Privacy Policy

Privacy Policy

As of: 22 May 2026

The following statement comprehensively informs you about the processing of personal data by Baminger GmbH in connection with your visit to our website lkw-baminger.at, the conclusion of contracts via our online shop, and all further processing activities, including the use of artificial intelligence (AI) systems and initial contact in the context of B2B direct outreach. We process your data exclusively on the basis of the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

1. Controller

Baminger GmbH
Schölmlahn 18
4712 Michaelnbach, Austria
Telephone: +43 7277 40001
E-Mail: info@lkw-baminger.at
Managing Director: Philipp Baminger
FN: 670793 k, Landesgericht Wels
UID: ATU82974328

2. Principles of Processing

We process personal data only to the extent necessary for the provision of our website and online shop, for the performance of contracts, for compliance with legal obligations, on the basis of your consent, or for the protection of our legitimate interests. No fully automated decision-making within the meaning of Art. 22 GDPR takes place. To the extent we use artificial intelligence systems (see Section 7), their results are always reviewed and approved by a natural person before further use.

3. Data Processing When Visiting the Website

Each time our website is accessed, the following data is processed for technical reasons (server log files):

  • IP address (truncated/anonymised)
  • Date and time of access
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)
  • Pages visited and time spent

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operational and IT security, and technical provision of the website). Storage period: maximum 14 days in the server logs of our hosting provider.

4. Data Processing for Orders

When you place an order via our online shop, we process the following data:

  • Title, first and last name, company if applicable
  • Delivery and billing address
  • Email address, telephone number (if provided)
  • Order data (products, configuration, quantities, prices)
  • Payment information (processed exclusively by the respective payment provider, see Section 9)
  • for B2B orders: VAT number, company register number if applicable, role of the ordering person
  • for individual product configuration: vehicle make, model, year of manufacture, seat configuration, uploaded logo if applicable
  • for orders requiring photos: vehicle and seat photos uploaded by the customer

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR in conjunction with § 132 BAO and § 212 UGB (statutory retention obligations under tax and commercial law).

Storage period: 7 years from the end of the financial year (statutory retention obligation under tax and commercial law).

5. Customer Account and B2B Portal

You may voluntarily create a customer account or B2B access. The data provided for this purpose is processed on the basis of your consent (Art. 6(1)(a) GDPR) and for the initiation and performance of a contract (Art. 6(1)(b) GDPR). In the B2B portal, the role (e.g. dealer) as well as assigned discount groups and customer-specific delivery/billing addresses are additionally stored. You may request the deletion of your account at any time; statutory retention obligations remain unaffected.

6. Contact

When contacted by email, contact form, telephone, WhatsApp, or letter, we process the data provided (name, contact details, content of the enquiry, attachments if applicable) in order to handle your request.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures or performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).

Storage period: until the final resolution of your enquiry, subsequently for up to 6 months for evidential purposes. If a business relationship develops as a result, the retention periods referred to in Section 4 apply.

7. Use of AI Systems (Anthropic Claude)

We use the AI system Claude by the US provider Anthropic PBC (548 Market Street, San Francisco, CA 94104, USA) via its application programming interface (API) for selected internal processes. Specifically, we use Claude for:

  • Generation of draft texts for B2B direct outreach (initial emails, follow-ups) — see Section 8
  • Classification and preparation of draft responses for incoming emails to info@lkw-baminger.at (e.g. identification of positive/negative responses, suggestion of a reply text); final sending takes place only after manual review by our staff
  • Translation of product and shop content into our 7 shop languages
  • Classification and quality assurance of lead selection prior to each email send

Personal data transmitted to Claude in the context of the classification of incoming emails typically includes the sender's name, email address, and message content. Anthropic is certified under the EU-US Data Privacy Framework; Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR are additionally in place. Anthropic does not use API inputs for training its models in accordance with its Commercial Terms.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient communication processing, quality assurance, and multilingual provision). No fully automated individual decision-making within the meaning of Art. 22 GDPR takes place — all AI-generated content is reviewed and approved by a natural person before sending or publication.

You may object to the processing of your personal data by AI systems at any time by contacting info@lkw-baminger.at. In such a case, we will handle your enquiry exclusively manually.

8. B2B Direct Outreach (Cold Email Outreach)

We contact exclusively business email addresses of companies whose field of activity has a factual connection to our products (seat covers, floor mats, roof spoilers for commercial vehicles) (e.g. freight forwarders, construction companies, tradespeople, car dealerships, municipalities, vehicle fitters).

Source of data: We obtain business contact data (company name, industry, size, business email address, role of the contact person) from the following data provider:

  • Apollo.io (Apollo.io, Inc., 535 Mission Street, 14th Floor, San Francisco, CA 94105, USA) — business contact database
  • additionally for enrichment with public LinkedIn profile data: ReverseContact (Lugano, Switzerland)

Purpose: Initial contact to introduce our products and, where applicable, to initiate a business relationship.

Categories of data processed: First and last name, business position, company name, business email address, industry and approximate number of employees of the company, country/region.

Dispatch: Emails are sent via the platform Instantly (Instantly.ai, USA), which acts as a data processor on our behalf. Instantly stores recipient data exclusively for the purpose of email delivery and for the detection of bounces and replies.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in B2B direct marketing towards professionally reachable contact persons with a factual product connection).

Storage period: We store your data for the duration of the business initiation process or until any objection is raised. Following an objection, your data will be deleted without delay; only your email address will remain on an internal suppression list to prevent future contact (Art. 6(1)(c) in conjunction with Art. 21(3) GDPR).

Your right to object (Art. 21 GDPR): You may object to the processing of your data for direct marketing purposes at any time and without giving reasons. A brief reply containing the word “STOP”, “UNSUBSCRIBE”, or “DELETE” to one of our emails is sufficient; you may also contact us at info@lkw-baminger.at. We will implement your objection without delay and cease all further contact.

Use of AI in B2B direct outreach: The draft texts for our B2B emails are created with the support of the AI system Claude (see Section 7). Before sending, a sample review is carried out by our staff. No fully automated decision on the initiation of a business relationship takes place.

9. Payment Providers

To process payments, we use the following providers to whom your payment data is transmitted directly:

  • Shopify Payments / Stripe (Stripe Payments Europe Ltd., Ireland) — credit card, Apple Pay, Google Pay
  • PayPal (PayPal (Europe) S.à r.l. et Cie, Luxembourg)
  • Klarna (Klarna Bank AB (publ), Sweden) — invoice, instalment purchase, SOFORT transfer; if “invoice” or “instalment purchase” is selected, a credit check by Klarna takes place
  • EPS — via your Austrian online banking provider
  • Amazon Pay (Amazon Payments Europe S.C.A., Luxembourg)
  • Bank transfer / advance payment

Legal basis: Art. 6(1)(b) GDPR (performance of a contract). The privacy notices of the respective provider also apply.

10. Shipping and Logistics

For the delivery of your order, we transmit your delivery and, where applicable, contact data to our shipping service providers:

  • GLS (General Logistics Systems Germany GmbH & Co. OHG; or GLS Austria Paket-Service GmbH) — standard shipping EU
  • BRT / DPD — alternative EU shipping
  • DHL — shipping to Switzerland
  • Rovertex S.r.l. (Northern Italy) as production and logistics partner and as importer for shipments to Switzerland; in this context, delivery and, where applicable, contact data is shared for import processing purposes

For the purpose of automated status processing of GLS shipping notifications, we process the tracking number and shipping status on our server.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

11. Accounting and Invoicing

For the creation and management of invoices, payment reminders, and accounting documents, we use the online accounting tool SevDesk (SevDesk GmbH, Offenburg, Germany). Data transmitted includes name, address, VAT number if applicable, order data, payment status, and invoice numbers. Legal basis: Art. 6(1)(b) and (c) GDPR. Retention: 7 years.

12. Hosting, Shop, and Theme Platform

Our website and online shop are operated on the e-commerce platform Shopify (Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, Ireland; data also processed in Canada and the USA). Shopify processes all data arising in connection with the operation of the shop on our behalf.

Data transfers to third countries are made on the basis of the EU-US Data Privacy Framework or supplementary Standard Contractual Clauses (Art. 46(2) GDPR).

13. Newsletter and Transactional Emails

For the sending of newsletters and transactional emails (order confirmations, shipping and delivery information, enquiry processing), we use the services of Brevo GmbH (Köpenicker Str. 126, 10179 Berlin, Germany). When subscribing to the newsletter, we collect your email address and the date of subscription via the double opt-in process.

Legal basis — newsletter: Art. 6(1)(a) GDPR (consent). You may unsubscribe from the newsletter at any time via the unsubscribe link in any email or by sending a message to info@lkw-baminger.at.

Legal basis — transactional: Art. 6(1)(b) GDPR.

14. Product Reviews

For the collection and display of product reviews, we use Judge.me (Judge.me Ltd., Hong Kong). When submitting a review, the name, email address, and review text are processed. Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest in meaningful product information).

15. Cookies, Tracking, and Consent Management

15.1 Technically Necessary Cookies

Our shop sets technically necessary cookies that are required for operation (e.g. shopping cart, session, login, language selection, cookie consent). These are set without consent. Legal basis: Art. 6(1)(f) GDPR in conjunction with § 165(3) TKG 2021.

15.2 Analytics and Marketing Cookies (only with consent)

With your express consent via our cookie banner, we use the following services:

  • Google Analytics 4 (GA4) — Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Purpose: pseudonymous analysis of website usage. IP addresses are anonymised. Storage period: 14 months. Data transfer to the USA on the basis of the EU-US Data Privacy Framework and Standard Contractual Clauses. Google Privacy Policy.
  • further marketing and conversion tracking tools if applicable, where we have activated them; a complete list can be found in the cookie banner.

Legal basis: Art. 6(1)(a) GDPR in conjunction with § 165(3) TKG 2021.

15.3 Cookie Consent Management

For the management of your consents, we use Consentmo. Your consent decision is saved so that it does not need to be requested again on subsequent visits. You may revoke your consent at any time via the cookie settings on our website.

16. Internal Tools Potentially Involving Personal Data

For internal organisation, sales management, and documentation, we use the following services in which business contact and order data may be stored:

  • Google Workspace (Google Ireland Limited) — email, calendar, Google Sheets (internal CRM and order list)
  • Notion (Notion Labs, Inc., USA) — knowledge management, visit notes, customer history
  • Telegram (Telegram Messenger Inc.) — internal notifications and workflow management; content is exchanged exclusively in a bot/group context between authorised staff members
  • own server (Hetzner Online GmbH, Germany) — hosting internal automation scripts and receiving and storing customer-uploaded order photos

Legal basis: Art. 6(1)(b) and (f) GDPR. Data transfers to third countries are made on the basis of the EU-US Data Privacy Framework or Standard Contractual Clauses.

17. Data Transfers to Third Countries

Some of our service providers process data in the USA or other third countries. A transfer takes place only where an adequate level of data protection is ensured:

  • on the basis of the EU-US Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023) — where the respective provider is certified (including Anthropic, Google, Shopify, Stripe)
  • additionally or alternatively on the basis of Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR

Upon request, we will provide you with a copy of the relevant safeguards.

18. Overview of Storage Periods

  • Order data, invoices, accounting: 7 years (§ 132 BAO, § 212 UGB)
  • Customer account / B2B portal: until deleted by you, subject to statutory retention obligations
  • Contact enquiries: until final resolution, subsequently max. 6 months
  • Newsletter: until unsubscription
  • Order photos (customer uploads): up to 12 months after order completion
  • Server log files: max. 14 days
  • Cookie consents: max. 12 months
  • Analytics data (GA4, with consent): 14 months
  • B2B lead data (Apollo contacts): until objection or until the end of the business initiation process; following an objection, only the email address remains on a suppression list

19. Your Rights

You have the following rights against us at any time:

  • Access to the data processed about you (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data, to the extent no statutory retention obligations preclude this (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability in a structured, commonly used, machine-readable format (Art. 20 GDPR)
  • Objection to processing on the basis of legitimate interests (Art. 21 GDPR) — in particular against direct marketing; such an objection may be raised at any time and without giving reasons and will be implemented immediately
  • Withdrawal of consent with effect for the future (Art. 7(3) GDPR)
  • Complaint to a data protection supervisory authority (Art. 77 GDPR)

To exercise your rights, you may contact us informally at info@lkw-baminger.at.

20. Web Analytics and Reach Measurement

Own reach measurement (first-party): We collect anonymised usage data on our website (including pages visited, language used, approximate country of origin, device type, click and scroll behaviour, and the steps taken in the vehicle configurator) in order to continuously improve our offering and identify missing products in our range. This data is processed on our own server within the EU. We do not store IP addresses and do not use identifying markers without your consent. The legal basis for this anonymous, aggregated analysis is our legitimate interest in designing our website in a demand-oriented manner (Art. 6(1)(f) GDPR).

Microsoft Clarity: With your consent, we use Microsoft Clarity, a service of Microsoft Corporation (One Microsoft Way, Redmond, WA 98052, USA) and Microsoft Ireland Operations Ltd. Clarity creates anonymised heatmaps and session recordings (mouse, scroll, and click movements) in order to analyse the usability of our website. This may involve the transfer of data to the USA; Microsoft is certified under the EU-US Data Privacy Framework, and Standard Contractual Clauses are additionally in place. The legal basis is your consent (Art. 6(1)(a) GDPR, § 165(3) TKG 2021), which you may withdraw at any time with effect for the future via the cookie settings.

Logged-in B2B customers: If you are logged into our B2B portal, we associate your use of the portal with your customer account in order to provide you with personalised support and better service. The legal basis is the performance of the contractual relationship with you (Art. 6(1)(b) GDPR).

Storage technologies used: For the purposes described above, we use your browser's local storage: bam_cookie_consent (your consent status), bam_track_sid (session identifier, only with consent), and bam_track_vid (distinguishing new and returning visits, only with consent).

Storage period: The raw data collected is deleted after a maximum of 18 months. Anonymous, aggregated statistics without personal reference are retained for longer-term analysis.

21. Competent Supervisory Authority

Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Vienna
Telephone: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at
Web: www.dsb.gv.at

22. Changes to this Privacy Policy

We reserve the right to amend this privacy policy in order to adapt it to changes in the legal situation or changes to our processing activities. The current version with its effective date can always be found on this page.