Privacy Policy
Here you will find the privacy policy of fynk GmbH as a downloadable PDF document:
Current privacy policy of fynk GmbH (last amended on November 18, 2025)
Introduction
Thank you for your interest in our online offering. The protection of your personal data is very important to us. Below, we provide information about what data is collected when you visit our website, how it is processed, and what rights you have with regard to your personal data. This privacy policy applies to the website at the domain https://fynk.com/en/ and all subpages. It is intended for all users of our website, regardless of whether they have a contractual relationship with us.
Information about the Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
fynk GmbH
Heinrichsgasse 2/1/8
1020 Vienna
Austria
Email: [email protected]
Data Protection Officer
You can contact our data protection officer at:
Kertos GmbH
Brienner Str. 41
80333 Munich
Germany
DPO: Dr. Kilian Schmidt
Email: [email protected]
Data processing when visiting our website
Introduction
When you visit our website, certain data is automatically collected that is necessary for the technical operation, security, and presentation of the website. This processing takes place regardless of whether you actively contact us.
In addition, various technically necessary services (such as content delivery networks) are used to improve the functionality and reach of our website. Cookies and other technologies used for statistical analysis or marketing purposes are only set with your express consent.
Categories of personal data processed
- IP address
- Browser type and version
- Operating system
- Referrer URL
- Host name of the accessing device
- Time of the server request
- Individual cookie settings, if applicable (Consent)
Recipients of the data
- Hosting service providers
- Technical service providers for the operation and security of the website
- Content delivery networks (see relevant sections)
- Providers of web analysis and marketing services (only with consent, see sections under “Data processing when using third-party providers”)
Legal basis and purpose
The processing of the aforementioned data is necessary for the provision of the website and to ensure its security. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest). Our legitimate interest lies in the secure and technically error-free operation of the website. For services that are only activated after consent has been given, Art. 6 (1) (a) GDPR in conjunction with § 165 (3) TKG 2021 applies.
Duration of storage
The log file data is stored for a maximum of 60 days and then automatically deleted, unless there is a legal obligation to store it for longer or the data is required in individual cases to investigate security-related incidents.
Storage of data on your device
Introduction
We use cookies and similar technologies to provide certain functions and to store your privacy settings. This data is stored locally on your device. Certain cookies are technically necessary and are set automatically. Other cookies—in particular those used for analysis or marketing purposes—are only activated after you have given your express consent.
Your consent is managed using the consent management tool “Klaro,” which stores a technically necessary cookie to document your selection.
Categories of personal data processed
- Cookie IDs
- Consent status (consent or rejection of individual services)
- Time stamp of consent
- Pseudonymized usage data, if applicable (depending on the selected service)
Recipients of the data
- Providers of the respective activated third-party services (e.g., analysis or marketing tools, see following sections)
Legal basis and purpose
- For technically necessary cookies: Art. 6 (1) (f) GDPR in conjunction with § 165 (3) TKG 2021. Our legitimate interest lies in the technically error-free provision of the website.
- For all other cookies: Art. 6 (1) (a) GDPR in conjunction with § 165 (3) TKG 2021. Storage and processing only takes place after you have given your voluntary and informed consent via our consent banner.
Duration of storage
The storage duration of individual cookies depends on the respective service and can vary between a few minutes and several years. Details can be found in the sections on the respective services used and in your browser’s cookie settings.
Data processing when using third-party providers
Use of Matomo (analysis tool, self-hosted)
Introduction
We use the open source software Matomo to analyze the usage behavior of our website visitors. The software is hosted on our own servers, so no data is transferred to third parties. The analysis is anonymous, without creating user profiles or storing IP addresses in full.
Categories of personal data processed
- IP address (truncated and anonymized)
- Usage behavior (e.g., pages viewed, length of stay, click paths)
- Device information (e.g., browser, operating system, screen resolution)
- Geographical origin (approximate region based on IP)
Recipients of the data
No external recipients, as Matomo is operated on our own servers.
Legal basis and purpose
Processing is based on your consent in accordance with Art. 6 (1) (a) GDPR in conjunction with § 165 (3) TKG 2021.
The purpose is the statistical evaluation of website usage to improve content and functionality.
Conversion Tracking (marketing services such as Google, Meta, Reddit, etc.)
We use various conversion tracking services on our website to improve our marketing measures and measure the success of advertising campaigns. These services enable us to recognize whether users have accessed our website through specific marketing measures (e.g., advertisements or affiliate links). The providers are informed that our website has been accessed via your IP address. Individual services may also integrate so-called pixels or scripts in order to assign visits to our website to specific target groups or to track conversions (e.g., submitted forms). These services are only activated with your express consent in accordance with Art. 6 (1) (a) GDPR in conjunction with § 165 (3) TKG 2021. You can revoke your consent at any time via our consent management tool.
Categories of personal data processed
- IP address
- Time of visit
- Referrer URL
- Information on user behavior (e.g., pages viewed, clicks)
- Device information, browser type, operating system, if applicable
Recipients of the data
- Meta Platforms Ireland Ltd. (Facebook, Instagram)
- Google Ireland Limited (Google Ads, Google Tag)
- Microsoft Ireland Operations Limited (Microsoft Advertising)
- Reddit Inc.
- TikTok Technology Limited
- Capterra Inc.
- FirstPromoter Inc.
- Cello Inc.
- Leadinfo B.V.
- LinkedIn Ireland Unlimited Company
Data transfer to third countries (e.g., the USA) cannot be ruled out. Some providers use EU standard contractual clauses to ensure an adequate level of data protection.
Legal basis and purpose of processing
Processing is carried out exclusively on the basis of your consent in accordance with Art. 6 (1) (a) GDPR and § 165 (3) TKG 2021. The purpose is to measure reach, measure the success of advertising measures, and optimize our marketing strategy.
Duration of storage
The storage period varies depending on the provider and can be several months. For details, please refer to the information in our consent management tool or the privacy policies of the respective providers.
Applications and recruiting (Join.com)
We use the Join.com service to carry out our application and recruiting process. This involves processing applicants’ personal data in order to manage incoming applications, carry out application procedures, and select suitable candidates.
Categories of personal data processed
- Master data (e.g., name, address, contact details)
- Application documents (e.g., resume, cover letter, references)
- Communication content (e.g., emails or notes from job interviews)
- Other information provided by applicants
Recipients of the data
Join Solutions AG (Join.com), Zurich, Switzerland. Data processing is carried out by Join.com as a processor on the basis of a contract in accordance with Art. 28 GDPR. Join Solutions AG is based in Switzerland. The EU Commission has issued an adequacy decision for Switzerland in accordance with Art. 45 GDPR, meaning that no additional transfer instrument is required.
Legal basis and purpose of processing
Processing is carried out to safeguard our legitimate interests or to implement pre-contractual measures at the request of the data subject (Art. 6(1)(b) GDPR).
Duration of storage
The data will be stored for the duration of the application process. If no employment relationship is established, the data will be deleted no later than 6 months after completion of the process, unless longer storage is required due to legal obligations or consent to inclusion in a talent pool.
Appointment booking (Cal.com)
We provide an online booking tool from Cal.com for arranging appointments. You can view available time slots and book an appointment directly via a link provided. Processing takes place directly via our website or a booking page hosted by Cal.com.
Categories of personal data processed
- Name
- Email address
- Telephone number, if applicable
- Booked time
- Voluntary information (e.g., concerns or notes)
Recipients of the data
Cal.com acts as a data processor. A data processing agreement in accordance with Art. 28 GDPR has been concluded. The transfer of personal data to the USA cannot be ruled out. To protect this data, the standard contractual clauses issued by the European Commission (Art. 46 (2) (c) GDPR) have been concluded with Cal.com to ensure an adequate level of data protection.
Legal basis and purpose of processing
Processing is carried out on the basis of Art. 6(1)(b) GDPR for the preparation and execution of appointments (pre-contractual measure) or, in the case of general information meetings, on the basis of Art. 6(1)(f) GDPR. The purpose is the efficient coordination and planning of appointments.
Duration of storage
The data will be deleted as soon as it is no longer required for the purpose for which it was collected, but no later than 6 months after the booked appointment – unless further legal retention periods apply.
Contact form (Pipedrive)
If you contact us via the contact form provided on the website or by email, the data you enter will be transmitted to us and processed. The technical implementation and transmission is carried out via the Pipedrive service.
Categories of personal data processed
- Name
- Email address
- Content of the message
- Any other voluntary information
- Time of the request
Recipients of the data
Pipedrive OÜ, Estonia, as the technical service provider for the processing of contact form data. The cooperation is based on a data processing agreement in accordance with Art. 28 GDPR.
Legal basis and purpose of processing
Processing is based on Art. 6(1)(b) GDPR, insofar as your request is related to the performance of a contract or pre-contractual measures. In all other cases, processing is based on our legitimate interest in responding to your request (Art. 6(1)(f) GDPR).
Duration of storage
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. This is usually the case when the respective conversation with you has been concluded and there are no legal retention requirements.
Direct communication via email (Mailcoach)
If you contact us directly via email, the data you enter will be processed in order to handle your request. The technical transmission is carried out via the Mailcoach email service or that of Microsoft.
Categories of personal data processed
- Name
- Email address
- Content of your message
- Technical header information of the email
- Any other voluntary information
Recipients of the data
- Spatie BV (Mailcoach), Belgium, as a technical email service provider within the framework of a data processing agreement in accordance with Art. 28 GDPR
- Microsoft Ireland Operations Limited as a technical service provider for form processing. The cooperation is based on a data processing agreement pursuant to Art. 28 GDPR. The transfer of personal data to the USA cannot be ruled out. Any data transfer is based on the adequacy decision of the EU Commission pursuant to Art. 45 GDPR, as Microsoft Corporation is certified under the EU-U.S. Data Privacy Framework.
Legal basis and purpose of processing
Processing is based on Art. 6(1)(b) GDPR, insofar as your request is related to the performance of a contract or pre-contractual measures. In all other cases, processing is based on Art. 6(1)(f) GDPR (legitimate interest in efficient communication).
Duration of storage
The data will be deleted as soon as it is no longer required for processing your request and there are no legal retention obligations.
Use of Zapier for process automation
Introduction
The Zapier service is used to automate internal processes and link various web services. Zapier enables the automated transfer of data between different applications (e.g., from contact forms to internal tools or email systems). This may also involve the processing of personal data.
Categories of personal data processed
- Contact details (e.g., name, email address, telephone number)
- Content data (e.g., message content from forms)
- Usage data (e.g., timestamp, form source)
Recipients of the data
- Zapier Inc., 548 Market St. #62411, San Francisco, CA 94104, USA
Legal basis and purpose
Processing is carried out on the basis of Art. 6 (1) (f) GDPR (legitimate interest). Our legitimate interest lies in the efficient design of processes and the internal processing of transmitted data.
Data transfer to third countries
Zapier also processes data in the USA. Data is transferred on the basis of the adequacy decision of the EU Commission pursuant to Art. 45 GDPR, as Zapier Inc. is certified under the EU-U.S. Data Privacy Framework.
Duration of storage
Data transmitted automatically via Zapier is only processed for the duration necessary for forwarding and logging. The actual storage then takes place in the respective connected system (e.g., CRM, email system). The retention periods specified there apply.
Hosting and technical infrastructure
Introduction
We use technical infrastructure and hosting services to provide and securely operate our website. These are necessary to deliver website content, process requests, ensure security, and enable basic functionality.
Categories of personal data processed
- IP address
- Time and duration of access
- Browser and operating system information
- Referrer URL
- Host name of the accessing computer
- Other technical usage data
Recipients of the data
- Technical operators and, if applicable, maintenance partners within the scope of order processing relationships
- Cloudflare Inc., USA (CDN and security services, e.g., bot management)
- Google Trust Services LLC, USA (SSL certificate provider, indirectly through TLS communication)
Legal basis and purpose
- Art. 6(1)(f) GDPR (legitimate interest in the secure, stable, and efficient operation of the website)
- Section 165(3) TKG 2021 (technically necessary storage and access to end devices)
Purposes:
- Delivery of the website
- Protection against attacks and misuse
- Performance optimization
- Bot detection and protective measures (e.g., through Cloudflare’s __cf_bm cookie)
Duration of storage
- Log data: up to 60 days, unless deleted earlier by a system routine
- TLS certificates: ongoing communication, no storage of personal data by the certificate provider
- CDN access: temporary and technically limited to the provision of content
Applications and Application process
Introduction
When you apply for a position with us, we process your personal data for the purpose of conducting the application process. This includes, in particular, reviewing your documents, communicating with you, and preparing any contract documents.
Categories of personal data processed
In this context, we process the following categories of data in particular:
- Master data (e.g., name, contact details, date of birth)
- Application documents (e.g., resume, references, cover letter, application photo)
- Communication data (e.g., correspondence, interview notes)
- If applicable, special categories of personal data within the meaning of Art. 9 GDPR (e.g., information on severe disability), if voluntarily disclosed
Recipients of the data
The data is processed exclusively internally by the persons entrusted with the selection process. If external service providers (e.g., application portals such as Join.com) are involved in the process, this is done within the framework of order processing in accordance with Art. 28 GDPR. Data will only be transferred to third countries if there is an adequacy decision in accordance with Art. 45 GDPR or suitable safeguards in accordance with Art. 46 GDPR, or if you have expressly consented to this.
Legal basis and purpose
Processing is carried out to implement pre-contractual measures at your request, i.e. on the basis of Art. 6 (1) (b) GDPR. Insofar as special categories of personal data are processed, the processing is based on Art. 9 (2) (b) GDPR. The purpose is to assess your suitability for the advertised position and to carry out the selection process.
Duration of storage
Your application documents will generally be deleted six months after completion of the application process, unless there is a legal obligation to store them for longer or you have expressly agreed to longer storage (e.g., for inclusion in an applicant pool).
Information for customers, suppliers, and business partners
Introduction
We also process personal data outside of visits to our website if you have a business relationship with us—for example, as a customer, supplier, or other business partner. The following information relates to this processing in the context of communication, contract processing, and the management of business relationships.
Categories of personal data processed
- Contact details (e.g., name, email address, phone number)
- Company-related data (e.g., company name, position, business address)
- Contract and billing data
- Correspondence (e.g., email history, notes from phone calls)
- Payment information (if necessary)
- Log data when using digital tools (e.g., video conferencing tools), if applicable
Recipients of the data
- Internal departments involved in contract processing
- Technical service providers (e.g., hosting, email providers, accounting), if involved as processors
- Payment service providers, banks
- Public authorities in the case of legal obligations
Legal basis and purpose
- Art. 6 (1) (b) GDPR (contract execution and initiation)
- Art. 6 (1) (f) GDPR (legitimate interest in business communication, customer care, legally compliant processes)
- Art. 6 (1) (c) GDPR (statutory retention obligations)
Purposes:
- Communication
- Implementation of pre-contractual measures
- Contract fulfillment
- Maintenance of business relationships
- Fulfilment of legal obligations (e.g. under commercial and tax law)
Duration of storage
- In accordance with statutory retention obligations (usually 6–10 years)
- Other data is deleted as soon as the purpose no longer applies and there is no retention obligation
Direct registration
Introduction
If you register directly on our website (e.g., to use a customer area or to manage your data), we process the personal data provided in the form to give you access to protected areas and functions.
Categories of personal data processed
- First and last name
- Email address
- Phone number
- Company name
- Position in the company, if applicable
- IP address
- Usage data
Recipients of the data
Hosting and IT service providers, processors for user administration, if applicable
Legal basis and purpose
Art. 6 (1) (b) GDPR - Implementation of (pre)contractual measures. The purpose is to set up and manage a user account.
Duration of storage
Until the account is deleted or after the expiry of statutory retention obligations.
Management of user databases
Introduction
We use an internal user database to manage existing contacts and for targeted communication. This may contain data from contact forms, registrations, or other interactions on our website.
Categories of personal data processed
- First and last name
- Email address
- Phone number
- Company affiliation
- Position
- Interaction data
- Publicly available profile information (e.g., LinkedIn), if applicable
Recipients of the data
CRM service providers (e.g., Pipedrive) or marketing platforms as processors (e.g., via Zapier), internal departments
Legal basis and purpose
Art. 6(1)(f) GDPR - legitimate interest. The purpose is the structured maintenance and targeted addressing of existing business contacts.
Duration of storage
As long as there is a legitimate interest in maintaining contact, at most until the entry is objected to or deleted.
Links to social media channels
Introduction
Our website contains links to our profiles on external social networks (e.g., LinkedIn, Instagram, Facebook). These are exclusively static links (external hyperlinks), not plugins or direct integrations (so-called “social plugins”).
Categories of personal data processed
The mere display of these links on our website does not transmit any personal data about you to the respective social networks. Only when you actively click on such a link is a connection established with the respective provider, whereby the following data in particular may be transmitted:
- Your IP address
- Information about the browser and operating system used
- The page you visited from which you were redirected
Recipients of the data
After clicking on a social media link, the respective privacy policies of the external service provider apply. We have no influence on what data is collected, stored, or processed there. Possible recipients are:
- Meta Platforms Ireland Ltd. (Facebook, Instagram)
- LinkedIn Ireland Unlimited Company
- TikTok Technology Limited and TikTok Information Technologies UK Limited (TikTok)
Legal basis and purpose
The links are set on the basis of our legitimate interest pursuant to Art. 6 (1) (f) GDPR in an appealing presentation of our online offerings and to promote communication with our customers, partners, and interested parties via external platforms.
Duration of storage
Since no personal data is processed on our website itself by the mere linking, we do not store any data. Further processing on the platforms is subject to the respective data protection regulations of the providers.
Data transfer to third countries or international organizations
Introduction
Within the scope of our website and the associated services, personal data may be transferred to so-called third countries outside the European Economic Area (EEA). This applies in particular to the use of certain tools or platforms by external providers.
Categories of personal data processed
This applies in particular to:
- IP addresses,
- cookie IDs,
- technical usage data (e.g., browser type, device used),
- content data from forms, if processed by the services concerned.
Recipients of the data and third-country reference
The following providers and tools may involve a transfer to a third country:
- Meta Platforms Ireland Ltd. / Meta Platforms Inc. (USA) (e.g., Facebook Pixel, Instagram)
- Google Ireland Ltd. / Google LLC (USA) (e.g., Google Ads, Google Fonts – locally integrated, but contact with CDN possible)
- Microsoft Ireland Operations Ltd. / Microsoft Corp. (USA) (marketing tools)
- Reddit Inc. (USA)
- TikTok Technology Limited / TikTok Inc. (USA)
- Zapier Inc. (USA) (automation of processes)
- Cal.com Inc. (USA) (appointment booking)
Some of the services are offered via European subsidiaries. Nevertheless, due to the technical infrastructure, access to data by the parent companies in third countries, in particular in the USA, cannot be ruled out.
Legal basis and protective measures
The transfer of personal data to third countries is based either on an adequacy decision by the European Commission pursuant to Art. 45 GDPR (in particular for providers certified under the EU–US Data Privacy Framework) or on standard contractual clauses pursuant to Art. 46 (2) c GDPR. Where necessary, additional technical and organizational measures are used to protect your data, such as encryption or pseudonymization. Further details on the guarantees used in each case can be found in the privacy policy of the respective service provider.
Duration of storage
The specific storage period depends on the respective service and is explained in the relevant sections of this privacy policy.
Further information
Obligation to provide your data / consequences of not providing it
The provision of your personal data is generally neither required by law nor contractually stipulated. However, for certain services (e.g., appointment booking, contacting us, or applying for a job), the provision of certain data is necessary in order to use the respective service. You are not obligated to provide us with your data. In this case, however, we may not be able to process your request or provide certain functions.
Automated decisions and profiling
We do not use automated decision-making within the meaning of Art. 22 GDPR. However, in the context of web analysis and marketing services, target group assignment (“profiling”) may take place based on your user behavior, e.g., for the purpose of displaying interest-based advertising. This is done exclusively with your express consent and on the basis of the services mentioned in section 5.
Rights of the data subject
As a data subject, you have the following rights in connection with the processing of your personal data by us in accordance with the General Data Protection Regulation (GDPR):
Your rights:
- Information (Article 15 GDPR): You have the right to request information about the personal data we process about you.
- Rectification (Art. 16 GDPR): You have the right to have inaccurate or incomplete personal data corrected.
- Erasure (Art. 17 GDPR): You can request the erasure of your personal data, provided that there is no legal obligation to retain it or any other legitimate reason.
- Restriction of processing (Art. 18 GDPR): Under certain conditions, you have the right to request the restriction of the processing of your data.
- Data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format or to have it transferred to another controller.
- Objection (Art. 21 GDPR): You may object to the processing of your personal data if it is based on Art. 6(1)(e) or (f) GDPR.
- Withdrawal of consent (Art. 7(3) GDPR): You have the right to withdraw your consent at any time with effect for the future.
- Right to lodge a complaint: If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria
Telephone: +43 1 52 152-0
Email: [email protected]
Version 2.0, last changed November 18, 2025.

