Privacy Policy - HEH-LED - Light is more than brightness

Status: 07 February 2026

1. Overview

Protecting your personal data is a top priority for us. This Privacy Policy explains in a transparent manner which personal data we process when you use our website www.heh-led.com, for which purposes such processing takes place, on which legal basis the data is processed, and which rights you are entitled to.

This Privacy Policy is based primarily on the EU General Data Protection Regulation (GDPR) and Austrian data protection law. Where applicable, we also align our practices with requirements that may be relevant for international visitors (e.g., UK GDPR principles and common procurement/customer compliance expectations).

2. Data Controller

The data controller within the meaning of the GDPR is:

HEH-LED Ing. Helmuth Horvath
Angerried 11
2424 Zurndorf
Austria

Email: office@heh-led.com
Telephone: +43 676 4910956
Fax: +43 214720398
VAT ID: ATU65905103

3. Data Protection Contact

For questions regarding data protection, requests for information, or the exercise of your rights, please contact:

Email: office@heh-led.com
(please use the subject line: “Data Protection”)

Note: We are generally not legally required to appoint a Data Protection Officer. Nevertheless, all privacy requests are handled with priority and in a structured manner.

4. Categories of Personal Data Processed

Depending on how the website is used, we may process in particular:

Access data (server log files): IP address, date and time of access, pages/files accessed, referrer URL, browser/device information, operating system, error codes if applicable.
Communication data: name, company name, email address, message content, and any additional information provided by you (e.g., tender context, technical questions).
Account/login data (downloads area): username, email address, password (stored in encrypted/hashed form), login status, roles/permissions if applicable.
Comment/publication data (if comments are enabled): name, email address, website (optional), comment content, IP address, timestamp.
Technical cookie/session data: preferences (e.g., “remember me”), security and performance-related information.

5. Purposes and Legal Bases of Processing

We process personal data only where legally permitted. Legal bases include in particular:

Art. 6(1)(b) GDPR (contract / pre-contractual measures): handling inquiries, preparing quotations/offers, and managing business relationships.
Art. 6(1)(c) GDPR (legal obligation): compliance with statutory retention and documentation obligations (e.g., commercial and tax laws).
Art. 6(1)(f) GDPR (legitimate interests): stable, secure, and efficient website operation, IT security, prevention of misuse, troubleshooting, and protection against attacks.
Art. 6(1)(a) GDPR (consent): only where we explicitly request consent (e.g., for non-essential cookies or optional analytics/marketing services, if used).

B2B context: Our website and services are aimed primarily at business users (e.g., rail vehicle operators, integrators, procurement bodies). The data we process typically relates to business contacts and project communication.

6. Web Hosting and Server Log Files

Our website is hosted on servers operated by a hosting provider. In the course of hosting, access data (server log files) is processed to:

technically provide the website,
maintain system security and stability,
detect and prevent attacks or malfunctions.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and reliable operation).

Storage period: Log files are stored only as long as necessary for operations, security and error analysis—typically for several days up to a few weeks, depending on the hosting setup; longer if required to investigate a security incident.

7. Contact via Form, Email or Telephone

If you contact us (e.g., via the website contact form or by email), we process the data you provide to handle your request and communicate with you.

Typical mandatory contact form fields:

first name, last name, company name, email address, message.

Purpose: processing inquiries, preparing offers, project and tender communication (B2B), and documentation of correspondence.

Legal bases:

Art. 6(1)(b) GDPR (pre-contractual measures / contract),
Art. 6(1)(f) GDPR (legitimate interest in efficient communication),
for general inquiries without contractual relevance: Art. 6(1)(f) GDPR.

Storage period:

until the inquiry is resolved;
longer where business relevance or legal retention requirements apply.

8. Downloads Area (Login / Customer Portal)

Our website includes a restricted downloads area for customers and registered users. Accounts are typically created upon request.

When using the login area, we process:

username/email address, password (not stored in plain text), login status (“remember me”), and IP address if applicable (security logging).

Purpose: provision of protected content, access control, traceability and IT security.

Legal bases:

Art. 6(1)(b) GDPR (contract / pre-contractual relationship),
Art. 6(1)(f) GDPR (legitimate interest in access protection and IT security).

Storage period: account data is stored until deletion of the account or end of the business relationship, unless retention obligations require longer storage.

9. Tender / Procurement Data Exchange (Project Communication)

In the context of requests for quotation, tenders, procurement processes, or technical clarifications, we may process business contact data and correspondence content (including technical requirements, compatibility questions, and documentation references) to:

assess feasibility,
prepare offers and compliance documentation,
coordinate project execution and deliverables.

Legal bases: Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR (legitimate interest in conducting business and maintaining an audit trail typical for B2B procurement).

We ask you not to send sensitive personal data (special categories under Art. 9 GDPR) unless strictly necessary and explicitly requested.

10. Comments / Posts (News)

Our website contains news posts. If the comment function is enabled, we process the data you submit and technical metadata (e.g., IP address, timestamp).

Purpose: publication/moderation, abuse prevention, traceability.

Legal basis:

Art. 6(1)(a) GDPR (consent through active submission) and/or
Art. 6(1)(f) GDPR (legitimate interests in interaction and abuse prevention).

Note: Email addresses are generally not displayed publicly. Comments may be moderated.

Storage period: until the post is deleted or you request deletion, provided no overriding reasons or legal obligations apply.

11. Cookies and Similar Technologies

Our website uses cookies and comparable technologies.

We distinguish between:

a) Technically necessary cookies (essential)
Required to enable core functions (e.g., login, security features, language/session settings).
Legal basis: Art. 6(1)(f) GDPR and—where applicable—Austrian TKG 2021 provisions on necessary cookies.

b) Optional cookies (statistics/marketing)
Used only if implemented and—where legally required—after obtaining your consent.
Legal basis: Art. 6(1)(a) GDPR.

Typical examples (depending on configuration):

WordPress login/session: wordpress_logged_in_*, wordpress_sec_*
User settings: wp-settings-*, wp-settings-time-*
Comment convenience: comment_author_*, comment_author_email_*, comment_author_url_*
Security/firewall (e.g., Wordfence): wfwaf-authcookie-*
Performance/caching: cookies supporting cache status/variants

You can delete or block cookies in your browser settings. Please note that blocking essential cookies may limit website functionality.

12. IT Security / Protective Measures

We implement appropriate technical and organizational measures to protect data, such as TLS/HTTPS encryption, access controls, regular updates and backups, and security mechanisms to detect and prevent attacks.

In the context of IT security, IP addresses, access patterns and technical event data may be processed.
Legal basis: Art. 6(1)(f) GDPR.

13. Backups and Data Recovery

We perform regular backups to ensure business continuity and recoverability. Backups may contain personal data stored in the website database or files (e.g., user accounts, contact inquiries, technical settings).

Purpose: operational security and recovery after errors or attacks.
Legal basis: Art. 6(1)(f) GDPR.

Storage period: backups are retained on a rotating basis (multiple generations). Access is restricted to authorized personnel.

14. Recipients / Data Processors

We may use service providers (data processors) to operate and secure the website, for example for:

hosting/server operation,
IT security,
backup storage.

Processors receive data only to the extent necessary to provide their services and are contractually bound to GDPR requirements (data processing agreements where required).

15. International Data Transfers (Outside the EU/EEA)

As a rule, we process data primarily within the EU/EEA. If, in individual cases, service providers or technical processes result in transfers to third countries (e.g., the USA), we ensure an adequate level of protection, in particular through:

adequacy decisions of the European Commission (e.g., EU–US Data Privacy Framework where the provider is certified), and/or
Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR, supplemented by additional measures where necessary.

16. Data Retention and Deletion

We store personal data only as long as necessary for the stated purposes or as required by law.

Examples:

inquiries/communication: until completion, and beyond that depending on business relevance,
contractual/invoicing data: in Austria generally 7 years,
accounts: until deletion or end of the business relationship (unless longer retention is required),
log files: short-term, depending on security and operational requirements.

17. Your Rights (Data Subject Rights)

Under the GDPR you have, in particular, the right to:

access (Art. 15 GDPR),
rectification (Art. 16 GDPR),
erasure (Art. 17 GDPR),
restriction (Art. 18 GDPR),
data portability (Art. 20 GDPR),
object to processing based on legitimate interests (Art. 21 GDPR),
withdraw consent at any time with future effect (Art. 7(3) GDPR), where processing is based on consent.

To exercise your rights, contact: office@heh-led.com

18. Right to Lodge a Complaint (Austria)

If you believe that processing of your personal data infringes data protection law, you may lodge a complaint with the competent supervisory authority.

Austrian Data Protection Authority (DSB)
Barichgasse 40–42
1030 Vienna, Austria
Telephone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/

19. UK Visitors (UK GDPR – Additional Note)

If you are located in the United Kingdom, GDPR-like rights and principles generally apply under the UK GDPR. We handle requests from UK-based individuals in line with the rights described in Section 17. In specific cases, additional information may be required to verify identity and jurisdiction.

20. US Visitors (No “Sale” of Personal Data – Additional Note)

We do not sell personal data in the sense commonly used under US state privacy laws (e.g., CCPA/CPRA and similar frameworks).
If we ever implement optional marketing/advertising technologies that involve “sharing”/cross-context behavioral advertising, we will update this Privacy Policy and implement appropriate consent/opt-out mechanisms as required.

21. Children

Our website is not directed at children and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

22. No Automated Decision-Making

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR in connection with the website.

23. Changes to this Privacy Policy

We may update this Privacy Policy if our website, processes or the legal framework change. The current version is always available at www.heh-led.com.