Data Privacy Statement
Last updated: 24/09/2025
Short & Clear: What is this about?
The protection of your personal data is very important to us. In this policy, we explain transparently what data we collect, what we use it for, and what rights you have in this regard. We, Akarion AG in Germany and Akarion GmbH in Austria, process your data jointly in order to offer you our services and operate our website.
General information and contact details
This privacy policy applies to the processing of personal data by the Akarion Group (“Akarion”). Separate agreements apply to specific processing, e.g., in the case of employment relationships.
Akarion reserves the right to change this privacy policy at any time with future effect. The current version is available here.
The joint controllers for the processing of personal data by Akarion, its processors, or the processing of personal data in connection with this website are:
Akarion AG
Theatinerstr. 8
C/O ARQIS
80333 München
Germany
T: +49 89 628 265 64
M: info@akarion.com
Akarion GmbH
Peter-Behrens-Platz 4
Tabakfabrik Linz
4020 Linz
Austria
T: +43 732 931637
M: info@akarion.com
Both represented by Sven Meise.
Within the company, the management is responsible for all processing procedures relating to personal data. An internal audit has shown that there is currently no need for a dedicated data protection officer.
Responsibilities are divided as follows:
Akarion GmbH
- Responsibility for the planning, development, and technical operation of the software.
- Ensuring ongoing technical support for the software products.
- Collaborating with Akarion AG to ensure the smooth integration of the software solutions into the sales channels and to support marketing.
Akarion AG
- Responsibility for the administrative and commercial management of the group of companies, including accounting, controlling, and financial planning.
- Developing and implementing sales and marketing strategies for the group's products.
- Providing support services for customers, including handling customer inquiries that are not related to technical issues.
Joint tasks
- Managing and maintaining customer databases and ensuring compliance with all relevant data protection laws.
- Joint coordination of strategic decisions regarding the further development of the software and marketing.
1. Data processing
Akarion only processes personal data to the extent necessary for the respective processing purpose and/or covered by your consent. This also applies to the duration of the processing.
Advertisement
Used for the targeted marketing of services and software solutions by evaluating and using personal data for individualized marketing measures as well as analyzing and optimizing marketing activities in compliance with applicable data protection and security requirements.
Data subjects:
Data Subject Category | Data Categories | Classification |
---|---|---|
Interested parties | Surname, first name | Personal Data |
Interested parties | Email address | Personal Data |
Interested parties | Phone number | Personal Data |
Interested parties | Company affiliation | Personal Data |
Customers | Surname, first name | Personal Data |
Customers | Email address | Personal Data |
Customers | Company affiliation | Personal Data |
Customers | Phone number | Personal Data |
Customers | Type of user access (subscription type) | Personal Data |
Storage Period: Customer support tickets and correspondence
Legal basis:
- Legitimate Interest (Art. 6 Sec. 1 lit. f)
- The processing of personal data in the context of the processing activity 'Advertisement' by Akarion AG and Akarion GmbH is based on the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. The legitimate interest consists in the targeted marketing of SaaS services and GRC software solutions to potential customers and interested parties in order to expand business, increase the relevance of marketing measures and better address customer interests. Only the data required for this purpose is processed and the interests of the data subjects are protected by appropriate technical and organizational measures (ISO 27001:2022, GDPR-compliant, access controls). Help and objection options are provided.
Storage period: Customer support tickets and correspondence (Duration: 7 Years)
Customer support data (tickets, emails, chat messages) are stored in order to be able to fulfill legal obligations to provide evidence and documentation in the event of disputes or support contracts. This data is also required for the fulfillment of warranty and support obligations.
Third party applications: Hubspot, Google Workspace, Slack, Microsoft Ads, LinkedIn, Google Ads
Third country transfers:
Organization | Country | Safeguards |
---|---|---|
HubSpot, Inc. | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Google LLC | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Salesforce.com, inc | United States of America (USA) | Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0) |
Customer onboarding
Serves the structured and secure admission of new customers to the platform and associated services, including the processing of relevant personal and company-related data to ensure the basis for contract processing, establishment of user access, technical and organizational integration and compliance with contractual, legal and security requirements.
Data subjects:
Data Subject Category | Data Categories | Classification |
---|---|---|
Customers | Surname, first name | Personal Data |
Customers | Email address | Personal Data |
Customers | Phone number | Personal Data |
Customers | Company affiliation | Personal Data |
Customers | Function | Personal Data |
Customers | Authorizations within the software | Personal Data |
Storage Period: Contract documents with customers and partners
Legal basis:
- Contract (Art. 6 Sec. 1 lit. b)
- The processing of personal data in the context of customer onboarding is carried out to fulfill a contract or to carry out pre-contractual measures in accordance with Art. 6 para. 1 lit. b GDPR. This includes in particular the creation and management of customer access, communication for onboarding purposes, technical and organizational integration as well as support and assistance with the introduction of the SaaS platform and its functions.
Storage period: Contract documents with customers and partners (Duration: 10 Years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons and for the assertion or defense of claims.
Third party applications: Akarion GRC Cloud, Google Workspace, Hubspot, Slack
Third country transfers:
Organization | Country | Safeguards |
---|---|---|
Google LLC | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
HubSpot, Inc. | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Salesforce.com, inc | United States of America (USA) | Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0) |
Customer Support
Serves to efficiently process and document customer and end user requests in order to provide technical and organizational support regarding GRC SaaS solutions, ensure customer satisfaction and enable continuous product improvements. The processing of personal data takes place exclusively for the fulfillment of the contract and in compliance with legal and regulatory requirements.
Data subjects:
Data Subject Category | Data Categories | Classification |
---|---|---|
Customers | Surname, first name | Personal Data |
Customers | Phone number | Personal Data |
Customers | Email address | Personal Data |
Customers | Company affiliation | Personal Data |
Storage Period: Customer support tickets and correspondence
Legal basis:
- Contract (Art. 6 Sec. 1 lit. b)
- The processing of personal data in the context of the processing activity 'Customer Support' at Akarion is carried out in accordance with Art. 6 para. 1 lit. b GDPR to fulfill contractual obligations towards customers and end users of the SaaS GRC solutions. The aim is the efficient processing and resolution of support requests, the implementation of onboarding and training measures and the improvement of customer satisfaction and products. The processing is necessary to fulfill the concluded contract or to carry out pre-contractual measures that are carried out at the request of the data subject.
- Legitimate Interest (Art. 6 Sec. 1 lit. f)
- In addition, a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR may exist for the optimization of service quality, product improvement based on support feedback and IT security. Processing is necessary to safeguard these legitimate interests and does not conflict with the interests, fundamental rights and freedoms of the data subjects.
Storage period: Customer support tickets and correspondence (Duration: 7 Years)
Customer support data (tickets, emails, chat messages) are stored in order to be able to fulfill legal obligations to provide evidence and documentation in the event of disputes or support contracts. This data is also required for the fulfillment of warranty and support obligations.
Third party applications: Google Workspace, Hubspot, Slack
Third country transfers:
Organization | Country | Safeguards |
---|---|---|
Google LLC | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
HubSpot, Inc. | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Salesforce.com, inc | United States of America (USA) | Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0) |
Marketing Automation
Used for the automated planning, implementation and optimization of marketing measures to effectively address and inform existing and potential customers, increase brand awareness, generate prospective customers and measure the success of campaigns.
Data subjects:
Data Subject Category | Data Categories | Classification |
---|---|---|
Interested parties | Email address | Personal Data |
Interested parties | Surname, first name | Personal Data |
Interested parties | Interests according to newsletter registration | Personal Data |
Interested parties | Company affiliation | Personal Data |
Storage Period: No additional retention period
Legal basis:
- Legitimate Interest (Art. 6 Sec. 1 lit. f)
- The processing of personal data in the context of marketing automation is carried out to safeguard the company's legitimate interests in providing targeted information to existing and potential customers, efficiently carrying out marketing campaigns and increasing brand awareness. A balancing of interests test has shown that the company's interests do not outweigh the rights and freedoms of the data subjects, as data subjects can object to the processing at any time and all statutory information and protection obligations are complied with.
Storage period: No additional retention period (Duration: None)
If the legal basis for processing no longer applies, the data will be deleted immediately.
Third party applications: Hubspot
Third country transfers:
Organization | Country | Safeguards |
---|---|---|
HubSpot, Inc. | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Monitoring and operation
Serves to ensure secure, stable and legally compliant operation of the cloud-based IT infrastructure and all key systems and SaaS platforms. Processing enables the continuous monitoring, early detection and rectification of disruptions or security incidents as well as the technical and organizational implementation of all relevant security, compliance and availability requirements. The aim is to sustainably protect critical business processes and the processed personal data while at the same time complying with legal and normative requirements.
Data subjects:
Data Subject Category | Data Categories | Storage Period | Classification |
---|---|---|---|
Contact persons (inside and outside the client's company) | Surname, first name | Until the end of the contract term | Personal Data |
Contact persons (inside and outside the client's company) | Email address | Until the end of the contract term | Personal Data |
Contact persons (inside and outside the client's company) | Phone number | Until the end of the contract term | Personal Data |
Contact persons (inside and outside the client's company) | Company affiliation | Until the end of the contract term | Personal Data |
Contact persons (inside and outside the client's company) | Job title | Until the end of the contract term | Personal Data |
Contact persons (inside and outside the client's company) | Department affiliation | Until the end of the contract term | Personal Data |
Contact persons (inside and outside the client's company) | Responsibilities for documented objects, processes, events | Until the end of the contract term | Personal Data |
Software user | Interface and user language | Until the end of the contract term | Personal Data |
Software user | User role | Until the end of the contract term | Personal Data |
Software user | Authorizations within the software | Until the end of the contract term | Personal Data |
Software user | Status of user access (active / inactive) | Until the end of the contract term | Personal Data |
Software user | Actions within the software | Until the end of the contract term | Personal Data |
Software user | IP address | Application logs from SaaS platform | Personal Data |
Persons who come into contact with the client via the software | Name or labeling | Until the end of the contract term | Personal Data |
Persons who come into contact with the client via the software | Information from inquiry text | Until the end of the contract term | Personal Data |
Persons who come into contact with the client via the software | Personal data in statements of facts | Until the end of the contract term | Personal Data |
Persons who come into contact with the client via the software | IP address | Application logs from SaaS platform | Personal Data |
Persons who come into contact with the client via the software | Time at which the portal is accessed and time at which a message is sent | Until the end of the contract term | Personal Data |
Legal basis:
- Legitimate Interest (Art. 6 Sec. 1 lit. f)
- The processing of personal data as part of the processing activity "monitoring and operation" of the entire cloud-based IT infrastructure and SaaS platforms is necessary to safeguard the legitimate interests of Akarion GmbH. The legitimate interest is to ensure secure, stable, available and legally compliant IT operations. This includes in particular the detection and resolution of security incidents, the protection of critical data (e.g. customer data, source code repositories), ensuring compliance also in accordance with ISO 27001:2022 and the continuous monitoring of the performance and integrity of the systems. The interests of data subjects are safeguarded through data minimization, technical and organizational protective measures and transparent processes. A balancing of interests has shown that there are no overriding interests or fundamental rights of the data subjects.
Storage period: Until the end of the contract term (Duration: None)
Third party applications: Akarion GRC Cloud, Atlas MongoDB, Sentry, Cloudflare, Amazon Web Services, Datadog, Heroku, DeepL, OVHcloud
Third country transfers:
Organization | Country | Safeguards |
---|---|---|
MongoDB Inc. | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Functional Software, Inc. | United States of America (USA) | Data Privacy Framework (Privacy Shield 2.0) |
Cloudflare, Inc. | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Amazon Web Services, Inc. | United States of America (USA) | Data Privacy Framework (Privacy Shield 2.0), Approved code of conduct |
Datadog, Inc | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Salesforce.com, inc | United States of America (USA) | Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0) |
Newsletter
Provides targeted information to existing and potential customers and partners about news, developments and events in the field of GRC software solutions in order to strengthen customer loyalty and promote knowledge transfer.
Data subjects:
Data Subject Category | Data Categories | Classification |
---|---|---|
Newsletter subscribers | Email address | Personal Data |
Newsletter subscribers | Interests according to newsletter registration | Personal Data |
Newsletter subscribers | Surname, first name | Personal Data |
Newsletter subscribers | Company affiliation | Personal Data |
Storage Period: No additional retention period
Legal basis:
- Consent (Art. 6 Sec. 1 lit. a)
- The processing of personal data for sending the newsletter is based on the consent of the data subjects in accordance with Art. 6 para. 1 lit. a GDPR. The recipients have expressly consented to receiving the newsletter and can revoke their consent at any time.
Storage period: No additional retention period (Duration: None)
If the legal basis for processing no longer applies, the data will be deleted immediately.
Third party applications: Hubspot
Third country transfers:
Organization | Country | Safeguards |
---|---|---|
HubSpot, Inc. | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Recruiting
Used to implement measures to recruit, select and hire qualified employees in order to cover the company's personnel requirements and ensure that open positions are filled effectively.
Data subjects:
Data Subject Category | Data Categories | Classification |
---|---|---|
Applicants | Surname, first name | Personal Data |
Applicants | Date of birth | Personal Data |
Applicants | Email address | Personal Data |
Applicants | Place of birth | Personal Data |
Applicants | Marital status | Personal Data |
Applicants | Citizenship | Personal Data |
Applicants | Language skills | Personal Data |
Applicants | Qualification | Personal Data |
Applicants | Degrees and qualifications | Personal Data |
Applicants | Salary | Personal Data |
Applicants | Responsibilities for documented objects, processes, events | Personal Data |
Storage Period: Applicant data (persons not recruited)
Legal basis:
- Contract (Art. 6 Sec. 1 lit. b)
- The processing of personal data in the context of recruiting activities serves the implementation of pre-contractual measures, which are carried out at the request of the data subject, or is necessary for the fulfillment of an employment contract (Art. 6 para. 1 lit. b GDPR). For example, application documents are processed in order to check suitability and carry out the selection process.
Storage period: Applicant data (persons not recruited) (Duration: 210 Days)
Documents and data of applicants who are not hired must be kept for a limited period of time for reasons of possible later legal claims (discrimination, equal treatment).
Third party applications: Hubspot, Google Workspace
Third country transfers:
Organization | Country | Safeguards |
---|---|---|
HubSpot, Inc. | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Google LLC | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Conclusion of contract
Used for the initiation, legally compliant execution and management of contractual relationships with business partners, in particular to ensure compliance with legal, contractual and regulatory requirements in connection with the provision of GRC software solutions. Processing is carried out for the transparent creation, coordination and archiving of contract documents in compliance with the highest data protection and security standards on the basis of a cloud-based infrastructure.
Data subjects:
Data Subject Category | Data Categories | Classification |
---|---|---|
Customers | Surname, first name | Personal Data |
Customers | Email address | Personal Data |
Customers | Phone number | Personal Data |
Customers | Date of birth | Personal Data |
Customers | Place of birth | Personal Data |
Customers | Financial resources | Personal Data |
Customers | Bank details | Personal Data |
Customers | Account details | Personal Data |
Customers | State-assigned ID | Personal Data |
Customers | Company affiliation | Personal Data |
External consultants | Surname, first name | Personal Data |
External consultants | Email address | Personal Data |
External consultants | Phone number | Personal Data |
External consultants | Date of birth | Personal Data |
External consultants | Place of birth | Personal Data |
External consultants | Financial resources | Personal Data |
External consultants | Bank details | Personal Data |
External consultants | Account details | Personal Data |
External consultants | State-assigned ID | Personal Data |
External consultants | Occupational health data | Special Categories of Personal Data |
External consultants | Company affiliation | Personal Data |
Suppliers | Surname, first name | Personal Data |
Suppliers | Email address | Personal Data |
Suppliers | Phone number | Personal Data |
Suppliers | Date of birth | Personal Data |
Suppliers | Place of birth | Personal Data |
Suppliers | Financial resources | Personal Data |
Suppliers | Bank details | Personal Data |
Suppliers | Account details | Personal Data |
Suppliers | State-assigned ID | Personal Data |
Suppliers | Occupational health data | Special Categories of Personal Data |
Suppliers | Company affiliation | Personal Data |
Storage Period: Contract documents with customers and partners
Legal basis:
- Contract (Art. 6 Sec. 1 lit. b)
- The processing of personal data within the scope of the processing activity "conclusion of contract" is carried out for the performance of a contract or for the implementation of pre-contractual measures in accordance with Art. 6 para. 1 lit. b GDPR. This includes all activities that are necessary for the establishment, legally compliant processing and administration of contractual relationships with customers, service providers and partners (e.g. collection and administration of contact data, exchange of contractual documents, communication in the context of contract creation and execution).
- Legal obligation (Art. 6 Sec. 1 lit. c)
- E.g. § 132 BAO (Austrian Federal Fiscal Code), § 257 HGB (German Commercial Code)
In addition, processing is carried out in accordance with Art. 6 para. 1 lit. c GDPR, insofar as this is necessary to fulfill legal obligations (e.g. commercial and tax retention obligations in Austria and Germany).
Storage period: Contract documents with customers and partners (Duration: 10 Years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons and for the assertion or defense of claims.
Third party applications: Hubspot, Google Workspace, Slack
Third country transfers:
Organization | Country | Safeguards |
---|---|---|
HubSpot, Inc. | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Google LLC | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Salesforce.com, inc | United States of America (USA) | Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0) |
Website & SEO
Enables the provision and optimization of the company website and all associated online presences in order to provide interested parties and customers with comprehensive information on GRC solutions and services, facilitate communication, analyze user behavior, ensure the security and functionality of the systems and ensure compliance with relevant legal and normative requirements.
Data subjects:
Data Subject Category | Data Categories | Classification |
---|---|---|
Website visitors | IP address | Personal Data |
Website visitors | Use of technologies | Personal Data |
Website visitors | Company affiliation | Personal Data |
Website visitors | Electronic ID | Personal Data |
Website visitors | Actions on the website | Personal Data |
Website visitors | Surname, first name | Personal Data |
Website visitors | Phone number | Personal Data |
Storage Period: No additional retention period
Legal basis:
- Legitimate Interest (Art. 6 Sec. 1 lit. f)
- The processing of personal data in the context of the provision, maintenance and optimization of the company website is mainly based on legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. These consist in particular in the external presentation of the Akarion Group, the maintenance of IT security, the analysis for optimization and reach measurement as well as the efficient processing of contact requests. The legitimate interests prevail, as users have reasonable expectations regarding processing in the context of website operation and the use of cloud-based, security-certified IT systems and appropriate technical and organizational measures, including ISO 27001:2022 certification, are implemented to protect the data.
- Consent (Art. 6 Sec. 1 lit. a)
- If and insofar as consent is required for certain data processing operations (e.g. when using cookies or external tools such as Hubspot for user-based analysis), the processing is based on Art. 6 para. 1 lit. a GDPR. Consent is obtained transparently via the consent management banner and can be revoked at any time.
Storage period: No additional retention period (Duration: None)
If the legal basis for processing no longer applies, the data will be deleted immediately.
Third party applications: Google Workspace, Hubspot, Slack, Google Ads, Microsoft Ads, LinkedIn, Sales Viewer, Sales Navigator, CookieFirst
Third country transfers:
Organization | Country | Safeguards |
---|---|---|
Google LLC | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
HubSpot, Inc. | United States of America (USA) | Standard contractual clauses, Data Privacy Framework (Privacy Shield 2.0) |
Salesforce.com, inc | United States of America (USA) | Standard contractual clauses, Binding corporate rules, Data Privacy Framework (Privacy Shield 2.0) |
2. Rights of data subjects
2.1. Right to information, correction, blocking, deletion
Within the framework of the statutory provisions, you are entitled to request information about your personal data, its origin, possible recipients, and the purpose of processing at any time and free of charge. In addition, you are entitled to request the deletion of data concerning your person, any correction thereof, or the restriction of processing.
2.2. Right to object
If the processing of data concerning you is not based on the consent of the data subject, the data subject is entitled to object to the processing by Akarion at any time. Akarion points out that the statutory retention periods remain unaffected by any objection.
You may revoke your consent to the processing of your personal data at any time without giving reasons. To do so, please contact Akarion informally at: datenschutz@akarion.com, by mail, verbally when contacting us, or use any links provided (e.g., unsubscribe from the newsletter).
2.3. Right to data portability
You have the right at any time to request the transfer of data that we process automatically on the basis of your consent or in fulfillment of a contract to yourself or to a third party. The data will be provided in a machine-readable format, as far as technically possible.
2.4. Exercising your rights as a data subject
If you wish to exercise any of the rights listed above, please contact: datenschutz@akarion.com or contact Akarion by mail at the address above.
2.5. Right to lodge a complaint with the competent supervisory authority
If you fear that Akarion is handling your personal data improperly, you are entitled to lodge a complaint with the competent supervisory authority at any time.
The supervisory authorities responsible for us are:
In Austria:
Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna
T: +43 1 52 152-0
M: dsb@dsb.gv.at
In Germany:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
M: poststelle@lda.bayern.de
3. Disclosure of personal data
The processing of personal data at Akarion is partly carried out by processors. Akarion only uses processors who offer sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that processing is carried out in accordance with data protection requirements and that the rights of the data subject are protected. The processing of personal data by Akarion's processors is always based on a corresponding contract between Akarion and the processor.
Unless expressly agreed otherwise or another legal basis permits or requires the disclosure of your data, third parties will not have access to your data.
4. Data security
Akarion maintains technical and organizational measures to ensure data security, in particular to protect personal data from risks during data transmission and from disclosure to third parties. Akarion employees are trained and obliged to handle personal data with care.
When using this website, encrypted transmission via SSL (Secure Sockets Layer) or TLS (Transport Layer Security) takes place, provided that the website is accessed at https://akarion.com.