1. Introduction
We process personal data in line with EU GDPR. By using our service, you agree to this Privacy Policy.
2. Data Controller and Contact
Controller: MABTED GmbH, Gertigstraße 5, 22303 Hamburg, Germany – privacy@mabted.com
3. Categories of Data
- Contact data; account data (settings, preferences)
- Influencer data (names, email addresses, social media handles, follower counts, niches)
- Brand data (company names, contact persons)
- Campaign and engagement data (contracts, budgets, periods, deliverables)
- Performance metrics (TKP, ROAS, engagement rates, revenue data)
- Shopify account data and revenue information
- Gmail account data and email threads
- Application and usage data (rules, schedules, logs, IP/browser/device)
4. Purpose and Legal Basis
| Purpose | Legal Basis |
|----------------|------------------------------|
| Provide and operate service | Art. 6(1)(b) GDPR |
| User communication | Art. 6(1)(b) GDPR |
| Security/misuse prevention | Art. 6(1)(f) GDPR |
| Product improvement | Art. 6(1)(f) GDPR |
| Legal compliance | Art. 6(1)(c) GDPR |
5. Recipients and Transfers
We share data only when legally permitted or with your consent. Typical recipients: Supabase Inc. (hosting, database, authentication), Vercel Inc. (frontend hosting), Google Ireland Ltd. (Gmail integration), Shopify Inc. (Shopify integration), Stripe Payments Europe Ltd. (payment processing, if used). Transfers to third countries take place only with guarantees (Art. 46 GDPR).
6. Google User Data Usage
Our application uses the Google OAuth 2.0 API to connect your Gmail account. Below we disclose what Google user data is accessed and how it is used.
Google user data accessed:
- Your Google account email address (via the "openid" and "email" scopes) to identify the connected account
- Gmail message content, headers, and metadata (via the "gmail.readonly" scope) to read and display email threads within the application
- Gmail send capability (via the "gmail.send" scope) to send emails on behalf of the user directly from the application
How Google user data is used:
- Email address: Displayed in settings to identify the connected Gmail account
- Gmail read access: To fetch and display email conversations related to influencer communications within the application
- Gmail send access: To send outreach and communication emails to influencers directly from the application using the user's Gmail account
- Refresh tokens are encrypted (AES-256) and stored in our database solely for the purpose of refreshing access tokens for the above functionalities
Restrictions on use:
- Google user data is not shared with or sold to third parties
- Google user data is not used for advertising purposes
- Google user data is not used for purposes beyond the functionality described above
- Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements
Revoking access:
- Users can disconnect their Gmail integration at any time via Settings > Email > "Disconnect" in the application
- Upon disconnection, stored tokens are immediately deleted from our database
- Users can also revoke access directly via their Google Account security settings under "Third-party apps with account access"
7. Storage Duration
We retain data only as long as necessary; data is deleted or anonymized within 30 days after account deletion.
8. Cookies and Tracking
- Sessions
- Preferences
- Anonymous analytics
9. Your Rights
- Access, rectification, erasure (Art. 15-17 GDPR)
- Restriction (Art. 18 GDPR)
- Portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
Contact us at privacy@mabted.com to exercise your rights. We respond within 30 days.
10. Data Security
TLS encryption in transit and AES-256 at rest, role-based access system, encrypted API tokens and access keys, logging of all access, regular security updates; EU hosting (Frankfurt/Amsterdam).
11. Changes
We may update this policy; the latest version can be found on our website.
12. Contact
Contact: privacy@mabted.com or the Hamburg Commissioner for Data Protection and Freedom of Information.