Privacy Policy / Datenschutzerklärung

Last updated: 2025-04-11

1. Data Controller
2. Processing Purposes and Legal Basis
3. Data Categories
4. Retention Periods
5. International Transfers
6. Your Rights
7. Processing Agreement (Art. 30 AVV)
8. Contact / Data Subject Requests

1. Data Controller

MABAAM Ltd.
1010 Vienna, Austria
Email: privacy@mabaam.ai
(Represented by the managing director named in the imprint)

2. Processing Purposes and Legal Basis

We process personal data for the following purposes:

Contract performance (Art. 6(1)(b) GDPR): Provision of the MABAAM software license, customer portal, and subscription management.
Consent (Art. 6(1)(a) GDPR): Sending of marketing communications (if opted in) and optional analytics.
Legitimate interest (Art. 6(1)(f) GDPR): Security monitoring, fraud prevention, and improvement of our services.

3. Data Categories

We process the following categories of personal data:

Email address
Full name (if provided)
License key(s) and subscription status
IP address and session ID (for authentication and security)
Usage logs (e.g., login events, license activations)

4. Retention Periods

User data (account information, license data): Retained until the account is deleted or the user requests erasure.
Audit logs (GoBD compliance): 10 years from the date of creation (as required by German/Austrian tax and accounting regulations).
Contractual data (invoices, subscription records): 7 years as required by Austrian commercial law.

5. International Transfers

All personal data is stored and processed exclusively on servers located within the European Union (EU) or the European Economic Area (EEA). We utilise Hetzner (Germany/Finnland) as our infrastructure provider. No transfers to third countries take place. Our Data Processing Agreement (DPA) with Hetzner ensures compliance with Art. 28 GDPR.

6. Your Rights

Under the GDPR, you have the following rights:

Right of access (Art. 15): Request a copy of your personal data.
Right to rectification (Art. 16): Request correction of inaccurate data.
Right to erasure (Art. 17): Request deletion of your data ('right to be forgotten').
Right to restriction of processing (Art. 18): Request limited processing.
Right to data portability (Art. 20): Receive a structured, commonly used, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interest.

To exercise any of these rights, please use our GDPR request portal or contact us at privacy@mabaam.ai.

7. Processing Agreement (Art. 30 AVV)

We maintain a data processing agreement (Auftragsverarbeitungsvertrag – AVV) with each processor, as required by Art. 28 GDPR. Our current sub-processors are listed in our Data Processing Agreement (DPA). The AVV documents all processing activities, purposes, and security measures.

8. Contact / Data Subject Requests

For any questions or requests regarding your personal data, please contact our Data Protection Officer (DPO) at dpo@mabaam.ai or via the GDPR request portal.