Privacy Policy

Last updated: 10/05/2026 

Short & Easy to Understand: What is this about? The protection of your personal data is very important to us. In this statement, we transparently explain which data we collect, what we use it for, and what rights you have in this regard. We, meaning Akarion AG in Germany and Akarion GmbH in Austria, jointly process your data in order to offer you our services and operate our website.

General information and contact

This Privacy Policy applies to the processing of personal data by the Akarion group of companies ("Akarion"). Separate agreements apply to specific processing activities, e.g. in the context of employment relationships.
Akarion reserves the right to amend this Privacy Policy at any time with effect for the future. The current version is available here.

The joint controllers responsible for the processing of personal data by Akarion, its processors, or the processing of personal data in connection with this website are:

Akarion AG

P: +49 89 628 265 64
E: info@akarion.com

Akarion GmbH

P: +43 732 931637
E: info@akarion.com

Both represented by Sven Meise.
Within the company, the management is responsible for all processing procedures relating to personal data. An internal review determined that a separate data protection officer is currently not required.

Responsibilities are divided as follows:

Akarion GmbH

 

• Responsible for the planning, development, and technical operation of the software.
• Ensuring ongoing support for the software products at the technical level.
• Collaboration with Akarion AG to ensure smooth integration of the software solutions into the sales channels and to support marketing.

Akarion AG

• Responsible for the administrative and commercial management of the group of companies, including accounting, controlling, and financial planning.
• Development and implementation of sales and marketing strategies for the products of the group of companies.
• Provision of support services for customers, including handling customer inquiries that do not relate to technical matters.

Joint tasks

• Management and maintenance of the customer databases as well as ensuring compliance with all relevant data protection laws.
• Joint coordination on strategic decisions regarding the further development of the software and marketing.

 

1. Data processing

As a rule, Akarion processes personal data only to the extent necessary for the respective processing purpose and/or covered by your consent. This also applies to the duration of processing.
 

Advertisement

Used for the targeted marketing of services and software solutions by evaluating and using personal data for individualized marketing measures as well as analyzing and optimizing marketing activities in compliance with applicable data protection and security requirements.

Data subjects: Interested parties, Employees of client companies
Legal basis: Legitimate Interest (Art. 6 Sec. 1 lit. f)
Retention period: Opt-Out (Duration: None)

Third-party applications:

 

Conclusion of contract

Used for the initiation, legally compliant execution and management of contractual relationships with business partners, in particular to ensure compliance with legal, contractual and regulatory requirements in connection with the provision of GRC software solutions. Processing is carried out for the transparent creation, coordination and archiving of contract documents in compliance with the highest data protection and security standards on the basis of a cloud-based infrastructure.

Data subjects: Employees of client companies, External consultants, Suppliers, Employees of client companies
Legal basis: Contract (Art. 6 Sec. 1 lit. b), Legal obligation (Art. 6 Sec. 1 lit. c)
Retention period: Contract documents with customers and partners (Duration: 10 Years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons and for the assertion or defense of claims.
Third-party applications:

 

Customer onboarding

Serves the structured and secure admission of new customers to the platform and associated services, including the processing of relevant personal and company-related data to ensure the basis for contract processing, establishment of user access, technical and organizational integration and compliance with contractual, legal and security requirements.

Data subjects: Software user
Legal basis: Contract (Art. 6 Sec. 1 lit. b)
Retention period: Contract documents with customers and partners (Duration: 10 Years)
Contracts and related correspondence with customers and partners are retained for commercial and tax law reasons and for the assertion or defense of claims.
Third-party applications:

 

Customer Support

Serves to efficiently process and document customer and end user requests in order to provide technical and organizational support regarding GRC SaaS solutions, ensure customer satisfaction and enable continuous product improvements. The processing of personal data takes place exclusively for the fulfillment of the contract and in compliance with legal and regulatory requirements.

Data subjects: Employees of client companies
Legal basis: Contract (Art. 6 Sec. 1 lit. b), Legitimate Interest (Art. 6 Sec. 1 lit. f)
Retention period: Customer support tickets and correspondence (Duration: 7 Years)
Customer support data (tickets, emails, chat messages) are stored in order to be able to fulfill legal obligations to provide evidence and documentation in the event of disputes or support contracts. This data is also required for the fulfillment of warranty and support obligations.
Third-party applications:

 

Marketing Automation

Used for the automated planning, implementation and optimization of marketing measures to effectively address and inform existing and potential customers, increase brand awareness, generate prospective customers and measure the success of campaigns.

Data subjects: Interested parties
Legal basis: Legitimate Interest (Art. 6 Sec. 1 lit. f)
Retention period: Opt-Out (Duration: None)

Third-party applications:

 

Monitoring and operation

Serves to ensure secure, stable and legally compliant operation of the cloud-based IT infrastructure and all key systems and SaaS platforms. Processing enables the continuous monitoring, early detection and rectification of disruptions or security incidents as well as the technical and organizational implementation of all relevant security, compliance and availability requirements. The aim is to sustainably protect critical business processes and the processed personal data while at the same time complying with legal and normative requirements.

Data subjects: Software user, Contact persons (inside and outside the client's company), Persons who come into contact with the client via the software
Legal basis: Processor contract (Art. 28)
Retention period: Until the end of the contract term (Duration: None)

Third-party applications:

 

Newsletter

Provides targeted information to existing and potential customers and partners about news, developments and events in the field of GRC software solutions in order to strengthen customer loyalty and promote knowledge transfer.

Data subjects: Newsletter subscribers
Legal basis: Consent (Art. 6 Sec. 1 lit. a)
Retention period: Opt-Out (Duration: None)

Third-party applications:

 

Recruiting

Used to implement measures to recruit, select and hire qualified employees in order to cover the company's personnel requirements and ensure that open positions are filled effectively.

Data subjects: Applicants
Legal basis: Contract (Art. 6 Sec. 1 lit. b)
Retention period: Applicant data (persons not recruited) (Duration: 6 Months)
Documents and data of applicants who are not hired must be kept for a limited period of time for reasons of possible later legal claims (discrimination, equal treatment).
Third-party applications:

 

Website & SEO

Enables the provision and optimization of the company website and all associated online presences in order to provide interested parties and customers with comprehensive information on GRC solutions and services, facilitate communication, analyze user behavior, ensure the security and functionality of the systems and ensure compliance with relevant legal and normative requirements.

Data subjects: Website visitors
Legal basis: Legitimate Interest (Art. 6 Sec. 1 lit. f), Consent (Art. 6 Sec. 1 lit. a)
Retention period: Application logs from SaaS platform (Duration: 1 Year)
System and access logs from the SaaS environment, including log data on user logins, changes to settings, API calls and security-related events. These logs are used for traceability, security, error analysis and compliance (e.g. ISO 27001, GDPR).
Third-party applications:

 

2. Data Subject Rights

2.1. Right to Information, Rectification, Restriction, Erasure

Within the framework of the statutory provisions, you are entitled at any time to request, free of charge, information about the data concerning your person, its origin, possible recipients, and the purpose of the processing. Furthermore, you are entitled to request the deletion of data concerning your person, any correction thereof, or the restriction of processing.

2.2. Right to Object

If the processing of data concerning your person is not based on the consent of the data subject, the data subject is entitled at any time to object to the processing by Akarion. Akarion points out that the statutory retention periods remain unaffected by any possible objection.
You may revoke your consent to the processing of your personal data at any time without stating reasons. Please contact Akarion informally at: datenschutz@akarion.com, by post, verbally when making contact, or use any provided links (e.g. unsubscribe in the newsletter).

2.3. Right to Data Portability

You have the right at any time to request the release of data that we process automatically on the basis of your consent or in fulfillment of a contract, either to yourself or to third parties. Where technically feasible, the data will be provided in a machine-readable format.

2.4. Exercising Data Subject Rights

If you wish to exercise one of the listed rights/your rights, please contact: datenschutz@akarion.com or contact Akarion by post at the address stated above.

2.5. Right to Lodge a Complaint with the Competent Supervisory Authority

If you suspect improper handling of the data concerning your person by Akarion, you are entitled at any time to lodge a complaint with the competent supervisory authority.

The supervisory authorities responsible for us are:

In Austria:
Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna
T: +43 1 52 152-0
M: dsb@dsb.gv.at

In Germany:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
m: poststelle@lda.bayern.de

3. Disclosure of Personal Data

At Akarion, personal data is processed in part by processors. In doing so, Akarion uses only those processors that provide sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that the processing is carried out in accordance with data protection requirements and ensures the protection of the rights of the data subject. The processing of personal data by Akarion's processors is in any case based on a corresponding contract between Akarion and the processor.
Third parties will not be granted access to your data unless expressly agreed otherwise or another legal basis permits or requires the disclosure.

4. Data Security

Akarion maintains technical and organizational measures to ensure data security, in particular to protect personal data against risks during data transmission and against access by third parties. Akarion's employees are trained in and obligated to handle personal data carefully.
When using this website, encrypted transmission by means of SSL (Secure Socket Layer) or TLS (Transport Layer Security) takes place, provided that the website is accessed via https://akarion.com .