Data Privacy Statement

Last updated: 24/09/2025 

Short & Clear: What is this about? The protection of your personal data is very important to us. In this policy, we explain transparently what data we collect, what we use it for, and what rights you have in this regard. We, Akarion AG in Germany and Akarion GmbH in Austria, process your data jointly in order to offer you our services and operate our website.

General information and contact details

This privacy policy applies to the processing of personal data by the Akarion Group (“Akarion”). Separate agreements apply to specific processing, e.g., in the case of employment relationships.
Akarion reserves the right to change this privacy policy at any time with future effect. The current version is available here.

The joint controllers for the processing of personal data by Akarion, its processors, or the processing of personal data in connection with this website are:

Akarion AG
Theatinerstr. 8
C/O ARQIS
80333 München
Germany

T: +49 89 628 265 64
M: info@akarion.com

Akarion GmbH
Peter-Behrens-Platz 4
Tabakfabrik Linz
4020 Linz
Austria

T: +43 732 931637
M: info@akarion.com


 Both represented by Sven Meise.
Within the company, the management is responsible for all processing procedures relating to personal data. An internal audit has shown that there is currently no need for a dedicated data protection officer.

Responsibilities are divided as follows:

Akarion GmbH

  • Responsibility for the planning, development, and technical operation of the software.
  • Ensuring ongoing technical support for the software products.
  • Collaborating with Akarion AG to ensure the smooth integration of the software solutions into the sales channels and to support marketing.

Akarion AG

  • Responsibility for the administrative and commercial management of the group of companies, including accounting, controlling, and financial planning.
  • Developing and implementing sales and marketing strategies for the group's products.
  • Providing support services for customers, including handling customer inquiries that are not related to technical issues.

Joint tasks

  • Managing and maintaining customer databases and ensuring compliance with all relevant data protection laws.
  • Joint coordination of strategic decisions regarding the further development of the software and marketing.

 

1. Data processing

Akarion only processes personal data to the extent necessary for the respective processing purpose and/or covered by your consent. This also applies to the duration of the processing.

Advertisement

Used for the targeted marketing of services and software solutions by evaluating and using personal data for individualized marketing measures as well as analyzing and optimizing marketing activities in compliance with applicable data protection and security requirements.

Data subjects:

Data Subject Category Data Categories Classification
Interested parties Surname, first name Personal Data
  Email address Personal Data
  Phone number Personal Data
  Company affiliation Personal Data
Customers Surname, first name Personal Data
  Email address Personal Data
  Company affiliation Personal Data
  Phone number Personal Data
  Type of user access (subscription type) Personal Data

Storage Period: Customer support tickets and correspondence


Legal basis:
  • Legitimate Interest (Art. 6 Sec. 1 lit. f)
    • The processing of personal data in the context of the processing activity 'Advertisement' by Akarion AG and Akarion GmbH is based on the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. The legitimate interest consists in the targeted marketing of SaaS services and GRC software solutions to potential customers and interested parties in order to expand business, increase the relevance of marketing measures and better address customer interests. Only the data required for this purpose is processed and the interests of the data subjects are protected by appropriate technical and organizational measures (ISO 27001:2022, GDPR-compliant, access controls). Help and objection options are provided.

Storage period: Customer support tickets and correspondence (Duration: 7 Years)
Customer support data (tickets, emails, chat messages) are stored in order to be able to fulfill legal obligations to provide evidence and documentation in the event of disputes or support contracts. This data is also required for the fulfillment of warranty and support obligations.
Third party applications: Hubspot, Google Workspace, Slack, Microsoft Ads, LinkedIn, Google Ads
Third country transfers:
Organization Country Safeguards
HubSpot, Inc. United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Google LLC United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc United States of America (USA) Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0)

 

Customer onboarding

Serves the structured and secure admission of new customers to the platform and associated services, including the processing of relevant personal and company-related data to ensure the basis for contract processing, establishment of user access, technical and organizational integration and compliance with contractual, legal and security requirements.

Data subjects:

Data Subject Category Data Categories Classification
Customers Surname, first name Personal Data
  Email address Personal Data
  Phone number Personal Data
  Company affiliation Personal Data
  Function Personal Data
  Authorizations within the software Personal Data

Storage Period: Contract documents with customers and partners


Legal basis:
  • Contract (Art. 6 Sec. 1 lit. b)
    • The processing of personal data in the context of customer onboarding is carried out to fulfill a contract or to carry out pre-contractual measures in accordance with Art. 6 para. 1 lit. b GDPR. This includes in particular the creation and management of customer access, communication for onboarding purposes, technical and organizational integration as well as support and assistance with the introduction of the SaaS platform and its functions.

Storage period: Contract documents with customers and partners (Duration: 10 Years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons and for the assertion or defense of claims.
Third party applications: Akarion GRC Cloud, Google Workspace, Hubspot, Slack
Third country transfers:
Organization Country Safeguards
Google LLC United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
HubSpot, Inc. United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc United States of America (USA) Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0)

 

Customer Support

Serves to efficiently process and document customer and end user requests in order to provide technical and organizational support regarding GRC SaaS solutions, ensure customer satisfaction and enable continuous product improvements. The processing of personal data takes place exclusively for the fulfillment of the contract and in compliance with legal and regulatory requirements.

Data subjects:

Data Subject Category Data Categories Classification
Customers Surname, first name Personal Data
  Phone number Personal Data
  Email address Personal Data
  Company affiliation Personal Data

Storage Period: Customer support tickets and correspondence


Legal basis:
  • Contract (Art. 6 Sec. 1 lit. b)
    • The processing of personal data in the context of the processing activity 'Customer Support' at Akarion is carried out in accordance with Art. 6 para. 1 lit. b GDPR to fulfill contractual obligations towards customers and end users of the SaaS GRC solutions. The aim is the efficient processing and resolution of support requests, the implementation of onboarding and training measures and the improvement of customer satisfaction and products. The processing is necessary to fulfill the concluded contract or to carry out pre-contractual measures that are carried out at the request of the data subject.
  • Legitimate Interest (Art. 6 Sec. 1 lit. f)
    • In addition, a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR may exist for the optimization of service quality, product improvement based on support feedback and IT security. Processing is necessary to safeguard these legitimate interests and does not conflict with the interests, fundamental rights and freedoms of the data subjects.

Storage period: Customer support tickets and correspondence (Duration: 7 Years)
Customer support data (tickets, emails, chat messages) are stored in order to be able to fulfill legal obligations to provide evidence and documentation in the event of disputes or support contracts. This data is also required for the fulfillment of warranty and support obligations.
Third party applications: Google Workspace, Hubspot, Slack
Third country transfers:
Organization Country Safeguards
Google LLC United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
HubSpot, Inc. United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc United States of America (USA) Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0)

 

Marketing Automation

Used for the automated planning, implementation and optimization of marketing measures to effectively address and inform existing and potential customers, increase brand awareness, generate prospective customers and measure the success of campaigns.

Data subjects:

Data Subject Category Data Categories Classification
Interested parties Email address Personal Data
  Surname, first name Personal Data
  Interests according to newsletter registration Personal Data
  Company affiliation Personal Data

Storage Period: No additional retention period


Legal basis:
  • Legitimate Interest (Art. 6 Sec. 1 lit. f)
    • The processing of personal data in the context of marketing automation is carried out to safeguard the company's legitimate interests in providing targeted information to existing and potential customers, efficiently carrying out marketing campaigns and increasing brand awareness. A balancing of interests test has shown that the company's interests do not outweigh the rights and freedoms of the data subjects, as data subjects can object to the processing at any time and all statutory information and protection obligations are complied with.

Storage period: No additional retention period (Duration: None)
If the legal basis for processing no longer applies, the data will be deleted immediately.
Third party applications: Hubspot
Third country transfers:
Organization Country Safeguards
HubSpot, Inc. United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)

 

Monitoring and operation

Serves to ensure secure, stable and legally compliant operation of the cloud-based IT infrastructure and all key systems and SaaS platforms. Processing enables the continuous monitoring, early detection and rectification of disruptions or security incidents as well as the technical and organizational implementation of all relevant security, compliance and availability requirements. The aim is to sustainably protect critical business processes and the processed personal data while at the same time complying with legal and normative requirements.

Data subjects:

Data Subject Category Data Categories Storage Period Classification
Contact persons (inside and outside the client's company) Surname, first name Until the end of the contract term Personal Data
  Email address Until the end of the contract term Personal Data
  Phone number Until the end of the contract term Personal Data
  Company affiliation Until the end of the contract term Personal Data
  Job title Until the end of the contract term Personal Data
  Department affiliation Until the end of the contract term Personal Data
  Responsibilities for documented objects, processes, events Until the end of the contract term Personal Data
Software user Interface and user language Until the end of the contract term Personal Data
  User role Until the end of the contract term Personal Data
  Authorizations within the software Until the end of the contract term Personal Data
  Status of user access (active / inactive) Until the end of the contract term Personal Data
  Actions within the software Until the end of the contract term Personal Data
  IP address Application logs from SaaS platform Personal Data
Persons who come into contact with the client via the software Name or labeling Until the end of the contract term Personal Data
  Information from inquiry text Until the end of the contract term Personal Data
  Personal data in statements of facts Until the end of the contract term Personal Data
  IP address Application logs from SaaS platform Personal Data
  Time at which the portal is accessed and time at which a message is sent Until the end of the contract term Personal Data

Legal basis:
  • Legitimate Interest (Art. 6 Sec. 1 lit. f)
    • The processing of personal data as part of the processing activity "monitoring and operation" of the entire cloud-based IT infrastructure and SaaS platforms is necessary to safeguard the legitimate interests of Akarion GmbH. The legitimate interest is to ensure secure, stable, available and legally compliant IT operations. This includes in particular the detection and resolution of security incidents, the protection of critical data (e.g. customer data, source code repositories), ensuring compliance also in accordance with ISO 27001:2022 and the continuous monitoring of the performance and integrity of the systems. The interests of data subjects are safeguarded through data minimization, technical and organizational protective measures and transparent processes. A balancing of interests has shown that there are no overriding interests or fundamental rights of the data subjects.

Storage period: Until the end of the contract term (Duration: None)

Third party applications: Akarion GRC Cloud, Atlas MongoDB, Sentry, Cloudflare, Amazon Web Services, Datadog, Heroku, DeepL, OVHcloud
Third country transfers:
Organization Country Safeguards
MongoDB Inc. United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Functional Software, Inc. United States of America (USA) Data Privacy Framework (Privacy Shield 2.0)
Cloudflare, Inc. United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Amazon Web Services, Inc. United States of America (USA) Data Privacy Framework (Privacy Shield 2.0), Approved code of conduct
Datadog, Inc United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc United States of America (USA) Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0)

 

Newsletter

Provides targeted information to existing and potential customers and partners about news, developments and events in the field of GRC software solutions in order to strengthen customer loyalty and promote knowledge transfer.

Data subjects:

Data Subject Category Data Categories Classification
Newsletter subscribers Email address Personal Data
  Interests according to newsletter registration Personal Data
  Surname, first name Personal Data
  Company affiliation Personal Data

Storage Period: No additional retention period


Legal basis:
  • Consent (Art. 6 Sec. 1 lit. a)
    • The processing of personal data for sending the newsletter is based on the consent of the data subjects in accordance with Art. 6 para. 1 lit. a GDPR. The recipients have expressly consented to receiving the newsletter and can revoke their consent at any time.

Storage period: No additional retention period (Duration: None)
If the legal basis for processing no longer applies, the data will be deleted immediately.
Third party applications: Hubspot
Third country transfers:
Organization Country Safeguards
HubSpot, Inc. United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)

 

Recruiting

Used to implement measures to recruit, select and hire qualified employees in order to cover the company's personnel requirements and ensure that open positions are filled effectively.

Data subjects:

Data Subject Category Data Categories Classification
Applicants Surname, first name Personal Data
  Date of birth Personal Data
  Email address Personal Data
  Place of birth Personal Data
  Marital status Personal Data
  Citizenship Personal Data
  Language skills Personal Data
  Qualification Personal Data
  Degrees and qualifications Personal Data
  Salary Personal Data
  Responsibilities for documented objects, processes, events Personal Data

Storage Period: Applicant data (persons not recruited)


Legal basis:
  • Contract (Art. 6 Sec. 1 lit. b)
    • The processing of personal data in the context of recruiting activities serves the implementation of pre-contractual measures, which are carried out at the request of the data subject, or is necessary for the fulfillment of an employment contract (Art. 6 para. 1 lit. b GDPR). For example, application documents are processed in order to check suitability and carry out the selection process.

Storage period: Applicant data (persons not recruited) (Duration: 210 Days)
Documents and data of applicants who are not hired must be kept for a limited period of time for reasons of possible later legal claims (discrimination, equal treatment).
Third party applications: Hubspot, Google Workspace
Third country transfers:
Organization Country Safeguards
HubSpot, Inc. United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Google LLC United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)

 

Conclusion of contract

Used for the initiation, legally compliant execution and management of contractual relationships with business partners, in particular to ensure compliance with legal, contractual and regulatory requirements in connection with the provision of GRC software solutions. Processing is carried out for the transparent creation, coordination and archiving of contract documents in compliance with the highest data protection and security standards on the basis of a cloud-based infrastructure.

Data subjects:

Data Subject Category Data Categories Classification
Customers Surname, first name Personal Data
  Email address Personal Data
  Phone number Personal Data
  Date of birth Personal Data
  Place of birth Personal Data
  Financial resources Personal Data
  Bank details Personal Data
  Account details Personal Data
  State-assigned ID Personal Data
  Company affiliation Personal Data
External consultants Surname, first name Personal Data
  Email address Personal Data
  Phone number Personal Data
  Date of birth Personal Data
  Place of birth Personal Data
  Financial resources Personal Data
  Bank details Personal Data
  Account details Personal Data
  State-assigned ID Personal Data
  Occupational health data Special Categories of Personal Data
  Company affiliation Personal Data
Suppliers Surname, first name Personal Data
  Email address Personal Data
  Phone number Personal Data
  Date of birth Personal Data
  Place of birth Personal Data
  Financial resources Personal Data
  Bank details Personal Data
  Account details Personal Data
  State-assigned ID Personal Data
  Occupational health data Special Categories of Personal Data
  Company affiliation Personal Data

Storage Period: Contract documents with customers and partners


Legal basis:
  • Contract (Art. 6 Sec. 1 lit. b)
    • The processing of personal data within the scope of the processing activity "conclusion of contract" is carried out for the performance of a contract or for the implementation of pre-contractual measures in accordance with Art. 6 para. 1 lit. b GDPR. This includes all activities that are necessary for the establishment, legally compliant processing and administration of contractual relationships with customers, service providers and partners (e.g. collection and administration of contact data, exchange of contractual documents, communication in the context of contract creation and execution).
  • Legal obligation (Art. 6 Sec. 1 lit. c)
    • E.g. § 132 BAO (Austrian Federal Fiscal Code), § 257 HGB (German Commercial Code)

      In addition, processing is carried out in accordance with Art. 6 para. 1 lit. c GDPR, insofar as this is necessary to fulfill legal obligations (e.g. commercial and tax retention obligations in Austria and Germany).

Storage period: Contract documents with customers and partners (Duration: 10 Years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons and for the assertion or defense of claims.
Third party applications: Hubspot, Google Workspace, Slack
Third country transfers:
Organization Country Safeguards
HubSpot, Inc. United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Google LLC United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc United States of America (USA) Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0)

 

Website & SEO

Enables the provision and optimization of the company website and all associated online presences in order to provide interested parties and customers with comprehensive information on GRC solutions and services, facilitate communication, analyze user behavior, ensure the security and functionality of the systems and ensure compliance with relevant legal and normative requirements.

Data subjects:

Data Subject Category Data Categories Classification
Website visitors IP address Personal Data
  Use of technologies Personal Data
  Company affiliation Personal Data
  Electronic ID Personal Data
  Actions on the website Personal Data
  Surname, first name Personal Data
  Phone number Personal Data

Storage Period: No additional retention period


Legal basis:
  • Legitimate Interest (Art. 6 Sec. 1 lit. f)
    • The processing of personal data in the context of the provision, maintenance and optimization of the company website is mainly based on legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. These consist in particular in the external presentation of the Akarion Group, the maintenance of IT security, the analysis for optimization and reach measurement as well as the efficient processing of contact requests. The legitimate interests prevail, as users have reasonable expectations regarding processing in the context of website operation and the use of cloud-based, security-certified IT systems and appropriate technical and organizational measures, including ISO 27001:2022 certification, are implemented to protect the data.
  • Consent (Art. 6 Sec. 1 lit. a)
    • If and insofar as consent is required for certain data processing operations (e.g. when using cookies or external tools such as Hubspot for user-based analysis), the processing is based on Art. 6 para. 1 lit. a GDPR. Consent is obtained transparently via the consent management banner and can be revoked at any time.

Storage period: No additional retention period (Duration: None)
If the legal basis for processing no longer applies, the data will be deleted immediately.
Third party applications: Google Workspace, Hubspot, Slack, Google Ads, Microsoft Ads, LinkedIn, Sales Viewer, Sales Navigator, CookieFirst
Third country transfers:
Organization Country Safeguards
Google LLC United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
HubSpot, Inc. United States of America (USA) Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc United States of America (USA) Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0)


 

2. Rights of data subjects

2.1. Right to information, correction, blocking, deletion

Within the framework of the statutory provisions, you are entitled to request information about your personal data, its origin, possible recipients, and the purpose of processing at any time and free of charge. In addition, you are entitled to request the deletion of data concerning your person, any correction thereof, or the restriction of processing.

2.2. Right to object

If the processing of data concerning you is not based on the consent of the data subject, the data subject is entitled to object to the processing by Akarion at any time. Akarion points out that the statutory retention periods remain unaffected by any objection.
You may revoke your consent to the processing of your personal data at any time without giving reasons. To do so, please contact Akarion informally at: datenschutz@akarion.com, by mail, verbally when contacting us, or use any links provided (e.g., unsubscribe from the newsletter).

2.3. Right to data portability

You have the right at any time to request the transfer of data that we process automatically on the basis of your consent or in fulfillment of a contract to yourself or to a third party. The data will be provided in a machine-readable format, as far as technically possible.

2.4. Exercising your rights as a data subject

If you wish to exercise any of the rights listed above, please contact: datenschutz@akarion.com or contact Akarion by mail at the address above.

2.5. Right to lodge a complaint with the competent supervisory authority

If you fear that Akarion is handling your personal data improperly, you are entitled to lodge a complaint with the competent supervisory authority at any time.

The supervisory authorities responsible for us are:

In Austria:
Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna
T: +43 1 52 152-0
M: dsb@dsb.gv.at

In Germany:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
M: poststelle@lda.bayern.de

3. Disclosure of personal data

The processing of personal data at Akarion is partly carried out by processors. Akarion only uses processors who offer sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that processing is carried out in accordance with data protection requirements and that the rights of the data subject are protected. The processing of personal data by Akarion's processors is always based on a corresponding contract between Akarion and the processor.
Unless expressly agreed otherwise or another legal basis permits or requires the disclosure of your data, third parties will not have access to your data.

4. Data security

Akarion maintains technical and organizational measures to ensure data security, in particular to protect personal data from risks during data transmission and from disclosure to third parties. Akarion employees are trained and obliged to handle personal data with care.
When using this website, encrypted transmission via SSL (Secure Sockets Layer) or TLS (Transport Layer Security) takes place, provided that the website is accessed at https://akarion.com.