Privacy Policy

2. What data we process

We only process personal data to the extent necessary for operating our website and providing our service. The following categories of data may be collected:

When visiting the website (server log files)

When you visit our website, our hosting provider automatically collects technical data transmitted by your browser:

• Browser type and version
• Operating system
• Referrer URL (previously visited website)
• Date and time of access
• IP address (truncated where technically possible)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure operation of the website).

When making a booking

To process your SUP rental, we collect:

• First and last name
• Email address
• Phone number (optional)
• Rental period and location
• Payment data (see section 4 — we never see your full card details)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

When contacting us by email

When you contact us by email, we process the data you provide (email address, name, message content) to handle your enquiry.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in responding to your enquiry).

3. Cookies and similar technologies

We only use strictly necessary cookies on this website. These are required for the website to function correctly — for example, to store your cookie preference.

We use no tracking, no analytics tools, no advertising cookies. No connection to Google Analytics, Facebook Pixel, or comparable services.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the operation of the website).

You can disable cookie storage in your browser settings at any time — the website will remain usable.

4. Payment processing

Bookings are paid online. We use the following payment processors:

Stripe

Stripe Payments Europe, Limited
1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland

Stripe processes card payments (Visa, Mastercard, Maestro), Apple Pay, and Google Pay. Stripe processes payment data directly — we never see your full card details. Stripe is certified under the EU Standard Contractual Clauses. Privacy policy: stripe.com/at/privacy.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

5. Email delivery

For sending booking confirmations, codes, and rental-related information, we use the service SendGrid:

Twilio Inc. (SendGrid)
101 Spear Street, Fifth Floor
San Francisco, CA 94105, USA

Data transfer to the USA is safeguarded by a data processing agreement with SendGrid and the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). SendGrid is also certified under the EU-US Data Privacy Framework.

Data processed: email address, name (if provided), content of emails sent.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

6. Booking system

The booking system runs on the domain clickandpaddle.store.rentals and is own infrastructure of Click&Share GmbH. Data you enter during the booking process (name, email, chosen location, rental period, payment confirmation) is processed and stored on our servers.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR for tax-related retention.

7. Hosting

This website is hosted by:

Vercel Inc.
340 S Lemon Ave #4133
Walnut, CA 91789, USA

Vercel provides the technical hosting of the website. Data transfer to the USA is safeguarded by the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). The processor is certified under the EU-US Data Privacy Framework. A data processing agreement pursuant to Art. 28 GDPR is in place with Vercel.

Server log files (see section 2) are created automatically by Vercel and deleted after a short time.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure operation of the website).

8. Embedded services

Google Maps

Our location pages contain embedded maps from Google Maps. We use a click-to-load approach: the map is only loaded after your active confirmation. Only then is data (in particular your IP address) transmitted to Google.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy policy: policies.google.com/privacy.

Legal basis: Art. 6(1)(a) GDPR (consent via click-to-load).

PaddleBot (Chatwith)

Our FAQ section includes an embedded chatbot, operated by:

Chatwith (chatwith.tools)

When you use the PaddleBot, your messages are transmitted to the provider. A data processing agreement is in place with Chatwith.
Privacy policy: chatwith.tools/privacy.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient customer support) and Art. 6(1)(a) GDPR (consent through active use).

9. Storage duration

We only store your data for as long as necessary for the respective purpose:

• Server log files: typically no more than 30 days
• Booking data and invoices: 7 years after the end of the financial year (per § 132 BAO — Austrian Federal Fiscal Code)
• Email correspondence: until your enquiry is resolved, then retained as required by statutory retention obligations
• Cookie settings: up to 12 months, or until you actively change them

10. Your rights

Under the GDPR you have the following rights:

• Access to the personal data stored about you (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data (Art. 17 GDPR), unless statutory retention obligations apply
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing (Art. 21 GDPR)
• Withdrawal of consent with future effect (Art. 7(3) GDPR)

To exercise your rights, an informal email to thomas@clickandshare.at is sufficient.

11. Right to lodge a complaint

You have the right to lodge a complaint with the data protection authority if you believe that the processing of your personal data violates the GDPR.

12. Changes to this policy

We may update this privacy policy if legal requirements or our services change. The current version is always available on this page. Material changes will be communicated in an appropriate manner (e.g. a notice on the homepage).

Last updated: 28 June 2026