Eine Plattform für alle Ihre Daten.

DSGVO-konformGehostet in EuropaEntwickelt in ÖsterreichHauptsitz in Wien

Urheberrecht © 2026 Layest FlexCo

Layest

Privacy Policy

1. Preamble

1.1 With this Privacy Policy, we, Layest FlexCo, Company Register No. (FN) 647731x, Prinz-Eugen-Straße 2/5, 1040 Vienna, Austria (hereinafter referred to as "we", "us" or "Layest"), inform our Customers, Users authorised by our Customers, and visitors to our website about the processing of their personal data and the rights available to them.

1.2 We process personal data exclusively on the basis of statutory provisions, in particular the General Data Protection Regulation ("GDPR"), the Austrian Data Protection Act ("DSG"), and other applicable data protection laws.

1.3 This Privacy Policy applies to the use of our website at https://layest.com, including all subpages, and to the use of our Digital Platform, including the digital services, AI-powered functions, automations, interfaces and integrations provided through it.

1.4 Our Digital Platform is intended exclusively for businesses. Consumers are excluded from its use. Where Customers are legal entities, this Privacy Policy applies in particular to the personal data of the natural persons acting on behalf of the Customer, including contact persons, authorised representatives, employees and Users.

1.5 This Privacy Policy is available online at https://layest.com/privacy.

2. Definitions

2.1 "Digital Platform" means the digital platform offered and operated by Layest at www.layest.com, together with related applications, services, interfaces, integrations and web tools.

2.2 "Customer" means a natural or legal person that, acting as a business, enters into a contractual relationship with Layest or uses the Digital Platform.

2.3 "User" means a natural person authorised by the Customer to use the Digital Platform, including employees, officers, agents, advisers or other persons within the Customer's sphere of responsibility.

2.4 "Customer Content" means all content, data, documents, information, inputs, prompts, files, configurations, interface data and other materials entered, uploaded, provided or retrieved by the Customer or a User in or through the Digital Platform, or otherwise processed through it.

2.5 "Output" means all content, data, communications, actions or other results generated, proposed, modified, summarised, classified or output by the Digital Platform, AI agents, AI models, workflows, automations or integrations.

2.6 In all other respects, the definitions in the GDPR apply, in particular those of "personal data", "processing", "controller", "processor", "recipient" and "consent".

3. Controller responsible for the processing of personal data

3.1 The controller responsible under data protection law for the processing of personal data in accordance with this Privacy Policy is:

Layest FlexCo
Company Register No. (FN) 647731x
Prinz-Eugen-Straße 2/5, 1040 Vienna, Austria
Email: [email protected]

3.2 Where we process personal data on behalf of a Customer, we do not act as controller but as processor within the meaning of Article 4(8) GDPR. Further details are set out in Section 8 of this Privacy Policy and in the applicable Data Processing Agreement.

4. Access to and provision of our website

4.1 When you access and use our website, we process certain personal data that your browser automatically transmits to us in order to establish a connection, display the website correctly and ensure its technical functionality. This may include, in particular, the IP address, date and time of the request, time-zone difference, content of the request, access status, volume of data transferred, browser type and version, operating system, referrer URL, hostname of the accessing device and internet access provider.

4.2 The legal basis for this processing is our overriding legitimate interest pursuant to Article 6(1)(f) GDPR in the technical provision, stability and secure display of our website. The processing is technically necessary for the website to be displayed.

4.3 To provide our website and the Digital Platform, we use Amazon Web Services ("AWS") as a hosting and infrastructure service provider, in particular Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. To the extent that AWS processes personal data on our behalf, AWS is engaged as a processor. We have entered into the relevant agreements pursuant to Article 28 GDPR.

4.4 As a rule, the data are processed only for as long as necessary to provide the website, maintain the connection and ensure technical security. Unless a longer period is required in a particular case, server and security logs are generally stored for up to 30 days and subsequently deleted or anonymised.

4.5 Data may be stored for longer where this is necessary to investigate security incidents, pursue misuse, defend against or assert legal claims, or comply with legal obligations.

5. Website security and use of Cloudflare

5.1 To provide our website and the Digital Platform securely and with high performance, we use Cloudflare as a content delivery network, reverse proxy and security service. The provider is, in particular, Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, or the relevant Cloudflare group company.

5.2 Cloudflare processes, in particular, technical access data, IP addresses, header information, device and browser information, and security-related event data in order to deliver content efficiently, defend against attacks, detect automated access and increase the availability of our services.

5.3 The legal basis is our overriding legitimate interest pursuant to Article 6(1)(f) GDPR in the secure, stable and high-performance provision of our website and Digital Platform and in preventing attacks and misuse.

5.4 To the extent that Cloudflare processes personal data outside the European Union or the European Economic Area, this is done on the basis of appropriate safeguards within the meaning of Articles 44 et seq. GDPR, in particular Standard Contractual Clauses or, where applicable, an adequacy decision of the European Commission.

6. Web tools, fonts, cookies and local storage

6.1 We currently do not use analytics, tracking or marketing tools on our website unless such tools are separately disclosed and based on an appropriate legal basis. Should we use such tools in the future, we will provide separate information and, where required, obtain your consent in advance.

6.2 The "Poppins" font used by us is provided locally or through our own technical infrastructure. External font providers such as Google Fonts or Adobe Fonts CDN are not integrated unless expressly stated otherwise.

6.3 Cookies are small text files that may be stored on your device. Local storage is a local storage area in your browser in which information may be stored. We use cookies and local storage only to the extent necessary for the operation of the website, the Digital Platform, login, security, storage of technical settings or other functions, or where you have consented to further use.

6.4 Cloudflare may set technically necessary cookies, in particular for bot detection, defence against automated attacks and maintenance of security. This may include the "__cf_bm" cookie, which generally expires after a short period.

6.5 Within the Digital Platform, technically necessary cookies or local-storage entries may be used, in particular for login, session management, authentication, security checks, language settings, User preferences, consent status or temporary technical states.

6.6 You can delete or restrict cookies and local-storage data through your browser settings. Disabling technically necessary storage mechanisms may result in our website or Digital Platform not functioning, or functioning only to a limited extent.

6.7 We currently do not use web beacons or comparable tracking pixels on our website unless such technologies are separately disclosed and based on an appropriate legal basis.

7. Use of our Digital Platform and services where we act as controller

7.1 In certain areas of the use of our Digital Platform, we process personal data as controller within the meaning of Article 4(7) GDPR. This applies in particular to purposes for which we determine the purposes and means of processing ourselves.

7.2 For the registration and administration of accounts, we process, in particular, basic account, contact, company, role, authorisation, login and authentication data. The purpose is to set up, administer and secure access to the Digital Platform. Depending on the data subject concerned, the legal basis is the performance of a contract or steps taken prior to entering into a contract pursuant to Article 6(1)(b) GDPR, as well as our legitimate interest and the Customer's legitimate interest in setting up and administering User access pursuant to Article 6(1)(f) GDPR.

7.3 To provide, administer and invoice our services, we process, in particular, contract, Customer, User, billing, payment, usage, quota and communication data. The legal basis is Article 6(1)(b) GDPR where the processing is necessary for the performance of a contract, and Article 6(1)(f) GDPR where we pursue legitimate interests in the proper provision of services, billing and customer support.

7.4 For payment processing, payment and transaction data may be transmitted to Stripe. The provider is, in particular, Stripe Payments Europe, Limited, Dublin, Ireland. Depending on the specific payment transaction, Stripe may act as an independent controller or as a service provider. The legal basis is Article 6(1)(b) GDPR or our legitimate interest pursuant to Article 6(1)(f) GDPR in secure and efficient payment processing.

7.5 For transactional communications, in particular emails concerning accounts, security, contract changes, password resets, system notices, invoices or mandatory product-related information, we process, in particular, names, email addresses, account information and communication content. The legal basis is Article 6(1)(b) GDPR or our legitimate interest pursuant to Article 6(1)(f) GDPR in providing information necessary in connection with the use of our Digital Platform.

7.6 Where we offer newsletters or marketing communications, we process personal data only on the basis of your consent pursuant to Article 6(1)(a) GDPR or, where permissible, on the basis of our legitimate interest in direct marketing to existing business Customers pursuant to Article 6(1)(f) GDPR. You may withdraw your consent at any time with effect for the future and object to marketing communications at any time.

7.7 For quality assurance, product improvement, usage statistics, troubleshooting and capacity planning, we process technical usage, telemetry, log and metadata. Where possible, this is done in anonymised or aggregated form. The legal basis is our legitimate interest pursuant to Article 6(1)(f) GDPR in improving our Digital Platform and ensuring its security and stability. These data are generally stored for up to seven years and subsequently deleted or further anonymised, unless longer retention is required for operational or legal reasons.

7.8 To ensure IT security, prevent misuse and combat fraud, we process, in particular, log data, IP addresses, device and browser information, security events, access data, audit logs, usage limits and other technical metadata. The legal basis is our overriding legitimate interest pursuant to Article 6(1)(f) GDPR in security, integrity and the prevention of misuse. Where special categories of personal data are concerned, we additionally rely on Article 9(2)(f) GDPR to the extent necessary for the establishment, exercise or defence of legal claims.

7.9 For the pursuit and defence of legal claims and compliance with legal obligations, we may disclose personal data to lawyers, tax advisers, auditors, experts, courts, authorities or other competent bodies. The legal basis is Article 6(1)(c) GDPR where a legal obligation applies, and Article 6(1)(f) GDPR where we pursue legitimate interests in the establishment, exercise or defence of legal claims.

7.10 We generally store business and tax-relevant data for seven years in accordance with statutory retention obligations, in particular pursuant to Section 212 UGB and Section 132 BAO, and for longer where required due to ongoing proceedings, limitation periods or other legal obligations.

8. Processing of Customer Content as processor

8.1 To the extent that Customers or Users process personal data as Customer Content through the Digital Platform, in particular through inputs, prompts, uploads, data sources, interfaces, workflows, AI agents, automations or Outputs, the Customer generally acts as controller within the meaning of Article 4(7) GDPR and Layest acts as processor within the meaning of Article 4(8) GDPR.

8.2 In this area, processing is carried out on the documented instructions of the Customer and in accordance with a Data Processing Agreement pursuant to Article 28 GDPR. The Customer is responsible, in particular, for lawfulness, legal bases, information obligations, data subject rights, deletion periods, purpose limitation and the permissibility of processing Customer Content.

8.3 Customer Content may contain personal data, in particular in prompts, files, documents, emails, messages, databases, connected systems, interface queries, AI-agent executions and Outputs. As a rule, Layest has no influence over which personal data the Customer or User processes in the Digital Platform.

8.4 To the extent that the Digital Platform uses AI models, third-party services, interfaces or integrations, personal data may be transferred to subprocessors or, depending on the Customer's selection and configuration, to independent controllers. Details are set out in the Data Processing Agreement and the service description.

8.5 Irrespective of our role as processor, we may process certain technical metadata, billing data, security logs and misuse data as controller where this is necessary for billing, IT security, prevention of misuse, stability, record-keeping or legal enforcement. In this respect, the information in Section 7 applies in particular.

9. Communications between you and us

9.1 If you contact us by email, contact form, through the Digital Platform or by any other means, we process the personal data that you provide to us in connection with your enquiry. This includes, in particular, your name, email address, company, position, the content of the enquiry, communication history and other information provided by you.

9.2 We process these data to respond to your enquiry, handle your request, take steps prior to entering into a contract, manage existing contractual relationships, or safeguard our rights and interests.

9.3 Depending on the circumstances, the legal basis is Article 6(1)(b) GDPR where the communication serves the performance of a contract or steps prior to entering into a contract, and Article 6(1)(f) GDPR based on our legitimate interest in service-oriented communication, documentation and the handling of requests.

9.4 We generally store communication data for the duration of processing the request and for up to three years after the most recent communication, unless longer statutory retention obligations, limitation periods or legitimate interests apply.

10. Recipients and transfers to third countries

10.1 We disclose personal data only to the extent necessary for the purposes stated in this Privacy Policy, where a legal basis applies, or where we are legally required to do so.

10.2 Possible recipients of personal data include, in particular:

  • Hosting, cloud, CDN, security and IT service providers, in particular AWS and Cloudflare;
  • Payment service providers, in particular Stripe;
  • Amazon Web Services (AWS) as the operator of Amazon Bedrock. Bedrock provides the AI models used by the platform, in particular Anthropic Claude (Sonnet, Opus) and selected OpenAI models. According to the information provided by AWS, the respective model providers do not have access to the processed prompts and outputs and do not use them to train their own models;
  • Providers of transactional communications, support, monitoring, troubleshooting or administration services;
  • Tax advisers, auditors, lawyers, experts and other professional advisers;
  • Courts, authorities, public prosecutors, supervisory authorities and other public bodies where this is legally required or necessary for legal enforcement;
  • Affiliated companies, subcontractors and service providers where this is necessary for the performance of a contract.

10.3 To the extent that recipients act as processors, we enter into agreements pursuant to Article 28 GDPR.

10.4 Where personal data are transferred to countries outside the European Union or the European Economic Area, this takes place only where the requirements of Articles 44 et seq. GDPR are met, in particular on the basis of an adequacy decision of the European Commission, Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914, or other appropriate safeguards.

10.5 Processing through Amazon Bedrock is configured to take place within a region in the European Union specified by us. This is continuously ensured for the use of Anthropic Claude. Availability of OpenAI models in European AWS regions is currently being rolled out. We verify the applicable region before production use and update this information where necessary.

11. Provision of personal data

11.1 The provision of personal data is generally neither legally nor contractually required. However, certain personal data, in particular contact, registration, contract, billing, payment and usage data, are necessary to enter into and perform a contract, set up an account, use the Digital Platform or process an enquiry.

11.2 If you do not provide required personal data, we may be unable to enter into a contract, set up an account, provide services, process payments or handle enquiries.

12. Automated decision-making, including profiling

12.1 We do not use decision-making based solely on automated processing, including profiling, within the meaning of Article 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

12.2 Depending on how it is used by the Customer, the Digital Platform may provide AI-powered functions, AI agents, automations and workflows. Where Customers use such functions to process personal data, the legal assessment of and responsibility for that specific use generally lies with the relevant Customer.

12.3 Where you interact with an AI system within the Digital Platform, such as an AI copilot or an AI agent, this will be appropriately identified in the User interface. This identification serves to comply with the transparency obligations under Article 50 of the AI Act.

13. Your rights as a data subject

13.1 Subject to the requirements of the applicable statutory provisions, you have, in particular, the following rights:

  • Right of access pursuant to Article 15 GDPR;
  • Right to rectification pursuant to Article 16 GDPR;
  • Right to erasure pursuant to Article 17 GDPR;
  • Right to restriction of processing pursuant to Article 18 GDPR;
  • Right to data portability pursuant to Article 20 GDPR;
  • Right to object to processing based on Article 6(1)(e) or (f) GDPR pursuant to Article 21 GDPR;
  • Right to withdraw consent at any time pursuant to Article 7(3) GDPR, without affecting the lawfulness of processing carried out before the withdrawal.

13.2 If you wish to exercise any of these rights, please contact us at [email protected].

13.3 If there are reasonable doubts concerning your identity, we may request additional information necessary to confirm your identity.

13.4 If you believe that the processing of your personal data infringes data protection law, you have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, email: [email protected].

14. Retention periods

14.1 We store personal data only for as long as necessary for the respective purposes, statutory retention obligations apply, or legitimate interests, in particular the establishment, exercise or defence of legal claims, justify further storage.

14.2 Registration and account data are generally stored for the duration of the active account or contractual relationship and are subsequently deleted or anonymised unless retention obligations or legitimate interests prevent this.

14.3 Business, contractual and tax-relevant data are generally stored for seven years unless longer statutory obligations, limitation periods or ongoing proceedings require longer storage.

14.4 Technical security and log data are generally stored only for an appropriate period unless, in a particular case, they are required for longer to investigate security incidents, misuse or legal claims.

14.5 As part of technical backups, data may be retained for a limited period beyond the periods specified in this Policy before being removed during scheduled deletion cycles.

15. Contact and amendments to this Privacy Policy

15.1 For data protection matters, you can contact us using the following details:

Layest FlexCo
Prinz-Eugen-Straße 2/5, 1040 Vienna, Austria
Email: [email protected]

15.2 We reserve the right to amend this Privacy Policy from time to time, in particular due to technical, legal, regulatory or organisational changes.

15.3 The current version of this Privacy Policy is available at https://layest.com/privacy.

Neugierig auf Layest? Fragen Sie Ihre Lieblings-KI

Privacy Policy | Layest