This is a courtesy translation. The German version is legally binding.
Privacy Policy
Last updated: April 2026
Protecting your personal data is a central concern for us. We process your data exclusively on the basis of the statutory provisions (GDPR, Austrian TKG 2003).
1. Controller
i-factory — Michael D. Garrigosa Laudongasse 4/1/121080 Wien, Österreich
Email: i-factory@i-factory.at
GISA number 39477644 · WKO member 0313294
2. What data we process
2.1 When you visit the website
When you access our website, technically necessary data is collected: IP address, date/time, page accessed, browser type and referrer URL. This data is stored in the server log and automatically deleted after a maximum of 30 days.
2.2 When you register and place an order
We process the following personal data:
- First and last name
- Email address
- Delivery address (for orders)
- Order history and the configuration of your calendars
- Photos uploaded for your calendar design
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (legal obligations, e.g. retention duties).
2.3 Uploaded photos
Uploaded photos are processed to create your calendar. Before being displayed, photos are automatically checked for prohibited content (violence, erotic content, illegal material) (Art. 6(1)(f) GDPR, legitimate interest in a safe platform).
3. Payment processing — Stripe
We use Stripe Payments Europe Ltd. (Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland) for payment processing. When you pay, your payment details are transmitted directly to Stripe; we ourselves do not store complete credit card data.
Stripe privacy policy: stripe.com/at/privacy
4. Spam and abuse protection — Google reCAPTCHA
To protect our forms (login, registration, password reset) against automated abuse, we use Google reCAPTCHA v3 provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Among other things, your IP address and your interaction behavior are transmitted to Google and may be transferred to the USA — legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing bots and spam); transfers to the USA take place on the basis of the EU standard contractual clauses and the EU-US Data Privacy Framework.
More information: policies.google.com/privacy. We host fonts and JavaScript libraries ourselves — for these, no transfer to third countries takes place.
5. Cookies & local storage
We use technically necessary cookies (a session cookie to maintain your shopping cart) and cookies for session management. We do not use tracking or marketing cookies.
6. Recipients of your data
- Shipping providers (to deliver your order)
- Payment provider Stripe (to process your payment)
- Google reCAPTCHA (bot/spam protection for our forms)
- Print service providers (to produce your calendar)
- Hosting providers (within the EU)
7. Retention
We store your data for as long as it is required for the respective purpose or as long as statutory retention periods (e.g. 7 years for invoices pursuant to § 132 BAO) apply.
8. Your rights
You have the right to:
- Access to the data stored about you (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection to processing (Art. 21)
- Lodging a complaint with the Austrian Data Protection Authority (dsb.gv.at)
To exercise your rights, simply send an informal email to office@surprisecalendar.at.
9. Deleting your account
You can delete your account via My account → Edit profile at any time. For legal reasons, order data remains stored for as long as the statutory retention periods require.