Privacy Policy
Last updated: September 24, 2025
Short & Simple: What is this about? The protection of your personal data is very important to us. In this statement, we transparently explain what data we collect, what we use it for, and what rights you have in this regard. We—that is, Akarion AG in Germany and Akarion GmbH in Austria—process your data jointly to provide you with our services and operate our website.
General Information and Contact
This Privacy Policy applies to the processing of personal data by the Akarion Group (“Akarion”). Separate agreements apply to specific processing activities, such as those related to employment relationships.
Akarion reserves the right to amend this Privacy Policy at any time with future effect. The current version is available here.
Joint controllers for the processing of personal data by Akarion, its processors, or the processing of personal data in connection with this website are:
Akarion AG
Theatinerstr. 8
c/o ARQIS
80333 Munich
Germany
M: +49 89 628 265 64
T: info@akarion.com
Akarion GmbH
Peter-Behrens-Platz 4
Tabakfabrik Linz
4020 Linz
Austria
M: +49 89 628 265 64
T: info@akarion.com
Both represented by Sven Meise.
Within the company, the management is responsible for all processing operations involving personal data. An internal review has determined that a dedicated data protection officer is not currently required.
Responsibilities are divided as follows:
Akarion GmbH
- Responsibility for the planning, development, and technical operation of the software.
- Ensuring ongoing technical support for the software products.
- Collaboration with Akarion AG to ensure the smooth integration of software solutions into sales channels and to support marketing.
Akarion AG
- Responsibility for the administrative and commercial management of the corporate group, including accounting, controlling, and financial planning.
- Development and implementation of sales and marketing strategies for the group’s products.
- Providing support services to customers, including handling customer inquiries that do not relate to technical issues.
Joint Responsibilities
- Management and maintenance of customer databases, as well as ensuring compliance with all relevant data protection laws.
- Joint coordination of strategic decisions regarding the further development of the software and marketing.
1. Data Processing
Akarion generally processes personal data only to the extent necessary for the respective processing purpose and/or covered by your consent. This also applies to the duration of the processing.
Advertising
Serves the targeted marketing of services and software solutions through the evaluation and use of personal data for personalized marketing measures, as well as the analysis and optimization of marketing activities, taking into account applicable data privacy and security requirements.
Data subjects:
| Data subject category | Data categories | Classification |
|---|---|---|
| Prospective customers | Last name, first name | Personal data |
| | Email address | Personal data |
| | Phone number | Personal data |
| | Company affiliation | Personal data |
| Customers | Last name, first name | Personal data |
| | Email address | Personal data |
| | Company affiliation | Personal data |
| | Phone number | Personal data |
| | Type of user access (subscription type) | Personal data |
Retention period: Customer support tickets and correspondence
Legal basis:
- Legitimate interest (Art. 6(1)(f))
- The processing of personal data as part of the "Advertisement" processing activity by Akarion AG and Akarion GmbH is based on legitimate interest pursuant to Art. 6(1)(f) GDPR. The legitimate interest consists of the targeted marketing of SaaS services and GRC software solutions to potential customers and prospects in order to expand the business, increase the relevance of marketing measures, and better address customer interests. Only the data necessary for this purpose is processed, and the interests of data subjects are safeguarded through appropriate technical and organizational measures (ISO 27001:2022, GDPR-compliant, access controls). Options for assistance and objection are provided.
Retention period: Customer support tickets and correspondence (Duration: 7 years)
Customer support data (tickets, emails, chat messages) is retained to fulfill legal obligations regarding evidence and documentation in the event of disputes or support contracts. This data is also necessary for the fulfillment of warranty and support obligations.
Third-party applications: HubSpot, Google Workspace, Slack, Microsoft Ads, LinkedIn, Google Ads
Transfers to third countries:
| Organization | Country | Appropriate safeguards |
|---|---|---|
| HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Salesforce.com, Inc. | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0) |
Customer Onboarding
Serves to facilitate the structured and secure onboarding of new customers into the platform and associated services, including the processing of relevant personal and corporate data, to ensure the foundation for contract execution, user account setup, technical and organizational integration, and the fulfillment of contractual, legal, and security-related requirements.
Data subjects:
| Data subject category | Data categories | Classification |
|---|---|---|
| Customers | Last name, first name | Personal data |
| | Email address | Personal data |
| | Phone number | Personal data |
| | Company affiliation | Personal data |
| | Position | Personal data |
| | Permissions within the software | Personal data |
Retention period: Contract documents with customers and partners
Legal basis:
- Contract performance (Art. 6(1)(b))
- The processing of personal data in the context of customer onboarding is carried out for the purpose of fulfilling a contract or taking pre-contractual measures in accordance with Art. 6(1)(b) GDPR. This includes, in particular, the creation and management of customer accounts, communication for onboarding purposes, technical and organizational integration, as well as support and assistance with the implementation of the SaaS platform and its functions.
Retention period: Contract documents with customers and partners (Duration: 10 years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law purposes, as well as to assert or defend claims.
Third-party applications: Akarion GRC Cloud, Google Workspace, HubSpot, Slack
Transfers to third countries:
| Organization | Country | Appropriate safeguards |
|---|---|---|
| Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Salesforce.com, Inc. | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0) |
Customer Support
Serves to efficiently process and document customer and end-user inquiries in order to provide technical and organizational support regarding the GRC SaaS solutions, ensure customer satisfaction, and enable continuous product improvements. The processing of personal data is carried out exclusively for the purpose of fulfilling the contract and in compliance with legal and regulatory requirements.
Data subjects:
| Data subject category | Data categories | Classification |
|---|---|---|
| Customers | Last name, first name | Personal data |
| | Phone number | Personal data |
| | Email address | Personal data |
| | Company affiliation | Personal data |
Retention period: Customer support tickets and correspondence
Legal basis:
- Contract performance (Art. 6(1)(b))
- The processing of personal data as part of the "Customer Support" processing activity at Akarion is carried out in accordance with Art. 6(1)(b) GDPR to fulfill contractual obligations toward customers and end users of the SaaS GRC solutions. The purpose is the efficient handling and resolution of support requests, the implementation of onboarding and training measures, and the improvement of customer satisfaction and products. The processing is necessary to fulfill the concluded contract or to carry out pre-contractual measures at the request of the data subject.
- Legitimate Interest (Art. 6(1)(f))
- Additionally, a legitimate interest pursuant to Art. 6(1)(f) GDPR may exist for the optimization of service quality, product improvement based on support feedback, and IT security. The processing is necessary to safeguard these legitimate interests and does not conflict with the interests, fundamental rights, and freedoms of the data subjects.
Retention period: Customer support tickets and correspondence (Duration: 7 years)
Customer support data (tickets, emails, chat messages) is retained to fulfill legal obligations regarding evidence and documentation in the event of disputes or support contracts. This data is also necessary for the fulfillment of warranty and support obligations.
Third-party applications: Google Workspace, HubSpot, Slack
Transfers to third countries:
| Organization | Country | Appropriate safeguards |
|---|---|---|
| Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Salesforce.com, Inc. | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0) |
Marketing Automation
Used for the automated planning, execution, and optimization of marketing activities to effectively engage and inform existing and potential customers, increase brand awareness, generate leads, and measure campaign success.
Data subjects:
| Data subject category | Data categories | Classification |
|---|---|---|
| Prospects | Email address | Personal data |
| | Last name, first name | Personal data |
| | Interests as per newsletter subscription | Personal data |
| | Company affiliation | Personal data |
Retention period: No additional retention period
Legal basis:
- Legitimate interest (Art. 6(1)(f))
- The processing of personal data in the context of marketing automation is carried out to safeguard the company’s legitimate interests in providing targeted information to existing and potential customers, efficiently conducting marketing campaigns, and increasing brand awareness. A balancing test has determined that the company’s interests do not outweigh the rights and freedoms of the data subjects, as data subjects may object to the processing at any time and all legal information and protection obligations are fulfilled.
Retention period: No additional retention period (Duration: None)
If the legal basis for processing ceases to apply, the data will be deleted immediately.
Third-party applications: HubSpot
Transfers to third countries:
| Organization | Country | Appropriate safeguards |
|---|---|---|
| HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
Monitoring and operation
Serves to ensure the secure, stable, and legally compliant operation of the cloud-based IT infrastructure as well as all essential systems and SaaS platforms. The processing enables continuous monitoring, early detection, and resolution of malfunctions or security incidents, as well as the technical and organizational implementation of all relevant security, compliance, and availability requirements. The goal is the sustainable protection of critical business processes and the processed personal data while complying with legal and regulatory requirements.
Data subjects:
| Data subject category | Data categories | Retention period | Classification |
|---|---|---|---|
| Contact persons (within and outside the client’s organization) | Last name, first name | Until the end of the contract term | Personal data |
| | Email address | Until the end of the contract term | Personal data |
| | Phone number | Until the end of the contract term | Personal data |
| | Employment status | Until the end of the contract term | Personal data |
| | Job title | Until the end of the contract term | Personal data |
| | Department | Until the end of the contract term | Personal data |
| | Responsibilities for documented objects, processes, and events | Until the end of the contract term | Personal data |
| Software users | Interface or user language | Until the end of the contract term | Personal data |
| | User role | Until the end of the contract term | Personal data |
| | Permissions within the software | Until the end of the contract term | Personal data |
| | User access status (active / inactive) | Until the end of the contract term | Personal data |
| | Actions within the software | Until the end of the contract term | Personal data |
| | IP address | Application logs from SaaS platform | Personal data |
| Individuals who contact the client via the software | Name or identifier | Until the end of the contract term | Personal data |
| | Information from the inquiry text | Until the end of the contract term | Personal data |
| | Personal data in factual descriptions | Until the end of the contract term | Personal data |
| | IP address | Application logs from SaaS platform | Personal data |
| | Time of accessing the portal and time of sending a message | Until the end of the contract term | Personal data |
Legal basis:
- Legitimate interest (Art. 6(1)(f))
- The processing of personal data as part of the "Monitoring and Operation" processing activity for the entire cloud-based IT infrastructure and SaaS platforms is necessary to safeguard the legitimate interests of Akarion GmbH. The legitimate interest consists of ensuring secure, stable, available, and legally compliant IT operations. This includes, in particular, the detection and resolution of security incidents, the protection of critical data (e.g., customer data, source code repositories), ensuring compliance, including with ISO 27001:2022, and the continuous monitoring of system performance and integrity. The interests of data subjects are safeguarded through data minimization, technical and organizational safeguards, and transparent processes. A balancing of interests has determined that there are no overriding interests or fundamental rights of the data subjects that would preclude this.
Retention period: Until the end of the contract term (Duration: None)
Third-party applications: Akarion GRC Cloud, Atlas MongoDB, Sentry, Cloudflare, Amazon Web Services, Datadog, Heroku, DeepL, OVHcloud
Transfers to third countries:
| Organization | Country | Appropriate safeguards |
|---|---|---|
| MongoDB Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Functional Software, Inc. | United States (USA) | Data Privacy Framework (Privacy Shield 2.0) |
| Cloudflare, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Amazon Web Services, Inc. | United States (USA) | Data Privacy Framework (Privacy Shield 2.0), Approved Code of Conduct |
| Datadog, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Salesforce.com, Inc. | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0) |
Newsletter
Serves to provide targeted information to existing and potential customers and partners about news, developments, and events in the field of GRC software solutions in order to strengthen customer loyalty and promote knowledge transfer.
Data subjects:
| Data subject category | Data categories | Classification |
|---|---|---|
| Newsletter subscribers | Email address | Personal data |
| | Interests as per newsletter registration | Personal data |
| | Last name, first name | Personal data |
| | Company affiliation | Personal data |
Retention period: No additional retention period
Legal basis:
- Consent (Art. 6(1)(a))
- The processing of personal data for the purpose of sending the newsletter is based on the consent of the data subjects in accordance with Art. 6(1)(a) GDPR. Recipients have expressly consented to receiving the newsletter and may revoke their consent at any time.
Retention period: No additional retention period (Duration: None)
If the legal basis for processing ceases to apply, the data will be deleted immediately.
Third-party applications: HubSpot
Transfers to third countries:
| Organization | Country | Appropriate safeguards |
|---|---|---|
| HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
Recruiting
Used to carry out measures for the recruitment, selection, and hiring of qualified employees to meet the company’s staffing needs and ensure effective filling of open positions.
Data subjects:
| Data subject category | Data categories | Classification |
|---|---|---|
| Applicants | Last name, first name | Personal data |
| | Date of birth | Personal data |
| | Email address | Personal data |
| | Place of birth | Personal data |
| | Marital status | Personal data |
| | Citizenship | Personal data |
| | Language skills | Personal information |
| | Qualifications | Personal information |
| | Degrees and qualifications | Personal information |
| | Salary | Personal data |
| | Responsibilities for documented objects, processes, and events | Personal data |
Retention period: Applicant data (non-hired individuals)
Legal basis:
- Performance of a contract (Art. 6(1)(b))
- The processing of personal data in the context of recruitment activities serves to carry out pre-contractual measures taken at the request of the data subject or is necessary for the performance of an employment contract (Art. 6(1)(b) GDPR). For example, application documents are processed to assess suitability and conduct the selection process.
Retention period: Applicant data (non-hired individuals) (Duration: 210 days)
Documents and data from applicants who are not hired must be retained for a limited period due to potential future legal claims (discrimination, equal treatment).
Third-party applications: HubSpot, Google Workspace
Transfers to third countries:
| Organization | Country | Appropriate safeguards |
|---|---|---|
| HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
Conclusion of Contract
Serves to initiate, execute in a legally compliant manner, and manage contractual relationships with business partners, in particular to ensure compliance with legal, contractual, and regulatory requirements in connection with the provision of GRC software solutions. Processing is carried out for the transparent creation, coordination, and archiving of contractual documents in compliance with the highest data privacy and security standards based on a cloud-based infrastructure.
Data subjects:
| Data subject category | Data categories | Classification |
|---|---|---|
| Customers | Last name, first name | Personal data |
| | Email address | Personal data |
| | Phone number | Personal data |
| | Date of birth | Personal data |
| | Place of birth | Personal data |
| | Funding | Personal data |
| | Bank account information | Personal data |
| | Account information | Personal data |
| | Government-issued ID | Personal data |
| | Company affiliation | Personal data |
| External consultants | Last name, first name | Personal data |
| | Email address | Personal data |
| | Phone number | Personal data |
| | Date of birth | Personal data |
| | Place of birth | Personal data |
| | Funding | Personal data |
| | Bank account information | Personal data |
| | Account information | Personal data |
| | Government-issued ID | Personal data |
| | Occupational health data | Special categories of personal data |
| | Employment status | Personal data |
| Suppliers | Last name, first name | Personal data |
| | Email address | Personal data |
| | Phone number | Personal data |
| | Date of birth | Personal data |
| | Place of birth | Personal data |
| | Funding | Personal data |
| | Bank account information | Personal data |
| | Account information | Personal data |
| | Government-issued ID | Personal data |
| | Occupational health data | Special categories of personal data |
| | Employment status | Personal data |
Retention period: Contract documents with customers and partners
Legal basis:
- Contract performance (Art. 6(1)(b))
- The processing of personal data within the scope of the processing activity "Contract Conclusion" is carried out for the purpose of fulfilling a contract or taking pre-contractual measures in accordance with Art. 6(1)(b) GDPR. This includes all activities necessary for the establishment, legally compliant execution, and administration of contractual relationships with customers, service providers, and partners (for example, collection and management of contact data, exchange of contract documents, communication in connection with contract drafting and execution).
- Legal obligation (Art. 6(1)(c))
- Additionally, processing is carried out in accordance with Art. 6(1)(c) GDPR to the extent necessary to fulfill legal obligations (e.g., commercial and tax law retention obligations in Austria and Germany).
- e.g., § 132 BAO (Austrian Federal Tax Code), § 257 HGB (German Commercial Code)
Retention period: Contract documents with customers and partners (Duration: 10 years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons, as well as to assert or defend claims.
Third-party applications: HubSpot, Google Workspace, Slack
Transfers to third countries:
| Organization | Country | Appropriate safeguards |
|---|---|---|
| HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Salesforce.com, Inc. | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0) |
Website & SEO
Enables the provision and optimization of the company website and all associated online presences to provide prospects and customers with comprehensive information on GRC solutions and services, facilitate communication, analyze user behavior, ensure the security and functionality of the systems, and ensure compliance with relevant legal and regulatory requirements.
Data subjects:
| Data subject category | Data categories | Classification |
|---|---|---|
| Website visitors | IP address | Personal data |
| | Use of technologies | Personal data |
| | Company affiliation | Personal data |
| | Electronic ID | Personal data |
| | Website activity | Personal data |
| | Last name, first name | Personal data |
| | Phone number | Personal data |
Retention period: No additional retention period
Legal basis:
- Legitimate interest (Art. 6(1)(f))
- The processing of personal data in connection with the provision, maintenance, and optimization of the company website is primarily based on legitimate interests pursuant to Art. 6(1)(f) GDPR. These include, in particular, the public image of the Akarion Group, the maintenance of IT security, analysis for optimization and reach measurement, and the efficient handling of contact requests. The legitimate interests prevail, as users have reasonable expectations regarding processing in the context of website operation and the use of cloud-based, security-certified IT systems, and appropriate technical and organizational measures, including ISO 27001:2022 certification, are implemented to protect the data.
- Consent (Art. 6(1)(a))
- If and to the extent that consent is required for certain data processing operations (e.g., when using cookies or external tools such as HubSpot for user-based analysis), the processing is based on Art. 6(1)(a) GDPR. Consent is obtained transparently via the consent management banner and may be revoked at any time.
Retention period: No additional retention period (Duration: None)
If the legal basis for processing ceases to apply, the data will be deleted immediately.
Third-party applications: Google Workspace, HubSpot, Slack, Google Ads, Microsoft Ads, LinkedIn, Sales Viewer, Sales Navigator, CookieFirst
Transfers to third countries:
| Organization | Country | Appropriate safeguards |
|---|---|---|
| Google LLC | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| HubSpot, Inc. | United States (USA) | Standard Contractual Clauses, Data Privacy Framework (Privacy Shield 2.0) |
| Salesforce.com, Inc. | United States (USA) | Standard Contractual Clauses, Binding Corporate Rules, Data Privacy Framework (Privacy Shield 2.0) |
2. Data Subject Rights
2.1. Right to access, rectification, restriction, and erasure
Within the framework of legal provisions, you are entitled at any time and free of charge to request information regarding the data concerning you, its origin, potential recipients, and the purpose of processing. Furthermore, you are entitled to request the erasure of data concerning you, any correction thereof, or the restriction of processing.
2.2. Right to Object
If the processing of data concerning you is not based on your consent, you are entitled at any time to object to such processing by Akarion. Akarion notes that statutory retention periods remain unaffected by any such objection.
You may revoke any consent you have given for the processing of your personal data at any time without providing a reason. To do so, please contact Akarion informally at: datenschutz@akarion.com, by mail, verbally when contacting us, or use any links provided (e.g., unsubscribe from the newsletter).
2.3. Right to Data Portability
You have the right at any time to request that data we process automatically based on your consent or in fulfillment of a contract be provided to you or to a third party. The data will be provided, to the extent technically possible, in a machine-readable format.
2.4. Exercising Data Subject Rights
If you wish to exercise any of the listed rights, please contact us at: datenschutz@akarion.com or write to Akarion at the address provided above.
2.5. Right to lodge a complaint with the competent supervisory authority
If you suspect that Akarion is handling your personal data improperly, you are entitled at any time to file a complaint with the competent supervisory authority.
The supervisory authorities responsible for us are:
In Austria:
Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna
T: +43 1 52 152-0
M: dsb@dsb.gv.at
In Germany:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
M: poststelle@lda.bayern.de
3. Disclosure of Personal Data
At Akarion, the processing of personal data is carried out in part by data processors. Akarion only uses data processors that provide sufficient guarantees that appropriate technical and organizational measures are implemented to ensure that processing is carried out in accordance with data protection requirements and that the rights of the data subject are safeguarded. The processing of personal data by Akarion’s data processors is always based on a corresponding contract between Akarion and the data processor. Unless expressly agreed otherwise or another legal basis permits or requires the disclosure, third parties will not have access to your data.
4. Data Security
Akarion maintains technical and organizational measures to ensure data security, in particular to protect personal data from risks during data transfers and from disclosure to third parties. Akarion employees are trained in the careful handling of personal data and are obligated to do so.
When using this website, encrypted transmission via SSL (Secure Sockets Layer) or TLS (Transport Layer Security) takes place, provided the website is accessed at https://akarion.com.