Privacy | Cevio

01

Data Controller

Responsible within the meaning of the General Data Protection Regulation (GDPR):

Company: Cevio e.U.
Owner: Tobias Sonnleitner
Address: Stadlergasse 9a/3, 1130 Wien, Österreich
Email: contact@cevio.at
Website: cevio.at

02

General Information on Data Processing

We only process personal data of our users to the extent necessary for providing our websites, services and content. Processing is based on the following legal bases under Art. 6(1) GDPR:

Art. 6(1)(a) GDPR — consent of the user.
Art. 6(1)(b) GDPR — performance of a contract (e.g. use of the Steam Hour Idler).
Art. 6(1)(c) GDPR — legal obligation (e.g. retention of invoices).
Art. 6(1)(f) GDPR — legitimate interest (e.g. IT security, analytics).

The provisions described in this privacy policy apply to all websites and subdomains operated under cevio.at, in particular:

cevio.at: Main website
idler.cevio.at: Steam Hour Idler

Minimum age. Our services are intended for persons who have reached the age of 14 (§ 4(4) DSG — Austrian Data Protection Act). Persons under 14 may only use our services with the consent of a legal guardian. Should we become aware that personal data of persons under 14 has been processed without appropriate consent, we will delete this data immediately.

03

Hosting & Server Infrastructure

Our websites and services are operated on servers in Austria. Web hosting and a virtual server (V-Server) are provided by World4You Internet Services GmbH (Hafenstraße 47–51, 4020 Linz, Austria). Our applications run on the V-Server via PM2 with Caddy as a reverse proxy.

When accessing our pages, the following technical data is automatically recorded in server log files:

IP address (anonymised after 7 days)
Date and time of the request
Accessed page / URL
Browser type and version
Operating system
Referrer URL

This data is processed to ensure smooth operation and to detect and prevent attacks (Art. 6(1)(f) GDPR).

Hosting provider: World4You Internet Services GmbH, Linz, Austria
Server location: Austria (EU)
Reverse proxy: Caddy Server
CDN / DNS: Cloudflare, Inc. (USA) — Standard Contractual Clauses per Art. 46 GDPR

04

Website Usage

When visiting our websites (cevio.at and subdomains), the server log data mentioned above is collected. Additionally, we use:

Google Fonts. We use fonts from Google LLC. When loading the page, a connection to Google servers is established, whereby your IP address is transmitted to Google. Legal basis is Art. 6(1)(f) GDPR (legitimate interest in consistent presentation).

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data transmitted: IP address, browser information
Google Privacy: policies.google.com/privacy

Contact forms. Data collected through our contact forms (name, email, message) is used exclusively for processing your inquiry and is not shared with third parties. Legal basis is Art. 6(1)(b) GDPR.

External JavaScript libraries (CDN). For animations on our websites we use the JavaScript library anime.js, loaded via a Content Delivery Network (CDN) from Cloudflare (cdnjs.cloudflare.com). When loading, a connection to the CDN server is established, whereby your IP address is transmitted to Cloudflare.

Library: anime.js (animation framework)
Loaded via: cdnjs.cloudflare.com (Cloudflare, Inc., USA)
Data transmitted: IP address, browser information
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in functional presentation)

05

Contact

When you contact us by email or contact form, your information is stored for processing the inquiry. We do not share this data without your consent. Processing is based on Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest).

Your data will be deleted once the purpose of storage no longer applies and no legal retention obligations exist.

06

Email Communication

We send transactional emails as part of our services. These are exclusively service-related messages — we do not send promotional or newsletter emails unless you have explicitly consented.

Occasions for email sending:

Registration confirmation and welcome email
Password reset
Payment confirmations and invoices
Important changes to your account or our services
Security notifications (e.g. login from a new device)

Email sent via: World4You SMTP server (Austria, EU)
Sender address: noreply@cevio.at / contact@cevio.at
Processed data: Email address, name (if available), reason for the message
Legal basis: Art. 6(1)(b) GDPR (contract performance) or (f) (legitimate interest)

Emails are sent via the SMTP servers of our hosting provider World4You. All data remains in Austria (EU). No external email marketing services are used.

07

Steam Hour Idler (idler.cevio.at)

The Cevio Steam Hour Idler is a SaaS service that automatically increases Steam game hours in the background. Registration is required for use.

7.1 Registration & user account. During registration, we collect the following data:

Email address
Password (stored hashed, not in plain text)
Registration timestamp
IP address at the time of registration

Legal basis: Art. 6(1)(b) GDPR (contract performance).

7.2 Steam credentials. To use the service, you must provide your Steam credentials (username and password). This data is particularly sensitive and is treated by us with the utmost care:

Steam credentials are stored encrypted on our servers.
The data is used exclusively for the boosting service.
No transfer to third parties — under no circumstances.
Steam Guard / 2FA codes are only used temporarily for authentication and are not stored permanently.
You can delete your Steam data from your account at any time.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

7.3 Usage data. During use of the service, we store:

Boosted games and their App IDs
Session times and total hours
Selected package and its status
Account status (Idling, Offline, Paused)

This data serves the functionality of the service and billing. Legal basis: Art. 6(1)(b) GDPR.

7.4 Account deletion. You can request deletion of your account and all associated data at any time. After deletion, all personal data including Steam credentials will be irrevocably removed, unless legal retention obligations apply.

08

Payment Processing

For paid packages of our services we offer three payment methods: Stripe, PayPal, and bank transfer. Payment data is transmitted directly to the respective provider — we do not store credit card or full bank details on our servers.

Stripe.

Payment provider: Stripe, Inc. (USA) — Standard Contractual Clauses per Art. 46 GDPR
Data transmitted: Amount, package name, email address, Stripe customer ID
Stored by us: Stripe customer ID, subscription status, payment timestamp — no card data
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Stripe Privacy: stripe.com/at/privacy

PayPal.

Payment provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg
Data transmitted: Amount, package name, email address, PayPal transaction ID
Stored by us: PayPal transaction ID, payment status, payment timestamp — no PayPal login data
Legal basis: Art. 6(1)(b) GDPR (contract performance)
PayPal Privacy: paypal.com/at/legalhub/privacy-full

Bank transfer. If you choose bank transfer, the transfer runs through your own bank to ours. We receive the standard transfer information (sender name, IBAN, amount, reference) needed to allocate the payment. This data is processed for accounting purposes and is retained as required by Austrian commercial and tax law.

Data received: Sender name, IBAN, amount, payment reference
Stored by us: For accounting and statutory retention only
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligation)

Invoice data (amount, date, package) is retained for 7 years in accordance with the Austrian Federal Fiscal Code (Bundesabgabenordnung — BAO).

09

Cookies

Our websites use cookies. These are divided into:

Technically necessary cookies. These are required for website operation (e.g. session cookies, login status, OAuth tokens). They are set without consent (Art. 6(1)(f) GDPR).

Session cookie: Maintaining the login session — expires at end of session
Auth token: Authentication for the Steam Hour Idler — expires after 7 days
Cookie consent: Storage of your cookie preferences — expires after 12 months

Functional cookies. Store preferences such as language settings or theme preferences. Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner).

Analytics cookies. Only set with your consent and used for anonymised analysis of usage behaviour. Details under Section 10.

You can delete cookies or prevent their storage at any time in your browser settings. Some website features may be restricted as a result. Full details and on-page controls live on the cookie policy page.

10

Analytics & Tracking

We use a self-hosted analytics system to evaluate website usage. No data is transmitted to external providers.

IP addresses are processed anonymously.
No personal profiles are created.
No sharing with third parties.
Opt-out is available at any time via the cookie banner.

The collected data includes:

Pages visited and time spent
Referrer (which page you came from)
Device type, browser and operating system
Approximate location (country level)
Time of visit

No Google Analytics. We deliberately do not use Google Analytics or comparable services from external providers. Our entire analytics system is self-hosted and the data remains entirely on our servers in Austria (EU).

Legal basis: Art. 6(1)(a) GDPR (consent) or (f) (legitimate interest).

11

Third Parties & External Services

Below we inform you about the external services we use and to which data may be transmitted:

World4You. Our websites and applications are hosted by World4You Internet Services GmbH (Austria). World4You processes technical data within the hosting agreement. All data remains in Austria (EU).

Provider: World4You Internet Services GmbH, Hafenstraße 47–51, 4020 Linz, Österreich
Privacy: world4you.com/de/datenschutz

Cloudflare. We use Cloudflare (Cloudflare, Inc., USA) as a CDN and DNS provider. Cloudflare may process technical data (IP address). Standard Contractual Clauses per Art. 46 GDPR apply.

Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
Purpose: CDN, DNS, DDoS protection, SSL
Privacy: cloudflare.com/privacypolicy

Stripe. For payment processing, we use Stripe, Inc. (USA). Stripe processes payment data according to its own privacy policy. Standard Contractual Clauses per Art. 46 GDPR apply.

Provider: Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA
Purpose: Payment processing
Privacy: stripe.com/at/privacy

PayPal. For payment processing, we additionally offer PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg).

Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg
Purpose: Payment processing
Privacy: paypal.com/at/legalhub/privacy-full

Google Fonts. Fonts are loaded from Google servers. Your IP address is transmitted to Google LLC (USA). Legal basis: Art. 6(1)(f) GDPR.

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy: policies.google.com/privacy

Steam / Valve. The Steam Hour Idler interacts with the Steam platform (Valve Corporation, USA). Steam credentials are used exclusively for authentication and providing the boosting service. Valve only receives standard login requests — no additional data is transmitted to Valve.

Provider: Valve Corporation, P.O. Box 1688, Bellevue, WA 98009, USA
Purpose: Authentication and provision of the boosting service
Privacy: store.steampowered.com/privacy_agreement

Discord bots. Cevio operates Discord bots for various community servers. During bot operation, the following data may be processed:

Discord user ID and username
Server ID (Guild ID) of the respective Discord server
Message content, if relevant for bot functions (e.g. ticket system, commands)
Interaction data (executed commands, button clicks)

This data is processed exclusively for providing the respective bot functionality. Message content is not permanently stored unless required for the respective function (e.g. ticket archiving at the server administrator's request). Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

Social media links. Our websites contain links to external social media platforms. Clicking these links redirects you to the respective platform. A connection to the provider is only established when you click — no data is transmitted to social media platforms as long as you don't actively click the links (no social media plugins or trackers). Data processing on the respective platforms is subject to the privacy policies of the respective providers.

12

Data Processing Agreements (DPA)

Where we use external service providers that process personal data on our behalf, we have concluded Data Processing Agreements (DPA) per Art. 28 GDPR. These agreements ensure that data processing by our processors complies with GDPR requirements.

World4You: DPA per Art. 28 GDPR — hosting and email delivery (data processing in Austria)
Cloudflare: Data Processing Addendum (DPA) — CDN, DNS, DDoS protection (Standard Contractual Clauses per Art. 46 GDPR)
Stripe: Data Processing Agreement (DPA) — payment processing (Standard Contractual Clauses per Art. 46 GDPR)
PayPal: Processing within the EU (Luxembourg) — DPA per Art. 28 GDPR

For third-country transfers (USA), we rely on the Standard Contractual Clauses approved by the European Commission per Art. 46(2)(c) GDPR and, where applicable, the EU–U.S. Data Privacy Framework.

13

Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of access — you can find out at any time what data we have stored about you (Art. 15 GDPR).
Rectification — you have the right to have incorrect data corrected (Art. 16 GDPR).
Erasure — you can request deletion of your data, provided no retention obligation exists (Art. 17 GDPR).
Restriction — you can request restriction of processing (Art. 18 GDPR).
Data portability — you have the right to receive your data in a common format (Art. 20 GDPR).
Objection — you can object to processing at any time, particularly for direct marketing (Art. 21 GDPR).

Furthermore, you have the right to withdraw any given consent at any time (Art. 7(3) GDPR). Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

To exercise your rights, please contact us by email at contact@cevio.at. We will process your request without undue delay, and within one month at the latest.

Right to lodge a complaint. You have the right to lodge a complaint with the Austrian data protection authority:

Authority: Österreichische Datenschutzbehörde
Address: Barichgasse 40–42, 1030 Wien
Web: dsb.gv.at
Email: dsb@dsb.gv.at

14

Data Retention

We store personal data only as long as necessary for the respective purpose:

Server logs: 7 days (IP anonymised)
Contact inquiries: Until resolved, max. 6 months
User accounts (Idler): Until account deletion
Steam credentials: Until account deletion or manual removal
Billing data: 7 years (legal retention requirement, BAO)
Transactional emails: Email logs max. 30 days, then deleted
Discord bot data: Only during active use, no permanent storage of message content
Cookies: Depending on type: session to max. 12 months

15

Data Security

We implement technical and organisational measures to protect your data from unauthorised access, loss or misuse:

SSL/TLS encryption for all websites and services
Encrypted storage of sensitive data (especially Steam credentials)
Passwords are exclusively stored hashed
Regular security updates and server maintenance
Access restrictions on databases and systems
Cloudflare protection against DDoS and malicious requests
Separate databases for authentication and application data
Reverse proxy (Caddy) with automatic HTTPS certificate management

16

Changes to this Privacy Policy

We reserve the right to adjust this privacy policy as needed to adapt to changed legal situations or changes to our services. The current version can always be found on this page. For significant changes, we will inform registered users by email.

Last updated: 7 May 2026

Privacy.

Privacy policy