Privacy Policy

This Privacy Policy describes our procedures on the collection and use of your personal data when you use the Services or visit the Website.
It also explains your privacy rights and how the law protects you.

1. Contact address

Routerfishers Vienna, Austria
Website: https://routerfishers.com
Contact for privacy: privacy@routerfishers.com

2. Data Processed

When You Visit Our Website
We only process data that are strictly necessary for the functionality and security of the website. This includes, for example:
Technical details such as your IP address when using Google reCAPTCHA 2.0 (security service).
Basic website log files, which are collected automatically for security purposes.
We do not use marketing cookies or tracking tools. Any cookies in use are strictly limited to what is necessary for the proper functioning of the website.

When We Work Together
When you become our customer or partner, we process personal data solely for the purpose of fulfilling our contractual obligations. Depending on the specific service provided – such as penetration testing or phishing simulations – this may involve the processing of highly confidential information or large volumes of personal data.
The exact scope of data processing is always defined and agreed upon before entering into a contract. Where legally required, a Data Processing Agreement (DPA) is concluded.
Your personal data are used exclusively for the agreed services and never for any other purpose.
You may exercise your rights as a data subject under the GDPR at any time, including the rights of access, rectification, erasure, restriction of processing, objection, and data portability.

3. Data Residency

Servers and Prime data residency
All servers are located in Vienna, Austria.
Our hosting provider (sub-processor) is Netcup GmbH, Germany.

Additional Services

reCAPTCHA Security Check
To protect our website from spam and abuse, we use Google reCAPTCHA.
This service checks whether the input on our site (e.g., in forms) is made by a human.
When you use reCAPTCHA, personal data such as your IP address, device and browser information, and usage behavior may be sent to Google LLC (USA).
This data transfer outside the EU is based on Standard Contractual Clauses (SCCs) to ensure adequate protection.
The legal basis for this processing is our legitimate interest (Art. 6(1)(f) GDPR) in protecting our website from misuse and automated attacks.
For more information, see Google’s Privacy Policy: https://policies.google.com/privacy

4. Your rights

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
Right of access (Art. 15 GDPR): You may request information about the personal data we hold about you.
Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, provided that no legal obligation requires us to retain them.
Right to restriction of processing (Art. 18 GDPR): You may request restriction of processing in certain circumstances.
Right to object (Art. 21 GDPR): You may object to the processing of your personal data, in particular when it is based on our legitimate interests.
Right to data portability (Art. 20 GDPR): You may request to receive your personal data in a structured, commonly used, and machine-readable format, or to have it transmitted directly to another controller.

You can exercise your GDPR rights (Art. 15–22 GDPR) at any time by contacting us at privacy@routerfishers.com.
In addition, you have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR) if you believe that your data have been processed unlawfully.

5. Data Retention


We only keep personal data for as long as it is necessary for the stated purposes or to meet legal obligations.

Examples:
If you apply for a job, we keep your application data for 6 months plus 1 additional month to comply with the Austrian Equal Treatment Act (Gleichbehandlungsgesetz) and possible legal claims.
If you are our customer or partner, we keep personal data only for the duration of the contract. After termination, the data is deleted immediately, unless legal retention duties (e.g., tax or accounting laws) require us to keep it longer.

Technical logs or security-related data are only kept for a short period (usually days to weeks), unless needed to investigate abuse or security incidents.
After these periods, your data is securely deleted.

6. Law Enforcement

We do not share your personal data with authorities unless we are legally obligated to do so.
This can happen under GDPR Art. 6(1)(c) when there is a legal requirement, for example in the context of a terrorism or national security investigation.

As a cybersecurity company, we are sometimes approached by law enforcement or regulators. If that happens:
We will check the request very carefully.
We will strictly limit disclosure to the bare minimum amount of data required by law and tied to our services.
We will inform you whenever legally possible.
We will never give out your data voluntarily or for any purpose other than what the law explicitly requires.

7. Data Protection Measures

We take the protection of your data very seriously.
To protect it, we apply industry-grade and state-of-the-art security controls:
Managed & secured devices only – all processing is done on company-owned devices with enforced security policies.
Endpoint protection – every system runs advanced EDR (Endpoint Detection & Response) and modern antivirus software.
Full logging & monitoring – all activity is continuously logged and monitored to detect anomalies.
Isolated environments – your data is processed in hardened, separated environments that are not accessible from the public internet.
Strict access control – only authorized staff directly involved in your project may access your data, and always on a need-to-know basis.
Regular updates & hardening – systems are kept up-to-date, hardened, and penetration-tested against modern threats.

8. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Updates become effective once published on our website.
If we make significant changes, especially involving new subprocessors, you will be notified in advance by email or another prominent notice.
You will be informed at least 30 days in advance of any such changes taking effect.

You have the right to object to the use of a new subprocessor.
Please note that an objection will result in termination of the contract if your purchased services rely on these subprocessors.

We will never appoint a subprocessor affecting the processing of personal data from our contractual relationship located outside the EU/EEA.
