Privacy Policy

Data Controller

mrocon GmbH

Untere Berggasse 11, 7323 Ritzing, Austria

Email: mro@mrocon.at

General

We process personal data in compliance with the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG). Personal data is only collected and processed to the extent necessary for the provision of our services.

The legal basis for data processing is outlined per service below, in accordance with Art. 6(1) GDPR.

Registration & Login (Auth0)

We use Auth0 (by Okta) for authentication and user management. The following data is collected upon registration and login:

  • Email address
  • Password (stored only as a hash, never in plain text)
  • Login timestamps and session metadata

Legal basis: Art. 6(1)(b) GDPR — performance of a contract (provision of the service).

Auth0 processes data in the EU region (Frankfurt). For any data transfers outside the EU, EU Standard Contractual Clauses (SCCs) apply.

Payment Processing (Stripe)

We use Stripe for payment processing. The following data may be collected:

  • Name and email address
  • Payment information (credit card, SEPA, PayPal, etc.)
  • Billing address
  • Transaction history

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

No full card numbers are stored on our servers. All payment data is handled directly by Stripe in accordance with PCI DSS standards.

Hosting (PythonAnywhere)

Our web application backend is hosted on PythonAnywhere. The following data may be logged:

  • IP address
  • Access time

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring security and stability of the service.

The VRM desktop application runs locally on your machine and does not transmit data to our servers beyond authentication and license verification.

AI Services (Bring Your Own Key)

VRM operates on a zero-knowledge, Bring Your Own Key (BYOK) model. Your AI API keys (OpenAI, Anthropic, Google Gemini, Groq, etc.) are:

  • Stored only in your browser's local storage
  • Never transmitted to or stored on our servers
  • Used exclusively for direct API calls from your client

We have no access to your API keys, your prompts, or your AI-generated results.

Cookies

We use only essential cookies required for the operation of the service:

  • Auth0 session cookie — maintains your authenticated session
  • Flask session cookie — server-side session management

We do not use tracking cookies, advertising cookies, or analytics cookies. No third-party tracking scripts are loaded.

Google Fonts

This website uses Google Fonts loaded from external Google servers. When you visit a page, your browser downloads the required font files from Google, which in doing so transmits your IP address to Google.

For more information, see Google's Privacy Policy.

Data Sharing

We share personal data only with the following third-party processors, strictly for the purposes described above:

  • Auth0 / Okta — authentication and identity management
  • Stripe — payment processing
  • PythonAnywhere — application hosting

Your data is never shared for advertising purposes, sold to third parties, or used for profiling.

Data Retention

Personal data is retained only as long as necessary for the purpose it was collected. After the end of a contractual relationship and expiry of any statutory retention period (e.g., 7 years for accounting records under Austrian law), data is deleted.

Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of Access (Art. 15) — request information about your stored personal data.
  • Right to Rectification (Art. 16) — request correction of inaccurate personal data.
  • Right to Erasure (Art. 17) — request deletion of your personal data ("right to be forgotten").
  • Right to Restriction (Art. 18) — request restriction of processing of your personal data.
  • Right to Data Portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21) — object to processing based on legitimate interest.
  • Right to Withdraw Consent (Art. 7(3)) — withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at mro@mrocon.at.

Right to Complaint

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority:

Austrian Data Protection Authority (Datenschutzbehörde)

Barichgasse 40-42, 1030 Vienna, Austria

Website: www.dsb.gv.at

Data Security

All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. We take appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse.