Version 2 · 21 Apr 2026
The controller responsible for the processing of personal data on the Platform within the meaning of Art 4 no. 7 GDPR is:
Temporarily, during the preview phase: GZE Advisory
Email: privacy@fractionista.com
For the purposes of this Privacy Policy, "Fractionista", "we", or "us" means the above controller. "You" means the natural person whose personal data we process — typically the individual Account holder on the Platform, or a natural person acting for a Company User.
2.1 This Privacy Policy applies to personal data processed through the web application at app.fractionista.com and the authentication subdomain auth.fractionista.com (the "Platform").
2.2 The marketing website at fractionista.com / www.fractionista.com is a separate WordPress installation and is governed by a separate privacy notice.
2.3 The Platform is offered exclusively to entrepreneurs (B2B). If you are acting for a legal entity, this Policy applies to your personal data as a natural person (e.g. your name, email, photo), while the legal entity itself is not a data subject under the GDPR.
Capitalised terms not defined here have the meaning given in the Terms of Service. "GDPR" means Regulation (EU) 2016/679. "DSG" means the Austrian Datenschutzgesetz. "Processing", "personal data", "controller", and "processor" are used as defined in Art 4 GDPR.
We process the following categories of personal data, in each case only as necessary for the purposes set out in §5.
en / de).
{firstname}-{12hex}).
HttpOnly, Secure, SameSite=Lax cookie).
Automated database triggers record every change to CxO profile, Company profile, Job Offer, and notification-preference records. Each audit entry contains: entity type and ID, action, field name, old value, new value, actor user ID, timestamp, and the acting IP address. Audit entries are visible only to administrators.
The table below shows why we process each category of data and on which legal basis under Art 6 GDPR.
Purpose | Categories (§4) | Legal basis
Creating your Account, authenticating you, providing the Platform, letting you publish and discover profiles and offers | 4.1, 4.2, 4.3, 4.4, 4.5, 4.7 | Art 6(1)(b) GDPR — performance of the contract with you (the Terms of Service)
Processing Company subscriptions, issuing invoices, handling failed payments | 4.1 (Company), 4.3, 4.6 | Art 6(1)(b) — contract; and Art 6(1)(c) — legal obligation (tax / accounting law, in particular BAO, UGB)
Sending transactional emails (magic-link, welcome, verification, admin notifications) | 4.1 | Art 6(1)(b) — contract
Quality review and plausibility checks on submitted profiles | 4.2, 4.3, 4.8 | Art 6(1)(f) — legitimate interest in maintaining the integrity and quality of the marketplace
Security, fraud prevention, abuse monitoring, enforcement of the Terms (including anti-scraping under §12 of the Terms) | 4.1, 4.7, 4.8 | Art 6(1)(f) — legitimate interest in the security of the Platform and its Users
Maintaining the audit trail for dispute resolution, security forensics, and regulatory compliance | 4.8 | Art 6(1)(f) — legitimate interest; and Art 6(1)(c) where applicable
Measuring aggregated performance of the Platform via Vercel Speed Insights (cookie-less, no personal profiles) | 4.7 | Art 6(1)(f) — legitimate interest in operating a performant service
Sending non-transactional communications (e.g. newsletter) if you opt in | 4.1, 4.5 | Art 6(1)(a) — your consent (withdrawable at any time)
Responding to authorities, enforcing or defending legal claims | Any of the above | Art 6(1)(c) or (f)
Our legitimate-interest analysis for §6(1)(f) purposes weighs the interests above against your reasonable expectations and the limited scope of the data processed. You may object to any legitimate-interest-based processing as described in §12.
Most personal data is collected directly from you. If you choose Google sign-in, we receive a limited set of profile data from Google (given name, family name, email, avatar URL). You can avoid this by using magic-link sign-in instead. We do not enrich your profile with data obtained from third-party data brokers.
The Platform implements a tiered visibility model for CxO Candidate data. The tier that applies depends on the role and subscription status of the viewing User. The tiers are enforced server-side — lower-tier viewers never receive the restricted fields at all.
Viewer | What they see
Unauthenticated visitors and CxO peers (Tier 1) | First name + last initial, silhouette avatar, country, CxO roles. Not shown: city, photo, biography, LinkedIn, hours, experience details.
Company on Free tier (Tier 2) | Tier 1 fields plus initials avatar, industries, collaboration types. Real name, photo, biography, and LinkedIn remain withheld.
Company on paid tier (Tier 3) | Full profile with real photo; last name may still be abbreviated if the CxO Candidate has set that preference.
You / administrators (Tier 4) | Full, unrestricted view.
Company profiles and Job Offers are generally visible to all authenticated Users and may, depending on settings, be surfaced on public pages.
This tiered model is a privacy-by-design feature, but it is not absolute: a User who has legitimately viewed data at a given tier could, in breach of the Terms, copy, store, or share it. The Terms (see §12 of the Terms) prohibit such misuse and provide a contractual penalty; we monitor for and enforce against such breaches, but we cannot guarantee the actions of third parties after disclosure.
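The following is an added illustration of how a server-side projection can enforce the tiers above so that restricted fields never leave the server; it is not Fractionista's code, and the field names, viewer shape and avatar representation are assumptions.

```javascript
// Added illustration, not Fractionista's code: a server-side projection that
// applies the tiered visibility rules before a CxO profile leaves the server.
// Field names, the viewer shape and the avatar representation are assumptions.

// Constructed sample record as it might be stored (ownerId = the CxO's user id).
const SAMPLE_PROFILE = {
  ownerId: "u1", firstName: "Ada", lastName: "Lovelace", country: "AT",
  city: "Vienna", roles: ["CTO", "CISO"], industries: ["fintech"],
  collaborationTypes: ["interim"], biography: "Fractional CTO.",
  linkedin: "https://www.linkedin.com/in/example", hoursPerWeek: 20,
  experience: ["2019-2024: CTO at a scale-up"], photoKey: "photos/u1.jpg",
  abbreviateLastName: true,   // the Candidate's own preference (Tier 3 rule)
};

const lastInitial = (name) => name.charAt(0).toUpperCase() + ".";
const initials = (p) => (p.firstName.charAt(0) + p.lastName.charAt(0)).toUpperCase();

// Map the viewing User to a tier. Anything unrecognised falls back to Tier 1,
// so a bug in role handling fails closed rather than leaking fields.
function viewerTier(viewer, profile) {
  if (!viewer) return 1;                                            // unauthenticated
  if (viewer.role === "admin" || viewer.userId === profile.ownerId) return 4;
  if (viewer.role === "company") return viewer.subscriptionActive ? 3 : 2;
  return 1;                                                         // CxO peers
}

// Build the response bottom-up: a field is only added once the tier allows it,
// so withheld fields are never present in the object that gets serialised.
function projectProfile(profile, viewer) {
  const tier = viewerTier(viewer, profile);
  if (tier === 4) return { tier, ...profile };
  const out = { tier, firstName: profile.firstName, lastName: lastInitial(profile.lastName),
                avatar: { kind: "silhouette" }, country: profile.country, roles: profile.roles };
  if (tier >= 2) {
    out.avatar = { kind: "initials", value: initials(profile) };
    out.industries = profile.industries;
    out.collaborationTypes = profile.collaborationTypes;
  }
  if (tier >= 3) {
    // photoKey would be exchanged for a short-lived signed URL at this point.
    out.avatar = { kind: "photo", value: profile.photoKey };
    out.lastName = profile.abbreviateLastName ? lastInitial(profile.lastName) : profile.lastName;
    Object.assign(out, { city: profile.city, biography: profile.biography,
      linkedin: profile.linkedin, hoursPerWeek: profile.hoursPerWeek,
      experience: profile.experience });
  }
  return out;
}
```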
Profile photos and Company logos are stored in a private cloud-storage bucket operated by Supabase. Access is controlled by short-lived signed URLs issued by the Platform in accordance with the tiered visibility rules in §7. When a User disables publication or deletes their account, new signed URLs are no longer issued, and any previously issued signed URL expires within minutes.
We use only strictly necessary cookies and minimal, cookie-less performance measurement. We do not use any advertising cookies, tracking pixels, cross-site trackers, or third-party analytics services (no Google Analytics, no Meta Pixel, no Hotjar, no LinkedIn Insight Tag).
sb-<project-ref>-auth-token — set by Supabase to maintain your authenticated session. HttpOnly, Secure, SameSite=Lax. Rolling lifetime, refreshed per session.
NEXT_LOCALE (or equivalent next-intl cookie) — stores your chosen interface language. Default lifetime one year.
These cookies are strictly necessary to provide the Platform you have requested and do not require consent under § 165 Abs 3 TKG 2021 (Austrian implementation of Art 5(3) ePrivacy Directive).
We use Vercel Speed Insights to collect anonymous, aggregated performance metrics (page load times, core web vitals). Vercel Speed Insights does not set any cookies and does not build user profiles. Legal basis: Art 6(1)(f) GDPR, our legitimate interest in the operability of the Service. You may object as described in §12.
On your first visit, we display an information banner confirming our use of strictly necessary cookies. The banner does not request consent, because we do not use consent-requiring cookies.
We disclose personal data only to the categories of recipients listed below. Each sub-processor acts on our documented instructions under a data-processing agreement that complies with Art 28 GDPR.
Recipient | Function | Data shared | Location of processing | Safeguards
Supabase (Supabase Inc., via Supabase EU entity) | Database, authentication, storage | All Account, profile, offer, subscription, audit and storage data (§4.1–4.8) | EU region (Frankfurt) | DPA (GDPR addendum); EU-hosted data; SCCs where onward transfers occur
Vercel (Vercel Inc.) | Application hosting, CDN, serverless functions, Speed Insights | HTTP requests, IP, user-agent, performance metrics | Frankfurt (EU) for primary hosting; Vercel's global edge network for static assets | DPA; EU-US Data Privacy Framework (for US processing by parent entity); SCCs
Stripe (Stripe Payments Europe Ltd.) | Payment processing, subscription management, invoicing (Company Users only) | Company name, billing email, billing address, VAT ID, card data (handled by Stripe; not passed to us), transaction data | Ireland (EU); some processing in the US by Stripe Inc. | DPA; EU-US Data Privacy Framework; SCCs; PCI-DSS
Resend (Resend, Inc.) | Transactional email delivery | Recipient email, first name, email subject and body | EU region (Frankfurt) | DPA; EU-US Data Privacy Framework; SCCs
Google (Google Ireland Ltd.) — only if you use Google sign-in | OAuth authentication; we receive your given name, family name, email and avatar URL from Google | Authentication handshake data | Global (Google infrastructure) | EU-US Data Privacy Framework; SCCs; your use of Google sign-in is optional (magic-link is the alternative)
Our legal, tax, and IT advisors | Professional advice, accounting, support | Only what is necessary for the engagement | EU/EEA | Professional secrecy obligations; DPAs where applicable
Competent authorities | Compliance with binding legal requests | Only what is legally required | Austria / EU | Statutory basis
We do not sell personal data. We do not share personal data with advertising networks.
Our primary infrastructure is hosted within the EU. Limited transfers to third countries (primarily the United States) occur where a sub-processor's parent entity, support organisation, or global edge network is based there. For all such transfers, we rely on:
You may request further information on the specific safeguards applicable to any transfer by contacting us at privacy@fractionista.com.
We retain personal data only for as long as necessary for the purposes for which it was collected, and thereafter only as required by law.
Data | Retention
Active Account data (§4.1–4.5, §4.7) | For the duration of the Account.
Inactive Accounts | We reserve the right to delete Accounts that have had no successful sign-in for an extended period, typically at least 24 months. Where practicable, we will notify you in advance and give you a reasonable opportunity to reactivate the Account before deletion.
Soft-deleted Accounts | 28 days after the deletion request or the inactivity-based soft-deletion. During this grace period the Account can be restored on request. After the grace period, the Account and cascading personal data are permanently deleted.
Billing and transactional data (§4.6) | 7 years from the end of the relevant fiscal year, as required by § 132 BAO and § 212 UGB (Austrian tax and commercial law). This includes a mirror of relevant Stripe webhook events.
Audit log (§4.8) | 24 months from the time of the recorded action, after which entries are automatically pruned.
Server logs (Vercel) | Short rolling window managed by Vercel (approximately 24 hours by default).
Transactional email logs (Resend) | Approximately 30 days on Resend's side.
Data retained under a legal hold (litigation, regulatory investigation) | For the duration of the hold.
We are exploring additional features that may involve further processing of personal data, including:
None of these features is live at the date of this Policy. Before we activate any such feature, we will update this Policy, notify you in a reasonable manner, and — where the feature would involve automated decision-making with legal or similarly significant effects within the meaning of Art 22 GDPR — obtain the legal basis required by that provision (typically your explicit consent). Until then, the only processing performed on the Platform is the operational processing described in §§4–10.
We do not currently carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art 22 GDPR. Human reviewers (administrators) make activation and verification decisions; technical filtering and search (e.g. narrowing Job Offer lists by country) is not automated decision-making in the Art 22 sense.
If this changes, §13 applies.
We apply the following technical and organisational measures:
auth.uid() so that each User can access only their own data.
No system is ever completely secure. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (Austrian DSB) without undue delay and, where the risk is high, notify affected Users in accordance with Art 33–34 GDPR.
Security disclosures can be reported to security@fractionista.com.
Under Chapter III of the GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, email us at privacy@fractionista.com. We will respond without undue delay and in any event within one month of receipt (extendable by two months for complex requests, with notice to you). We may ask for proof of identity where reasonably necessary to prevent unauthorised disclosure.
We are not required to appoint a data protection officer under Art 37 GDPR. The general privacy contact is privacy@fractionista.com.
The Platform is not intended for and not directed at persons under eighteen (18) years of age. We do not knowingly process the personal data of minors. If we become aware that we have collected data from a minor, we will delete it without delay.
We may update this Policy from time to time to reflect changes in our practices, our sub-processor landscape, or applicable law. Material changes will be notified by email and/or in-app notice at least thirty (30) days before they take effect, and we may re-prompt you for acceptance when you next use the Platform. Non-material changes may take effect immediately.
Each version of this Policy carries a version identifier and an effective date; the version currently in force is the one that applies to your use of the Platform.
Fractionista — in the preview phase temporarily operated by GZE Advisory
Privacy: privacy@fractionista.com
Security disclosures: security@fractionista.com
General legal: legal@fractionista.com