Privacy Policy

This page is for information and does not constitute legal advice.

This privacy policy explains how Farmer Diamonds – IT Service Provider GmbH ("we", "us") processes personal data when you visit this website (farmer.diamonds), when you use the Digital Art Factory customer portal (art.farmer.diamonds), and when you are a customer of our platform. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Austrian Datenschutzgesetz (DSG).

1. Data controller

Farmer Diamonds – IT Service Provider GmbH, Jensengasse 6, 8010 Graz, Österreich. E-Mail: support@farmer.diamonds, Telefon: +43 316 375028. Full provider details are in our Imprint.

A data protection officer is not appointed, as we are not legally required to appoint one. For all data-protection matters, contact support@farmer.diamonds.

2. Two roles: controller and processor

Our platform gives every customer a dedicated, isolated instance that holds their application and all of their data. This creates two distinct roles:

  • We are the controller for data processed to run this website and to manage our customer relationships: visitor server logs, customer account and contract data, sign-in credentials and session data, billing data, and support correspondence. Sections 3–7 cover this.
  • We are the processor (Art. 28 GDPR) for personal data that our customers store or process inside their own instance. Our customers are the controllers of that data. Section 8 covers this.

3. Data we process as controller

  • Website visitors: server log data only (see section 5). No registration is possible or required on the public website.
  • Customers and their authorized users: name, business contact details, contract and order data; the public credential of your hardware security key (WebAuthn/FIDO2 public key and key identifier — we never receive or store a password, and the private key never leaves your security key); one-time enrollment link status; session identifiers; sign-in timestamps.
  • Billing: invoicing details, VAT ID where applicable, payment status. We do not store full payment-card data.
  • Support: correspondence you send us by email or phone.

4. Purposes and legal bases

  • Performance of the contract (Art. 6(1)(b) GDPR): providing your dedicated instance, enrollment, sign-in and session handling, support, billing administration.
  • Legal obligations (Art. 6(1)(c) GDPR): retention of invoices and accounting records under Austrian tax and commercial law (in particular § 132 BAO, § 212 UGB).
  • Legitimate interests (Art. 6(1)(f) GDPR): security and abuse prevention, service reliability, defense of legal claims, and delivery of the public website (server logs). Our interest is operating a secure, reliable service; you may object under Art. 21 GDPR (see section 12).
  • Where we ever rely on consent (Art. 6(1)(a) GDPR), you can withdraw it at any time with effect for the future.

Providing personal data is neither a statutory requirement nor necessary for simply visiting this website (the server log data described in section 5 arises automatically for technical reasons). To conclude and perform a subscription contract, however, account, contact and billing data are contractually required: without this data we cannot conclude the contract, provide your instance, or issue invoices.

5. Server log files

When you access our web pages, our servers automatically record: the IP address of the requesting device, date and time of the request, the requested resource, the HTTP status, and the transmitted user-agent string. We use this data exclusively to deliver the website reliably, to detect and defend against attacks and abuse, and to diagnose faults. Log data is stored for 14 days and then deleted or anonymized, unless a specific security incident requires longer retention of specific entries.

6. Cookies and local storage

The public website uses no cookies. It stores at most a single functional value in your browser's local storage (your language preference) so the site appears in your chosen language. The customer portal sets a strictly necessary session cookie after sign-in (Secure, HttpOnly, SameSite-strict; server-side session, limited to 12 hours). These items are technically required and involve no tracking, so no consent banner is needed (§ 165(3) TKG 2021).

7. No tracking, no third-party content

We do not use analytics or advertising trackers, social-media plugins, external fonts, external content delivery networks, or any other third-party embeds. All resources are served from our own European, self-hosted infrastructure. Your visit to this website is not disclosed to any third party.

8. Customer instance data — we act as processor

For all personal data our customers store or process inside their dedicated instance, the customer is the controller and we process it solely on the customer's documented instructions as processor under Art. 28 GDPR:

  • Data processing agreement (DPA): a DPA forms part of every customer contract and is available from support@farmer.diamonds.
  • Isolation as a technical measure (Art. 32 GDPR): each customer's application and data run in the customer's own dedicated container. Customers never share an application instance or database with other tenants. The portal/gateway layer has no administrative access to the virtualization hosts and can only forward traffic to instances it is explicitly configured for.
  • Further measures: hardware-key (phishing-resistant) authentication, transport encryption (TLS) on all connections with auto-renewing certificates, modern security headers, operator-only administration of instance lifecycle, and self-hosted supporting services (DNS, mail, web, code and documentation infrastructure) under our own control.
  • Sub-processors: we currently engage no sub-processors for customer instance data. All processing takes place on our own infrastructure. Should this ever change, customers will be informed in advance in accordance with the DPA and may object.
  • No third-country transfers: all data is stored and processed exclusively on our own infrastructure in Austria (EU). We do not transfer personal data to third countries or international organizations.
  • Return and deletion: upon termination, we make the customer's data available for export and then delete the customer's container. Because the application and all data live in one dedicated container, deletion is complete and auditable: deleting the container deletes the tenant.

9. Recipients

Within our company, only personnel who need the data to fulfill the purposes above have access. We disclose personal data to third parties only where legally required (e.g., to competent authorities on a valid legal basis) or where necessary to establish, exercise or defend legal claims.

No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place — neither on this website nor in the management of our customer relationships.

10. Retention

We store personal data only as long as necessary for the purposes above: contract and account data for the duration of the contract and any statutory limitation periods; invoicing and accounting records for the statutory retention period (generally seven years under Austrian law); server logs per section 5; customer instance data per section 8 (deleted with the container on exit). Data is then deleted or anonymized.

11. Security

We take appropriate technical and organizational measures under Art. 32 GDPR, including the isolation architecture, passwordless hardware-key authentication, encrypted transport, time-limited server-side sessions, least-privilege gateway design, and operator-controlled provisioning described in section 8.

12. Your rights

You have the right to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection to processing based on legitimate interests (Art. 21). Where processing is based on consent, you may withdraw consent at any time with effect for the future. To exercise your rights, contact support@farmer.diamonds. If your request concerns data held inside a customer's instance, we will refer you to the responsible customer (the controller) and support them in responding, as required by Art. 28 GDPR.

13. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). In Austria this is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde, DSB), Barichgasse 40–42, 1030 Vienna, Austria, dsb@dsb.gv.at, https://www.dsb.gv.at.

14. Changes to this policy

We will update this policy when our service or the legal situation changes. The current version is always available on this page; the date below indicates the last revision.

Last reviewed/updated: 16 July 2026.