Privacy Policy

Last updated: February 2025

Protecting personal data is paramount for our company. As the landscape of data protection law continues to evolve in the EU, we place the utmost value on the fundamental right to data protection. The following information describes how we process the data of our users.

We have drafted this Privacy Policy in compliance with the provisions set forth in Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 to provide you with an overview of the information we collect, the manner in which we use data, and the options available to you as a visitor to our website.

This Privacy Policy is drafted in English and German. In case of conflict, the English version shall be the binding version.

Responsible: finothek GmbH

Contact: Markus Waghubinger

E-mail: privacy@hallosophia.com

Address: Peter-Behrens-Platz 10, 4020 Linz

1. General data protection information
2. Purposes of the processing data and lawfulness of processing
3. Recipients or categories of recipients of the personal data
4. Rights of the data subject
5. Processors & Third parties
6. Cookie Policy

1. General data protection information

finothek GmbH reserves the right to revise its privacy policy. In the event of any material changes, we will inform you via our Services or other means, allowing you to review the modifications prior to them becoming effective. If you disagree with the changes, you have the option to object; however, this may result in your inability to access and utilize our Services.

2. Purposes of the processing of data and lawfulness of processing

Pursuant to Articles 13 and 14 of the GDPR, the controller (“finothek GmbH” or “We”) is obliged to provide information on the purpose of processing personal data. In addition, as stipulated by law, each processing activity must be based on lawfulness as set forth in Article 6 of the GDPR.

1. Registration Process Data

We process registration data during the registration process, such as:

• E-mail
• First name & surname
• Job
• Employer/Company
• Password
• Preferred business language

2. Profile Creation Data

We process data for the profile creation, such as:

• Profile picture
• Mobile phone number
• Employment data
• VAT number
• Bank Account Information

3. Platform Usage Data

When you use our platform, the following data will be processed:

• Content about uploaded files (Word, PDF, etc.). The content of the files will not be processed by us, unless there is a legal obligation or the risk that the file has harmful effects on users or the platform itself
  
• Content description of the offered service
• Video conferences are only made live and are not processed further by us, in particular not stored

The personal data mentioned above is collected pursuant to Article 6(1)(b) of the GDPR. We process this data for the purpose of providing a suitable service, such as allowing other users to find your profile on the website. Additionally, we process your email address to send you emails related to the service, such as updates about a user who has booked your service.

The data mentioned in sections 2.1-2.3 will be stored throughout the entire user relationship. After the end of the user relationship, the personal data will be retained for an additional period of three years for the purpose of satisfying any legal claims. The obligation to retain this data arises from company law, tax law, and general civil law rules. You may request deletion of your personal data prior to the expiration of this period, in accordance with Article 17 of the GDPR ("Right to Erasure").

4. Payment

In the event that you use MANGOPAY as an advisor or client to process payments, we will disclose the personal data required for the consulting services and fees, charges, remuneration, and wages of the client (name, billing address, payment amount, bank and/or credit card data) to the Luxembourg public limited company MANGOPAY SA, located at 2, Avenue Amélie, L-1125 Luxembourg. Such processing of personal data is based on Art 6(1)(b) GDPR. MANGOPAY SA’s privacy policy can be found at https://mangopay.com/privacy-statement.

5. Know-your-customer process Data

As part of our services, we offer a Know-your-customer (KYC) and an identification (ID) process that may require the collection of:

• Information about corresponding business activities and personal identification data from users in the course of a KYC-process.

The aforementioned processed data is collected pursuant to Article 6(1)(f) of the GDPR. We process this data for the purpose of facilitating the completion of a KYC or ID-process for advisors on our platform.

Once the advisory process is completed, the data is deleted.

KYC data will be shared with the advisor. If the payment is processed through MANGOPAY, KYC data will also be shared with MANGOPAY SA, located at 2, Avenue Amélie, L-1125 Luxembourg.

6. Website Usage Data

We also process anonymous data for the purpose of improving security and protecting against attacks, which includes the following:

• Server log files
• IP address
• App versions
• Operating system
• Device Model
• Language settings
• Statistical data on user behaviour

The data referred to are processed on the basis of the legitimate interest under Article 6(1)(f) of the GDPR.

The purpose of this processing is to retrieve our website from your device and to enable a correct display of our website on your device or in your browser.

7. Compliance Data

As part of our legal obligations under the Digital Platforms Reporting Obligations Act (DPMG), we are required to report relevant data to the Austrian Tax Office after the end of each year. This includes data provided by the advisor as well as data available to us on the advisor's transactions in the relevant calendar year, such as the number of sales and total sales proceeds. We must fulfill this obligation if the advisor has met the thresholds of 30 transactions or a transaction value of EUR 2,000 in the relevant calendar year.

In addition, we are required to process and transmit to the tax authorities any data that we are legally obliged to provide under section 13 of the DPMG. This data is stored for as long as we are legally obligated to keep it.

3. Recipients or categories of recipients of personal data

Data is being transferred to processors and third parties, which have been contracted to provide information technology support services.

This includes in particular the following processors:

• Software as a Service provider for platform communication
• Software Provider for data processing and data storage
• Software provider for analytics and marketing purpose
• AI supporting software provider
• Payment provider

With each processor we concluded a data processing agreement according to Art 28 GDPR.

 This includes in particular the following third parties:

• Hub-partners in collaboration with a Partner-hub (see 6. Processors & Third Parties)
• Advisors
• Austrian Tax Authority

Data transfers from European branches to the USA are carried out on the basis of standard contractual clauses adopted by the Commission.

4. Rights of the data subject

These rights aim to ensure transparency in the processing of personal data. The data subject should be able to be informed about the processing of their personal data, including the identity of the controller, the methods used for processing, the specific purposes of processing, and the legal basis for processing. The data subject is entitled to exercise the following rights (under the legal provisions vis-à-vis the controller):

• Right to confirmation
• Right of access by the data subject (Art 15 GDPR)
• Right to rectification (Art 16 GDPR)
• Right to erasure (Art 17 GDPR)
• Right to restriction of processing (Art 18 GDPR)
• Right of withdrawal in case of consent given
• Right to object (only in case of legitimate interest) (Art 21 GDPR)
• Right to data portability (only in case of contractual relationship or consent) (Art 20 GDPR)

Right to lodge a complaint with a supervisory authority: The data subject has the right to file a complaint with the supervisory authority if they believe that their rights as a data subject have been violated. In Austria, the supervisory authority responsible for data protection is the Austrian data protection authority (www.dsb.gv.at), but the data subject can also file a complaint with any other supervisory authority, particularly the authority in the Member State of their habitual residence, place of work, or place of alleged infringement (see in particular Art 77 GDPR).

5. Processors & Third Parties 

Partner-Hubs

Additionally, we offer a service where we assist other companies in establishing Partner-Hubs. In doing so, finothek GmbH provides other companies with the infrastructure of hallosophia.com, which is individually adapted for the cooperation partner (so-called Hub-partner). The Hub-Partner can thus offer its own network of advisors on an individually set up platform under a subdomain (so-called Partner-Hub). If an advisor wishes to list himself on a Partner-Hub, then there is the possibility that we pass on the above-mentioned data to the Hub-Partner. The disclosure is based on fulfillment of the contract.

In doing so, the Hub-Partner may establish its own purposes for the processing, which exist independently of our purposes. If data is processed for their own purposes, the processing is governed by the privacy rules of the Hub-Partner. For more information about partner hubs, please see our General Terms and Conditions.

Google Analytics

This website uses the service “Google Analytics”, which is offered by Alphabet Inc.’s (Alphabet) subsidiary Google LLC., headquartered at 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, for the analysis of website usage by users. The service uses “cookies” – text files that are stored on your device. The information collected by the cookies is usually sent to a Google server in the USA and stored there. This website uses IP anonymisation. The IP address of users is shortened within the member states of the EU and the European Economic Area. This reduction eliminates the personal reference to your IP address. Within the framework of the data processing agreement that the website operators have concluded with Google LLC., the website operator uses the information collected to analyse website usage and website activity and provides services related to Internet usage. You have the option to prevent the storage of the cookie on your device by adjusting the appropriate settings in your browser. There is no guarantee that you will be able to access all functions of this website without restrictions if your browser does not allow cookies. Furthermore, you can use a browser plug-in to prevent the information collected by cookies (including your IP address) from being sent to Alphabet’s Google LLC. and used by Google LLC. The following link leads you to the corresponding plugin: https://tools.google.com/dlpage/gaoptout?hl=de.  A processor contract was concluded with Google LLC. in accordance with Art 28 GDPR. Here you can find further information about the use of data by Google Inc.: https://support.google.com/analytics/answer/6004245?hl=de

YouTube

Our website uses plugins from the YouTube website. The website is operated by Alphabet Inc.’s subsidiary Google LLC. headquartered at 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store information about visitors to this website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. So YouTube – regardless of whether you watch a video – establishes a connection to the Google DoubleClick network.

As soon as you start a YouTube video on our website, a connection to YouTube’s servers will be established. The YouTube server is informed which of our pages you have visited. If you are logged into your YouTube account, you allow YouTube to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, YouTube can store various cookies on your device after starting a video. With the help of these cookies, YouTube can obtain information about visitors to our website. This information is used, among other things, to collect video statistics, improve user-friendliness and prevent fraud. The cookies remain on your device until you delete them.

If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no influence.

The use of YouTube is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Article 6 (1)(f) GDPR.

Further information on data protection on YouTube can be found in their privacy policy at: https://www.youtube.com/t/privacy.

OpenAI

To support our users in finding the most suitable advisory packages and generating quick responses to support inquiries, we use OpenAI Ireland Ltd. as part of our AI-powered support and recommendation system.

What data is processed?

For AI-powered recommendations and support functionalities, we process the following data:

• User-submitted text inputs (e.g., search queries, entries in the advisory system, generated responses).
• Advisor-provided data, such as self-written service titles and descriptions.
• Support documents provided by the operator of SophiaAI, including publicly available support materials and support documentation made available by the operator company.

How is the data processed?

AI Processing (OpenAI Ireland Ltd.)

• User inputs are processed exclusively within the EU by OpenAI Ireland Ltd., The Greenway, St Stephen’s Green, Dublin, D02 TD28, Ireland.
• OpenAI does not permanently store the processed data and does not use it for AI training.
• All processed data is automatically deleted after a maximum of 30 days, in accordance with our Data Processing Agreement (DPA) with OpenAI.

For more details, refer to:

• OpenAI’s EU Privacy Policy: https://openai.com/policies/eu-privacy-policy/

Tax Authorities & DPMG Reporting Requirement

Where legally required, we share data with the Austrian tax authorities, particularly under the Digital Platform Reporting Requirement (DPMG) in accordance with the DAC7 Directive. This applies to advisors providing paid consulting services on our platform once the legal reporting thresholds are exceeded.

For more details, please refer to the European Commission's information on DAC7: https://taxation-customs.ec.europa.eu/taxation/tax-transparency-cooperation/administrative-co-operation-and-mutual-assistance/dac7_en

Sentry.io

We are using Sentry, a fault analysis service. This service is provided by Functional Software Inc., 132 Hawthorne Street, San Francisco, California 94107, USA (“Sentry”). To ensure the technical stability of our services, system errors are logged with the help of Sentry. The information generated by Sentry is usually transmitted to a Sentry server in the USA and stored there. After the analysis, the data is stored for a maximum of 90 days and then deleted without any residue. The processing of the data is based on the legitimate interest pursuant to Article 6(1)(f) of the GDPR.

The terms of use and privacy policy of Sentry can be found at: https://sentry.io/privacy/.

Vimeo

We use the provider Vimeo for the integration of videos, among others. Vimeo is operated by Vimeo LLC, headquartered at 555 West 18th Street, New York, New York 10011.

On some of our websites we use plugins of the provider Vimeo. If you access the websites of our website provided with such a plugin – for example playing a video – a connection to the Vimeo servers is established and the plugin is displayed. This transmits to the Vimeo server which of our websites you have visited. If you are logged in as a member of Vimeo, Vimeo assigns this information to your personal user account. When using the plugin, such as clicking on the start button of a video, this information is also assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and by deleting the corresponding cookies from Vimeo.

The terms of use and further information on Vimeo’s data processing and data protection information can be found at: https://vimeo.com/privacy.

Crazyegg

We use the tracking tool CrazyEgg.com to track user behavior with anonymized IP addresses. Via cookies, the tool can evaluate how the user uses the website (e.g. which content is clicked on). For this purpose, a usage profile is displayed visually. Usage profiles are only created when pseudonyms are used. The legal basis for the processing of the data is based on consent.

You can object to the processing of data generated by CrazyEgg.com by following the instructions at https://www.crazyegg.com/opt-out. Further information on data protection at CrazyEgg.com can be found at: https://www.crazyegg.com/privacy.

Meta Pixel

As part of our service, we use the tool "Meta Pixel", which is operated by Meta Platforms Inc., headquartered at 1 Hacker Way, Menlo Park, CA 94025, USA, respectively with the responsible data controller and DPO located at Meta Platforms Ireland Limited at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
By using the Meta pixel, Meta can determine the visitors of our website as a potential target group for the display of ads. In order to deliver our advertising offer only to those users who are also interested in our service or have characteristics related to our offer, we use the "Meta Pixel". In this way, we aim to avoid excess and inappropriate advertising. In addition, the tool allows us to track the effectiveness of Meta ads for statistical and market research purposes.

The use of the Meta Pixel as well as the storage of "conversion cookies" is based on consent. Furthermore, you can find Meta’s data usage policy here: https://www.facebook.com/policy.php. 

For specific information and details about the Meta Pixel and how it works, more information can be found at: https://www.facebook.com/business/help/742478679120153?id=1205376682832142.

Hubspot

On this website, we use the service HubSpot, representing a software company from the USA with a branch in Ireland.

Hubspot is an integrated software solution that we use to cover various aspects of our online marketing. These include: Social Media Publishing & Reporting, Reporting, Landing Pages, and Marketing

More information about HubSpot's privacy policy can be found here.

The personal data will be kept for as long as it is necessary to fulfill the purpose of processing. The data will be deleted as soon as they are no longer required to achieve the purpose. The processing is based on consent.

Matomo

Our website uses the web analytics tool Matomo to analyze page visits. Matomo uses session cookies that are only temporarily stored on your system.

Matomo is configured to be data-saving. Information about the use of our website, which a cookie generates, is stored on our server. Your IP address is immediately anonymized (shortened and randomly supplemented) and retains this value for a maximum of one day. In this way, you remain anonymous to us as a user. The data is only processed internally and is not passed on to third parties. It is only used to identify and improve relevant content of our website. The processing is based on consent.

For more information we refer to https://matomo.org/privacy-policy/.

Google Tag Manager: our ‘Tag Manager’

We use the Google Tag Manager as our main Cookie Tag Manager. The tool uses tags, which means that no cookies are used and no personal data is processed. The Google Tag Manager triggers other tags, which in turn may collect data. However, the Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, it remains in place for all tracking tags, insofar as these are implemented with the Google Tag Manager.

LinkedIn

We utilize the website analytics function LinkedIn Insight Tag provided by LinkedIn Ireland Unlimited Company (Wilton Plaza, Wilton Place, Dublin 2 Ireland; "LinkedIn"). The LinkedIn Insight Tag allows us to collect data from your visit to our website, including URL, referrer URL, IP address, device and browser properties (user agent), and timestamps. IP addresses are shortened or hashed. LinkedIn does not share any personally identifiable information with us, but instead uses the data collected on our website for reports (in which you are not identified) on website visitors and ad performance. LinkedIn also offers retargeting for website visitors on LinkedIn, allowing us to display targeted ads outside of our website without identifying you. LinkedIn also uses non-identifying data to improve ad relevance and reach members across devices. If you do not wish to participate in retargeting, you can opt-out. For more information, please refer to LinkedIn's privacy policy. The use of the LinkedIn Insight Tag and related tracking is based on your consent. You may withdraw this consent at any time for future effect.  The processing is based on Art. 6(1)(a) of the GDPR. The opt out can be found here: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out Further information can be found at the LinkedIn Privacy Policy: https://www.linkedin.com/legal/privacy-policy

MailChimp

We send newsletters only with the consent of the recipients or a legal permission. Our newsletters contain information about the platform HalloSophia – Microadvisory, in particular updates, news, and other information in connection with the service. In addition, we send content about industry-specific news (business consulting).

The newsletter is sent via “MailChimp”, a newsletter delivery platform of the US provider Rocket Science Group LLC, headquartered at 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.

The email addresses of our newsletter recipients, as well as their other data described in these notes, are stored on the servers of MailChimp in the USA. MailChimp uses this information for sending and evaluating the newsletters on our behalf. In addition, MailChimp may, according to its own information, use this data to optimise or improve its own services, e.g. for technical optimisation of the dispatch and presentation of newsletters, or for economic purposes to determine from which countries the recipients come from. MailChimp does not, however, use the data of our newsletter recipients to write to them or pass them on to third parties.

If you subscribe to our newsletter, you submit the above-mentioned personal data and give us the right to contact you by email. We use the data stored during the registration for the newsletter exclusively for our newsletter and do not pass it on.

If you unsubscribe from our newsletter – you will find the ‘unsubscribe’ link in each newsletter at the very bottom – we delete all data that have been stored at the newsletter’s registration.

We rely on the reliability, IT, and data security of MailChimp. This is a contract in which MailChimp undertakes to protect the data of our users, to process in accordance with its data protection provisions on our behalf and, in particular, not to disclose it to third parties. You can find the privacy policy of MailChimp here.

In case of sending out newsletters we process the following data:

• EMail-address
• Name
• Time of registration for the newsletter
• IP-address

Cookie Policy

What exactly are cookies?

Whenever you browse the Internet, you use a browser. Well-known browsers include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge. Most websites store small text files in your browser. These files are called cookies. A cookie consists of a name and a value. When defining a cookie, one or more attributes must also be specified. Cookies store certain user data from you, such as language or personal page settings. When you visit our page again, your browser will send the “user-related” information back to our page. There are both first-party cookies and third-party cookies. First-party cookies are created directly from our site; third-party cookies are created by partner websites (e.g. Google Analytics). Each cookie must be evaluated individually, as each cookie stores different data. The expiration time of a cookie also varies from a few minutes to a few years.

Amendments to the Cookie Policy

Our Cookie Policy may change as our website and services are being improved and expanded. In addition, our cookie policy may change if legal and business conditions affect the protection of personal data. Our cookie policy is available on our website: www.hallosophia.com.

We reserve the right to change our Cookie Policy at any time and for any reason. Any changes will be effective immediately when we post the updated cookie policy on our website. Users of our website waive the right to be notified of any such changes.

You are invited to review this Cookie Policy at any time to stay informed of any updates. You will be deemed to have noted and accepted the changes in any revised Cookie Policy if you continue to use the Website after the date of posting of such revised Cookie Policy.

In the following table, you will find a list of cookies that we use: