Data Protection

Privacy Policy in accordance with Art. 13 and 14 GDPR – fulfilment of obligation to provide information

All references to the gender of persons are intended to be gender neutral and are used solely for easier readability.

1         Controller for data processing

The Controller pursuant to Art. 4(7) General Data Protection Regulation (GDPR) is

Ithuba Capital AG
Stallburggasse 4, A-1010 Vienna
Tel.: +43 1 512 38 83 – 0
Fax: +43 1 512 38 83 – 300

The company has voluntarily appointed a data protection officer. That person may be reached at

2         Processing of personal data in connection with business operations

2.1        Data processing in accordance with Art. 13 GDPR

We process personal data provided to us by various individuals, for example when handling e-mail enquiries, as well as prior to entering into or when concluding a contract or a business relationship.

2.2        Data processing in accordance with Art. 14 GDPR

We also process the personal data of individuals who may be part of a contractual relationship, which we have lawfully received from third parties (e.g. managing directors who provide us with personal data of their employees).

2.3        Data Subjects

We process the following data of potential customers: company, name of contact person, contact details at the company, and address.

We process the following data of customers: company, titles and names of contact persons, address and contact details at the company, bank details and contract details.

We process the following data of suppliers and business associates: company, titles and names of contact persons, address and contact details at the company, bank details and contract details.

2.4        Transmission of data

We only pass on personal data to third parties where this is necessary in order to process or perform a contract, or where this is required under statutory regulations.

2.5        Storing/deleting data

We erase data as soon as its storage is no longer required/permitted, or where statutory retention obligations, such as obligations to keep sales tax records, have lapsed. If processing is based on the Data Subject’s consent, we will restrict our processing or erase the data when they withdraw their consent, unless otherwise required under the statutory regulations.

2.6        E-mail communication

When you contact us by e-mail, we will store the data you provide, on the basis of your consent, in order to respond to your queries. We erase data received in this way when processing is no longer necessary, or we restrict processing of the data if statutory retention obligations apply.

2.7        Publication of names of copyright holders

By law we are obliged to credit the copyright holders of images (photos or videos) every time we publish them. We automatically delete these personal data as soon as we stop using the image concerned.

2.8        Legal basis

The legal basis for data processing is:

  • Prior to entering into and for performing a contract: Art. 6(1)(b) GDPR.
  • Our statutory obligations under Art. 6(1)(c) GDPR (e.g. statutory obligations regarding retention and documentation, and disclosure obligations under the Austrian Urheberrechtsgesetz [Copyright Act]).
  • Safeguarding the legitimate interests of our company in the meaning of Art. 6(1)(f) GDPR (e.g. the use of software).
  • 6(1)(a) GDPR where we have obtained consent (e.g. for the processing of images or for marketing purposes).

3         Processing of personal data in cases involving applications

3.1        Job applicants

3.1.1        General

If you send your application documents to us, we will process your personal data contained therein as well as your CV and references for purposes of personnel selection in order to fill the position. In the event of rejection, we will erase your documents 7 months after sending the rejection letter to you.

Legal basis: Art. 6(1)(b) GDPR

Should you consent to our retaining your application on record in order to contact you at a later date, we will approach you with a separate request to transmit your consent to us. If you explicitly give us your consent, we will store that declaration of consent. If there is no further opportunity to fill a position within our organisation within one year, we will erase all of your applicant data one year after your consent was transmitted to us.

Legal basis: Art. 6(1)(a) GDPR

3.1.2        Application platform

We also use application platforms to recruit employees for our company, for example currently Individuals interested in working for us can apply directly on these application portals, using a form provided by the operator of that platform. Applicants themselves decide which data to provide when using such an online portal. They also have the option of uploading application documents. Personal data entered and documents uploaded are forwarded to us by the operator of the application portal. Both the application platform and our company will process this data as the Controller within the meaning of the GDPR. Please refer to the data protection statements/privacy statements of the respective portal operators. Sec. 3.3.1 applies to us in this context.

For further information, please refer to the privacy policy of

Legal basis: Art. 6(1)(b) GDPR

4         Data processing when you visit our website

4.1        Informational use of the website

If you use our website solely for information purposes, we will only collect the personal data that your browser transmits to our server (known as server logfiles). If you wish to view our website, we will collect at most such data as are technically necessary to enable us to display our website to you and to ensure its stability and security:

  • IP address
  • Date and time of request
  • Time zone difference to Coordinated Universal Time (UTC)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Website from which the request originated
  • Browser
  • Operating system and its interface
  • Language and version of your browser software

We do not merge this data with personal data sources. We reserve the right to retrospectively examine this data if we become aware of specific indications of unlawful use, and to pass it on to the law enforcement authorities if a hacker attack has taken place. There will be no further disclosure to any other third parties.

Legal basis: Art. 6(1)(f) GDPR

4.2        Cookies

When you use our website, cookies are stored on your device. These are small text files that are stored on your hard drive and associated with the browser you are using. They also provide the entity that places the cookie (in this case, either us or a third party) with certain information. Cookies cannot execute programs or transfer viruses to your computer.

A cookie allows you to be recognised when you visit our website without having to re-enter data you have already entered previously.

The information contained in the cookies is used, for example, to determine whether you are logged in or what data you have already entered, or to recognise you as a user when a link is established between our website server and your browser.

We make a distinction between technical cookies that ensure the proper operation of a website and other cookies which are used either by us or by third parties for statistical analysis, tracking or advertising/marketing.

Legal basis: Art. 6(1)(f) GDPR (for technical cookies), Art. 6(1)(a) GDPR (for all other cookies)

4.3        Data processing in the USA

When you visit our website, there is a possibility that the personal data you provide will be transmitted to the USA. If this happens, we will inform you in another part of this Privacy Policy.

Art. 46 of the GDPR states that appropriate safeguards must be applied if data are transmitted to a third country or an international organisation. There are no such safeguards for data transmitted to the USA.

Possible risks that cannot be excluded for you as a Data Subject in connection with the above-referenced information include, in particular:

  • The respective service provider may pass on your personal data to other third parties (e.g. US authorities) for reasons above and beyond the actual purpose of performing a contract.
  • You may not be able to assert or enforce your rights regarding access to information from the service provider concerned.
  • There may be a greater probability that incorrect data processing may occur, as the technical organisational measures for the protection of personal data do not fully comply with the requirements of the GDPR in terms of quantity and quality.

When you give your consent to processing using cookies (in particular, advertising and marketing cookies), you explicitly consent to the transmission of your data to the United States. You can remove cookies stored on your PC at any time by deleting the temporary Internet files.

Legal basis: Art. 6(1)(a) GDPR

5         Social media platforms

We operate a page on the social media platform LinkedIn. When you visit our profile there, your personal data – including your IP address – are processed by the provider concerned and cookies are placed in order to collect information. You can find further details about the specific types of information collected in the provider’s privacy policy. This also includes contact details as well as information on various settings.

We always aim to achieve complete customer satisfaction and use this service primarily to make contact and to communicate with you. We also see this as a supplementary channel alongside our existing information services.

Regarding services with links to the USA, the data collected are usually transmitted to a server in the USA and stored there. We have no influence over or means of controlling the type and scope of the information processed by these services, the form of processing and use, or the transmission of these data to third parties. Please read the detailed descriptions in the provider’s privacy policies to find out how you can restrict processing of these data by adjusting the settings for the platform.

Please also note that you are personally responsible for the ways in which you use the service and its functions. This particularly applies to the use of interactive functions (e.g. sharing, commenting and rating).

The provider of this social media platform has provided us with corresponding agreements – in most cases these are agreements regarding joint responsibility for data processing. The use of social media is based on our right to safeguard our company’s legitimate interests.

Legal basis: Art. 6(1)(f) GDPR

6         Data processing with Borlabs Cookie

Our website uses Borlabs Cookie, a cookie consent management tool provided by Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany.

The service places a technologically necessary cookie (borlabs-cookie) that stores your consent to the use of the cookie. By integrating Borlabs Cookie on our server, we guarantee that no data of any kind will be passed on to third parties.

Further information can be found in Borlabs’ privacy policy at

Legal basis: Art. 6(1)(f) GDPR

7         Data processing with the Zoom video communications platform

7.1        Purpose

We use the Zoom communication tool in order to hold online meetings. Zoom is operated by Zoom Video Communications, Inc., which is headquartered in the USA.

The use of this service means that your personal data will be transferred to the USA, or the transfer of your personal data to the USA at least cannot be ruled out. See section 4.3 of this Privacy Policy for further information.

If we would like to record online meetings, we will clearly notify you of this in advance and – where necessary – ask for your consent. The fact that a meeting is being recorded is also displayed in the Zoom app.

We will also record the content of chats if this is necessary in order to document the results of an online meeting.

When holding webinars, we may process questions asked by participants for the purposes of recording and carrying out follow-up activities on webinars.

If you are registered as a user with Zoom, reports on online meetings (meeting metadata, telephone dial-in data, questions and answers in webinars, webinar survey function) may be stored by Zoom for up to one month.

7.2        Controller

The Controller responsible for data processing directly related to online meetings is Ithuba Capital AG.

Note: when you visit the Zoom website, the provider of Zoom is responsible for data processing. However, to use Zoom, it is only necessary to visit the website in order to download the required software.

You can also use Zoom if you enter the respective meeting ID and, where applicable, other meeting access data directly in the Zoom app.

If you do not want to or cannot use the Zoom app, the basic functions can be used in the browser version, which you can also find on the Zoom website.

7.3        Processed data

When you use Zoom, various types of data are processed. The scope of the data processed depends on the information you provide before or while participating in an online meeting.

The following personal data of participants are processed when they use the service:

  • User data
    • First and last name
    • Telephone number (optional)
    • E-mail address
    • Password (unless you are using single sign-on)
    • Profile picture (optional)
    • Department (optional)
  • Meeting metadata
    • Subject
    • Description (optional)
    • Participants’ IP addresses
    • Device/hardware information
  • In case of recording (optional)
    • MP4 file with all video, audio and presentation recordings
    • M4A file with all audio recordings
    • Text file with online meeting chat
  • When dialling in by phone
    • Details of incoming and outgoing phone number
    • Country
    • Start and end time
    • Where applicable, other data on the connection such as the device’s IP address
  • Text, audio and video data (optional)

In order to take part in an online meeting or access the meeting room, you must as a minimum provide a name.

7.4        Transmission of data

Personal data processed in connection with participation in online meetings will not be transmitted to third parties, unless the data are specifically intended to be transmitted.

Other recipients: the data specified above will only become known to the provider of Zoom where this is required under the data processing agreement with Zoom.

Legal basis: Art. 6(1)(a) GDPR

8         Your rights

You have the following rights vis-à-vis us regarding the personal data concerning you:

  • Right to access information, right to request rectification and erasure
  • Right to restrict processing
  • Right to object to processing
  • Right of data portability

Please address your enquiries and requests by e-mail to or contact us by using the contact details provided.

If you believe that we have violated Austrian or European data protection law in our processing of your data and thereby violated your rights, we would request that you contact us to resolve any issues.

You also have the right to complain to the supervisory authority, which is the Austrian Data Protection Authority:

Austrian Data Protection Authority, Barichgasse 40 – 42, 1030 Vienna, telephone: +43 1 52 152-0


9         Amendments to this Privacy Policy

We reserve the right to make amendments to our Privacy Policy from time to time. All amendments to our Privacy Policy will be published by us on this website. In this regard, please refer to the current version of our Privacy Policy.

10    Disclaimer

Ithuba Capital AG accepts no responsibility for the content of external websites to which links are provided. The operators of the linked websites are solely responsible for their content.