Privacy Policy
Because nobody likes to read long legal texts.
This Privacy Policy explains how we handle your personal data, why we process it, and what rights you have under the GDPR when you interact with services of Routerfishers.
Pick what you’re about to do and we’ll show you, in simple language, what happens with your data. The full legal policy is right below if you want all the details.
If you just browse around
What happens if you visit our website?
We run our website with a strict privacy-first philosophy. No tracking. No analytics. No marketing pixels. No third-party scripts watching you.
- Our server creates minimal technical log files (IP address, timestamp, browser info) only to keep the site secure and functioning.
- We do not set analytics, marketing, or profiling cookies. In fact, we avoid cookies entirely unless a server-side session is technically unavoidable.
- We use no external services that track or fingerprint you.
You can read, scroll and click in peace like it’s 1999.
Our Privacy Policy Is Open Source and Free to Reuse
We made our Privacy Policy open source so anyone can reuse the overall structure and wording style for their own purposes. If you do, you remain fully responsible for your own legal compliance. Always adapt the content, purposes, and legal bases to your specific business and processing activities. Routerfishers is not responsible for how this text is used outside of our own services.
01 Controller & Contact
Routerfishers
Vienna, Austria
Website: https://routerfishers.com
Contact for privacy: privacy@routerfishers.com
02 Scope of This Privacy Policy
This Privacy Policy covers every piece of personal data we process, whether that happens inside our own infrastructure or through strictly selected service providers acting on our instructions. "Personal data" means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
We process data only where it’s necessary to provide, secure, and run our services, online or offline. This policy applies to:
- Every online or offline property we operate (website, landing pages, custom-built tools)
- Our official communication channels, including email and social platforms
- Any mobile applications we release now or in the future
In simple terms: if you interact with us through one of these channels, this Privacy Policy applies. If we ever work with your data outside these channels, you’ll know, because we’ll tell you upfront, clearly, and before anything happens.
03 Your Rights under the GDPR
Under the General Data Protection Regulation (GDPR), you have several rights regarding how your personal data is handled. You can exercise any of these rights at any time by contacting us at privacy@routerfishers.com.
- Right of access (Art. 15 GDPR): Request information about the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): Correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17 GDPR): Request deletion of your data, unless we must keep it due to legal obligations.
- Right to restriction of processing (Art. 18 GDPR): Request limited processing under specific circumstances.
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interests.
- Right to data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format or request its transfer to another controller.
Your Right to Lodge a Complaint (Art. 77 GDPR)
If you believe the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for Routerfishers is:
Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
04 Data We Process & Retention Periods
When You Visit Our Website
When you land on our website, you enter an environment designed to be privacy-friendly: we operate with a strict privacy-first, zero-bullshit philosophy. No surveillance. No analytics. No marketing scripts. No shadow profiles. No "optimisation tools."
- Basic log files (IP address, timestamp, browser type, referrer URL)
Retention: Server logs are deleted automatically after 7 days, unless a security incident requires temporary extended retention.
When Requesting a Free Security Check
When you request a free security check, we need a bit more information, but still only what’s absolutely necessary.
- Your form input (name, email, message) and the report are stored only on our own servers in Vienna, fully controlled and secured by us. No external tools. No cloud CRMs.
- We don’t use Google reCAPTCHA. Instead, we built custom background honeypots and behaviour checks that detect bots automatically. Spam is filtered before it reaches us, and we never see or store those submissions. We use your information only to create your free security check using OSINT. No marketing. No profiling. No repurposing.
Retention: If we do not start working together, your data is deleted immediately or at the latest after 90 days. If we work together, retention follows the contractual period.
When We Work Together
When you become our customer or partner, we process personal data solely to fulfil our contractual obligations and to deliver the service. Depending on the service (e.g. penetration testing, phishing simulations), this may involve highly confidential information or larger volumes of personal data. The exact scope of data processing is always defined and agreed upon before entering into a contract. Where personal data is processed, a Data Processing Agreement (DPA) is concluded. Your personal data is used exclusively for the agreed services and never for other purposes.
Retention: Data is kept only for the duration of the contract. After termination, it is deleted unless legal retention duties (e.g. tax or accounting laws) require us to store it longer.
When You Apply For A Job
If you apply for a job with us, we process the data you provide (e.g. CV, contact details, qualifications) to review your application and conduct the recruitment process.
Retention: Job application data is stored for 7 months: the 6-month period in which claims can be brought under the Austrian Equal Treatment Act (Gleichbehandlungsgesetz), plus 1 month so we can still defend against claims filed at the end of that period.
When You Contact Us Via Phone or Email
If you contact us by phone or email, we process the data necessary to handle your request (e.g. phone number, name, email address, and the content of your inquiry).
Retention: Communication data is stored only as long as needed to handle your inquiry or maintain our relationship, unless legal retention (e.g. commercial law, evidence in disputes) requires longer storage.
05 Purposes and Legal Bases (Art. 6 GDPR)
- Art. 6(1)(b) GDPR – Contract or pre-contractual steps: used when you contact us, request a free security check, or when we work together.
- Art. 6(1)(f) GDPR – Legitimate interests: ensuring secure website operation, preventing abuse, running anti-spam systems, maintaining server logs, and enabling efficient communication.
- Art. 6(1)(c) GDPR – Legal obligation: applies when accounting, documentation, or law enforcement regulations require us to retain certain data.
We rarely rely on consent because we use zero marketing cookies, no tracking, and no third-party analytics. Privacy is the default.
06 Data Residency and Subprocessors
We use carefully selected subprocessors to host infrastructure and provide critical security functionality. Subprocessors only act on our documented instructions and are bound by Data Processing Agreements (Art. 28 GDPR).
Servers and Primary Data Location
All servers used to host our website and products operate in Vienna, Austria. No personal data is routed through third countries unless explicitly stated in this policy.
Our hosting provider (subprocessor) is Netcup GmbH, Germany.
Hosting & Infrastructure
- Provider: Netcup GmbH (Germany)
- Location: Vienna (AT) and Germany
- Purpose: Hosting our website and Routerfishers products
Our infrastructure runs on hardened Linux-based or self-developed operating systems using fully self-hosted, open-source tooling wherever possible. These systems do not transmit personal data to external vendors. All processing remains completely under our control, with no third-party analytics, telemetry, or tracking.
07 Employee Systems & Internal Security Environment
All employees work on hardened, company-controlled Windows machines. These systems follow strict security baselines, enforced update policies, and multi-layered access controls to prevent unauthorized access.
Every device runs modern endpoint protection and antivirus. For security reasons, we do not publicly disclose vendor names or specific protective technologies. Regardless of the tools in use, all processing is performed exclusively under GDPR-compliant conditions and never outside of the EU/EEA without legal guarantees.
Employee systems never transmit personal data to antivirus vendors, cloud services, or third-party processors unless a legal basis and a data processing agreement exist. The internal security environment is continuously monitored, access is restricted on a strict need-to-know basis, and every workstation is isolated, logged, and audited.
08 Law Enforcement & Authorities
We do not share your personal data with authorities unless we are legally obligated to do so. This can happen under Art. 6(1)(c) GDPR where there is a legal obligation, for example in the context of terrorism, criminal investigations, or national security.
As a cybersecurity company, we may occasionally be approached by law enforcement or regulators. If that happens, we:
- Carefully review and validate the request.
- Strictly limit disclosure to the minimum amount of data required by law and directly tied to our services.
- Inform affected customers where legally and practically possible.
We will never give out your data voluntarily or for any purpose other than what the law explicitly requires.
09 Data Protection Measures
We take the protection of your data very seriously. To safeguard it, we apply industry-grade and state-of-the-art security controls:
- Managed & secured devices only – all processing is done on company-owned devices with enforced security policies.
- Endpoint protection – every system runs advanced Endpoint Detection & Response (EDR) and modern antivirus software.
- Full logging & monitoring – relevant activity is continuously logged and monitored.
- Isolated environments – your data is processed in hardened, separated environments not directly accessible from the public internet.
- Strict access control – only authorised staff directly involved in your project may access your data, and always on a need-to-know basis.
- Regular updates & hardening – systems are kept up-to-date, hardened, and are regularly assessed against modern threats.
10 Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Updates become effective once published on our website.
If we make significant changes, especially involving new subprocessors, you will be notified at least 30 days before they take effect, by email or another prominent notice.
You have the right to object to the use of a new subprocessor. Please note that an objection may result in termination of the contract if the purchased services rely on these subprocessors.
We will not appoint a subprocessor that would process personal data from our contractual relationship in a way that violates EU/EEA data protection standards.