1. Data Controller (pursuant to Art. 4(7) GDPR)

[YOUR NAME]

[YOUR ADDRESS]

Austria

Email: [YOUR EMAIL]

Zeitgeist is operated as an Austrian business subject to Austrian and European Union data protection law. As the data controller, we determine the purposes and means of processing your personal data.

Information obligation pursuant to §5 E-Commerce Act (ECG), §14 Austrian Trade Regulation Act (GewO), and §25 Media Act (MedienG): see our Impressum for full disclosure.

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Data you provide directly

Data | When Collected | Required
Email address | When you subscribe to the daily brief | Yes
Name | Optionally provided during subscription | No
Topic / industry preferences | When you select interest topics (e.g., AI, SaaS, Fintech) | No

2.2 Data collected automatically

Data | How Collected | Purpose
Visitor ID (pseudonymous) | Generated via localStorage and stored in your browser | Analytics (unique visitor counting)
Page views (URL path) | Tracking pixel on page load | Understanding content engagement
Referrer URL | HTTP referrer header | Understanding traffic sources
User agent string | HTTP request header | Browser/device analytics
IP address | Server access logs | Security, abuse prevention, approximate geolocation

We do not collect sensitive personal data (special categories under Art. 9 GDPR) such as health information, political opinions, religious beliefs, or biometric data.

3. Purpose of Processing

We process your personal data for the following purposes:

  • Newsletter delivery: Sending you the daily trend intelligence brief to the email address you provided, personalized according to your selected topic preferences.
  • Service operation: Managing your subscription, processing unsubscribe requests, and maintaining the subscriber database.
  • Analytics and service improvement: Analyzing aggregate page view data and visitor patterns to understand how our service is used, which content resonates, and how to improve the user experience.
  • AI-powered trend analysis: Using artificial intelligence to generate trend analysis content that is delivered through the daily brief and displayed on the website. Your personal data is not used as training data for AI models.
  • Security: Protecting against abuse, spam, and unauthorized access to our systems.

5. Data Storage and Security

We take appropriate technical and organizational measures to protect your personal data:

  • Database: Your data is stored in a PostgreSQL database hosted within the European Union.
  • Encryption in transit: All connections to our servers use TLS/SSL encryption (HTTPS). Database connections are encrypted.
  • Access control: Database access is restricted to authorized application services only, using credentials managed through secure environment variables.
  • Infrastructure: Our application infrastructure is hosted by Render (render.com) with servers located in the EU region. Render maintains SOC 2 Type II compliance.
  • No unnecessary data collection: We follow the principle of data minimization (Art. 5(1)(c) GDPR) and only collect data that is necessary for the stated purposes.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy:

Data Category | Retention Period
Subscriber email and preferences | Until you unsubscribe, plus 30 days for processing the deletion. If you do not open any email for 12 consecutive months, we may send a re-confirmation request and delete your data if you do not respond.
Analytics data (page views, visitor IDs) | Aggregated after 90 days; raw data deleted after 180 days.
Server access logs (IP addresses) | Deleted after 30 days.
Data deletion request records | Retained for 3 years to document compliance with legal obligations (Art. 5(2) GDPR accountability principle).

After the retention period expires, data is permanently deleted or irreversibly anonymized.

7. Your Rights Under GDPR

As a data subject, you have the following rights under the General Data Protection Regulation:

  • Right of access (Art. 15): You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access that data along with information about the processing.
  • Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
  • Right to erasure (Art. 17): You have the right to request deletion of your personal data when it is no longer necessary for the purpose it was collected, when you withdraw consent, or when the data has been unlawfully processed.
  • Right to restriction of processing (Art. 18): You have the right to request that we restrict the processing of your data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
  • Right to object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
  • Right to lodge a complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

8. How to Exercise Your Rights

You can exercise any of your rights by:

  • Email: Send your request to [YOUR EMAIL]. Please include sufficient information to identify your account (e.g., the email address you subscribed with).
  • Data deletion request: Visit our data deletion page to submit an automated deletion request.
  • Unsubscribe: Click the unsubscribe link at the bottom of any daily brief email.

We will respond to your request within 30 days as required by Art. 12(3) GDPR. If the request is complex or we receive a large number of requests, we may extend this period by a further two months, and we will inform you of any such extension within the initial 30-day period.

We will verify your identity before processing any data subject request to prevent unauthorized access to personal data. Requests are processed free of charge, unless they are manifestly unfounded or excessive, in which case a reasonable fee may be charged (Art. 12(5) GDPR).

9. Cookies and Tracking Technologies

9.1 What we use

Zeitgeist uses a privacy-friendly, first-party analytics system powered by Polsia. This system:

  • Uses localStorage (not cookies) to store a pseudonymous visitor ID (polsia_vid) in your browser.
  • Sends a tracking pixel on each page load that records the page path, referrer, and visitor ID.
  • Does not use any third-party cookies.
  • Does not perform cross-site tracking.
  • Does not share analytics data with third parties.
  • Does not create user profiles for advertising purposes.

9.2 What we do not use

We do not use:

  • Third-party analytics services (e.g., Google Analytics)
  • Advertising cookies or tracking pixels from ad networks
  • Social media tracking widgets or share buttons that transmit data to third parties
  • Fingerprinting techniques

9.3 Opting out

You can opt out of analytics tracking by clearing your browser's localStorage for this site, or by using your browser's built-in tracking protection features. Since we use localStorage rather than cookies, standard cookie-blocking extensions will not affect our analytics; however, clearing site data will remove the visitor ID.

10. Third-Party Services

We use the following third-party services in the operation of Zeitgeist:

Service | Purpose | Data Shared | Location
OpenAI | AI-powered trend analysis and content generation for the daily brief | No personal subscriber data is sent to OpenAI. Only publicly available trend data and content prompts are processed. | USA
Polsia | Application infrastructure, hosting, analytics processing, and subscriber management | Subscriber email, preferences, page view data, visitor IDs | EU
Render | Cloud infrastructure hosting (application servers, database) | Data stored in hosted database; server access logs | EU (Frankfurt)
Google Fonts | Web font delivery (Space Grotesk, DM Sans) | Your IP address is transmitted to Google when fonts are loaded. See Google Fonts Privacy FAQ. | USA

International data transfers

Where data is transferred to services outside the EU/EEA (OpenAI, Google), such transfers are conducted on the basis of:

  • The EU-US Data Privacy Framework (where the recipient is certified), or
  • Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR.

We ensure that all third-party processors provide sufficient guarantees to implement appropriate technical and organizational measures in accordance with GDPR requirements.

11. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • For significant changes that affect your rights, notify active subscribers via email at least 14 days before the changes take effect.

We encourage you to review this privacy policy periodically. Your continued use of Zeitgeist after changes have been published constitutes acceptance of the updated policy.

12. Contact and Supervisory Authority

Data controller contact

[YOUR NAME]

[YOUR ADDRESS]

Austria

Email: [YOUR EMAIL]

Supervisory authority

If you believe that our processing of your personal data violates the GDPR or Austrian data protection law, you have the right to lodge a complaint with the competent supervisory authority:

Österreichische Datenschutzbehörde

(Austrian Data Protection Authority)

Barichgasse 40-42

1030 Wien (Vienna), Austria

Phone: +43 1 52 152-0

Email: dsb@dsb.gv.at

Website: https://www.dsb.gv.at

You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work, if different from Austria.