Privacy Policy

Effective: May 2026

1. Controller

Project Manager SaaS Platform for Startup & Agency Management
Webformance OG
Dreihackengasse 7/29
8020 Graz, Austria
Email: office@project-mngr.com

2. General

The protection of personal data is of particular concern to us. We process your data exclusively based on the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

This privacy policy applies to:
• Customer companies (startups, agencies and their representatives) who register and use the platform
• Users (employees and team members of customer companies) who have access to the platform
• Website visitors of project-mngr.com

3. Data Protection Roles

Project Manager is a B2B SaaS platform. Therefore, different roles apply to data processing:

3.1 Webformance OG as Controller

For the processing of personal data of customers, prospects, contractual partners and website visitors, Webformance OG itself is the data controller within the meaning of Art. 4 No. 7 GDPR.

3.2 Webformance OG as Processor

To the extent that customer companies enter and manage personal data of their employees, contacts (CRM) or other persons on the platform, Webformance OG processes this data exclusively on behalf of and at the instruction of the respective customer company. In this relationship, the customer company is the controller within the meaning of Art. 4 No. 7 GDPR, and Webformance OG is the processor within the meaning of Art. 4 No. 8 GDPR. The details of data processing are governed by a separate Data Processing Agreement (DPA), which forms part of the terms of use.

4.1 Registration & Account Data

During registration and use of the platform, the following data is processed:
• Name, email address
• Company name, industry
• Profile picture (optional)
• Role (user/administrator/workspace owner)
• Password (stored encrypted)

Legal basis: Art. 6(1)(b) GDPR (contract performance).

4.2 Platform Content Data

When using the platform, users independently enter and process content in the following modules:
• CRM: Contact details, communication history, company information
• Tasks & OKRs: Tasks, goals, milestones, progress data
• Calendar: Appointments, events (incl. Google Calendar integration)
• Meetings & Weekly Reviews: Notes, minutes, action items
• Time Tracker: Recorded working hours, project assignments
• Knowledgebase & CMS: Documents, articles, knowledge entries
• Files: Uploaded files and attachments
• Metrics: Key figures, KPIs, reports

The content of these modules is processed exclusively on behalf of and at the instruction of the respective customer company.

Legal basis (where personal data is involved): Art. 6(1)(b) GDPR (contract performance).

4.3 Google Calendar Integration

Users may optionally connect their Google account to the platform. With explicit consent, the following data from Google Calendar is read and/or transferred to the platform:
• Calendar appointments (title, date, time, description, attendees)
• Calendar metadata (calendar names)

The connection is entirely voluntary and can be revoked at any time in the account settings. After revocation, no further Google data is synchronized.

Legal basis: Art. 6(1)(a) GDPR (consent).

4.4 Usage & Technical Data

When accessing the platform and website, the following data is automatically processed:
• IP address (anonymized)
• Browser type and version
• Operating system, device type
• Access timestamps, referrer URL
• Session data

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technical provision and security of the platform).

4.5 Data of Administrators & Contact Persons

From administrators and contact persons of customer companies, we process: name, email address, phone number (optional), position/function, communication history, and contract data. Legal basis: Art. 6(1)(b) GDPR (contract performance).

5. Data Visibility Within the Platform

The platform is designed as a multi-tenant system. Each customer company works in a separate workspace. Data of one customer company is not visible or accessible to other customer companies.

Within a workspace:
• For all workspace members: Name, profile picture, assigned tasks and shared content according to set permissions
• For administrators additionally: Complete usage overviews, all workspace content, export functions
• Technically isolated: Content of other workspaces is not viewable at any time

6. Hosting & Infrastructure

The platform is operated exclusively on servers within the European Union:
• Hosting: Vercel (EU region, Frankfurt am Main)
• Database: Supabase (EU region, Frankfurt am Main)
• Authentication: Supabase Auth (EU region)

7. Analytics & Tracking Tools

7.1 PostHog

We use PostHog for product analytics and improving the user experience.

Provider: PostHog Inc., San Francisco, USA (EU cloud instance).

PostHog captures usage behavior within the platform, including page views, click behavior, feature usage and session data. The data is used for product usage analysis, error detection and improvement of the user interface. We use the EU cloud version of PostHog, so data processing takes place exclusively within the European Union.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in product improvement) or Art. 6(1)(a) GDPR (consent) where cookies or similar technologies are used.

8. Email Communication

8.1 Resend

For transactional email delivery (e.g. registration confirmations, notifications, password reset) we use Resend.

Provider: Resend Inc., USA.

Transmission is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (legitimate interest in reliable communication).

9. Payment Processing

9.1 Stripe

For processing payments (subscriptions, upgrades) we use Stripe.

Provider: Stripe Inc., USA / Stripe Payments Europe Ltd., Ireland.

During payment transactions, payment data (e.g. credit card details, billing address) is transmitted directly to Stripe and processed there. We do not store complete payment data on our systems. Stripe processes data partly in the USA based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

10. Form Services

For contact and inquiry forms on our website, we use exclusively in-house developed forms. The data entered (e.g. name, email address, message) is transmitted directly to our systems. No data is shared with external form service providers.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in processing inquiries).

11. Sub-processors

We use the following sub-processors:
• Vercel Inc. — Hosting, CDN — EU (Frankfurt)
• Supabase Inc. — Database, Auth, Realtime — EU (Frankfurt)
• Stripe Inc. — Payment processing — EU/USA (SCCs)
• Resend Inc. — Email delivery — USA (SCCs)
• PostHog Inc. — Product analytics — EU (Cloud)
• Google Ireland Ltd. — Calendar Integration — EU/USA (SCCs)

12. Cookies

The platform uses technically necessary cookies for authentication and session management. Analytics cookies (e.g. from PostHog) — to the extent they go beyond technical necessity — are only activated with the user's explicit consent.

13. Data Transfers to Third Countries

Some of the service providers we use may transfer data to the USA or other third countries. The transfer is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR or comparable guarantees. We regularly review whether adequate levels of protection are ensured and take additional measures where necessary (e.g. encryption, data anonymization).

14. Data Retention

• Account data: For the duration of use and up to 30 days after account deletion or contract termination.
• Platform content data (CRM, tasks, etc.): For the duration of the active subscription; after contract termination, data is deleted upon request or automatically after 30 days.
• Google Calendar data: Only during active connection; no further storage after connection is revoked.
• Invoice and contract data: 7 years in accordance with tax retention obligations (BAO).
• Technical logs: Maximum 90 days.
• PostHog analytics data: Maximum 12 months, then automatically deleted or anonymized.
• Email logs (Resend): Maximum 30 days.

15. Your Rights

You have the following rights under GDPR:
• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent at any time (Art. 7(3) GDPR)

To exercise your rights, please contact: office@project-mngr.com

Note for users of customer companies: Since your employer or client (the customer company) is the data controller with respect to the data they have entered, we may need to forward your request to the respective customer company.

16. Right to Lodge a Complaint

You have the right to lodge a complaint with the Austrian Data Protection Authority:

Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

17. Data Security

We implement appropriate technical and organizational measures to protect personal data, in particular:
• Encryption of data transmission (TLS)
• Encryption of stored data (encryption at rest)
• Access control and role-based permissions
• Workspace isolation (multi-tenancy separation)
• Regular security updates
• Pseudonymization and anonymization where possible
• Regular security audits

18. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy as needed, particularly in the event of changes in the legal situation, platform features or services used. The current version is available on the platform at project-mngr.com. In the case of material changes, we will inform registered users via the platform or by email.