PRIVACY POLICY

This Privacy Policy explains how Muvamo (“we”, “our”, “us”) processes personal data when you visit www.muvamo.com (the “Website”), interact with our social-media channels, purchase digital or printed guides, book on-location photo-shoots, or subscribe to our newsletter.

We are established in Austria and comply with
(i) the EU General Data Protection Regulation 2016/679 (GDPR),
(ii) the Austrian Data Protection Act (DSG), and
(iii) the Telecommunications Act 2021 (TKG 2021).


1 Controller & Contact

Controller: Michael Föls
Address: Ringelseegasse 17/3, 1210 Vienna, Austria
E-mail: office@muvamo.com
Phone: +43 664 9388206


2 Core Principles

  • We collect only what we need, for specific and lawful purposes.
  • Each processing activity rests on a lawful basis under Article 6 GDPR.
  • We apply technical & organisational measures to ensure confidentiality, integrity and availability.
  • You may exercise your data-subject rights at any time (see section 14).

3 Data We Process

  • Identification data (name, address, e-mail, phone).
  • Contract & transaction data (bookings, orders, invoices).
  • Content you submit (reviews, messages, uploads).
  • Usage data (pages viewed, scroll depth, referrers, truncated IP, timestamp).
  • Device information (browser, OS, screen size, language).
  • Marketing metrics (e.g. newsletter opens, pixel IDs).
  • Location data only if you enable GPS for routes.

4 Legal Bases (Art 6 GDPR)

  • Consent (6 (1)(a)) – optional cookies or pixels, newsletter opt-in, GPS, third-party embeds.
  • Contract (6 (1)(b)) – fulfilling orders, photo-shoot bookings, payment processing.
  • Legal obligation (6 (1)(c)) – tax & accounting rules.
  • Legitimate interest (6 (1)(f)) – security logs, essential cookies, aggregated analytics, fraud prevention, CDN performance.

5 Data Sources

  • Directly from you (forms, e-mails, purchases).
  • Automatically via server logs and cookies.
  • From partners (payment providers, affiliate networks, tour operators).

6 Hosting & Security

Our site is hosted in the EU/EEA and delivered via Amazon Web Services (AWS) CloudFront CDN.
All traffic is TLS-encrypted; cached objects are kept only as needed for performance.
Daily back-ups are encrypted and rotated after 30 days.


7 Contact Forms & E-mail

Messages are processed to reply to your request and administer it.
Legal basis: legitimate interest or contract (Art 6 (1)(f)/(b)).
Retention: 6 months after last reply unless longer required by law.


8 Server Logs

We store truncated IP, timestamp, URL, referrer and user-agent for security and troubleshooting.
Retention 30 days. Basis: legitimate interest.


9 Payments (Stripe, Google Pay, Apple Pay, PayPal)

Payments are processed through Stripe Payments Europe Ltd., which may also enable Google Pay, Apple Pay, and PayPal.
Data transferred to Stripe includes payment method, amount, currency, and billing details.
Stripe acts as an independent controller for its own fraud-prevention and AML obligations.
See Stripe Privacy Policy.
Legal basis: contract performance (Art 6 (1)(b)) and legal obligation (Art 6 (1)(c)).


10 External Widgets & Embedded Content

Mapbox – displays interactive maps (legitimate interest). Exact geolocation only with consent.
GetYourGuide – tour availability widgets (legitimate interest / contract when booking).
Instagram embeds – loaded only after you click “Load content” (consent).
Other social media (YouTube, TikTok, Pinterest, X) – same consent principle.


11 Analytics & Performance Tools

11.1 Google Analytics 4 with Consent Mode v2
We use Google Analytics (“GA4”) by Google Ireland Ltd., Barrow Street, Dublin 4, Ireland.
Consent Mode v2 ensures that cookies and data sharing occur only if you consent. Otherwise, only aggregated non-identifiable pings are sent.
Purpose: usage analysis and site improvement.
Transfers to the USA are protected by the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
Legal basis: consent Art 6 (1)(a) / legitimate interest Art 6 (1)(f).
Google Privacy Policy

11.2 PostHog
We use PostHog Ltd. (UK/EU servers) to collect pseudonymised usage data for UX and feature analysis.
No tracking cookies are set without consent. Legal basis: legitimate interest Art 6 (1)(f).

11.3 Metricool
Metricool S.L. (Spain) provides multi-channel marketing analytics and social-media metrics.
Loaded only if you opt in to marketing cookies (consent).


12 Marketing & Retargeting

Facebook Pixel (Meta Pixel)
Meta Platforms Ireland Ltd. receives pseudonymous event data for campaign measurement and retargeting.
Active only with your consent via the CMP.
Transfers to the USA rely on the Data Privacy Framework / SCCs.
Meta Privacy Policy


13 Newsletter (FunnelKit – self-hosted)

Our newsletter is managed via FunnelKit Automations on our own EU server.
We store only your e-mail address and your name.
Subscription requires double opt-in.
You may unsubscribe at any time via the link in each e-mail or by contacting us.
Legal basis: consent Art 6 (1)(a); record of consent kept 3 years for proof.


14 Cookies & Consent Management

We use a GDPR-compliant Consent Management Platform (CMP).
On first visit you can choose:

  • Essential cookies only,
  • Functional/analytics tools (Mapbox, PostHog, Google Analytics Consent Mode), or
  • Marketing pixels (Facebook, Metricool, affiliate tracking).

You can change or withdraw consent at any time via the “Cookie Settings” link in the footer.
Rejecting non-essential cookies may limit certain features.


15 International Transfers

Where data is processed outside the EEA, we use either the EU–US Data Privacy Framework or the Standard Contractual Clauses (2021/914/EU) with supplementary safeguards.


16 Retention

  • Contract & invoice data – 7 years (§§ 132 BAO, § 212 UGB).
  • Newsletter data – until unsubscription (+3 years proof).
  • Server logs – 30 days.
  • Analytics data – 14 months (GA4) / 12 months (PostHog & Metricool).
  • Affiliate cookies – max 24 months or as per partner policy.
  • Back-ups – encrypted rotation after 30 days.

17 Security Measures

TLS encryption, firewall hardening, multi-factor authentication, role-based access control, and daily encrypted off-site back-ups.
All processors are bound by Article 28 GDPR agreements.


18 Automated Decision-Making

We do not make automated decisions producing legal effects.
Audience segmentation occurs only with marketing consent.


19 Your Rights

You may request access, rectification, erasure, restriction, data portability, or object to processing based on legitimate interest.
You may withdraw consent at any time.
Complaints can be filed with the Austrian Data Protection Authority (see below).


20 Exercising Your Rights

Write to office@muvamo.com and attach proof of identity.
We reply within one month (extendable by two months for complex cases).


21 Supervisory Authority

Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Vienna, Austria
Tel +43 1 521 52-0 | dsb@dsb.gv.at | www.dsb.gv.at


22 Children

Our services target persons aged 14 and over. We do not knowingly collect data from minors.


23 Changes to This Policy

We may update this policy to reflect legal or technical developments. Material changes will be announced via banner or e-mail if appropriate.
If we intend to use data for a new purpose, you will be informed beforehand (Art 13 (3) GDPR).

Version: 1.0.0 – Last updated 05 November 2025