Cookie Policy

1. Introduction

This Cookie Policy explains how Mav9 Technologies GmbH ("Mav9," "we," "us," or "our") uses cookies and similar tracking technologies when you visit our website at mav9.com and any associated subdomains, or when you use the Mav9 platform as an Authorised User.

This policy should be read alongside our Privacy Policy, which provides comprehensive information about how we process personal data, and our Terms of Service, which govern your use of the Services.

Controller information:

• Mav9 Technologies GmbH, Mühsamstraße 69, 10249 Berlin, Germany

• HRB 275780 B, AG Charlottenburg — VAT: DE456799572

• Email: Turn on Javascript to see the email adress [code: p01]

For users in the United Kingdom, the controller is Mav9 Technologies Ltd, C/O Windsor House Station Court, Station Road, Great Shelford, Cambridge, CB22 5NE (Company No. 17029756).

2. What Are Cookies?

Cookies are small text files that are placed on your computer or mobile device when you visit a website. They are widely used to make websites work efficiently, to provide reporting information, and to assist with personalisation.

First-party cookies are set directly by the website you are visiting (mav9.com). Third-party cookies are set by a domain other than the website you are visiting — for example, by analytics or advertising services embedded in the page.

In addition to cookies, we may use similar technologies such as:

• Local storage — data stored in your browser's local storage that persists across sessions

• Session storage — data stored in your browser that is cleared when the tab or window is closed

• Pixel tags / web beacons — tiny invisible images embedded in web pages or emails to track interactions

When we refer to "cookies" in this policy, we mean cookies and all similar tracking technologies unless otherwise stated.

3. Legal Framework

Our use of cookies is governed by multiple legal frameworks depending on your location. We apply the strictest standard globally to ensure compliance across all jurisdictions.

3.1 European Union — GDPR and ePrivacy Directive

Under Article 5(3) of the ePrivacy Directive (2002/58/EC), as interpreted by the Court of Justice of the European Union in Planet49 (Case C-673/17), storing or accessing information on a user's device requires the user's prior, informed, and freely given consent — except where the cookie is strictly necessary to provide a service explicitly requested by the user.

The General Data Protection Regulation (EU) 2016/679 ("GDPR") applies to the processing of any personal data collected through cookies. Article 6(1)(a) GDPR requires that consent be freely given, specific, informed, and unambiguous. Article 7 GDPR sets out conditions for valid consent, including that withdrawal must be as easy as giving consent.

3.2 Germany — TDDDG (§ 25)

The Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG), which replaced the TTDSG, implements the ePrivacy Directive in German law. Section 25(1) TDDDG provides:

"The storage of information in the end-user's terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information."

Section 25(2) TDDDG provides an exception for cookies that are strictly necessary for providing a telemedia service explicitly requested by the user.

In accordance with the guidance of the Datenschutzkonferenz (DSK — Conference of German Data Protection Authorities), our consent mechanism ensures that:

• Consent is obtained before any non-essential cookies are set

• Rejecting cookies is as easy as accepting them (no dark patterns)

• Users receive clear and comprehensive information about each cookie category

• Consent can be withdrawn at any time with the same ease as it was given

• Consent records are documented and retained for audit purposes

As of 1 April 2025, the German Consent Management Ordinance (Einwilligungsverwaltungsverordnung) under § 26 TDDDG provides a legal framework for recognised consent management services. We monitor developments in this area and will adopt a recognised service when available and appropriate.

3.3 United Kingdom — UK GDPR and PECR

The Privacy and Electronic Communications Regulations 2003 (PECR), as amended, require prior consent for non-essential cookies. The UK GDPR provides the standard for valid consent. The Information Commissioner's Office (ICO) guidance confirms that:

• Implied consent (e.g., "by continuing to browse") is not valid

• Pre-ticked boxes are not valid consent

• Cookie walls that deny access unless all cookies are accepted are generally not compliant

3.4 United States — CCPA/CPRA and State Privacy Laws

While US federal law does not currently require cookie consent banners, several state privacy laws impose disclosure and opt-out obligations:

• California (CCPA/CPRA): Requires disclosure of cookie-based data collection and an opt-out mechanism for "sale" or "sharing" of personal information for cross-context behavioural advertising. We honour Global Privacy Control (GPC) signals natively as valid opt-out requests.

• Other states (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, etc.): Similar opt-out requirements for targeted advertising. We extend the same protections to residents of all US states with comprehensive privacy laws.

Mav9 does not sell personal information and does not share personal information for cross-context behavioural advertising.

4. How We Obtain Your Consent

When you first visit our website, a cookie consent banner is displayed. This banner:

1. Blocks all non-essential cookies until you make a choice — no analytics, functional, performance, marketing, or other non-essential cookies are loaded before you consent

2. Provides equal prominence to "Accept All" and "Reject All" buttons, in compliance with DSK guidance and ICO recommendations

3. Offers granular control — you can accept or reject individual cookie categories (Necessary, Functional, Analytics, Performance, Advertisement) via the preference centre

4. Links to this Cookie Policy for full transparency before you make a choice

5. Records your consent with a timestamp, consent ID, and the specific categories you accepted or rejected, retained for audit purposes

Your consent preferences are stored in the cookieyes-consent cookie for 12 months. You may change or withdraw your consent at any time (see Section 9).

5. Cookie Categories and Inventory

We categorise cookies into six groups based on their purpose. Below is a comprehensive inventory of all cookies used on mav9.com and the Mav9 platform.

5.1 Strictly Necessary Cookies

Consent required: No — these cookies are exempt under § 25(2) TDDDG, Article 5(3) ePrivacy Directive, and Regulation 6(4) PECR because they are strictly necessary to provide a service you have explicitly requested.

Purpose: These cookies are essential for the website and platform to function. They enable consent preference storage and core site functionality. They do not collect personally identifiable information for marketing or analytics purposes.

Cookie inventory:

5.2 Functional Cookies

Consent required: Yes — under § 25(1) TDDDG, Article 6(1)(a) GDPR, and PECR Regulation 6.

Purpose: Functional cookies enable enhanced functionality and personalisation, such as remembering your language preferences, region, or display settings. They may be set by us or by third-party providers whose services we have integrated. If you do not allow these cookies, some or all of these features may not function properly.

Cookie inventory:

5.3 Analytics Cookies

Consent required: Yes — under § 25(1) TDDDG, Article 6(1)(a) GDPR, and PECR Regulation 6.

Purpose: Analytics cookies help us understand how visitors interact with our website and platform by collecting and reporting information on usage patterns. This data is used to improve user experience, identify issues, and measure the effectiveness of content. All analytics data is processed within the European Union.

Cookie inventory:

5.4 Performance Cookies

Consent required: Yes — under § 25(1) TDDDG, Article 6(1)(a) GDPR, and PECR Regulation 6.

Purpose: Performance cookies collect information about how the website performs — such as page load times, error rates, and server response times — to help us maintain and improve technical quality. These cookies do not collect information that identifies individual visitors.

Cookie inventory:

5.5 Advertisement / Marketing Cookies

Consent required: Yes — under § 25(1) TDDDG, Article 6(1)(a) GDPR, and PECR Regulation 6.

Purpose: Advertisement cookies are used to deliver relevant advertising content and to measure the effectiveness of marketing campaigns. These cookies may track your browsing activity across websites and build a profile of your interests. We only set these cookies with your explicit prior consent.

Cookie inventory:

5.6 Uncategorised Cookies

Purpose: Cookies that have not yet been classified into the above categories. These may appear temporarily when new third-party services are integrated or when scripts set cookies that have not yet been reviewed.

Cookie inventory:

6. Third-Party Cookies and Data Transfers

Some cookies on our website are set by third-party services. When these third parties process personal data collected via cookies, they may act as independent controllers or joint controllers. The following third parties set cookies on mav9.com:

• PostHog, Inc. (San Francisco, USA / EU-hosted) — Product analytics. All data processed in the EU (Frankfurt). Covered by SCCs.

For full details on international data transfers and safeguards, see Section 8 of our Privacy Policy.

7. Website Analytics Without Cookies

Our website (mav9.com) is hosted on Framer, which provides built-in website analytics. Framer's analytics are:

• Aggregated and anonymised — no individual visitor profiles are created

• Cookie-free — no cookies are set for this purpose

• Server-side — data is processed on Framer's servers without accessing your device

This means that basic website analytics (page views, traffic sources, geographic regions) are collected without requiring your consent, as no information is stored on or accessed from your device.

8. How Long Do Cookies Last?

Cookies have different lifespans depending on their purpose:

• Session cookies are temporary and are deleted when you close your browser.

• Persistent cookies remain on your device for a set period or until you manually delete them. Examples: cookieyes-consent (1 year), PostHog analytics cookie (1 year).

The specific duration for each cookie is listed in Section 5 above.

9. How to Manage and Revoke Your Cookie Consent

You have full control over your cookie preferences at all times.

9.1 Via Our Cookie Preference Centre

You can change or withdraw your cookie consent at any time by clicking the "Cookie Settings" link in the footer of every page on our website. This opens the CookieYes preference centre, where you can:

• View all cookie categories and their purposes

• Enable or disable individual categories

• Withdraw consent for all non-essential cookies with a single click

In accordance with DSK guidance, withdrawing consent requires no more effort than initially giving it.

9.2 Via Browser Settings

Most web browsers allow you to manage cookies through their settings. You can:

• View and delete existing cookies

• Block all cookies or only third-party cookies

• Configure exceptions for specific websites

Please note that blocking all cookies may impair the functionality of some website features, particularly login and authentication.

Common browser cookie management pages:

• Chrome: Settings → Privacy and Security → Cookies and other site data

• Firefox: Settings → Privacy & Security → Cookies and Site Data

• Safari: Preferences → Privacy → Manage Website Data

• Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data

9.3 Via Global Privacy Control (GPC)

We natively respect Global Privacy Control (GPC) signals sent by your browser. If your browser sends a GPC signal, we treat it as a valid opt-out of all non-essential cookies and do not set marketing or analytics cookies. This is in compliance with the CCPA/CPRA and aligns with the recommendations of several European data protection authorities.

9.4 Via Do Not Track (DNT)

While the Do Not Track (DNT) browser signal does not have a universally agreed legal standard, we honour DNT signals by not loading marketing cookies when detected.

10. Cookie Audits and Governance

To maintain audit readiness for SOC 2 Type II and ISO/IEC 27001:2022 compliance, we maintain the following cookie governance practices:

• Quarterly cookie audits — We scan mav9.com and the Mav9 platform quarterly using automated cookie scanning tools to identify all cookies, classify them, and verify that our cookie inventory is accurate and complete.

• Change management — Any new cookie or tracking technology must be reviewed and approved by the privacy team before deployment. This includes assessing the cookie's purpose, legal basis, data collected, retention period, and third-party data sharing.

• Consent record retention — All consent records (consent ID, timestamp, user agent, categories consented to) are retained for a minimum of 3 years for audit and compliance purposes, as evidence that valid consent was obtained.

• Vendor assessments — All third-party cookie providers are subject to our vendor security assessment process, including review of their SOC 2 reports, data processing agreements, and international transfer safeguards.

• Continuous monitoring — Our consent management platform (CookieYes) is monitored to ensure that non-essential cookies are effectively blocked prior to consent and that consent is properly recorded.

The results of cookie audits are documented and available for review by auditors upon request.

11. Children's Data

Our website and platform are designed for B2B professionals. We do not knowingly collect personal data via cookies from individuals under 16 years of age (EEA) or 13 years of age (UK/US). Our cookie consent mechanism requires an affirmative action that we reasonably expect only adults in a professional context to perform.

12. Changes to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in law, regulation, our use of cookies, or audit findings. We will notify you of material changes by:

• Updating the "Effective Date" at the top of this policy

• Displaying a notice on our website for at least 30 days

• Resetting your cookie consent preferences so that you can make a fresh, informed choice about the updated cookie categories

Minor, non-substantive changes (such as corrections of typographical errors) may be made without advance notice.

13. Your Rights

Depending on your jurisdiction, you may have additional rights in relation to the personal data collected via cookies, including the right to access, rectify, erase, restrict processing, data portability, and object to processing. For full details, see Section 11 of our Privacy Policy.

To exercise any of these rights, contact Turn on Javascript to see the email adress [code: p01].

14. Supervisory Authorities

If you believe our use of cookies violates your data protection rights, you have the right to lodge a complaint with a supervisory authority:

• Germany: Berliner Beauftragte für Datenschutz und Informationsfreiheit

• United Kingdom: Information Commissioner's Office (ICO), or its successor body, the Information Commission

• Other EU Member States: The supervisory authority of your habitual residence or place of work

15. Contact Us

For any questions about this Cookie Policy or our use of cookies and tracking technologies:

• Email: Turn on Javascript to see the email adress [code: p01]

• Security concerns: Turn on Javascript to see the email adress [code: s01]

• EU Post: Mav9 Technologies GmbH, Attn: Privacy, Mühsamstraße 69, 10249 Berlin, Germany

• UK Post: MAV9 Technologies Ltd, C/O Windsor House Station Court, Station Road, Great Shelford, Cambridge, CB22 5NE

[ End of Cookie Policy ]

Last updated: 19 March 2026 | Effective date: 19 March 2026

© 2026 Mav9 Technologies GmbH.