Privacy Policy

This Privacy Policy explains how personal data is processed in connection with this website and the registration workflow (e.g., newsletter/updates and, where applicable, portal/community features). No third-party tracking or ad network technologies are used.

1. Controller

Dipl.-Ing. (FH) Herbert Laner, MBA, MIB
Willibald-Hauthaler-Str. 6
5020 Salzburg, Austria
web: www.mychancecom.com
E-Mail: office@mychancecom.com

2. Data processed

• Website/Server data: in particular IP address, date/time, requested URL, status codes, user agent, referrer (where provided), error/security events.
• Registration data: in particular email address; any additional data you provide (required and optional fields).
• Consent/verification (double opt-in) evidence: sign-up/confirmation timestamps and technical metadata (e.g., IP/user agent).
• First-party attribution: referral/campaign identifiers (e.g., URL parameters); first-party only, no third-party tracking.
• Newsletter interaction data: first-party open and click events for delivery control, security, and content improvement; no third-party tracking or advertising network use.

3. Purposes and legal bases

• Provision and security of the service (operation, troubleshooting, abuse/attack detection): Art. 6(1)(f) GDPR (legitimate interest in a secure and functional service).
• Registration and feature delivery (verification, necessary transactional emails, registration management): Art. 6(1)(b) GDPR (contract/steps prior to entering a contract) and Art. 6(1)(f) GDPR (security/abuse prevention).
• Newsletter/marketing updates (only with explicit consent, typically double opt-in): Art. 6(1)(a) GDPR (consent). You can withdraw consent at any time (e.g., via unsubscribe link or by email).

4. Cookies / sessions

Only strictly necessary cookies/sessions are used for core functionality and security. Legal basis: Art. 6(1)(f) GDPR.

5. Recipients

Hosting: IONOS SE (processor under Art. 28 GDPR).
Email delivery: via the hosting/SMTP infrastructure; limited to what is necessary to deliver messages (in particular the email address and the content of the respective message).

No disclosure for advertising purposes takes place. Further recipients receive data only where legally required or where necessary to establish, exercise, or defend legal claims.

6. International transfers

Transfers outside the EU/EEA are not intended. If an individual transfer becomes necessary, it will be carried out only in accordance with GDPR requirements.

7. Retention

• Unconfirmed registrations: deleted during regular clean-ups; generally after the double opt-in expiry and follow-up grace period, and no later than 60 days.
• Temporary sessions/CAPTCHA data: stored only short-term and cleaned up after no later than 48 hours.
• Rate-limit and security counters: generally retained for up to 3 days; admin/login security data for up to 30 days.
• Referral/campaign/click data: personal or pseudonymous attribution data is retained for attribution, abuse prevention, and analysis for up to 90 days; afterwards it is deleted or used only in aggregated/anonymized form.
• Mail queue and delivery logs: successful delivery records are retained for up to 30 days, failed delivery attempts for up to 90 days.
• Active registrations: retained as long as necessary for registration, project/waitlist functionality, DOI evidence, referral functionality, and transactional communication; thereafter deleted or anonymized unless legal obligations require otherwise.
• Marketing/newsletter consent: used only with separate explicit consent; withdrawal is possible at any time via the unsubscribe link or by email.
• Newsletter interaction data: open/click events with technical metadata are retained for up to 90 days. Delivery and consent evidence may be retained for documentation for up to 3 years.
• Consent/DOI evidence: retained for documentation and abuse prevention for up to 3 years after unsubscribe/deletion, unless longer retention is necessary in an individual case.
• Account deletion: after a deletion request, a short restore and security grace period of currently 5 days applies; afterwards data is deleted or anonymized unless legal obligations require otherwise.
• Server, operational, and security logs: regular operational/cron logs are retained for up to 90 days; app, error, and security logs for up to 180 days where operationally or security necessary.
• Backups: overwritten or deleted regularly; personal data may remain temporarily in backups. The technical default retention is currently 14 days, with a maximum of 30 days under a different operational configuration.

8. Your rights

You have rights under the GDPR, including access, rectification, erasure, restriction, data portability, and the right to object to processing based on legitimate interests (Art. 6(1)(f) GDPR). Where processing is based on consent, you may withdraw consent at any time.
Contact: office@mychancecom.com

You also have the right to lodge a complaint with a supervisory authority. For Austria: Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna.

9. No automated decision-making

Automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not take place.

10. Effective date

Effective date: 11 May 2026