Privacy Policy

Last updated: Feb 3, 2026

This Privacy Policy explains how Acava GmbH ("Acava", "we", "us", "our") processes personal data when you access or use the Acava AI assistant platform and related services (the "Services"). It applies to:

  • visitors of our website
  • users of the platform and workspaces
  • workspace members and administrators
  • individuals whose personal data is processed through connected accounts and integrations (for example email recipients, contacts, calendar invitees, and collaborators)

We process personal data in accordance with the principles of the GDPR, in particular purpose limitation, data minimization, and storage limitation. We implement safeguards to reduce the amount of personal data processed to what is necessary for the respective purpose.

1. Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Acava GmbH
[ADDRESS]
Email: [EMAIL]
Registered in the commercial register (Handelsregister) at [REGISTER_COURT] under HRB [HRB_NUMBER].

Privacy contact for data protection requests:
Email: [PRIVACY_EMAIL]

2. Roles Under GDPR (Controller and Processor)

Controller. Acava acts as a data controller for personal data that we process for our own purposes, including account administration, authentication, billing, security, fraud prevention, service operation, and product analytics (where applicable).

Processor. When Acava processes Customer Content from connected accounts and integrations (including emails, calendars, files, contacts, messages, prompts, and outputs) on your instructions, Acava acts as a data processor on your behalf. In such cases, the Data Processing Agreement (DPA) governs the processing and the allocation of responsibilities.

Workspace responsibility. If you are a workspace owner or administrator, you are responsible for ensuring that you have a valid legal basis to process personal data of workspace members and third parties through the Services and to instruct Acava accordingly. This includes informing data subjects as required and ensuring that any necessary consents or other legal bases are in place.

3. Categories of Personal Data

We may process the following categories of personal data:

  • Account data (name, email, authentication identifiers and login events via Auth0)
  • Billing data (billing address, invoices, payment status, and payment metadata via payment providers)
  • Workspace data (workspace name, membership, roles, permissions, configuration settings)
  • Connected account and integration metadata (provider identifiers, scopes/permissions, sync state, tokens where applicable)
  • Customer Content processed through integrations (emails, calendar entries, files, messages, prompts, outputs, contacts, and related content)
  • Action metadata (for example timestamps, action type, recipient identifiers, system status, error messages, request identifiers, audit trails)
  • Usage and performance data (aggregated, privacy-friendly analytics via Plausible, where applicable)
  • Security and audit logs (access logs, device/session identifiers, security events)
  • Support communications (if you contact us)

We do not intentionally collect special categories of personal data (Art. 9 GDPR). However, such data may be included in Customer Content provided by you or processed through connected accounts (for example within email content). In those cases, you control whether such data is processed through the Services and must ensure an appropriate legal basis.

4. Sources of Personal Data

We collect personal data from:

  • you directly (for example when creating an account, configuring a workspace, or contacting support)
  • your organization or workspace administrators (for example when they invite you to a workspace)
  • connected accounts and integrations that you authorize (for example Google or Microsoft services), including Customer Content and related metadata

In particular, personal data of third parties (for example email recipients, contacts, calendar invitees, and file collaborators) may be processed when it appears in Customer Content or metadata obtained through connected accounts.

5. Purposes of Processing

We process personal data for the following purposes:

  • Providing and operating the Services (including maintaining accounts and workspaces)
  • Authentication, access control, and account security
  • Performing Actions configured by users (including automated, background, or scheduled actions)
  • Syncing and processing Customer Content through connected accounts and integrations
  • Preventing abuse, fraud, and security incidents, and ensuring auditability
  • Billing, subscription management, and accounting
  • Improving reliability, performance, and functionality of the Services
  • Compliance with legal obligations and enforcing our terms
  • Support and communications

6. Legal Bases (Art. 6 GDPR)

We rely on the following legal bases, depending on context and purpose:

  • Art. 6(1)(b) GDPR (performance of contract) for providing the Services, enabling workspaces, and performing Actions you request or configure
  • Art. 6(1)(c) GDPR (legal obligation) for compliance, record-keeping, and applicable statutory requirements
  • Art. 6(1)(f) GDPR (legitimate interests) for security, service integrity, abuse prevention, fraud prevention, incident response, operational reliability, and ensuring auditability
  • Art. 6(1)(a) GDPR (consent) where required, for example for optional features or specific processing that requires consent under applicable law

Legitimate interests. Our legitimate interests include keeping the Services secure, preventing misuse and fraud, maintaining availability and performance, ensuring auditability, defending legal claims, and improving the Services. We balance these interests against your rights and freedoms and implement safeguards (for example access controls, minimization of logged data, and retention limits).

Where Acava acts as a processor (see Section 2), the legal basis for processing Customer Content is determined by you as controller, and the processing is performed under the DPA on your documented instructions.

7. Use of AI Providers

To generate Outputs and provide AI functionality, Customer Content may be processed by AI providers, including OpenAI, Google (Gemini), and Anthropic (Claude), acting as processors or subprocessors, as applicable. This processing may include understanding content, summarization, drafting, classification, extraction, and similar AI-assisted features.

Customer Content is not used to train general AI models unless you explicitly opt into such functionality (if offered). If we offer an opt-in training or improvement feature, it will be clearly described in the product and will require your explicit consent.

We take steps to limit access to and use of Customer Content by AI providers to what is necessary for providing the requested functionality, subject to the DPA, contractual safeguards, and appropriate technical and organizational measures.

8. Automated Processing and AI Outputs

The Services use AI-assisted processing to generate Outputs and may support automated or scheduled Actions configured by users. AI-generated Outputs can be inaccurate, incomplete, or inappropriate for your use case.

No replacement of human decision-making. The Services are not designed to replace human decision-making. You remain responsible for evaluating Outputs and for exercising appropriate human oversight over Actions, including automated or scheduled Actions, especially where required by law or internal policies.

No solely automated legal decisions by default. Acava does not intend to make solely automated decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Art. 22 GDPR. However, users may configure Actions (including automated or scheduled actions) that can produce external effects (for example sending messages or creating calendar events). You remain responsible for such configurations and for ensuring appropriate human oversight where required.

If you believe a specific feature constitutes profiling or automated decision-making within the meaning of Art. 22 GDPR in your use case, please contact us at [PRIVACY_EMAIL] so we can assess the configuration and provide appropriate information and safeguards.

9. Recipients and Categories of Recipients

We may disclose personal data to the following categories of recipients, as necessary for the purposes described above:

  • Hosting and infrastructure providers (for example Hetzner Cloud, EU)
  • Authentication providers (Auth0)
  • Analytics providers (Plausible) where applicable
  • AI providers (for example OpenAI, Google, Anthropic) to deliver AI functionality
  • Payment processors and billing service providers
  • Customer support and operational tooling providers (where used)
  • Professional advisors (lawyers, auditors) where necessary
  • Authorities or other recipients where legally required

Recipients process personal data either (i) on our documented instructions for the purposes described in this Privacy Policy where Acava acts as controller, or (ii) as subprocessors under the DPA where Acava acts as processor, in each case subject to appropriate contractual, technical, and organizational safeguards.

When Acava acts as a processor, disclosures to subprocessors occur under the DPA. A current list of subprocessors and their locations is made available under the DPA or on request.

10. Subprocessors (Processor Context)

When we act as a processor, we use carefully selected subprocessors for hosting, authentication, analytics, AI processing, and infrastructure. These may include:

  • Hosting providers in the European Union (Hetzner Cloud)
  • Auth0 for authentication
  • Plausible.io for privacy-friendly analytics (where applicable)
  • AI providers (OpenAI, Google, Anthropic)
  • Payment processors

Subprocessors process personal data only on documented instructions and subject to the DPA, including appropriate confidentiality obligations, technical and organizational measures, and restrictions on engaging further subprocessors.

A current list of subprocessors, including locations and the relevant processing, is available in the DPA or upon request, consistent with the DPA.

11. Cookies, Similar Technologies, and Website Analytics

Cookies. Our website is designed to work without tracking cookies. We may use technically necessary cookies or similar technologies (e.g. session cookies) where required for the operation, security, and basic functionality of the website and Services (for example to maintain a session or to protect against abuse). Such technically necessary technologies are used on the basis of Art. 6(1)(f) GDPR and, where applicable, Section 25(2) of the German Telecommunications-Telemedia Data Protection Act (TTDSG) (or any successor provision), and to provide the requested service under applicable local law.

No marketing or advertising cookies. We do not use marketing, tracking, or advertising cookies.

Plausible analytics. We use Plausible Analytics, a privacy-friendly analytics solution. Plausible is designed to operate without cookies and without persistent identifiers. Analytics data is aggregated.

Depending on the configuration, limited technical information (for example a truncated IP address, browser or user agent information, and page interaction events) may be processed to produce aggregated statistics. We configure analytics to minimize data collection and avoid unnecessary tracking.

If a consent requirement applies in your jurisdiction due to specific configurations or additional tools, we will implement an appropriate consent mechanism. If you notice behavior that appears inconsistent with this policy, please contact us at [PRIVACY_EMAIL].

12. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, subject to legal obligations and legitimate retention needs. Retention periods may vary depending on the specific processing context, workspace configuration, and applicable legal requirements.

  • Account and workspace data: retained for the duration of your account or workspace membership and as needed for service administration.
  • Customer Content (processor context): retained as long as configured by you or as long as your account is active, subject to your deletion/export actions and the DPA.
  • Billing and accounting records: retained as required by applicable law, including applicable commercial and tax retention obligations.
  • Security logs and action metadata: retained for a limited period necessary for security, auditing, fraud prevention, and incident response, and may be retained longer where needed to establish, exercise, or defend legal claims.

After termination, Customer Content is deleted after a reasonable export period unless legal retention obligations apply or retention is necessary to establish, exercise, or defend legal claims. Specific retention settings may also be controlled by workspace configuration.

13. International Data Transfers

We primarily process data within the EU/EEA. Where personal data is transferred outside the EU/EEA (for example to certain AI providers or service providers), we implement appropriate safeguards under GDPR, such as:

  • Standard Contractual Clauses (SCCs)
  • additional technical and organizational measures where required
  • adequacy decisions where applicable

You may request further information about transfer safeguards by contacting us at [PRIVACY_EMAIL], subject to confidentiality and security constraints.

14. Your Rights

Depending on the applicable law, you have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR), in particular where we rely on legitimate interests
  • Withdraw consent at any time (Art. 7(3) GDPR) where processing is based on consent (withdrawal does not affect the lawfulness of processing before withdrawal)

To exercise your rights, contact us at [PRIVACY_EMAIL]. We may request information to verify your identity.

You also have the right to lodge a complaint with a supervisory authority. You can contact the supervisory authority in your place of residence, workplace, or where an alleged infringement occurred, or the authority competent for Acava's establishment. Competent authority for Acava's establishment:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
https://www.lda.bayern.de

Processor context note. If Acava acts as a processor for Customer Content, you (or your workspace owner/controller) are the primary point of contact for data subject requests related to that Customer Content. We will assist controllers as required under the DPA.

15. Information for Individuals Whose Data We Process via Connected Accounts (Art. 14 GDPR)

If your personal data is processed because it appears in Customer Content or metadata from a user's connected account (for example you are an email recipient, contact, calendar invitee, or file collaborator), the following applies:

  • Source: the data originates from the user's connected account or integration that the user authorized.
  • Purpose: enabling the Services for the user, including organizing, summarizing, drafting, and performing user-configured Actions.
  • Legal basis: typically Art. 6(1)(b) GDPR (contract) and/or Art. 6(1)(f) GDPR (legitimate interests) in the controller context, and user-determined legal basis in the processor context.
  • Recipients: categories described in Sections 9 and 10.
  • Retention: described in Section 12, subject to user/workspace configuration and the DPA.

Acava does not have a direct relationship with such individuals and processes such data solely on behalf of the relevant user/controller, unless Acava acts as controller for a specific processing activity described in this policy.

Providing individual notice to every affected third party may be impossible or involve disproportionate effort, especially for large contact and communication graphs. Where permitted, Acava may rely on the exception under Art. 14(5)(b) GDPR for providing information, while still implementing appropriate safeguards and transparency through this policy and through contractual commitments with customers via the DPA.

If you are such an individual and wish to exercise your rights, you may contact the relevant user/controller (for example the organization operating the workspace) or contact us at [PRIVACY_EMAIL]. We will route the request as appropriate and consistent with the DPA and applicable law.

16. Security Measures

Acava implements appropriate technical and organizational measures (TOMs) to protect personal data, including: encryption in transit, access controls, principle of least privilege, audit logging, token management, secure infrastructure configuration, incident response procedures, and regular security improvements.

No system can be guaranteed to be 100% secure. You are responsible for keeping your credentials secure and for properly configuring workspace permissions and connected account scopes.

17. Requirement to Provide Data

Certain personal data is necessary to provide the Services (for example account identifiers for authentication and billing information for paid plans). If you choose not to provide required data, we may not be able to provide the Services or certain features.

Connecting third-party accounts is optional. If you connect accounts, the Services will process the associated Customer Content and metadata as configured by you.

18. Changes to this Policy

We may update this Privacy Policy to reflect legal, technical, or operational changes. We will inform users in an appropriate manner (for example in-product notice or email) where required.

Where Acava acts as a processor, this Privacy Policy is supplemented and specified by our Data Processing Agreement (DPA).

© 2026 Acava GmbH
