Privacy Policy

Controller within the meaning of Art. 4 No. 7 GDPR:

Ing. Dipl.-Ing. (FH) Karl J. Pilz
Sole proprietorship
Sagmüllerweg 8, 5081 Anif-Niederalm, Salzburg, Austria
VAT-ID: ATU 66845907
Email: datenschutz@hoviguard.eu
Phone: +43 660 1495489

Data Protection Officer (Sec. 13(1) DSG in conjunction with Art. 37 GDPR): Karl J. Pilz, contact as above.

HOVIGuard is a B2B SaaS gateway for the secure use of AI models in enterprises. We process personal data exclusively within the EU (server location: Hetzner GEX44, Falkenstein/Germany). Third-country transfers only occur via EU-approved safeguards (DPF or SCCs).

• Account data (name, email, password hash)
• Usage data (chats, generated images/videos, uploaded files)
• Billing data (tenant, seat count, token consumption)
• Technical logs (IP address pseudonymised after 7 days, user-agent, audit trails)

• Art. 6(1)(b) GDPR — contract performance (account, billing, service delivery)
• Art. 6(1)(c) GDPR — legal obligations (accounting, tax, audit)
• Art. 6(1)(f) GDPR — legitimate interest (security logs, fraud prevention)

We use carefully selected sub-processors, all bound by data processing agreements (DPAs) and, where applicable, Standard Contractual Clauses (SCCs):

• Hetzner Online GmbH (Germany) — hosting ¹
• Eden AI SAS (Lyon, France) — LLM gateway (covers OpenAI, Anthropic, Google, Mistral, Meta, DeepSeek, Qwen, Cohere, Perplexity as sub-processors)
• xAI Corp. (EU region eu-west-1 for processing; HQ USA) — direct call to Grok models, not via Eden gateway (xAI standard DPA + EU SCCs)
• All-Inkl.com (Germany) — SMTP email delivery
• Stripe Payments Europe Ltd. (Dublin) — payment processing (SCCs Module 1+2 for Stripe LLC USA)
• LLM providers (Anthropic, OpenAI, Google, xAI, Mistral, Amazon, etc.) per active selection — DPF/SCCs in place

Where HOVIGuard processes personal data on behalf of the Customer, our Data Processing Agreement (DPA) per Art. 28 GDPR applies and is part of the contract. Enterprise customers may request a separately signable PDF version via datenschutz@hoviguard.eu.

You have the following rights under the GDPR:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to lodge a complaint with the Austrian Data Protection Authority (DSB), Barichgasse 40–42, 1030 Vienna

Requests to: datenschutz@hoviguard.eu.

• Account data: duration of business relationship + 30 days
• Usage logs: 90 days, after which aggregated only
• IP addresses: pseudonymised after 7 days
• Invoices: 7 years (Sec. 212 BAO, Austrian accounting law)
• Audit logs: 6 months (Art. 26(6) AI Act deployer obligation)

We only use technically necessary cookies (session, CSRF, language preference). No tracking cookies, no third-party advertising. Analytics via Umami (self-hosted, cookie-less). For details see the German master version.

• TLS 1.3 on all public endpoints
• Argon2id password hashing, rate limiting, IP blocklists
• Encrypted backups (daily, 7-day retention)
• RBAC with strict Company-Admin / Superadmin separation
• Safety layer (Qwen3Guard) for prompt injection and jailbreak detection
• Audit logs for security-relevant events

In case of a data breach with risk to the rights and freedoms of natural persons, we will notify the Austrian Data Protection Authority within 72 hours (Art. 33 GDPR) and inform affected customers immediately if a high risk exists (Art. 34 GDPR).

All photographic marketing content on hoviguard.eu (hero images, illustrations, person portraits in hero sections) is entirely AI-generated. These are not photographs of real persons, employees, or customers. Any depicted person is a synthetic character; any resemblance to existing individuals would be coincidental.

Authentic application screenshots (chat UI, audit log, model catalog, etc.) are real captures of the HOVIGuard platform and are not AI-generated.

This notice fulfils the transparency obligation under Art. 50 of EU Regulation 2024/1689 (EU AI Act) effective 02 Aug 2026 as well as obligations to avoid misleading advertising under § 2 UWG (AT) / § 5 UWG (DE). An additional "AI-generated" notice is shown in the website footer.

This privacy policy will be updated as processing changes. The current version is available at hoviguard.eu/privacy. Material changes will be announced at least 30 days in advance via email.