DOC / IH-LG-03 GDPR · ART. 13/14 · PROCESSING RECORD

DATA.
LEDGERED.

A complete, per-purpose disclosure of every personal-data processing activity operated by Marawan Elsayed Mohamed Salem Salama (trading as INHOUSE) — what we collect, why we collect it, the legal basis we rely on, how long we keep it, and who else touches it. Modelled on the Record of Processing Activities under Art. 30 GDPR and disclosed pursuant to the information obligations in Art. 13 and Art. 14 GDPR.

TYPE: PRIVACY POLICY
REGIME: GDPR + DSG (AT)
ENTRIES: 14
DPO: NOT REQUIRED
ISSUED: 2026-04-20

We collect the minimum.
We record the maximum about what we collect.

This document is the public, reader-friendly face of our internal data-map. Every box we tick, every field we log, every third-party processor we engage — it's documented below. If a processing activity is not listed here, it does not happen on inhouse-vie.com.

We process personal data only where a lawful basis under Article 6 GDPR applies, only for the disclosed purpose, and only for as long as we need it. We do not sell data. We do not share it with data brokers. We do not profile visitors for behavioural advertising.

Questions on any single ledger entry: legal@inhouse-vie.com.

Controller · Art. 4 (7) GDPR: Marawan Elsayed Mohamed Salem Salama
Trading as INHOUSE · Mühlsteigstraße 97, 2753 Waldegg-Ober-Piesting, Austria · GISA-Zahl 39252395 · UID pending
Contact for all data-protection matters: legal@inhouse-vie.com.
A Data Protection Officer (DPO) is not mandatory under Art. 37 GDPR, given the size and nature of processing. An internal data-protection coordinator has been nominated and is reachable under the address above.
SECTION · A

Website Operation

RPA / A-01

Server Logs & Security Monitoring

REQUIRED
Purpose
Serving the website, detecting and defending against abuse (DoS, scraping, injection), debugging technical faults, reconstructing incidents.
Data categories
IP address (truncated after 7 days), request timestamp, HTTP method, path, status code, response size, user-agent string, referrer URL, ASN.
Legal basis
Art. 6 (1) (f) GDPR — legitimate interest in the secure operation and integrity of the website. Interest balanced against the relatively low intrusiveness of technical logs.
Retention
Raw logs: 7 days. IP-truncated logs (last octet removed): 30 days. Incident-related logs retained until the incident is closed and ticket resolved (max 12 months).
Recipients
  • Hosting & CDN — Amazon Web Services EMEA SARL (Luxembourg) / Amazon.com Inc. (USA). Origin storage & compute in Frankfurt (eu-central-1); global CDN edge caching via Amazon CloudFront; SSL/TLS certificate issuance via AWS Certificate Manager; authoritative DNS via Amazon Route 53. Controller-Processor Agreement (Art. 28 GDPR) & AWS Data Processing Addendum signed. (aws.amazon.com/compliance/gdpr-center)
  • Mail hosting — IONOS SE (Germany). Inbound/outbound mail servers and mailbox storage for the domain. Controller-Processor Agreement signed.
  • Transactional outbound mail (contact form) — Amazon Simple Email Service (AWS, Frankfurt region) — dispatches form submissions from the website to INHOUSE mailboxes.
Transfers
Primary processing: EU (Frankfurt) — no third-country transfer. Amazon CloudFront edge network: global, incl. USA. Parent company of AWS (Amazon.com Inc.) is US-based, which may in edge cases imply access to data from the USA. Legal basis for such edge cases: Standard Contractual Clauses (Commission Implementing Decision 2021/914) and the EU-US Data Privacy Framework (where applicable). AWS is DPF-certified. IONOS: EU (no transfer).
RPA / A-02

Strictly-Necessary Cookies

REQUIRED
Purpose
Session handling, CSRF protection, consent-banner state memory, basic accessibility preference (reduced-motion, high-contrast). No tracking, no analytics, no marketing.
Data categories
Cookie identifier, boolean flags, timestamps. No persistent user ID.
Legal basis
§ 165 (3) Austrian Telecommunications Act (TKG 2021) — strictly-necessary exemption from consent. Art. 6 (1) (f) GDPR — legitimate interest in website functionality.
Retention
Session cookies: end of browser session. Consent state: 12 months. Preference cookies: 6 months. See Cookies for per-cookie detail.
Recipients
Only INHOUSE (set by our origin).
Transfers
None.
RPA / A-03

Web Fonts & External Libraries

REQUIRED
Purpose
Rendering the typography (Space Grotesk, DM Sans, IBM Plex Mono) and loading shared JavaScript libraries (GSAP) that power page animations.
Data categories
IP address transmitted by the browser to the CDN to fulfil the HTTP request. No account-level identifier.
Legal basis
Art. 6 (1) (f) GDPR — legitimate interest in a performant, visually consistent website. Where a browser supports caching, fonts are only fetched once per cache lifetime.
Retention
We retain no record of these requests. The CDN retains access logs per its own policy (typically 24–72 h).
Recipients
  • Google Fonts — Google Ireland Limited, Ireland (EU)
  • Cloudflare & jsDelivr — Cloudflare Inc., USA
Transfers
CDN requests routed through US infrastructure. Safeguards: SCCs 2021/914 + EU-US DPF.
SECTION · B

Communication & Inquiries

RPA / B-01

Contact Form Submissions

CONTRACT / LI
Purpose
Receiving inquiries, preparing a reply or a proposal, managing follow-up correspondence.
Data categories
Full name, business email address, company name, budget range, project type, brief message, timestamp, source page, anti-spam fingerprint (honeypot).
Legal basis
Art. 6 (1) (b) GDPR — pre-contractual measure where the inquiry aims at engaging INHOUSE.
Art. 6 (1) (f) GDPR — legitimate interest in responding to general inquiries.
Retention
Inquiries that do not lead to a contract: up to 24 months after last contact, then deleted.
Inquiries that lead to a contract: retained for the life of the contract plus statutory retention (§ 132 BAO — 7 years, § 212 UGB — 7 years).
Recipients
  • Transport — Amazon API Gateway & AWS Lambda (Frankfurt, eu-central-1) — receives the HTTPS POST request from the browser and routes it to the appropriate internal mailbox based on project_type.
  • Dispatch — Amazon Simple Email Service (eu-central-1) — delivers the formatted message to the relevant INHOUSE mailbox (project@, office@, legal@, career@inhouse-vie.com).
  • Mailbox storage — IONOS SE (Germany) — mailbox hosting for all inbound mail at the @inhouse-vie.com domain.
  • Internal — only the addressed department (project, legal, career, office).
Transfers
Primary processing: EU (Frankfurt) — no third-country transfer. AWS parent (Amazon.com Inc., USA) may in edge cases imply US access. Legal bases: Standard Contractual Clauses (2021/914) + EU-US Data Privacy Framework (AWS DPF-certified). IONOS: EU only.
RPA / B-02

Email Correspondence

CONTRACT / LI
Purpose
Conducting business correspondence with clients, leads, candidates, suppliers, press and authorities.
Data categories
Email address, display name, message body, attachments, metadata (timestamps, headers, SPF/DKIM/DMARC results).
Legal basis
Art. 6 (1) (b) GDPR where related to a contract or its initiation.
Art. 6 (1) (f) GDPR where related to business contacts outside a contract.
Art. 6 (1) (c) GDPR where a legal retention obligation applies (tax, commercial).
Retention
Ordinary correspondence: 36 months from last contact. Commercially-relevant emails (offers, invoices, contracts): 7 years per § 132 BAO / § 212 UGB. Thereafter deleted.
Recipients
Addressed employees; email provider as processor.
Transfers
Depending on email provider — see B-01.
RPA / B-03

Discovery Call Scheduling

CONSENT
Purpose
Letting prospects self-book a 30–45 minute discovery call via an embedded scheduling widget.
Data categories
Full name, email, time-zone, chosen slot, answers to pre-call questions (company, focus area, current challenge), optional meeting notes.
Legal basis
Art. 6 (1) (a) GDPR — the user actively books a slot and agrees to the provider’s terms.
Art. 6 (1) (b) GDPR — pre-contractual measure.
Retention
Calendar records: 12 months. Notes imported into CRM: per CRM retention rules (see D-01). Consent can be withdrawn with effect for the future at any time.
Recipients
  • Scheduling provider — [Cal.com Inc. / SavvyCal / Calendly LLC] (processor)
  • CRM (on import)
Transfers
Where a US-based provider is used: USA · SCCs + DPF.
SECTION · C

Analytics, Marketing & Consent

RPA / C-01

Privacy-Friendly Website Analytics

CONSENT
Purpose
Aggregated understanding of site usage: visits, top pages, referral sources, device class, country. We measure what readers find useful — we do not follow individuals.
Data categories
Hashed, rotating daily visitor identifier derived from IP+user-agent+salt — never stored as raw IP. Page URL, referrer, approximate country, device class, viewport size.
Legal basis
Art. 6 (1) (a) GDPR & § 165 TKG 2021 — opt-in consent via our cookie banner. No analytics firing until the visitor accepts.
Retention
Aggregated reports: 26 months. Individual daily hashes: rotated nightly.
Recipients
Analytics provider — [Plausible Analytics B.V., The Netherlands] (processor, AV-contract signed). EU-only, cookieless, no cross-site profiling.
Transfers
None. All processing within the EU.
RPA / C-02

Newsletter Subscription

CONSENT
Purpose
Sending our monthly newsletter (INHOUSE Dispatch) with insights, new case studies and occasional product announcements to recipients who explicitly requested it.
Data categories
Email address, opt-in timestamp, opt-in IP, double-opt-in confirmation timestamp, optional first name, engagement metrics (open/click, anonymised in aggregate after 90 days).
Legal basis
Art. 6 (1) (a) GDPR — explicit consent via double-opt-in. § 107 TKG 2021 — electronic marketing opt-in. Withdrawal possible at any time via the unsubscribe link in every email or by writing to legal@inhouse-vie.com.
Retention
Active subscribers: duration of subscription. Proof of consent: 3 years after unsubscribe (evidentiary retention, § 1489 ABGB limitation period). Unsubscribed: email is moved to a suppression list (hashed) to prevent re-import.
Recipients
Email-sending provider — [Brevo / MailerLite / Buttondown] (processor, AV-contract signed).
Transfers
Depending on provider — EU or USA under SCCs + DPF.
RPA / C-03

Social-Media Embeds (LinkedIn Insight Tag, Meta Pixel)

CONSENT
Purpose
Measuring the performance of paid campaigns on LinkedIn and Meta platforms and building lookalike audiences for future campaigns — only when the visitor consents.
Data categories
Cookie IDs, IP address, user-agent, visited URLs, event type, hashed email (where supplied via forms — server-side).
Legal basis
Art. 6 (1) (a) GDPR & § 165 TKG 2021 — opt-in consent. Tags do not load until the visitor accepts the marketing category.
Retention
Cookies: 90 days on the visitor device. Platform-side: per provider policy (typically 13–24 months).
Recipients
  • LinkedIn — LinkedIn Ireland Unlimited Company (joint-controller for platform events, Art. 26 GDPR)
  • Meta — Meta Platforms Ireland Ltd. (joint-controller for platform events)
Transfers
USA · SCCs + DPF. Joint-controller agreement incorporated by reference.
RPA / C-04

Google Ads Conversion Measurement

CONSENT
Purpose
Attributing conversions from Google Ads campaigns to actual contact-form submissions, using enhanced conversions with hashed identifiers — only with consent.
Data categories
Google click identifier (gclid), conversion event, hashed email (SHA-256, server-side). No raw PII sent client-side.
Legal basis
Art. 6 (1) (a) GDPR & § 165 TKG 2021 — opt-in consent under the Google Consent Mode v2 signal.
Retention
Cookies: up to 90 days on the visitor device. Server-side: 13 months of attribution window then aggregated.
Recipients
Google Ireland Ltd. (processor for the ads account); Google LLC (USA) for global infrastructure.
Transfers
USA · SCCs + DPF.
SECTION · D

Commercial Relationships

RPA / D-01

Client & Lead Records (CRM)

CONTRACT
Purpose
Running the relationship with prospects and clients — pipeline tracking, proposal history, engagement notes, project documents, retrospective reviews.
Data categories
Corporate contact details (full name, role, email, phone, company, LinkedIn URL), engagement history, notes, meeting minutes, documents shared, invoicing references.
Legal basis
Art. 6 (1) (b) GDPR — contract performance.
Art. 6 (1) (f) GDPR — legitimate interest in tracking prospects not yet under contract.
Art. 6 (1) (c) GDPR — commercial/tax retention on invoiceable records.
Retention
Active client: duration of engagement. Inactive lead: 24 months since last contact. Invoiced records: 7 years (§ 132 BAO). After retention: archived or deleted.
Recipients
CRM provider (processor), authorised employees, our accountant (subject to contractual NDA).
Transfers
Depends on the CRM; where US-based, SCCs + DPF apply.
RPA / D-02

Invoicing & Bookkeeping

LEGAL OBLIGATION
Purpose
Issuing invoices, processing payments, running financial accounts, fulfilling tax obligations, defending against claims.
Data categories
Billing entity (name, address, UID/VAT), contact person, invoice numbers, amounts, service descriptions, bank account or payment reference, payment timestamps.
Legal basis
Art. 6 (1) (c) GDPR — legal obligation (§ 132 BAO, § 212 UGB, § 11 UStG).
Art. 6 (1) (b) GDPR — contract performance.
Retention
7 years after the end of the fiscal year in which the record was created (§ 132 BAO). Longer where litigation or audit is pending.
Recipients
  • Accountant / tax advisor — [Name], AT (processor under separate AV)
  • Bank — [Institution], AT (controller for payments)
  • Tax authority — Finanzamt Österreich (on request per BAO)
  • Payment provider — [Stripe Payments Europe Ltd. / Mollie B.V.] where card payment is offered
Transfers
Stripe: IE & USA · SCCs + DPF. Others: EU only.
RPA / D-03

Processor Engagements on Behalf of Clients

AV / DPA
Purpose
Where we build, host or operate systems for a client (e.g. CRM, automations, internal tools), we act as processor under Art. 28 GDPR for the client’s personal data.
Data categories
Whatever the client determines. Each engagement has its own scope defined in the signed AV / DPA.
Legal basis
Processor role — the client is the controller. Art. 28 GDPR. INHOUSE acts solely on documented instructions.
Retention
As instructed by the client. On termination: deletion or return within 30 days, unless Union or Member-State law requires otherwise.
Recipients
Approved sub-processors listed in the engagement DPA; no un-listed onward transfer.
Transfers
Only where the client has been informed and the appropriate safeguards (Art. 46 GDPR) are in place.
SECTION · E

Talent & Careers

RPA / E-01

Job Applications

CONTRACT / LI
Purpose
Assessing applications for open positions, running interview processes, making offers, onboarding hires, maintaining a talent pool for future roles.
Data categories
Full name, contact details, CV, cover letter, portfolio links, work samples, references, interview notes, assessment scores, eventually identity documents and employment contract.
Legal basis
Art. 6 (1) (b) GDPR — pre-contractual measures.
Art. 6 (1) (a) GDPR — consent, where the candidate allows retention for future roles.
§ 29 DSG — anti-discrimination evidentiary retention (6 months per Gleichbehandlungsgesetz).
Retention
Rejected candidate: 6 months after decision (evidentiary, anti-discrimination). Talent-pool consent: 24 months, renewable. Hired candidate: moved into HR records.
Recipients
Hiring manager, founder, optional external reference checker.
Transfers
None outside EU unless explicitly disclosed in the job posting.
SECTION · F

Your Rights as a Data Subject

Art. 15 GDPR

Right of Access

Confirmation of whether we process your data, and if so, a copy of the data and all information required under Art. 15 (1).

Art. 16 GDPR

Right to Rectification

Correction of inaccurate data and completion of incomplete data — promptly upon request.

Art. 17 GDPR

Right to Erasure

Deletion of your data where one of the grounds in Art. 17 (1) applies — subject to overriding legal obligations.

Art. 18 GDPR

Right to Restriction

Temporary freeze of processing where accuracy is contested, processing is unlawful, or you need the data for legal claims.

Art. 20 GDPR

Right to Portability

Structured, commonly-used, machine-readable export of data you provided under consent or contract.

Art. 21 GDPR

Right to Object

Objection to processing based on legitimate interest — for marketing, an absolute right.

Art. 22 GDPR

Automated Decisions

We take no automated decisions with legal or similarly significant effects on you.

Art. 7 (3) GDPR

Withdraw Consent

Withdrawal of any consent at any time, with effect for the future. Prior processing remains lawful.

How to exercise your rights. A single email to legal@inhouse-vie.com is enough. We answer within one month. If we cannot confirm your identity from the request, we will ask for additional information proportionate to the sensitivity of the request.

Supervisory authority. You have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) — Barichgasse 40–42, 1030 Wien, Austria · dsb@dsb.gv.at · dsb.gv.at — or with the supervisory authority of the EU Member State where you reside, work, or where the alleged infringement took place.

International transfers. When we transfer data outside the EEA, we rely on one of the safeguards in Art. 44–49 GDPR: (i) an adequacy decision of the European Commission; (ii) Standard Contractual Clauses 2021/914; (iii) the EU-US Data Privacy Framework certification of the recipient; (iv) binding corporate rules; (v) your explicit, informed consent. Copies of the safeguard documentation are available on request.

Automated decision-making & profiling. We do not take decisions solely on the basis of automated processing that produce legal effects or significantly affect you within the meaning of Art. 22 GDPR. Profiling for marketing audiences (see C-03, C-04) is performed by the respective platforms based on their own models; we do not access or store the resulting profiles.

Children. Our services are directed at businesses. We do not knowingly collect personal data from children under 14 (§ 4 (4) DSG). If you believe a child has provided us with data, please contact us and we will delete it.

Last reviewed · 2026-04-19 · legal@inhouse-vie.com
Version 4.0 · 14 processing records · Art. 30 GDPR aligned
© 2026 INHOUSE