The data controller responsible for the processing of your personal data is:

Invisible-Light Labs GmbH
Taubstummengasse 11, 1040 Wien, Austria
Company Registration No. FN 505017y

Email: info@invisible-light-labs.com
Website: www.invisible-light-labs.com

Such as your name, email address, company name, position or title, and business contact details — typically provided when you contact us, place an order, request support, or engage in business communication.

Including IP address, browser type and settings, pages visited, time spent, interactions on our website, and cookies.

For example, when you register on our website or subscribe to newsletters, forums, or surveys.

Related to your inquiries, orders, fulfilment, delivery, invoicing, and support services. We may also receive contact information about employees or representatives of our clients, prospects, partners, and suppliers to facilitate business relationships and contractual obligations.

To respond to your enquiries and provide pre-sales support.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract or pre-contractual steps.

To process orders, arrange delivery and invoicing.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

To maintain records required by Austrian tax and commercial law (UGB/BAO).

Legal basis: Art. 6(1)(c) GDPR — legal obligation.

To send product updates and news where you have given consent.

Legal basis: Art. 6(1)(a) GDPR — consent (withdrawable at any time). You may withdraw your consent at any time by using the unsubscribe link in any marketing email or by contacting us at info@invisible-light-labs.com.

To operate and secure our website, and prevent fraud and misuse.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in secure and reliable website operation.

To manage relationships with clients, suppliers, and partners.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in maintaining business relationships.

To understand how visitors use our website and improve our content.

Legal basis: Art. 6(1)(a) GDPR — consent (via cookie banner).

Where we rely on legitimate interests as a legal basis (Art. 6(1)(f) GDPR), these consist of: operating our website securely and efficiently, maintaining business relationships with clients and partners, and preventing fraud and misuse. You have the right to object to processing based on legitimate interests at any time (see Your Rights section).

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Contact form and general enquiry data: 2 years from the date of last contact.

Contractual data (orders, invoices, delivery records): 7 years in accordance with Austrian commercial and tax law (UGB / BAO).

Newsletter subscriber data: Until you withdraw your consent or unsubscribe.

Website usage data and analytics: Up to 13 months from collection, depending on the tool used.

Business partner contact data: For the duration of the business relationship and 3 years thereafter.

We do not sell your personal data or share it with third parties for their own marketing purposes. However, we use trusted third-party service providers (processors) who process data on our behalf and under our instructions, in accordance with a Data Processing Agreement (DPA) as required by Art. 28 GDPR.

Categories of recipients may include:

— Web hosting and IT infrastructure providers
— Email service and CRM providers
— Payment and invoicing platforms
— Analytics and website performance tools (e.g. Google Analytics, if applicable)
— Customer support software providers

Our CRM and customer relationship data is managed in Odoo, operated by Odoo S.A. (Chaussée de Namur 40, 1367 Grand-Rosière, Belgium). Odoo S.A. is established within the EEA, meaning no international data transfer is required for this processing. Customer data stored in Odoo includes contact details, order history, and business communication records, and is processed on the basis of Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in maintaining business relationships).

All processors are contractually bound to process your data only on our documented instructions, implement appropriate security measures, and not engage further sub-processors without our prior written consent.

Some of our third-party service providers may be located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred to third countries, we ensure that appropriate safeguards are in place to protect your data in accordance with GDPR Chapter V.

The safeguards we rely on include:

— Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914)
— Adequacy decisions issued by the European Commission for certain countries

For example, our website uses Google reCAPTCHA, which is operated by Google LLC (USA). Data submitted via the contact form may be processed in the United States. Google LLC participates in the EU-U.S. Data Privacy Framework and processes data under Standard Contractual Clauses.

Our CRM processor Odoo S.A. is based in Belgium (EEA) and does not involve an international transfer.

You may request confirmation of whether we process your personal data, and if so, obtain a copy of it.

You may request correction of inaccurate or incomplete personal data we hold about you.

You may request deletion of your personal data where it is no longer necessary, you withdraw consent, or you object to processing and there are no overriding legitimate grounds.

You may request that we restrict the processing of your data in certain circumstances (e.g. while a dispute is being resolved).

Where processing is based on consent or contract and carried out by automated means, you may request a copy of your data in a structured, commonly used, machine-readable format.

You have the right to object at any time to the processing of your personal data based on legitimate interests (Art. 6(1)(f)), including profiling. You also have the absolute right to object to processing of your data for direct marketing purposes.

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. To withdraw consent, contact us at info@invisible-light-labs.com or use the unsubscribe link in any marketing email.

To exercise any of these rights or for questions related to data protection, please contact us at info@invisible-light-labs.com. We will respond to your request within one month of receipt. This period may be extended by up to two further months where necessary, in which case we will inform you.

If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Austria, this is:

Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40-42, 1030 Vienna, Austria
Phone: +43 1 521 52-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work.

We implement appropriate technical and organisational measures (TOMs) to protect your personal data against unauthorised access, loss, destruction, or misuse. These measures include, among others:

— Encryption of data in transit (TLS/SSL)
— Access controls and role-based permissions
— Regular security assessments and software updates
— Staff confidentiality obligations and awareness training

We do not use your data for automated profiling or automated decision-making within the meaning of Art. 22 GDPR that produces legal or similarly significant effects for you.

These are strictly necessary for the website to function (e.g. session management, security). They do not require your consent.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in secure and reliable website operation.

These are only placed with your prior consent, which we obtain via our cookie consent banner when you first visit the website.

Legal basis: Art. 6(1)(a) GDPR — consent.

You can withdraw or adjust your cookie consent at any time by clicking [Cookie Settings] in the footer of our website, or by configuring your browser to block or delete cookies. Please note that disabling certain cookies may affect the functionality of the website.

We do not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you. No decisions about you are made solely on the basis of automated processing.

We may update this Privacy Policy periodically to reflect changes in our data processing practices, legal requirements, or website functionality. The latest version will always be published on our website with an updated revision date. Where changes are significant, we will notify you by email or via a prominent notice on our website.

Last updated: April 2026

Questions about this policy? Contact us at info@invisible-light-labs.com