
Data Privacy Statement

General Information and Contact

The protection of your personal data is very important to us. In this statement, we transparently explain what data we collect, what we use it for, and what rights you have in this regard. We, that is Akarion AG in Germany and Akarion GmbH in Austria, process your data jointly to offer you our services and operate our website. 

This privacy policy applies to the processing of personal data by the Akarion corporate group ("Akarion"). For special processing activities, e.g., in employment relationships, separate agreements are used.
Akarion reserves the right to change this privacy policy at any time with effect for the future. The current version is available at this location.

Joint controllers for the processing of personal data by Akarion, their data processors, or the processing of personal data in connection with this website are:

 

Akarion AG
Theatinerstr. 8
c/o ARQIS
80333 München
Germany
T: +43 732 931637
M: info@akarion.com

Akarion GmbH
Tabakfabrik Linz
Peter-Behrens-Platz 4
4020 Linz
Austria
T: +43 732 931637
M: info@akarion.com

Both represented by Sven Meise.

Within the company, management is responsible for all processing activities regarding personal data. An internal review revealed that no dedicated data protection officer is currently required.

 

The responsibilities are divided as follows:

Akarion GmbH

  • Responsibility for planning, development, and technical operation of the software.
  • Ensuring ongoing support for software products at the technical level.
  • Collaboration with Akarion AG to ensure smooth integration of software solutions into sales channels and to support marketing.

Akarion AG

  • Responsibility for administrative and commercial management of the corporate group, including accounting, controlling, and financial planning.
  • Development and implementation of sales and marketing strategies for the corporate group's products.
  • Provision of support services to customers, including handling customer inquiries that do not relate to technical matters.

Joint Tasks

  • Management and maintenance of customer databases as well as ensuring compliance with all relevant data protection laws.
  • Joint coordination on strategic decisions regarding software development and marketing.

 

1. Data Processing

Akarion generally processes personal data only to the extent necessary for the respective processing purpose and/or covered by your consent. This also applies to the duration of processing.
 

Advertisement

Serves the targeted marketing of services and software solutions through analysis and use of personal data for individualized marketing measures as well as analysis and optimization of marketing activities in compliance with applicable data protection and security requirements.

Data Subjects:

  • Prospects
  • Customers


Data Categories:

  • Name, First Name
  • Email Address
  • Phone Number
  • Company Affiliation
  • Type of User Access (Subscription Type)


Legal Basis:

  • Legitimate Interest (Art. 6 Para. 1 lit. f)
    • The processing of personal data within the framework of the 'Advertisement' processing activity by Akarion AG and Akarion GmbH is based on legitimate interest according to Art. 6 Para. 1 lit. f GDPR. The legitimate interest consists in targeted marketing of SaaS services and GRC software solutions to potential customers and prospects to expand business, increase the relevance of marketing measures, and better address customer interests. Only data necessary for this purpose is processed and the interests of data subjects are protected through appropriate technical and organizational measures (ISO 27001:2022, GDPR-compliant, access controls). Help and objection options are provided.


Retention Period: Customer Support Tickets and Correspondence (Duration: 7 Years)
Customer support data (tickets, emails, chat messages) are retained to comply with legal proof and documentation obligations in case of disputes or support contracts. This data is also required for fulfilling warranty and support obligations.

Third-Party Applications: Hubspot, Google Workspace, Slack, Microsoft Ads, LinkedIn, Google Ads

Third Country Transfers:

Organization | Country | Appropriate Safeguards
HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0)

 

Customer Onboarding

Serves the structured and secure onboarding of new customers to the platform and associated services, including the processing of relevant personal and business data to establish the foundation for contract execution, setup of user access, technical and organizational integration, as well as fulfillment of contractual, legal, and security-related requirements.

Data Subjects:

  • Customers


Data Categories:

  • Name, First Name
  • Email Address
  • Phone Number
  • Company Affiliation
  • Role/Function
  • Permissions within the Software


Legal Basis:

  • Contract Performance (Art. 6 Para. 1 lit. b)
    • The processing of personal data in the context of customer onboarding is carried out to fulfill a contract or to carry out pre-contractual measures according to Art. 6 Para. 1 lit. b GDPR. This includes in particular the creation and management of customer access, communication for onboarding purposes, technical and organizational integration, as well as support and assistance in the introduction of the SaaS platform and its functions.


Retention Period: Contract Documents with Customers and Partners (Duration: 10 Years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons as well as for asserting or defending claims.

Third-Party Applications: Akarion GRC Cloud, Google Workspace, Hubspot, Slack

Third Country Transfers:

Organization | Country | Appropriate Safeguards
Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0)

 

Customer Support

Serves the efficient processing and documentation of customer and end-user inquiries to provide technical and organizational support regarding GRC-SaaS solutions, ensure customer satisfaction, and enable continuous product improvements. The processing of personal data is carried out exclusively for contract fulfillment and in consideration of legal and regulatory requirements.

Data Subjects:

  • Customers


Data Categories:

  • Name, First Name
  • Phone Number
  • Email Address
  • Company Affiliation


Legal Basis:

  • Contract Performance (Art. 6 Para. 1 lit. b)
    • The processing of personal data within the framework of the 'Customer Support' processing activity at Akarion is carried out according to Art. 6 Para. 1 lit. b GDPR to fulfill contractual obligations towards customers and end users of the SaaS-GRC solutions. The goal is the efficient processing and resolution of support requests, the implementation of onboarding and training measures, as well as the improvement of customer satisfaction and products. The processing is necessary to fulfill the concluded contract or to carry out pre-contractual measures that occur at the request of the data subject.
  • Legitimate Interest (Art. 6 Para. 1 lit. f)
    • Additionally, a legitimate interest according to Art. 6 Para. 1 lit. f GDPR may exist for optimizing service quality, product improvement based on support feedback, and IT security. The processing is necessary to protect these legitimate interests and does not conflict with the interests, fundamental rights, and freedoms of the data subjects.


Retention Period: Customer Support Tickets and Correspondence (Duration: 7 Years)
Customer support data (tickets, emails, chat messages) are retained to comply with legal proof and documentation obligations in case of disputes or support contracts. This data is also required for fulfilling warranty and support obligations.

Third-Party Applications: Google Workspace, Hubspot, Slack

Third Country Transfers:

Organization | Country | Appropriate Safeguards
Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0)

 

Marketing Automation

Serves the automated planning, implementation, and optimization of marketing measures for effective outreach and information to existing and potential customers, increasing brand awareness, generating prospects, and measuring campaign success.

Data Subjects:

  • Prospects


Data Categories:

  • Email Address
  • Name, First Name
  • Interests according to Newsletter Registration
  • Company Affiliation


Legal Basis:

  • Legitimate Interest (Art. 6 Para. 1 lit. f)
    • The processing of personal data in the context of marketing automation is carried out to protect the legitimate interests of the company in targeted information to existing and potential customers, efficient execution of marketing campaigns, and increasing brand awareness. An interest balancing test has shown that the company's interests do not outweigh the rights and freedoms of the data subjects, as data subjects can object to the processing at any time and all legal information and protection obligations are met.


Retention Period: No Additional Retention Period (Duration: None)
If the legal basis for processing ceases to exist, the data is immediately deleted.

Third-Party Applications: Hubspot

Third Country Transfers:

Organization | Country | Appropriate Safeguards
HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)

 

Monitoring and Operations

Serves to ensure secure, stable, and legally compliant operation of the cloud-based IT infrastructure as well as all essential systems and SaaS platforms. The processing enables continuous monitoring, early detection and remediation of disruptions or security incidents, as well as the technical and organizational implementation of all relevant security, compliance, and availability requirements. The goal is the lasting protection of critical business processes and the personal data processed, while complying with legal and normative requirements.

Data Subjects:

  • Customers
  • Prospects


Data Categories:

  • Name, First Name
  • Email Address
  • Phone Number
  • Hash Value of User Password
  • IP Address
  • Technology Usage
  • Actions within the Software
  • Permissions within the Software


Legal Basis:

  • Legitimate Interest (Art. 6 Para. 1 lit. f)
    • The processing of personal data within the framework of the "Monitoring and Operations" processing activity of the entire cloud-based IT infrastructure and SaaS platforms is necessary to protect the legitimate interests of Akarion GmbH. The legitimate interest consists in ensuring secure, stable, available, and compliant IT operations. This includes in particular the detection and resolution of security incidents, protection of critical data (e.g., customer data, source code repositories), ensuring compliance including according to ISO 27001:2022, as well as continuous monitoring of system performance and integrity. The interests of data subjects are protected through data minimization, technical and organizational security measures, and transparent processes. An interest balancing assessment has shown that no overriding interests or fundamental rights of data subjects conflict with this.


Retention Period: Application Logs from SaaS Platform (Duration: 1 Year)
System and access logs from the SaaS environment, including log data on user logins, changes in settings, API calls, and security-relevant events. These logs serve traceability, security, error analysis, and compliance (including ISO 27001, GDPR).

Third-Party Applications: Akarion GRC Cloud, Atlas MongoDB, Sentry, Cloudflare, Amazon Web Services, Datadog, Heroku, DeepL, OVHcloud

Third Country Transfers:

Organization | Country | Appropriate Safeguards
MongoDB Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Functional Software, Inc. | United States (USA) | Data Privacy Framework (Privacy Shield 2.0)
Cloudflare, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Amazon Web Services, Inc. | United States (USA) | Data Privacy Framework (Privacy Shield 2.0), Approved Code of Conduct
Datadog, Inc | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0)

 

 

Newsletter

Serves to provide targeted information to existing and potential customers as well as partners about news, developments, and events in the field of GRC software solutions, in order to strengthen customer loyalty and promote knowledge transfer.

Data Subjects:

  • Newsletter Subscribers


Data Categories:

  • Email Address
  • Interests according to Newsletter Registration
  • Name, First Name
  • Company Affiliation


Legal Basis:

  • Consent (Art. 6 Para. 1 lit. a)
    • The processing of personal data for sending newsletters is based on the consent of the data subjects according to Art. 6 Para. 1 lit. a GDPR. Recipients have expressly consented to receiving the newsletter and can revoke their consent at any time.


Retention Period: No Additional Retention Period (Duration: None)
If the legal basis for processing ceases to exist, the data is immediately deleted.

Third-Party Applications: Hubspot

Third Country Transfers:

Organization | Country | Appropriate Safeguards
HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)

 

 

Recruiting

Serves to carry out measures for attracting, selecting, and hiring qualified employees in order to cover the company's staffing needs and ensure that open positions are filled effectively.

Data Subjects:

  • Applicants


Data Categories:

  • Name, First Name
  • Date of Birth
  • Email Address
  • Place of Birth
  • Marital Status
  • Citizenship
  • Language Skills
  • Qualification
  • Degrees and Qualifications
  • Salary
  • Responsibilities for Documented Objects, Processes, Events


Legal Basis:

  • Contract Performance (Art. 6 Para. 1 lit. b)
    • The processing of personal data in the context of recruiting activities serves to carry out pre-contractual measures that occur at the request of the data subject, or is necessary for the fulfillment of an employment contract (Art. 6 Para. 1 lit. b GDPR). For example, application documents are processed to assess suitability and conduct the selection process.


Retention Period: Applicant Data (Non-Hired Persons) (Duration: 210 Days)
Documents and data of applicants who are not hired must be retained for a limited time due to possible later legal claims (discrimination, equal treatment).

Third-Party Applications: Hubspot, Google Workspace

Third Country Transfers:

Organization | Country | Appropriate Safeguards
HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)

 

 

Contract Conclusion

Serves the initiation, legally secure execution, and management of contractual relationships with business partners, in particular to ensure legal, contractual, and regulatory requirements in connection with the provision of GRC software solutions. The processing is carried out for the transparent creation, coordination, and archiving of contract documents in compliance with the highest data protection and security standards on the basis of a cloud-based infrastructure.

Data Subjects:

  • Customers
  • External Consultants
  • Suppliers


Data Categories:

  • Name, First Name
  • Email Address
  • Phone Number
  • Date of Birth
  • Place of Birth
  • Financial Resources
  • Bank Connection Data
  • Account Data
  • Government-Assigned ID
  • Company Affiliation
  • Occupational Health Data


Legal Basis:

  • Contract Performance (Art. 6 Para. 1 lit. b)
    • The processing of personal data within the framework of the "Contract Conclusion" processing activity is carried out to fulfill a contract or to carry out pre-contractual measures according to Art. 6 Para. 1 lit. b GDPR. This includes all activities necessary for establishing, legally secure handling, and managing contractual relationships with customers, service providers, and partners (for example, collection and management of contact data, exchange of contract documents, communication in the context of contract creation and execution).
  • Legal Obligation (Art. 6 Para. 1 lit. c)
    • e.g., § 132 BAO (Austrian Federal Tax Code), § 257 HGB (German Commercial Code) 
       
      Additionally, processing is carried out according to Art. 6 Para. 1 lit. c GDPR, insofar as this is necessary to fulfill legal obligations (e.g., commercial and tax law retention obligations in Austria and Germany).


Retention Period: Contract Documents with Customers and Partners (Duration: 10 Years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons as well as for asserting or defending claims.

Third-Party Applications: Hubspot, Google Workspace, Slack

Third Country Transfers:

Organization | Country | Appropriate Safeguards
HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0)

 

 

Website & SEO

Enables the provision and optimization of the company website and all associated online presences in order to make comprehensive information about GRC solutions and services accessible to prospects and customers, facilitate communication, analyze user behavior, ensure the security and functionality of the systems, and ensure compliance with relevant legal and normative requirements.

Data Subjects:

  • Website Visitors


Data Categories:

  • IP Address
  • Technology Usage
  • Company Affiliation
  • Electronic ID
  • Actions on the Website
  • Name, First Name
  • Phone Number


Legal Basis:

  • Legitimate Interest (Art. 6 Para. 1 lit. f)
    • The processing of personal data in the context of providing, maintaining, and optimizing the company website is predominantly based on legitimate interests according to Art. 6 Para. 1 lit. f GDPR. These consist in particular in the external representation of the Akarion Group, maintaining IT security, analysis for optimization and reach measurement, as well as efficient processing of contact requests. The legitimate interests prevail because users have reasonable expectations regarding processing in the context of website operation as well as the use of cloud-based, security-certified IT systems, and appropriate technical and organizational measures, including ISO 27001:2022 certification, are implemented to protect the data.
  • Consent (Art. 6 Para. 1 lit. a)
    • Insofar as consent is required for certain data processing operations (e.g., when using cookies or external tools like Hubspot for user-based analysis), the processing is based on Art. 6 Para. 1 lit. a GDPR. Consent is obtained transparently via the consent management banner and can be revoked at any time.


Retention Period: No Additional Retention Period (Duration: None)
If the legal basis for processing ceases to exist, the data is immediately deleted.

Third-Party Applications: Google Workspace, Hubspot, Slack, Google Ads, Microsoft Ads, LinkedIn, Sales Viewer, Sales Navigator, CookieFirst

Third Country Transfers:

Organization | Country | Appropriate Safeguards
Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0)
Salesforce.com, inc | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0)



 

2. Data Subject Rights

2.1. Right to Information, Correction, Blocking, Deletion

Within the framework of legal provisions, you are entitled to request information about data concerning you, its origin, possible recipients, and the purpose of processing free of charge at any time. Furthermore, you are entitled to request the deletion of data concerning you, any correction thereof, or the restriction of processing.

2.2. Right to Object

If the processing of data concerning you is not based on your consent, you are entitled to object to the processing by Akarion at any time. Akarion points out that the statutory retention periods remain unaffected by any objection.
You can revoke consent you have given for the processing of your personal data at any time without giving reasons. To do so, please contact Akarion informally at datenschutz@akarion.com, by mail, or verbally when making contact, or use any links provided (e.g., to unsubscribe from the newsletter).

2.3. Right to Data Portability

You have the right at any time to request the delivery of data that we process automatically based on your consent or in fulfillment of a contract, to yourself or to third parties. The provision is made, insofar as technically possible, in a machine-readable format.

2.4. Exercise of Data Subject Rights

Should you wish to exercise any of the rights listed above, please contact datenschutz@akarion.com or contact Akarion by mail at the address given above.

2.5. Right to Complain to the Competent Supervisory Authority

Should you suspect improper handling of data concerning you by Akarion, you are entitled to file a complaint with the competent supervisory authority at any time.

The supervisory authorities responsible for us are:

In Austria:
Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna
T: +43 1 52 152-0
M: dsb@dsb.gv.at

In Germany:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
M: poststelle@lda.bayern.de

3. Disclosure of Personal Data

The processing of personal data at Akarion is partially carried out by data processors. Akarion only uses such data processors that provide sufficient guarantees that appropriate technical and organizational measures are implemented so that processing is carried out in accordance with data protection requirements and that protect the rights of the data subject. The processing of personal data by Akarion's data processors is always based on a corresponding contract between Akarion and the data processor.
Third parties do not receive access to your data unless something else has been expressly agreed or another legal basis permits or requires the disclosure.

4. Data Security

Akarion maintains technical and organizational measures to ensure data security, particularly to protect personal data from dangers during data transmission and from being accessed by third parties. Akarion's employees are trained and obligated to handle personal data carefully.
When using this website, encrypted transmission via SSL (Secure Sockets Layer) or TLS (Transport Layer Security) takes place, provided the website is accessed at https://akarion.com.