Privacy Policy
Last updated: 11/05/2026
Short & easy to understand: What is this about? Protecting your personal data is very important to us. In this statement, we transparently explain what data we collect, what we use it for, and what rights you have in this regard. We, Akarion AG in Germany and Akarion GmbH in Austria, process your data jointly in order to offer you our services and operate our website.
General Information and Contact
This Privacy Policy applies to the processing of personal data by the Akarion group of companies (“Akarion”). Separate agreements apply to specific processing activities, e.g. in the context of employment relationships.
Akarion reserves the right to amend this Privacy Policy at any time with effect for the future. The current version is available here.
The joint controllers for the processing of personal data by Akarion, its processors, or the processing of personal data in connection with this website are:
Akarion AG
C/O ARQIS
80333 München
Germany
P: +49 89 628 265 64
E: info@akarion.com
Akarion GmbH
Tabakfabrik Linz
4020 Linz
Austria
P: +43 732 931637
E: info@akarion.com
Both represented by Sven Meise.
Within the company, the management is responsible for all processing of personal data. An internal review determined that currently no dedicated data protection officer is required.
Responsibilities are divided as follows:
Akarion GmbH
- Responsibility for the planning, development, and technical operation of the software.
- Ensuring ongoing support for the software products at the technical level.
- Cooperation with Akarion AG to ensure smooth integration of the software solutions into the sales channels and to support marketing.
Akarion AG
- Responsibility for the administrative and commercial management of the corporate group, including accounting, controlling, and financial planning.
- Development and implementation of sales and marketing strategies for the products of the corporate group.
- Provision of support services for customers, including handling customer inquiries that do not relate to technical matters.
Joint tasks
- Management and maintenance of the customer databases as well as ensuring compliance with all relevant data protection laws.
- Joint coordination on strategic decisions regarding the further development of the software and marketing.
1. Data processing
As a rule, Akarion processes personal data only to the extent necessary for the respective processing purpose and/or covered by your consent. This also applies to the duration of the processing.
Advertisement
Used for the targeted marketing of services and software solutions by evaluating and using personal data for individualized marketing measures as well as analyzing and optimizing marketing activities in compliance with applicable data protection and security requirements.
Data subjects: Interested parties, Employees of client companies
Legal basis: Legitimate Interest (Art. 6 Sec. 1 lit. f)
Retention period: Opt-Out (Duration: None)
Third-party applications:
- Hubspot (HubSpot Germany GmbH)
- Google Workspace (Google Cloud EMEA Limited - Ireland)
- Microsoft Advertising (Microsoft Ireland Operations Limited - Ireland)
- LinkedIn (LinkedIn Ireland Unlimited Company - Ireland)
- Google Ads (Google Cloud EMEA Limited - Ireland)
Third-country transfers:
| Organization | Country | Source | Safeguards |
|---|---|---|---|
| HubSpot, Inc. | United States of America (USA) | Onward transfer from Hubspot | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Google LLC | United States of America (USA) | Onward transfer from Google Workspace, Onward transfer from Google Ads | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Microsoft Corporation | United States of America (USA) | Onward transfer from Microsoft Advertising | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
| LinkedIn Corp. | United States of America (USA) | Onward transfer from LinkedIn | Data Privacy Framework (Privacy Shield 2.0) |
Conclusion of contract
Used for the initiation, legally compliant execution and management of contractual relationships with business partners, in particular to ensure compliance with legal, contractual and regulatory requirements in connection with the provision of GRC software solutions. Processing is carried out for the transparent creation, coordination and archiving of contract documents in compliance with the highest data protection and security standards on the basis of a cloud-based infrastructure.
Data subjects: Employees of client companies, External consultants
Legal basis: Contract (Art. 6 Sec. 1 lit. b), Legal obligation (Art. 6 Sec. 1 lit. c)
Retention period: Contract documents with customers and partners (Duration: 10 Years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons and for the assertion or defense of claims.
Third-party applications:
- Google Workspace (Google Cloud EMEA Limited - Ireland)
- Hubspot (HubSpot Germany GmbH)
Third-country transfers:
| Organization | Country | Source | Safeguards |
|---|---|---|---|
| Google LLC | United States of America (USA) | Onward transfer from Google Workspace | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
| HubSpot, Inc. | United States of America (USA) | Onward transfer from Hubspot | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Customer onboarding
Serves the structured and secure admission of new customers to the platform and associated services, including the processing of relevant personal and company-related data to ensure the basis for contract processing, establishment of user access, technical and organizational integration and compliance with contractual, legal and security requirements.
Data subjects: Software users
Legal basis: Contract (Art. 6 Sec. 1 lit. b)
Retention period: Contract documents with customers and partners (Duration: 10 Years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons and for the assertion or defense of claims.
Third-party applications:
- Google Workspace (Google Cloud EMEA Limited - Ireland)
- Akarion GRC Cloud (Akarion GmbH - Austria)
- Hubspot (HubSpot Germany GmbH)
Third-country transfers:
| Organization | Country | Source | Safeguards |
|---|---|---|---|
| Google LLC | United States of America (USA) | Onward transfer from Google Workspace | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
| HubSpot, Inc. | United States of America (USA) | Onward transfer from Hubspot | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Customer Support
Serves to efficiently process and document customer and end user requests in order to provide technical and organizational support regarding GRC SaaS solutions, ensure customer satisfaction and enable continuous product improvements. The processing of personal data takes place exclusively for the fulfillment of the contract and in compliance with legal and regulatory requirements.
Data subjects: Employees of client companies
Legal basis: Contract (Art. 6 Sec. 1 lit. b), Legitimate Interest (Art. 6 Sec. 1 lit. f)
Retention period: Customer support tickets and correspondence (Duration: 7 Years)
Customer support data (tickets, emails, chat messages) are stored in order to be able to fulfill legal obligations to provide evidence and documentation in the event of disputes or support contracts. This data is also required for the fulfillment of warranty and support obligations.
Third-party applications:
- Akarion GRC Cloud (Akarion GmbH - Austria)
- Google Workspace (Google Cloud EMEA Limited - Ireland)
Third-country transfers:
| Organization | Country | Source | Safeguards |
|---|---|---|---|
| Google LLC | United States of America (USA) | Onward transfer from Google Workspace | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Marketing Automation
Used for the automated planning, implementation and optimization of marketing measures to effectively address and inform existing and potential customers, increase brand awareness, generate prospective customers and measure the success of campaigns.
Data subjects: Interested parties
Legal basis: Legitimate Interest (Art. 6 Sec. 1 lit. f)
Retention period: Opt-Out (Duration: None)
Third-party applications:
- Hubspot (HubSpot Germany GmbH)
Third-country transfers:
| Organization | Country | Source | Safeguards |
|---|---|---|---|
| HubSpot, Inc. | United States of America (USA) | Onward transfer from Hubspot | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Newsletter
Provides targeted information to existing and potential customers and partners about news, developments and events in the field of GRC software solutions in order to strengthen customer loyalty and promote knowledge transfer.
Data subjects: Newsletter subscribers
Legal basis: Consent (Art. 6 Sec. 1 lit. a)
Retention period: Opt-Out (Duration: None)
Third-party applications:
- Hubspot (HubSpot Germany GmbH)
Third-country transfers:
| Organization | Country | Source | Safeguards |
|---|---|---|---|
| HubSpot, Inc. | United States of America (USA) | Onward transfer from Hubspot | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Recruiting
Used to implement measures to recruit, select and hire qualified employees in order to cover the company's personnel requirements and ensure that open positions are filled effectively.
Data subjects: Applicants
Legal basis: Contract (Art. 6 Sec. 1 lit. b)
Retention period: Applicant data (persons not recruited) (Duration: 6 Months)
Documents and data of applicants who are not hired must be kept for a limited period of time for reasons of possible later legal claims (discrimination, equal treatment).
Third-party applications:
- Hubspot (HubSpot Germany GmbH)
- Google Workspace (Google Cloud EMEA Limited - Ireland)
Third-country transfers:
| Organization | Country | Source | Safeguards |
|---|---|---|---|
| HubSpot, Inc. | United States of America (USA) | Onward transfer from Hubspot | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Google LLC | United States of America (USA) | Onward transfer from Google Workspace | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Website & SEO
Enables the provision and optimization of the company website and all associated online presences in order to provide interested parties and customers with comprehensive information on GRC solutions and services, facilitate communication, analyze user behavior, ensure the security and functionality of the systems and ensure compliance with relevant legal and normative requirements.
Data subjects: Website visitors
Legal basis: Legitimate Interest (Art. 6 Sec. 1 lit. f), Consent (Art. 6 Sec. 1 lit. a)
Retention period: Application logs from SaaS platform (Duration: 1 Year)
System and access logs from the SaaS environment, including log data on user logins, changes to settings, API calls and security-related events. These logs are used for traceability, security, error analysis and compliance (e.g. ISO 27001, GDPR).
Third-party applications:
- Hubspot (HubSpot Germany GmbH)
- Google Ads (Google Cloud EMEA Limited - Ireland)
- Microsoft Advertising (Microsoft Ireland Operations Limited - Ireland)
- LinkedIn (LinkedIn Ireland Unlimited Company - Ireland)
- Sales Viewer (Salesviewer GmbH - Germany)
- Sales Navigator (LinkedIn Ireland Unlimited Company - Ireland)
- CookieFirst (Digital Data Solutions B.V. - Netherlands)
Third-country transfers:
| Organization | Country | Source | Safeguards |
|---|---|---|---|
| HubSpot, Inc. | United States of America (USA) | Onward transfer from Hubspot | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Google LLC | United States of America (USA) | Onward transfer from Google Ads | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Microsoft Corporation | United States of America (USA) | Onward transfer from Microsoft Advertising | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
| LinkedIn Corp. | United States of America (USA) | Onward transfer from LinkedIn, Onward transfer from Sales Navigator | Data Privacy Framework (Privacy Shield 2.0) |
2. Data Subject Rights
2.1. Right to Information, Rectification, Restriction, Erasure
Within the scope of the statutory provisions, you are entitled at any time to request, free of charge, information about the personal data concerning you, its origin, possible recipients, and the purpose of the processing. Furthermore, you are entitled to request the erasure of personal data concerning you, its rectification, or the restriction of processing.
2.2. Right to Object
If the processing of your personal data is not based on your consent, you are entitled at any time to object to the processing by Akarion. Akarion points out that the statutory retention periods remain unaffected by any objection.
You may revoke your consent to the processing of your personal data at any time without stating reasons. To do so, contact Akarion informally by email at datenschutz@akarion.com, by post, or verbally when making contact, or use any links provided (e.g. the unsubscribe link in the newsletter).
2.3. Right to Data Portability
You have the right at any time to request the handover of data that we process automatically on the basis of your consent or in fulfillment of a contract, either to yourself or to third parties. Provision shall be made, insofar as technically possible, in a machine-readable format.
2.4. Exercise of Data Subject Rights
If you wish to exercise any of the rights listed above, please contact datenschutz@akarion.com or write to Akarion by post at the address given above.
2.5. Right to Lodge a Complaint with the Competent Supervisory Authority
If you fear that Akarion is handling your personal data improperly, you are entitled at any time to lodge a complaint with the competent supervisory authority.
The supervisory authorities responsible for us are:
In Austria:
Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna
T: +43 1 52 152-0
M: dsb@dsb.gv.at
In Germany:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
M: poststelle@lda.bayern.de
3. Transfer of Personal Data
At Akarion, the processing of personal data is partly carried out by processors. In doing so, Akarion only uses processors that provide sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that processing is carried out in accordance with data protection requirements and ensures the protection of the rights of the data subject. The processing of personal data by Akarion's processors is in any case carried out on the basis of a corresponding contract between Akarion and the processor.
Third parties shall not be granted access to your data unless expressly agreed otherwise or another legal basis permits or requires the transfer.
4. Data Security
Akarion maintains technical and organizational measures to ensure data security, in particular to protect personal data against risks during data transmission and against access by third parties. Akarion's employees are trained in the careful handling of personal data and are obliged to handle it accordingly.
When using this website, encrypted transmission by means of SSL (Secure Sockets Layer) or TLS (Transport Layer Security) takes place, provided that the website is accessed via https://akarion.com.