Privacy Policy

PebbleByte GmbH Mittelgasse 4/13 1060 Vienna, Austria Email: office@pebblebyte.com

We take the protection of your personal data very seriously. Your data are processed exclusively on the basis of the General Data Protection Regulation (GDPR) and the applicable national data protection provisions.

Our offering is designed so that as little personal data as possible are processed ("Privacy by Design"). We do not create individual user profiles and we do not analyze the content or flow of video calls.

When our website is accessed, technically necessary data are processed:

• →IP address
• →Date and time of the request
• →Browser type and version
• →Operating system

This processing is carried out to ensure the technical operation of the website.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

No storage takes place beyond the duration of the session. If statutory retention obligations exist, storage takes place only to the extent required by law.

Our video call solution was developed so that maximum data minimization is ensured:

• →No video or audio content is stored
• →Where technically possible, communication takes place directly between the participants (peer-to-peer)
• →If firewalls or other technical circumstances prevent a direct connection, a relay server may be used to establish the connection
• →In both cases, we do not have access to communication content at any time; such content is neither read nor analyzed by us

For the technical provision of the service, the following participant data in particular may be processed:

• →the participant's display name
• →an internal participant identifier (peer ID)
• →role and status data, in particular moderator status and camera, microphone, and screen-sharing status
• →waiting room data, in particular join status and the time of the request
• →chat messages including timestamps, if the chat function is used
• →connection and signaling data, in particular WebRTC/SDP/ICE data, to the extent technically required

For business customers with increased participant requirements, the technical provision of larger video rooms may, under separate B2B arrangements, take place via an open-source LiveKit SFU hosted on the respective customer's own servers.

• →The SFU carries audio and video streams as well as technically required transport, connection, and signaling data
• →On the SFU, only participant metadata required for connection establishment and session control are processed on a session basis, in particular internal participant identifiers, display names, and role and status data

No permanent storage of communication content takes place in this case either. Session-related technical data are generally retained on the customer's servers only for the duration of the active session and, where technically necessary, for short-term processing in volatile system memory. This does not affect the fact that the display name, a rejoin key, and short-term rejoin status data may be stored locally in the user's browser. Video calls are not individually tracked and are not analyzed for analytics purposes.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract or implementation of pre-contractual measures)

When a user account is created, the following data are processed:

• →Email address
• →where applicable, name / username
• →password (stored as a hash)

The processing is carried out in order to provide the user account function.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) The data are stored until the user account is deleted, unless statutory retention obligations prevent this.

For registered users, the following additional usage data are processed:

• →created rooms or meeting rooms
• →room data such as name, slug/link, visibility (public/private), waiting-room setting, and call mode / plan tier
• →for protected private rooms, a hash of the room password
• →the assignment of the room to the user account
• →technical timestamps such as creation and modification date

The processing is carried out to provide and manage personal rooms and participant data.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract)

As a rule, the data are stored until the user account is deleted or until the respective rooms or participant data are deleted, unless statutory retention obligations prevent this.

For paying customers, subscription-related and billing-related data are also processed. This may include in particular:

• →information on whether an active paid subscription exists
• →booked tariff / plan
• →subscription term data, e.g. start, end, renewal, or cancellation
• →internal customer, contract, subscription, or transaction identifiers
• →invoice and payment receipt data
• →where applicable, billing address, company name, and VAT ID
• →payment status information, e.g. paid, open, or failed

Where an external payment service provider is used, that provider processes the actual payment data under its own data protection responsibility or as an independent controller in accordance with its privacy information. In such cases, we generally receive only the billing, status, and reference data required for contract performance, invoicing, and legal proof. We do not store complete credit card or debit card data.

The processing is carried out for the handling of paid services, contract administration, invoicing, and compliance with statutory obligations. The legal bases are Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (compliance with legal obligations).

We store billing-relevant records in accordance with statutory retention obligations, in Austria generally for seven years. Longer storage only takes place where this is necessary for pending proceedings or statutory proof obligations.

No user account is required to use our video calls.

• →No personal data are stored beyond what is necessary for the technical provision
• →Invitation links do not contain any personal information

Our website and servers are hosted by Hetzner Online GmbH as processor pursuant to Art. 28 GDPR.

A corresponding data processing agreement has been concluded. Further information can be found in Hetzner's DPA.

The processing takes place exclusively in data centers within the European Union.

No transfer of personal data to third countries (e.g. USA) takes place. Further information can be found in Hetzner's privacy policy.

If you contact us by email or if we send you transactional emails, we process the communication data and metadata required for this via our email inboxes hosted with IONOS.

This may include in particular email address, sender and recipient details, subject line, time, technical delivery and server data, and the content of the message to the extent necessary to handle your request or send the respective email.

The processing is carried out to handle inquiries, for contract-related communication, and for the secure and reliable operation of our email communication. The legal bases are Art. 6(1)(b) GDPR (contract or pre-contractual communication) and Art. 6(1)(f) GDPR (legitimate interest in reliable business communication).

We use IONOS, a German hosting provider, for email hosting. Further information can be found in IONOS's privacy policy. Emails are stored only for as long as this is necessary for the communication, the handling of the respective matter, or statutory retention obligations.

If paid services are processed via the payment service provider Mollie, payment-related personal data are processed via Mollie.

Depending on the payment method, this may include in particular name, billing and contact details, payment data, transaction data, and technical usage data to the extent necessary for payment processing.

According to Mollie, Mollie generally processes such data in the context of payment processing as an independent controller. Further information can be found in Mollie's privacy statement and Mollie's information on its data protection role.

Information on storage periods and any transfers to third countries by Mollie can be found in Mollie's privacy statement.

Our website uses exclusively technically necessary cookies and technically required local storage entries that are necessary for operation and the provision of essential functions.

• →no tracking cookies
• →no analytics cookies
• →no marketing tracking cookies

As these cookies and local storage entries are necessary for operation, no consent is required. Further information can be found on our cookie page.

For our website and admin dashboard, we use the self-hosted open-source statistics tool GoatCounter. It is used only for privacy-friendly usage statistics in these areas, not for analyzing video calls.

• →stored data include in particular visited pages (path and page title), time of access, access counts, and the referring page (referrer)
• →GoatCounter also processes technical statistics such as browser type and version, operating system, language, approximate country, and screen width
• →no analytics cookies, no full IP addresses, no full User-Agent strings, and no tracking of individual people across devices

GoatCounter runs on our own servers. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a data-minimizing reach and usage analysis).

No disclosure of your data to third parties takes place, except:

• →to technical service providers for hosting and server operations acting as processors
• →to IONOS insofar as email inboxes, email communication, or the delivery of transactional emails are processed via IONOS
• →to the payment service provider Mollie, insofar as paid services are processed via Mollie

To the extent that service providers act as processors, they are contractually obliged to comply with the GDPR. Mollie's own privacy information additionally applies to payment processing via Mollie.

We store personal data only for as long as this is necessary for the respective purpose.

• →no permanent storage of communication content or connection data
• →account data until deletion of the account
• →invoices and other tax-relevant records generally for seven years (section 132 Austrian Federal Fiscal Code - BAO)

If statutory retention obligations exist or records are required for pending proceedings, we store them for longer accordingly.

You have the right at any time to:

• →access (Art. 15 GDPR)
• →rectification (Art. 16 GDPR)
• →erasure (Art. 17 GDPR)
• →restriction of processing (Art. 18 GDPR)
• →data portability (Art. 20 GDPR)
• →objection (Art. 21 GDPR)

You have the right to lodge a complaint with the competent data protection authority.

In Austria: Austrian Data Protection Authority Barichgasse 40-42 1030 Vienna, Austria Email: dsb@dsb.gv.at

We implement technical and organizational measures to protect your data against unauthorized access, loss, and misuse. These include in particular:

• →transport encryption for the website, API, and media connections
• →access to internal administrative functions only after authentication
• →optional password-protected rooms; configured room passwords are stored only in hashed form
• →short-lived access and connection tokens as well as time-limited TURN credentials
• →rate limiting to protect against abusive access attempts
• →depending on the configuration, waiting-room and moderation functions to control admission
• →minimization of data storage
• →server locations within the EU

Automated decision-making including profiling pursuant to Art. 22 GDPR does not take place.