General Data Protection Regulation (GDPR)

  • Your privacy and the protection of your personal data are of the utmost importance to us. The operations of What Matters, an initiative run under the roof of CO-LAB for Future Economics, are fully compliant with the European Union’s General Data Protection Regulation (GDPR), as implemented in Austria (Datenschutzgesetz – DSG). All data processing activities described below follow Austrian legal requirements and European standards for data protection.

    This GDPR statement explains how your personal data is collected, processed, stored, and protected when you interact with our website, services, and digital tools. It also informs you of your rights as a data subject under Austrian law and EU law.

  • The data controller for all processing activities is:

    CO-LAB für Zukunftsökonomie
    Address: Lichtenfelsgasse 5/6, 1010 Vienna, Austria
    E-mail: connect@humanitywhatmatters.com
    Data Protection Officer (DPO): Nicole Bastien

    As the controller, CO-LAB determines the purposes and means of processing your personal data in accordance with the GDPR.

  • 3.1 Voluntarily Provided Data

    We collect data you provide directly, including:

    • Name, e-mail address, phone number

    • Messages submitted via contact forms

    • Information provided when booking appointments or registering for events

    • Other information you may provide when subscribing to updates or engaging with us

    3.2 Automatically Collected Data

    When you visit our website, certain information is collected automatically, including:

    • IP address, browser type, operating system, and device type

    • Date and time of your visit

    • Pages visited and interaction behavior

    3.3 Data from Third-Party Services

    When you interact with third-party services embedded on our site, such as social media feeds, video or audio players, or widgets, these providers may collect data directly from your device.

  • We process your data for the following purposes:

    • Operation and security of the website. Legal basis: Art. 6(1)(f) GDPR – legitimate interest

    • Responding to inquiries. Legal basis: Art. 6(1)(b) GDPR – contractual/pre-contractual necessity

    • Appointment booking and event registration. Legal basis: Art. 6(1)(b) GDPR – contractual necessity

    • Sending updates/news. Legal basis: Art. 6(1)(a) GDPR – consent

    • Payment processing. Legal basis: Art. 6(1)(b) GDPR – contractual necessity

    • Embedded content display (video, audio, social media). Legal basis: Art. 6(1)(f) GDPR – legitimate interest / Art. 6(1)(a) GDPR – consent

    • Website analytics and optimization. Legal basis: Art. 6(1)(f) GDPR – legitimate interest

    Your consent can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

  • 5.1 What Are Cookies?

    Cookies are small text files stored on your device that allow the website to recognize your browser and improve your experience.

    • Session cookies: deleted after closing the browser

    • Persistent cookies: remain on your device until manually deleted

    • First-party cookies: set by this website

    • Third-party cookies: set by external services

    5.2 Purposes of Cookies

    • Functional cookies for website operation

    • Analytics cookies to understand user behavior

    • Social media and content integration via widgets

    5.3 Legal Basis

    • Necessary cookies: Art. 6(1)(f) GDPR – legitimate interest

    • Optional/analytics/social cookies: Art. 6(1)(a) GDPR – consent

    You can manage cookies in your browser settings or withdraw consent at any time.

    5.4 Cookies & Tracking on the What Matters page

    Necessary Cookies
    These cookies are essential for the operation of the website and cannot be disabled:

    • __Host-squarespace-session (Squarespace): Maintains secure session while you are logged in. Expires at the end of the session.

    • tidycal_session (TidyCal): Keeps your booking session active while scheduling appointments. Expires at the end of the session.

    • Zoom_JSESSIONID and Zoom_CSRF (Zoom): Required for secure video meeting functionality. Expires at the end of the session.

    • stripe_mid and stripe_sid (Stripe): Ensure secure payment processing and session integrity. stripe_mid expires in 1 year, stripe_sid in 1 day.

    • sessionid (Squarespace / Widgets): Maintains session state during page visits. Expires at the end of the session.

    Functional Cookies
    These cookies enable features such as embedded media, widgets, and social media integration. Consent is requested for their use:

    • ss-cookies-consent (Squarespace): Stores your cookie consent preferences. Expires in 1 year.

    • Secure-3PAPISID and Secure-3PSID (Google): Enable social login and embedded content functionality. Expires in 2 years.

    • CONSENT (Google): Stores your consent preferences for Google services. Expires in 20 years.

    • elfsight_cookie_consent (Elfsight): Stores your consent status for scrolling and social media widgets. Expires in 1 year.

    • sc_anonymous_id and sc_logged_in (SoundCloud): Enable playback and social interactions for embedded audio. Expires 1–2 years depending on the cookie.

    Analytics Cookies
    Analytics cookies allow us to understand how visitors use the website so we can improve content, performance, and user experience. These are active only with your consent:

    • _ga (Google Analytics): Tracks visitor behavior and website performance. Expires in 2 years.

    • _gid (Google Analytics): Distinguishes individual users for analytics. Expires in 24 hours.

    • _gat (Google Analytics): Limits the request rate. Expires in 1 minute.

    Marketing / Social Media Cookies
    These cookies help integrate social media functions and, with consent, track interactions for social plugins:

    • li_sugr and bcookie (LinkedIn): Track interaction with embedded LinkedIn elements and maintain security. Expires 1–2 years.

    • ig_cb (Instagram / Meta): Tracks engagement with social media integration. Expires 1 year.

    • fr and _fbp (Facebook / Meta): Used for social plugin functionality and marketing analytics. Expires 3 months.

    Consent and Management
    You can consent to, decline, or withdraw cookies at any time using the cookie banner on our website or by adjusting your browser settings. Necessary cookies are always active to guarantee proper functionality, but all other cookies require your explicit consent.

    Note: Certain embedded Google services, including Google Drive, Google Calendar, and Google Forms, may set additional cookies on your device. These cookies are used solely to ensure the proper functionality of the embedded content and may collect anonymized information for statistical purposes. No personal data from these cookies is shared with us unless you actively provide it (e.g., by submitting a form).

  • We use the following third-party tools. Personal data may be processed by these providers under GDPR-compliant agreements (Data Processing Agreements) and Standard Contractual Clauses (SCCs) for transfers outside the EU.

    • Squarespace
      Purpose: Website hosting, security, analytics
      Legal basis: Art. 6(1)(f), Art. 6(1)(a) (with consent)
      Transfer: USA via SCC

    • Google Drive / Calendar / Forms
      Purpose: File storage, scheduling, form collection
      Legal basis: Art. 6(1)(b), Art. 6(1)(f)
      Transfer: USA via SCC

    • TidyCal (AppSumo)
      Purpose: Appointment scheduling
      Legal basis: Art. 6(1)(b), Art. 6(1)(f)
      Transfer: USA via SCC

    • YouTube
      Purpose: Embedded video content
      Legal basis: Art. 6(1)(f), Art. 6(1)(a) (with consent)
      Transfer: USA via SCC

    • Spotify
      Purpose: Embedded audio content
      Legal basis: Art. 6(1)(f), Art. 6(1)(a) (with consent)
      Transfer: UK (adequate protection)

    • Zoom
      Purpose: Online meetings and webinars
      Legal basis: Art. 6(1)(b), Art. 6(1)(f)
      Transfer: USA via SCC

    • Stripe
      Purpose: Payment processing
      Legal basis: Art. 6(1)(b), Art. 6(1)(f)
      Transfer: USA via SCC

    • LinkedIn
      Purpose: Social media integration
      Legal basis: Art. 6(1)(f), Art. 6(1)(a) (with consent)
      Transfer: USA via SCC

    • Instagram / Meta
      Purpose: Social media integration
      Legal basis: Art. 6(1)(f), Art. 6(1)(a) (with consent)
      Transfer: USA via SCC

    • Elfsight widgets
      Purpose: Interactive content & social media feeds
      Legal basis: Art. 6(1)(f), Art. 6(1)(a) (with consent)
      Transfer: Varies (check provider)

  • When you contact us, the following applies:

    • We store your name, email, and message to respond appropriately.

    • Legal basis: Art. 6(1)(b) GDPR (contractual/pre-contractual) or Art. 6(1)(f) GDPR (legitimate interest).

    • Data is deleted once the communication purpose is fulfilled unless retention is legally required.

  • Under Austrian law and EU GDPR, you have the right to:

    1. Access your personal data

    2. Rectify inaccurate or incomplete data

    3. Request erasure (“right to be forgotten”)

    4. Restrict processing under certain conditions

    5. Data portability (structured, machine-readable format)

    6. Object to processing based on legitimate interest or direct marketing

    7. Withdraw consent at any time

    8. Lodge a complaint with the Austrian Data Protection Authority (DSB)

    To exercise your rights, contact: connect@humanitywhatmatters.com

    • Personal data is retained only as long as necessary for the stated purposes.

    • Statutory retention periods under Austrian commercial and tax law are respected.

    • Data is deleted or anonymized once the purpose ceases.

  • We implement technical and organizational measures to protect personal data, including:

    • SSL/TLS encryption for website connections

    • Secure storage and access controls

    • Limitation of access to authorized personnel only