Privacy Policy
Last updated: 26/05/2026
General Information
We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy. When you use this website, various items of personal data are collected. Personal data is data that can be used to identify you personally.
Some data is collected when you provide it to us (e.g. through entries in a contact form). Other data is automatically collected by our IT systems when you visit the website (technical data in particular, e.g. internet browser, operating system, time of the page request, or IP address). This data is collected automatically as soon as you enter our website.
What do we use your data for? A large part of the data is collected to ensure the error-free provision of the website (ensuring technical operation and security of the website). Other data may be used to analyse your user behaviour, provided that we use analytics tools (details on this can be found later in this privacy policy).
Your rights: You have, among other things, the right to obtain information at any time, free of charge, on the origin, recipient, and purpose of your stored personal data. You also have other rights, such as the right to correction, deletion, or restriction of the processing of this data, which we explain in more detail in this privacy policy under “Data Subject Rights”. You also have the right to withdraw consent given for the future at any time, as well as the right to lodge a complaint with the competent supervisory authority.
Data Controller
The controller responsible for data processing on this website is:
eco Chalets GmbH
Zösenberg 51, 8045 Weinitzen, Austria
Phone: 0316 376200
Email: markus@hoam-house.at
The controller is the natural or legal person who, alone or jointly with others, decides on the purposes and means of the processing of personal data.
Hosting and Server Log Files
External Hosting
This website is hosted by an external service provider (host). Personal data collected on this website is stored on the host's servers. This may include IP addresses, meta and communication data, website accesses, contact data, usage data, contract data, and other data generated via a website. The host is used for the purpose of fulfilling a contract with our potential and existing customers (Art. 6 (1) (b) GDPR) and in our legitimate interest in a secure, fast, and efficient provision of our online offering through a professional provider (Art. 6 (1) (f) GDPR). Our host will only process your data to the extent necessary to fulfil its performance obligations and follow our instructions in relation to this data.
We have concluded a data processing agreement with the host to ensure GDPR-compliant processing.
Server Log Files
The provider of the pages (or our hosting provider) automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
• Browser type and browser version
• Operating system used
• Referrer URL (previously visited page)
• Host name of the accessing computer
• Time of the server request
• IP address
This data is not merged with other data sources.
This data is collected on the basis of Art. 6 (1) (f) GDPR. We have a legitimate interest in the technically error-free presentation and optimisation of this website – the server log files must be recorded for this purpose.
Contacting Us (Contact Form, Email, Phone)
If you send us enquiries via the contact form or by email/phone, your details, including the contact data you provided (name, email address, phone number, etc.), will be stored by us for the purpose of processing the enquiry and in case of follow-up questions. We do not pass this data on without your consent.
This data is processed on the basis of Art. 6 (1) (b) GDPR, provided that your enquiry is related to the performance of a contract or necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of enquiries addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if requested; consent can be withdrawn at any time.
The data you have submitted to us via contact enquiries remains with us until you request its deletion, withdraw your consent to its storage, or the purpose for the data storage no longer applies (e.g. after completion of the processing of your enquiry). Statutory retention obligations remain unaffected.
Appointment Bookings and Enquiries
If you book an appointment for a consultation via our website or send an enquiry, we store the data you provide in our PostgreSQL database. This data includes name, email address, phone number (optional), preferred appointment time, and any further notes.
In addition, as part of our usage analysis (see "Own usage analysis"), we record anonymised data on your interaction with the appointment booking function, but without any attribution to your person.
Email communication in connection with your enquiry or appointment booking takes place via our email service provider Resend (see section "Email Communication").
Website Analytics and Tracking
We use various technologies to analyse the use of our website in order to improve our offering and provide you with an optimal user experience. In the following, we explain which analytics methods we use and on what legal basis.
Google Analytics 4 with Consent Mode v2
This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses cookies and similar technologies to analyse the use of our website.
What data is collected with your consent?
If you accept analytics cookies, Google Analytics collects:
• Page views, clicks, and navigation
• Time spent on pages and bounce rates
• Demographic data (age, gender) via Google Signals
• Users' areas of interest
• Device information (browser, operating system, screen resolution)
• Geographical data (country, city)
• Traffic sources and campaign tracking
• User behaviour and conversions
• Cross-device tracking (Google Signals)
• IP address (truncated/anonymised)
IP anonymisation: We use Google Analytics with IP anonymisation. Your IP address is truncated by Google within the European Union or in the European Economic Area before being transferred to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.
Google Signals: With your consent to marketing cookies, we activate Google Signals, which allows Google to collect cross-device data and use it for remarketing purposes.
Legal basis: The use of Google Analytics with full functionality only takes place with your express consent (Art. 6 (1) (a) GDPR and § 25 (1) TTDSG). You can withdraw your consent at any time with effect for the future by adjusting the cookie settings.
Data transfer to the USA: The data collected is generally transferred to Google servers in the USA. The data transfer takes place on the basis of EU Standard Contractual Clauses or under the EU-US Data Privacy Framework. We have concluded a data processing agreement with Google.
Storage period: Data collected by Google Analytics is automatically deleted after 14 months (for user-based data) or after 2 months (for event-based data without a user ID).
Further information on Google Analytics can be found at: https://policies.google.com/privacy?hl=en
Cookieless Pings (Google Consent Mode v2)
Even if you reject analytics cookies, our website uses Google Analytics in "Consent Mode v2". This means that Google receives anonymised, cookieless "pings" that do not allow any conclusions to be drawn about your person.
What we collect:
• Anonymised page views (counting only, no user identification)
• Country of origin of your access (only country, no city or IP)
• Rough device category (desktop/mobile) – estimated by Google
What we do NOT collect:
• No cookies on your device
• No individual user tracking
• No profiling
• No sharing with advertising partners
• No demographic data (age, gender, interests)
Legal basis: The cookieless pings are based on our legitimate interest (Art. 6 (1) (f) GDPR) in anonymised website analytics. Since no personal data is collected and no cookies are set, no consent is required.
Your right to object: You can also deactivate this anonymised collection via the Google Analytics browser add-on.
Own usage analysis (PostgreSQL database)
In addition to Google Analytics, we operate our own analytics system based on a PostgreSQL database. This is done independently of your cookie consent on the basis of our legitimate interest in optimising our website and security monitoring.
What data is collected?
• Session ID (anonymous session identifier, no personal data)
• Timestamps of page views
• Visited pages and click paths
• Click and scroll behaviour (via data-tracking-id attributes)
• Configurator selection and configuration data (anonymised)
• Geographical data (country, city – determined via IP hash)
• Traffic source (referrer URL, UTM parameters)
• Device information (browser, operating system)
• Time spent on the website
• IP address (hashed for anonymisation, not stored in plain text)
Purpose of processing:
• Optimisation of website functionality and user experience
• Security monitoring and abuse detection
• Analysis of configurator usage to improve our products
• Technical error analysis
• Understanding user behaviour to optimise our offering
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest). Our legitimate interest lies in the optimisation of our website, ensuring security, and improving our offering. The IP address is hashed so that no direct identification is possible.
Data storage: Session data is stored in a PostgreSQL database. Detailed analytics data is retained for 30 days, after which it is deleted or aggregated into statistics (without personal reference).
Data processor: The database is operated by our hosting provider NeonDB. We have concluded a data processing agreement.
Your right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of your data based on Art. 6 (1) (f) GDPR. Please contact us using the contact details given above.
Payment Processing
Stripe (payment service provider)
We use the payment service provider Stripe to process payments on our website. The provider is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
What do we use Stripe for?
Stripe is used for payment of our Concept Check service (€3,000). Via Stripe, you can pay securely and encrypted by credit card, SEPA direct debit, or other available payment methods.
What data is transmitted to Stripe?
When you make a payment via Stripe, the following data is transferred to Stripe:
• Name and email address
• Payment information (credit card data, bank details – depending on the chosen payment method)
• Transaction ID and amount
• Billing address (if provided)
• IP address (for fraud prevention)
Important: Payment information (e.g. credit card number) is processed directly by Stripe and is never stored on our servers. We only receive confirmation from Stripe regarding successful or failed payments and an anonymised transaction ID.
Legal basis: The data processing takes place on the basis of Art. 6 (1) (b) GDPR (contract performance). The processing of your data by Stripe is necessary to carry out the payment ordered by you.
Data security: Stripe meets the strict PCI-DSS standards (Payment Card Industry Data Security Standard) for the secure processing of payment data. We have concluded a data processing agreement with Stripe.
Data transfer to the USA: Stripe may transfer data to the USA. The transfer takes place on the basis of EU Standard Contractual Clauses or under the EU-US Data Privacy Framework.
Further information on data protection at Stripe can be found at: https://stripe.com/privacy
Email Communication
Resend (email delivery service)
For sending transactional emails (e.g. appointment confirmations, payment confirmations) we use the email service Resend. The provider is Resend, Inc., based in the USA.
Which emails are sent via Resend?
• Confirmation of appointment bookings
• Confirmation of Concept Check purchases
• Responses to contact form enquiries
• Other transactional emails related to your enquiries
What data is transmitted to Resend?
• Your email address (recipient)
• Your name (if provided)
• Email content (subject and message text)
• Timestamp of dispatch
Legal basis: Processing takes place on the basis of Art. 6 (1) (b) GDPR (contract performance), provided that the email is related to a contractual relationship, or on the basis of Art. 6 (1) (f) GDPR (legitimate interest in efficient email communication).
Data transfer to the USA: Resend is a US service, so your email data may be transferred to the USA. The transfer takes place on the basis of EU Standard Contractual Clauses. We have concluded a data processing agreement with Resend.
Storage period: Resend stores sent emails for a maximum of 30 days for delivery and error logging. After that, the email data is deleted.
Further information on data protection at Resend can be found at: https://resend.com/privacy
Google Services and External Tools
Note on data transfer to the USA
We would like to point out that when using Google tools, website visitor data may be transferred to the USA. The USA is currently considered by the European Court of Justice to be a country with a level of data protection that is inadequate by EU standards. US companies such as Google are required to disclose personal data to security authorities without you, as the data subject, being able to take legal action against this. To ensure a level of data protection in the USA comparable to that in the EU, we have concluded EU Standard Contractual Clauses with the providers that process data in the USA, or ensure that appropriate certifications (e.g. EU-US Data Privacy Framework) are in place. The data transfer to Google therefore takes place on the basis of the Standard Contractual Clauses or an adequate level of data protection in accordance with Art. 44 et seq. GDPR.
Google Maps
This site uses the Google Maps map service via an API. The provider is also Google Ireland Limited, Dublin, Ireland. In order to use Google Maps functions, it may be necessary to store your IP address. This information is generally transferred to a Google server and stored there, with a possible transfer to the USA. The provider of this site has no influence on this data transfer.
Google Maps is used in the interest of an appealing presentation of our online offering and making it easy to find the places we have indicated on the website. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. If consent has been requested, processing takes place exclusively on the basis of Art. 6 (1) (a) GDPR; consent can be withdrawn at any time.
Data transfer to the USA takes place, as mentioned above, on the basis of EU Standard Contractual Clauses or under the EU-US Data Privacy Framework. More information on the handling of user data can be found in Google's privacy policy.
YouTube
Our website embeds videos from the YouTube platform. The provider is Google Ireland Limited, Dublin, Ireland. We use YouTube in “extended privacy mode”. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch a video. However, a connection to YouTube servers is established when a YouTube video is started. In doing so, the YouTube server is informed which of our pages you have visited.
If you are logged in to your YouTube account, you allow YouTube to associate your surfing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, YouTube may store various cookies on your device after starting a video or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve user-friendliness, and prevent fraud attempts. After the end of a YouTube video, further data processing operations may be triggered over which we have no influence.
We use YouTube in the interest of an appealing presentation of our online offerings. This constitutes a legitimate interest pursuant to Art. 6 (1) (f) GDPR. If consent has been requested, processing takes place exclusively on the basis of Art. 6 (1) (a) GDPR; consent can be withdrawn at any time.
Further information on data protection at YouTube can be found in their privacy policy at: https://policies.google.com/privacy?hl=en.
Google Web Fonts
This site uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly. To do this, the browser you use connects to Google servers. This means that Google knows that our website has been accessed via your IP address. If your browser does not support web fonts, a default font is used by your computer.
The use of Google Web Fonts takes place in the interest of a uniform and appealing presentation of our online offerings (legitimate interest pursuant to Art. 6 (1) (f) GDPR). If consent has been obtained, processing of the data takes place exclusively on the basis of Art. 6 (1) (a) GDPR; consent can be withdrawn at any time.
Data transfer to the USA takes place either on the basis of Standard Contractual Clauses or under an adequacy decision (e.g. EU-US Data Privacy Framework). Further information on Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google's privacy policy: https://policies.google.com/privacy?hl=en.
B2B Supplier Communication and RFQ Processing
As part of our procurement activities (obtaining quotes, placing orders with suppliers and subcontractors), we operate an internal system for processing business correspondence with our suppliers. Via the email address jan@hoam-house.com, we send out enquiries and receive offers that are then systematically evaluated.
Who is affected?
This processing exclusively concerns business partners (suppliers, subcontractors, trade companies) to whom we send enquiries for works or material deliveries, or from whom we receive offers. Consumers (end customers) are not affected by this processing.
What data do we process?
• Company contact data: name, address, email address, phone, website, contact person (where known) – obtained from public sources (Austrian commercial register, WKO directory, Maps, our own preliminary research) or from the supplier's response itself
• Business correspondence: content of our enquiries, content of incoming offers (incl. pricing information, lead times, technical specifications, terms)
• Attachments: PDFs, images, calculations a supplier provides to us
• Mail metadata: sender/recipient addresses, subject lines, timestamps, message IDs, bounce/delivery status events from the mail provider
Legal basis
Processing is carried out on the basis of legitimate interests (Art. 6 (1) (f) GDPR) – specifically: carrying out procurement processes, evaluating offers, documenting the selection decision in accordance with commercial-law retention obligations (§ 132 BAO, § 212 UGB – 7 or 10 years, respectively). Insofar as a contractual relationship arises from the initial discussions, Art. 6 (1) (b) GDPR (contract performance) also applies as a legal basis.
Storage period
• Active enquiries and responses: for the duration of the ongoing business relationship
• Completed cases: up to 10 years (commercial-law retention obligation for business correspondence, § 212 UGB)
• Email attachments in Google Drive: in parallel with the above periods, mirrored in the local database
• At the request of the business partner, early deletion takes place – provided no statutory retention obligations preclude this
Data processors (Art. 28 GDPR)
For the technical processing of supplier communication, we use the following service providers. Data processing agreements (for US-based providers additionally EU Standard Contractual Clauses, SCC 2021/914) have been concluded with all of them:
| Service | Function | Location/Region |
|---|---|---|
| Resend, Inc. | Outbound mail delivery (SMTP relay, bounce tracking) | US (SCC EU 2021/914) |
| Google LLC / Google Ireland Ltd. | Mail reception (Gmail Workspace), file storage (Google Drive), AI analysis (Vertex AI Gemini 2.5 Flash) – EU workspace account, Vertex AI in region europe-west3 (Frankfurt) | IE / EU |
| Anthropic, PBC | AI classification of incoming mail content (Claude Sonnet) | US (SCC EU 2021/914) |
| Vercel Inc. | Web hosting of the backend application | US (SCC EU 2021/914) |
| Neon, Inc. | PostgreSQL database, region eu-central-1 (Frankfurt) | US holding, EU data storage |
Automated processing
The content of incoming supplier responses is automatically analysed by AI models in order to extract prices, lead times, material specifications, and conditions in a structured form. This automated processing serves exclusively for internal comparability and preparation of our decision – it does not lead to a legally or commercially binding automated individual decision for the business partner within the meaning of Art. 22 GDPR. The final award of the contract is always made by a human employee (management or site management).
Transfer to third countries
The processing of AI content via Anthropic takes place on US servers. The legal basis is Art. 49 (1) (b) GDPR (contract performance) in combination with the EU Standard Contractual Clauses (SCC 2021/914). With Vertex AI (Google), processing takes place in the EU region – the data location is europe-west3 (Frankfurt). Outbound mail delivery via Resend and backend hosting via Vercel may also involve transfer to the USA; here too, SCC provide the legal basis pursuant to Art. 44 et seq. GDPR.
Rights of the business partners
Business partners have the right to:
• Information (Art. 15 GDPR) – what we have specifically stored about them and their company
• Rectification (Art. 16 GDPR) – correction of incorrect or outdated data
• Erasure (Art. 17 GDPR) – insofar as not blocked by statutory retention obligations
• Restriction of processing (Art. 18 GDPR) – for the duration of an ongoing review
• Objection (Art. 21 GDPR) – against processing on the basis of legitimate interests
• Data portability (Art. 20 GDPR) – export in a structured, common format
Please direct data protection enquiries from business partners to: datenschutz@hoam-house.com. General business enquiries continue to reach us at info@hoam-house.com or office@hoam-house.com.
Storage Duration
Insofar as no more specific storage period is mentioned within this privacy policy, your personal data will remain with us until the purpose for processing the data ceases to apply. If you submit a justified request for deletion or withdraw your consent to data processing, your data will be deleted, provided that we are not legally obliged to continue storing it (e.g. tax or commercial law retention periods). In the latter case, deletion takes place after the corresponding obligations have ceased to apply.
Specific retention periods at a glance
Cookies:
• Necessary cookies: 7 to 365 days (depending on cookie type)
• Analytics cookies (Google Analytics): up to 2 years
• Marketing cookies: up to 90 days
• Cookie consent: 12 months (then renewed query)
Website analytics data:
• Google Analytics: user-based data 14 months, event-based data 2 months
• Own usage analysis (PostgreSQL): detailed session data 30 days, then only aggregated statistics (without personal reference)
Contact enquiries and appointment bookings:
Your contact data is stored until the purpose of data processing ceases (e.g. after completion of the processing of your enquiry or after the appointment has taken place). Thereafter it will be deleted, provided that no statutory retention obligations exist.
Payment data (Concept Check):
Transaction data is retained in accordance with tax and commercial law retention obligations for 7 to 10 years (§ 132 BAO, § 212 UGB). Payment information (credit card data) is not stored by us, but processed exclusively by Stripe.
Email communication (Resend):
Email delivery logs are stored by Resend for a maximum of 30 days.
Server log files:
Server log files are usually automatically deleted after 7 to 14 days.
Data Subject Rights
As a data subject within the meaning of the GDPR, you have the following rights:
• Right to information (Art. 15 GDPR): you have the right to obtain information about your personal data processed by us.
In particular, you can request information about the processing purposes, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right of rectification, deletion, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data (if we have not collected it from you) and – where applicable – the existence of automated decision-making including profiling.
• Right to rectification (Art. 16 GDPR): you have the right to immediately request the rectification of incorrect or completion of your personal data stored with us.
• Right to erasure (Art. 17 GDPR): you have the right to request the deletion of your personal data stored with us, provided that processing is not necessary. This is the case, for example, if your data is no longer necessary for the purposes for which it was collected, you have withdrawn your consent, or processing was unlawful.
• Right to restriction of processing (Art. 18 GDPR): you have the right to request the restriction of the processing of your personal data as long as the accuracy of the data is contested by you, if you request the restriction of processing instead of deletion, if we no longer need the data but you require it for the establishment, exercise, or defence of legal claims, or if you have objected to the processing as long as it has not yet been determined whether our legitimate grounds override.
• Right to data portability (Art. 20 GDPR): you have the right to receive the personal data concerning you that you have provided to us in a common, machine-readable format, or to request transmission to another controller, insofar as this is technically feasible.
• Right to object (Art. 21 GDPR): if your data is processed on the basis of legitimate interests (Art. 6 (1) (f) GDPR) or in the public interest (Art. 6 (1) (e) GDPR), you have the right, on grounds relating to your particular situation, to object at any time to such processing.
If your data is processed for the purpose of direct marketing, you have a general right to object, which is implemented by us without you having to state a particular situation.
• Right to withdraw consent (Art. 7 (3) GDPR): you have the right to withdraw any consent given to the processing of your data at any time with effect for the future. The lawfulness of processing up to the point of withdrawal remains unaffected.
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): if you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority.
You can, for example, contact the data protection authority in the member state of your place of residence, your place of work, or the place of the suspected infringement. In Austria, the competent supervisory authority is the Austrian Data Protection Authority (Barichgasse 40–42, 1030 Vienna, www.dsb.gv.at).
Updates and Changes to this Privacy Policy
This privacy policy is dated May 2026.
We reserve the right to adapt the content of this declaration at any time if this should be necessary (e.g. in the event of legal changes or new offerings on our website). The current privacy policy can be viewed on our website at any time.
As of: 26/05/2026