gegenstand.at is a service available across Austria for contactless handovers and luggage storage via smart lockers. 1,300+ smart lockers in Austria, many accessible 24/7. Cities include: Wien, Graz, Linz, Salzburg, Innsbruck. Prices per box size for the first 24 hours: XS €2.99 · S €3.99 · M €4.99 · L €5.99. With return (2× 24 h): XS €4.99 · S €5.99 · M €6.99 · L €7.99. €0.99 per additional usage day. Cancellation fee: €1.99 (one-way) or €2.99 (with return). As of: 14 May 2026. Operator: Mirafox UG (Germany), operating in Austria. Support: support@gegenstand.at.
Last updated: .
Effective: January 18, 2026
Privacy Policy
This privacy policy informs you about which personal data we collect when using gegenstand.de, how we use it, and what rights you have.
1. Data Controller
2. What Data Do We Collect?
3. Use of Your Data
4. Data Sharing
5. Your Rights
6. Data Storage
7. Data Processing (Location)
8. Cookies
9. Cloudflare
10. MyFlexBox
11. PayPal
12. Stripe
13. Social Media
14. Server Log Files
15. Right to Lodge a Complaint
16. Contact
1. Data Controller
The party responsible for the processing of your personal data is:
Mirafox UG (haftungsbeschränkt)
Leipziger Str. 49
10117 Berlin, Germany
Email: info@gegenstand.de
2. What Data Do We Collect?
At Mirafox UG (haftungsbeschränkt) (gegenstand.de), protecting your privacy is of utmost importance. We collect and process your personal data responsibly. This privacy policy explains what personal data we collect, how we use it, and for what purpose.
2.1 Data You Provide to Us
This includes personal data you submit when using our services, such as when creating an account, booking a handover box, subscribing to our newsletter, or communicating with our customer service. This data includes your personal details (first and last name, address, phone number, email address), password, payment information, and communication data.
2.2 Data We Collect from You
We collect information about how you use our services, such as which locations you view, which features you use, and the timing, frequency, and duration of your activities. This includes transaction data and technical access and device data.
2.3 Data from Third Parties
We may collect additional data from third parties such as payment service providers and combine it with your personal data. We ensure that these partners are authorized to collect and transmit this data.
3. Use of Your Data
3.1 Provision of Our Services
We process your contact data to coordinate the booking of handover boxes, provide access codes, and enable the handover. Your payment information is used to process payments for booked services.
Legal basis: Article 6(1)(b) GDPR.
3.2 Email Communication
We use your email address to inform you about the status of your bookings. This includes notifications about booking confirmations, access codes, and pickup notifications. Occasionally, with your consent, we may send you promotional materials.
Legal basis: Article 6(1)(b) GDPR (contract) or Article 6(1)(a) GDPR (consent).
3.3 Customization and Improvement of Our Services
We use your data to personalize and continuously improve our services. This includes optimizing the user-friendliness of our platform.
Legal basis: Article 6(1)(f) GDPR.
3.4 Data Security
We use your data to ensure security on our platform. This includes verification of accounts and activities as well as detection and prevention of misuse.
Legal basis: Article 6(1)(f) GDPR.
3.5 Legal Obligations
In some cases, we process your data due to legal requirements, such as compliance with tax retention obligations.
Legal basis: Article 6(1)(c) GDPR.
4. Data Sharing
We only share your data when legally permitted and necessary:
4.1 Smart Locker Partner (myflexbox)
For the provision of handover boxes, we work with MYFLEXBOX Germany GmbH. When you make a booking, the necessary access data (access codes, box number, location) is provided through their system. We do not share personal customer data with myflexbox unless this is absolutely necessary for the provision of the service.
4.2 Payment Service Providers
For payment processing, we use external service providers (see sections 11 and 12). The data entered during the payment process is transmitted to them.
4.3 Technical Service Providers
We transmit data to technical infrastructure providers (hosting, email providers) to provide our services.
4.4 Authorities
Your data will be transmitted to authorities such as the police or tax office when we are legally obligated to do so.
5. Your Rights
Under the General Data Protection Regulation, you have the following rights:
Right of access (Art. 15 GDPR): You can request information about your stored data.
Right to rectification (Art. 16 GDPR): You can request correction of inaccurate data.
Right to erasure (Art. 17 GDPR): You can request deletion of your data.
Right to restriction (Art. 18 GDPR): You can request restriction of processing.
Right to data portability (Art. 20 GDPR): You can receive your data in a machine-readable format.
Right to object (Art. 21 GDPR): You can object to the processing.
Right to withdraw consent (Art. 7(3) GDPR): You can withdraw your consent at any time.
Contact us at info@gegenstand.de to exercise these rights.
6. Data Storage
We store your personal data for the duration of your use of our services. Additionally, your data is stored for up to 36 months after the last activity and then deleted, unless statutory retention obligations apply (e.g., tax retention obligation of 10 years).
If you wish to delete your account, you can do so through your account settings or contact us at info@gegenstand.de.
7. Data Processing (Location)
gegenstand.de primarily processes your data within the EU and the EEA. In exceptional cases, data may need to be transferred to partners outside the EU/EEA. In such cases, we ensure adequate data protection through EU standard contractual clauses or comparable safeguards.
8. Cookies
8.1 Types of Cookies
Transient cookies: These are deleted when you close your browser. They contain session cookies for assigning your requests during a session.
Persistent cookies: These are automatically deleted after a set period. You can delete these at any time in your browser settings.
8.2 Purpose of Use
Technically necessary cookies: These are required for the operation of our website.
Legal basis: Article 6(1)(f) GDPR.
Optional cookies: We only use these with your consent to analyze and improve our website.
Legal basis: Article 6(1)(a) GDPR.
9. Cloudflare
We use Cloudflare functions on our website, a CDN service provided by Cloudflare Germany GmbH. Traffic between your browser and our website is routed through the Cloudflare network. Your IP address and other data may be collected in the process.
Cloudflare may also process data in the USA. We have implemented appropriate safeguards, including EU standard contractual clauses.
Legal basis: Article 6(1)(f) GDPR.
More information: https://www.cloudflare.com/privacypolicy/
10. MyFlexBox
For the provision of smart locker services, we work with MYFLEXBOX Germany GmbH (Maximiliansplatz 17, 80333 Munich, Germany).
10.1 Access Data
MyFlexBox provides the necessary access data (access codes, box number, location) to enable access to the boxes.
10.2 Data Sharing
We do not share personal customer data with MyFlexBox unless this is absolutely necessary for the provision of the service and has been expressly agreed with the customer.
10.3 Video Surveillance
Video cameras are installed at myflexbox parcel boxes and are appropriately marked. Image data (appearance, behavior), location, and time of the recording are captured. The recording is carried out to protect property (particularly the parcel boxes and the items contained therein) and to secure evidence.
The recording is deleted after 7 days, unless it is further processed for the investigation of a crime. The recordings may be shared with police and law enforcement authorities, courts, or insurance companies.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in protecting property).
More information: https://myflexbox.de/datenschutz
11. PayPal
We offer payment via PayPal on our website. The provider is PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
If you choose to pay via PayPal, the payment data you enter will be transmitted to PayPal.
Legal basis: Article 6(1)(b) GDPR.
More information: https://www.paypal.com/webapps/mpp/ua/privacy-full
12. Stripe
We offer payment via Stripe on our website. The provider is Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
If you choose to pay with Stripe, personal data (contact details, payment data) will be transmitted to Stripe. Stripe also processes your data in the USA and has concluded EU standard contractual clauses and is certified under the EU-US Data Privacy Framework.
Legal basis: Article 6(1)(b) GDPR.
More information: https://stripe.com/privacy
14. Server Log Files
To operate and maintain the security of our website, we automatically collect and store information in server log files that your browser automatically transmits to us:
IP address, date and time of the request, content of the request (specific page), access status/HTTP status code, amount of data transferred, website from which the request originated, browser, operating system, and language.
This data is deleted after 14 days.
Legal basis: Section 25(2) TDDDG.
15. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection authority if you believe that the processing of your personal data violates the GDPR.
Competent supervisory authority:
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
10969 Berlin, Germany
https://www.datenschutz-berlin.de
16. Contact
If you have any questions about this privacy policy or the processing of your personal data, you can reach us at:
Mirafox UG (haftungsbeschränkt)
Leipziger Str. 49
10117 Berlin, Germany
Email: info@gegenstand.de
13. Social Media
gegenstand.de is present on various social networks. When you interact with us through these platforms, your data is processed by us and the respective network operator.
13.1 Instagram
Instagram is part of Meta Platforms Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. Meta Platforms Inc. is part of the EU-US Data Privacy Framework. The data controller for users in the EU is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
When you visit our Instagram profile or interact with us (comment, like), your data is processed in accordance with Instagram's privacy policy.
Legal basis: Article 6(1)(f) GDPR.
More information: https://privacycenter.instagram.com/policy/
13.2 LinkedIn
The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The parent company LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA 94085, USA is part of the EU-US Data Privacy Framework.
When you visit our LinkedIn company page or interact with us, your data is processed in accordance with LinkedIn's privacy policy.
Legal basis: Article 6(1)(f) GDPR.
More information: https://www.linkedin.com/legal/privacy-policy
13.3 TikTok
The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Irland (for users in the EEA).
When you visit our TikTok profile or interact with our content, your data is processed in accordance with TikTok's privacy policy. TikTok may process data in countries outside the EEA.
Legal basis: Article 6(1)(f) GDPR.
More information: https://www.tiktok.com/legal/privacy-policy-eea