PRIVACY POLICY

Introduction

This Privacy Policy explains how Muvamo (“we”, “our”, “us”) processes personal data when you visit www.muvamo.com (the “Website”), interact with our social-media channels, purchase our digital or printed products, book on-location photo-shoots, or use any of our ancillary services.
We are established in Austria and comply with (i) the EU General Data Protection Regulation 2016/679 (“GDPR”), (ii) the Austrian Data-Protection Act (“DSG”) and (iii) the Austrian Telecommunications Act 2021 (“TKG 2021”).

1 Controller & contact details

  • Controller: Michael Föls
  • Address: Ringelseegasse 17/3, 1210 Vienna, Austria
  • E-mail: office@muvamo.com
  • Telephone: +43 6649388206

2 Core principles

We collect only the data we need, for clearly defined purposes.
Every processing activity has a lawful basis under Article 6 GDPR.
We implement technical and organisational measures to safeguard confidentiality, integrity and availability of your data.
You can exercise your data-subject rights at any time (see section 14).

3 What data we process

  • Identification details such as name, postal address, telephone number, e-mail address and social-media handle.
  • Contract-related data such as bookings, invoices, purchases of guides, vouchers or deals.
  • Content that you provide (photos, videos, reviews, messages).
  • Usage data produced by your device (pages viewed, clicks, scroll depth, referring URLs, truncated IP address, date/time).
  • Marketing metrics (newsletter opens, campaign performance, cookie or pixel IDs).
  • Location data if you actively enable GPS for walking routes.
  • Device information (browser type, operating system, screen size, language).

4 Legal bases under Article 6 GDPR

  • Consent (Art 6 (1)(a)) – e.g. optional cookies or pixels, newsletter registration, GPS-based navigation, embedded third-party media that is not technically necessary.
  • Contract (Art 6 (1)(b)) – e.g. fulfilling photo-shoot bookings, sending paid guides, managing user accounts.
  • Legal obligation (Art 6 (1)(c)) – e.g. Austrian tax and accounting rules.
  • Legitimate interests (Art 6 (1)(f)) – e.g. server security logs, essential cookies, aggregated audience measurement, fraud prevention, CDN caching and affiliate-link attribution.

We have documented legitimate-interest assessments to ensure that our interests do not override yours.

5 Where we obtain your data

  • Directly from you when you complete forms, e-mail us, comment or make a purchase.
  • Automatically from your device via server logs, cookies and similar technologies.
  • From partners such as payment providers, affiliate networks or tour operators.

6 Hosting, content delivery & encryption

The Website is hosted in an EU/EEA data centre and is distributed worldwide through Amazon Web Services (“AWS”) CloudFront CDN. All traffic — including between the origin server and CloudFront edge nodes — is encrypted with TLS. Cached objects are kept only as long as necessary for performance.

6 A Contact and enquiry forms

If you write to us or use any enquiry form we process your name, contact details, IP address, time stamp and the content of your message solely to answer your request and for related administration. The legal basis is either our legitimate interest in efficient communication or, where your request is aimed at a contract, Article 6 (1)(b). We erase these messages six months after the last reply unless statutory retention duties require longer storage.

7 Server log files

For security, troubleshooting and abuse-prevention purposes our servers store truncated IP addresses, date and time of access, requested URL, referrer and user-agent. The basis is our legitimate interest in maintaining a stable and secure service. Logs are deleted automatically after 30 days.

7 A User accounts (optional feature)

If you choose to register, we store the e-mail address, password (hashed) and display name you provide. Optional profile fields (photo, shipping address, social-media handle) are processed only with your consent. You may delete your account at any time; the associated personal data will then be erased or anonymised within 30 days unless statutory duties require longer storage.

7 B Comment function

Where a comment feature is available we publish the comment together with the chosen display name and time of posting. For security we also log the commenter’s IP address and hold it for up to one year in order to defend against unlawful content or rights violations. If a third party complains that a comment is unlawful we may contact the commenter via the e-mail address supplied. The legal basis is either contract performance (making the feature available) or our legitimate interest in protecting readers and enforcing rights.

8 Individual processing activities

8.1 Social-media embeds

We sometimes embed posts or reels from Facebook, Instagram, TikTok, Pinterest or X. These providers receive your IP address and may set cookies once you actively click “Load content” in the consent-management banner. Processing rests on your consent.

8.2 Mapbox

We use Mapbox to display interactive maps. A truncated IP address is transmitted; precise geolocation is requested only when you explicitly enable GPS in your browser. The map itself is loaded on the basis of our legitimate interest in user-friendly navigation; GPS use requires consent.

8.3 GetYourGuide availability widgets

When you open a tour widget your device contacts GetYourGuide GmbH (Germany) to fetch live availability. If you click through and book, the subsequent processing is necessary for contract performance.

8.4 Affiliate programmes and display advertising

We finance our content partly through affiliate links and ads. We participate in the programmes of

– Expedia Group, Inc. (USA) for accommodation, flights and packages; cookies are set for tracking commissions and have a validity window defined in the Expedia affiliate dashboard. help.affiliates.expediagroup.com
– GetYourGuide GmbH (Germany) for tours and activities (tracking cookies set only if you consent).
– Breeze eSIM / eSIM Go Ltd. (UK/USA) for travel eSIM data plans; Breeze records a pseudonymous ID and pays up to 20 % commission. Breeze eSIM

Affiliate networks (e.g. Awin, CJ, Partnerize) may place or read cookies to measure conversions and calculate commissions. Such marketing cookies and similar identifiers are loaded only if you opt-in via the consent-management platform. If you refuse, only contextual (non-personalised) ads or plain links are shown.

8.5 Google Analytics 4 (cookieless)

This website uses its own web analysis service. This service does not use any personal data. No data is read or stored on the or stored on the website visitor’s end device. The IP address of the website visitor is anonymized. This is done due to overriding legitimate interest in improving the stability and stability and functionality of our website in accordance with Art. 6 para. 1. f) GDPR. It is not possible to reverse-engineer or recognize the website visitor beyond the website are not possible. Cookies are not set and not used.

Web analysis enables the website operator to record and analyze how website visitors use this website. For this purpose, the website operator receives miscellaneous usage data, such as usage time, page views, dwell time, operating systems, or screen resolution. It is also possible to record whether website visitors perform certain actions, such as clicks or purchases.

The anonymized analysis data is transferred to Google Analytics without the use of personal data of the website visitor. There, it is usually stored on a Google server in the USA. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Profiling or a link to other sources is not possible as a result of this anonymized analysis data.
Please refer to Google’s privacy policy for information on the handling of user data at Google Analytics: https://support.google.com/analytics/answer/6004245?hl=en.

8.6 Metricool

Metricool sets a cookie to provide multi-channel analytics and campaign management. We load it only with your consent.

8.7 Facebook Pixel

The Meta Pixel helps us measure campaign performance and – if you consent – build custom audiences for retargeting.

8.8 Hotjar

Hotjar records mouse movements, clicks and scroll depth in anonymised form for UX optimisation. It runs only with consent.

8.9 Mailchimp

If you sign up for the newsletter, Mailchimp stores your e-mail address and engagement metrics on US servers that participate in the EU–US Data Privacy Framework. A double-opt-in e-mail verifies your consent.

8.10 Google Workspace (Gmail)

We handle everyday correspondence through Google Workspace. Data may transit through or be stored in US data centres; transfers are protected by the Data Privacy Framework and Standard Contractual Clauses.

8.11 AWS CloudFront CDN

When your browser fetches images or files from the CDN, CloudFront logs a truncated IP address, user-agent and time stamp for less than 24 hours to detect abuse and to optimise delivery. The basis is our legitimate interest in fast, secure distribution.

8.12 Embedded media players (YouTube, Vimeo, Spotify, TikTok)

Videos and audio are loaded only after you have actively consented; without consent we display a placeholder.

8.13 Interactive polls and forms (Typeform, Pinpoll)

If present, these widgets load only with your consent and transmit IP address plus your answers to the provider’s EU or US infrastructure under SCCs.

9 Cookies and similar technologies

We use a GDPR-compliant Consent-Management Platform (CMP). On your first visit you see a banner where you can:

  1. Accept only essential cookies (session ID, consent log, security tokens).
  2. Allow functional/analytics tools (e.g. Mapbox tiles, cookieless Google Analytics).
  3. Opt-in to marketing or personalisation cookies (e.g. Facebook Pixel, Hotjar, Metricool, affiliate tracking).

You can change or revoke your choice at any time via the “Privacy settings” link in the footer. Rejecting non-essential cookies may prevent certain functions such as embedded videos or maps from working.

10 International transfers

Where providers are outside the EEA (notably in the United States) we rely on either

  • the EU–US Data Privacy Framework where the provider is certified, or
  • Standard Contractual Clauses 2021/914/EU together with encryption and other supplementary safeguards.

Copies of SCCs are available on request.

11 Retention and deletion

  • Contract and invoice data are kept for seven years under Austrian commercial and tax law.
  • Newsletter data remain until you unsubscribe; thereafter we store proof of consent for three further years.
  • Photo-shoot contracts are retained for three years after completion (general limitation period).
  • Contact-form messages are deleted six months after the last reply unless they lead to a contract.
  • Google Analytics raw logs are truncated and deleted after 14 months; Metricool and Hotjar data after one year.
  • Server log files are purged after 30 days.
  • Affiliate cookies expire according to the partner’s programme, never longer than 24 months.

Encrypted back-ups are rotated after 30 days.

12 Security measures

We employ TLS encryption, multi-factor authentication, role-based access controls, daily encrypted off-site back-ups, and regular vulnerability scans. All processors have signed Article 28 GDPR data-processing agreements.

13 Automated decision-making and profiling

We do not make decisions that produce legal effects based solely on automated processing within the meaning of Article 22 GDPR. Limited audience segmentation for advertising occurs only when you have consented to marketing cookies.

14 Your rights

Under Articles 12–23 GDPR you may request access, rectification, erasure, restriction, data portability, or object to processing based on legitimate interests. You may withdraw any consent at any time. You also have the right to complain to a supervisory authority.

15 How to exercise your rights

Please write to office@muvamo.com and attach proof of identity. We will reply without undue delay and at the latest within one month (extendable by two months for complex cases).
To cancel the newsletter click “unsubscribe” in any Mailchimp e-mail.

16 Supervisory authority

Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, Austria. Tel. +43 1 521 52-0, e-mail dsb@dsb.gv.at, website https://www.dsb.gv.at

17 Embedded content and external links

Embedded media from third-party platforms is loaded only after you have given consent; otherwise a static placeholder is shown. Our site also contains links to external pages we do not control; their privacy notices apply once you leave our domain.

18 Children

Our services are not directed at persons under 14 years. We do not knowingly collect data from minors. If you believe a child has provided us with personal data, please contact us so we can delete it.

19 Changes to this policy & purpose change clause

We may update this Privacy Policy to reflect legal, technical or business developments. The “last updated” date indicates the latest revision. Where changes are material we will announce them via banner or e-mail where appropriate.
If we intend to process your data for a new purpose we will notify you in advance, as required by Article 13 (3) GDPR.

20 Questions?

Write to office@muvamo.com or the postal address in section 1. We will be happy to help.

Version: 1.0.0 – Last updated 21 May 2025

Explore
Vienna
Vienna
Things to do in Vienna
Vienna
Vienna Food Guide
Vienna
Where to stay
Vienna
Best Vienna City Pass
Vienna
Schönbrunn Palace
Vienna
St. Stephen’s Cathedral
Vienna
Vienna Giant Ferris Wheel
Vienna
Upper Belvedere
Vienna
Vienna State Opera 
Vienna
Hofburg Palace
Vienna
Prater
Vienna
0