 para. 1 lit. f GDPR).

For the operation of our website, it may be necessary to disclose your data to the following recipients:

Data Recipient: Google LLC (Google Cloud & Folder; Google Workspace; Google Analytics; Google Calendar)
Purpose of Data Processing: Email and chat server; storage of internal documents; marketing and offer optimization; communication
Legal Basis for Data Processing: Predominantly legitimate interest (Art. 6 para. 1 lit. f GDPR), consent regarding Google Analytics (Art. 6 para. 1 lit. a GDPR), and contractual necessity (Art. 6 para. 1 lit. b GDPR)
Business Location: USA
Secure Third-Country Transfer: Google LLC is listed under the EU-US Data Privacy Framework (HR & Non-HR data)

Data Recipient: HubSpot, Inc. (CRM)
Purpose of Data Processing: Sales data management (contact and sales activities)
Legal Basis for Data Processing: Predominantly legitimate interest (Art. 6 para. 1 lit. f GDPR)
Business Location: USA
Secure Third-Country Transfer: HubSpot is listed under the EU-US Data Privacy Framework (Non-HR data)

Data Recipient: Wix.com, Limited
Purpose of Data Processing: Website hosting
Legal Basis for Data Processing: Predominantly legitimate interest (Art. 6 para. 1 lit. f GDPR)
Business Location: Israel
Secure Third-Country Transfer: The European Commission has issued an adequacy decision recognizing Israel's data protection level as sufficient.

 

II.1. Overview of "Technical" Cookies Used

The above-mentioned data is stored via so-called "cookies." Cookies are text files stored on your computer that enable the analysis of website usage. They help recognize and temporarily store data of website visitors. We only use cookies to the extent necessary to communicate with you via the website.

These technical cookies are activated as soon as you visit our website.

The following cookies are used on our platform based on our predominantly legitimate interest (Art. 6 para. 1 lit. f GDPR):

  • ssr-caching: Set by Wix (website hosting, see above), indicating how a website was rendered.

  • XSRF-Token: Enhances browsing security by preventing cross-site request forgery.

  • hs: Used by Wix for security purposes.

  • svSession: Identifies individual visitors and tracks their session on a website.

  • _wixAB3: Used at the beginning of a session to collect information about website traffic, duration, and location.

  • Server-session-bind

    • Technical necessary

  • fedops.logger.sessionID

    • Technical necessary

  • Client-session-bind

    • Technical necessary

II.2. Overview of "Advertising Cookies"

In addition to the above-described "technical cookies," we do not use any cookies, particularly no advertising cookies.

III. What data do we process when you are a customer, business partner, or use our application(s)?

As part of our business relationship with customers and business partners, and the provision of the Nuseum application for users, we process data due to contractual obligations (execution of the contractual relationship, pre-contractual obligations, service billing, document dispatch, communication, application provision) and legal obligations (legally required retention pursuant to § 132 BAO) (Art. 6 para. 1 lit. b and c GDPR), as well as due to our legitimate interests or those of third parties (Art. 6 para. 1 lit. f GDPR), namely:

  • For internal administration and management of your business case as necessary (e.g., processing, forwarding to assistants, filing, archiving, correspondence);

  • For providing the Nuseum application;

  • For providing Copilot and CuratorSpace;

  • For asserting and defending legal claims.

If you do not provide us with this data, we cannot process your business case.

In certain cases, we may process your data based on your voluntary, explicit consent (Art. 6 para. 1 lit. a GDPR).



 

III.1. What data

 is processed in connection with a business relationship?

For handling and fulfilling business relationships with our customers and suppliers, the following personal data or categories of personal data are processed:

  • Contact details (postal address, email, phone number) of customers or involved employees;

  • Subject of respective delivery or service.

III.2. What data is processed when using the Nuseum application?

When using the Nuseum application (“application”), the following personal data or categories of personal data are processed:

  • Device data (operating system, model, IP address, unique identifiers, geolocation data);

  • Time, date, and duration of use;

  • Data that you submit via a "prompt" (input in the designated field, confirmed via button, in text or voice input).

In general, no personal data should be entered into the application.

 

IV How long do we store your data?

We store your data only as long as necessary for the purposes for which it was collected. Legal retention periods must be considered (e.g., contracts and documents related to tax law must be stored for seven years, § 132 BAO). In justified cases, such as asserting or defending legal claims, we may store data for up to 30 years after the business relationship ends.

Data from interested parties is stored for up to one year from the last contact.

 

V Who may receive your data?

As part of our business relationship and the use of the application, it may be necessary for us to transfer your data to the following recipients:

Recipient: Google LLC

Services Used: Google Cloud & Folder, Google Workspace, Google Analytics, Google Calendar
Purpose of Data Processing: Email and chat servers, storage of internal documents, marketing and optimization of the offering, contact management
Legal Basis for Data Processing:

  • Predominantly legitimate interest (Art. 6(1)(f) GDPR)

  • Consent regarding Google Analytics (Art. 6(1)(a) GDPR)

  • Contractual necessity (Art. 6(1)(b) GDPR)
    Business Location: USA
    Secure Third-Country Transfer: Google LLC is listed under the EU-US Data Privacy Framework (HR & Non-HR data).

Recipient: HubSpot, Inc.

Services Used: CRM
Purpose of Data Processing: Sales data management (contact and sales activities)
Legal Basis for Data Processing: Predominantly legitimate interest (Art. 6(1)(f) GDPR)
Business Location: USA
Secure Third-Country Transfer: HubSpot is listed under the EU-US Data Privacy Framework (Non-HR data).

Recipient: Amazon.com, Inc.

Services Used: Amazon AWS
Purpose of Data Processing: Hosting of the software infrastructure (Copilot & CuratorSpace)
Legal Basis for Data Processing:

  • Predominantly legitimate interest (Art. 6(1)(f) GDPR)

  • Contractual necessity (Art. 6(1)(b) GDPR)
    Business Location: USA
    Secure Third-Country Transfer: Amazon.com is listed under the EU-US Data Privacy Framework (Non-HR data).

VI Collection of Data from Other Sources (Art. 14 GDPR)

For the provision of the Nuseum application, the system is trained by the museum or cultural institution for specific use cases. In this process, personal data may also be processed.

  • Source: Museum or other cultural institution

  • Data: Information shared by the museum or cultural institution, such as details about an artist or an artwork. Some of this data may be publicly accessible.

For the purpose of initiating contact with relevant stakeholders in the cultural sector, personal data may also be processed:

  • Source: Museum, cultural institution, their websites or public registers

  • Data: Publicly accessible contact details or information about relevant stakeholders in the cultural sector, provided by public registers or the aforementioned institutions.


 

VII Are automated decision-making or profiling processes used?

No automated decision-making or profiling takes place in our company.

 

VIII What rights do you have regarding data processing?

You have the right to:

  • Request information about the data processed about you (Art. 15 GDPR);

  • Request correction or completion of incorrect or incomplete data (Art. 16 GDPR);

  • Request deletion of your data (Art. 17 GDPR);

  • Object to data processing for legitimate interests (Art. 21 GDPR); Especially regarding to the use of your data for advertising purposes;

  • Receive your provided data in a structured, machine-readable format;

  • Withdraw consent at any time via email (Art. 7 para. 3 GDPR).

 

IX Which rights to complain do you have?

If data processing breaches your rights, you can contact us (via mail or email). We aim to process your inquiry as soon as possible. You also have the right to complain to the authority responsible for you.

The address of the Austrian Data Protection Authority is:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna

 

X How can you contact us?

For questions regarding the processing of your data, you can contact our data protection coordinator as stated below.

XI Controller

Controller according to Art 4 Z 7 GDPR is:

KOHATECH FlexCo
Rabensburgerstraße 17
1020 Vienna, Austria
Email: florian@nuseum.ai

Note: If a museum or cultural institution uses the Nuseum application, KOHATECH FlexCo acts as a processor, while the museum or institution is the controller.


 

Last Updated: 1st of March 2025

bottom of page