Privacy Policy
Last updated: June 2026
Protecting your data matters to us. This privacy policy explains, in accordance with the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and applicable telecommunications/digital-services law, which personal data we process, for what purposes, on what legal basis, and what rights you have. Grace & Steel is operated as an English-language online service for an international audience; if you are in the EU/EEA, the GDPR applies to you.
1. Controller
Mag. (FH) Florian Neuhuber
Obere Höllstraße 20d
4451 Garsten
Austria
Email: hello@graceandsteel.io
2. Core principles
Grace & Steel is a digital self-development service for women: a short quiz produces a personalized assessment, and a paid subscription unlocks a guided plan.
We host within the European Union, we use cookieless analytics, and session replay runs only with your explicit consent. We do not sell personal data, and we do not run advertising or tracking pixels on this site. Where individual processors (in particular payment and email providers) may process or access data outside the EU/EEA, this only takes place under Art. 44 et seq. GDPR and, where required, on the basis of appropriate safeguards such as EU Standard Contractual Clauses.
3. Data we process, purposes and legal bases
a) The quiz and your assessment
When you take the quiz, we process the answers you select. These answers are scored into a personalized assessment (covering the self-abandonment pattern, attachment and nervous-system signals). If you choose to receive your result or plan by email, we also process the email address you provide. Your quiz answers are stored as profile signals (tags) on your contact record in our CRM (see section 4) so that we can send you a result that fits you.
The purpose is to provide your personalized result and the requested service. The legal basis is the performance of a contract or the taking of pre-contractual steps at your request (Art. 6 para. 1 lit. b GDPR) and, where you opt in to receive content, your consent (Art. 6 para. 1 lit. a GDPR).
b) Subscription and account
When you subscribe, we process your email address, the plan you selected, the purchase time, subscription status and the technical access data needed to give you access to your plan. The purpose is to create, provide and manage your subscription. The legal basis is the performance of a contract (Art. 6 para. 1 lit. b GDPR).
c) Payment processing
Payments and subscription billing are handled by Stripe. You enter your payment details (in particular card data) directly with Stripe; your full card details never pass through or are stored on our systems. We receive only the payment status, amount, time, transaction information and the email address needed to match the payment to your account. Stripe may process data in the United States; such transfers take place on the basis of EU Standard Contractual Clauses and/or an applicable adequacy framework under Art. 44 et seq. GDPR. The purpose is payment processing and performance of the contract; the legal basis is Art. 6 para. 1 lit. b GDPR and, where statutory accounting and tax retention duties apply, Art. 6 para. 1 lit. c GDPR.
d) Reach measurement (analytics)
We use Plausible Analytics, self-hosted within the EU (stats.solavia.at). Plausible runs without cookies, without cross-site tracking, without persistent storage of full IP addresses and without building personal profiles. We process aggregated data such as page views, referrers, device type, browser and approximate region. The legal basis is our legitimate interest (Art. 6 para. 1 lit. f GDPR) in privacy-friendly, aggregated statistics to improve our service.
e) Session replay (consent only)
To understand and improve how the site works, we use OpenReplay, self-hosted within the EU (replay.solavia.at). Session replay is only activated with your explicit consent (consent-gated); if you do not consent, no session is recorded. When active, it records interactions such as clicks, navigation and page structure to reconstruct your session; text inputs are masked. The legal basis is your consent (Art. 6 para. 1 lit. a GDPR), which you can withdraw at any time with effect for the future.
f) Transactional email
For necessary transactional emails — for example your result, login or access links, and subscription confirmations — we use smtp2go as our delivery provider. We process your email address, the content of the respective message, the send time and technical delivery information. The legal basis is the performance of a contract (Art. 6 para. 1 lit. b GDPR).
g) Email, CRM and follow-up communication
We store your contact details and the signals from your quiz and subscription in our self-hosted Mautic system within the EU (mautic.solavia.at). We use this to send you the plan you requested, relevant follow-ups and, where permitted, information about our own similar offerings. The legal basis is your consent (Art. 6 para. 1 lit. a GDPR) where you opted in, and otherwise our legitimate interest in customer communication (Art. 6 para. 1 lit. f GDPR) within the limits of applicable law. You can object to this use at any time — for example via the unsubscribe link in every email, or by writing to hello@graceandsteel.io. There is no website tracking via Mautic.
4. Recipients and processors
We use carefully selected service providers and, where required, conclude data processing agreements with them pursuant to Art. 28 GDPR. The main recipients/providers are:
- Hetzner Online GmbH, Germany/EU — hosting, server operation and storage
- Stripe Payments Europe Ltd., Ireland (with group entities incl. the United States) — payment and subscription processing
- smtp2go — delivery of transactional email
- Plausible, self-hosted in the EU — cookieless reach measurement
- OpenReplay, self-hosted in the EU — consent-gated session replay
- Mautic, self-hosted in the EU — email, CRM and follow-up communication
With payment and certain communication providers, processing or access may take place outside the EU/EEA. In that case, processing is carried out in accordance with Art. 44 et seq. GDPR.
5. Retention periods
We keep account, subscription and contact data for as long as your subscription is active and afterwards as needed to fulfil our obligations. Invoicing, payment and contract data are retained in line with statutory retention duties. Marketing and CRM data are kept until you object or until the legitimate interest in customer communication no longer applies. Analytics data are aggregated and not stored in a personally identifiable form. Session-replay recordings are retained only for as long as needed to analyse and improve the service, and you may withdraw consent at any time.
6. Your rights
Under the GDPR you have, in particular, the following rights:
- the right of access,
- the right to rectification,
- the right to erasure (“right to be forgotten”),
- the right to restriction of processing,
- the right to data portability,
- the right to object to processing based on legitimate interests,
- the right to withdraw consent at any time with effect for the future.
You can exercise your rights by emailing hello@graceandsteel.io. You also have the right to lodge a complaint with a data protection supervisory authority — in our case the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).
7. Note on advertising
We may promote Grace & Steel through advertising platforms. The Grace & Steel website itself does not embed advertising tracking pixels. If you reach us through an ad, the advertising platform may set its own identifiers on its own pages and under its own privacy terms, outside our control.
8. Security
We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access and unauthorised disclosure. These include EU hosting, encrypted backups, access restrictions and privacy-friendly defaults.