Privacy Policy

Art. 13, 14 EU GDPR

Version 2.0

We believe privacy is a fundamental right — not fine print. This policy explains clearly and honestly what personal data we collect, why we collect it, and what we do with it. We will never sell your personal data. We will never use your data to train AI models. We will always give you control over your information.

1. Who We Are

1.1 Data Controllers

Depending on where you are located, the controller of your personal data is:

  • Mav9 Technologies GmbH — European Union / Global — Mühsamstraße 69, 10249 Berlin, Germany – HRB 275780 B, AG Charlottenburg – VAT: DE456799572

  • Mav9 Technologies Ltd — United Kingdom — C/O Windsor House Station Court, Station Road, Great Shelford, Cambridge, CB22 5NE – Company No. 17029756

Managing Directors: Andreas Groke, Marius Groke

If you are located in the EEA or Switzerland, Mav9 Technologies GmbH is your data controller. If you are located in the United Kingdom, MAV9 Technologies Ltd is your data controller. For all other locations, Mav9 Technologies GmbH is your data controller unless otherwise specified in your agreement with us.

Both entities are established in their respective jurisdictions and do not require the appointment of an EU or UK representative under Article 27 of the EU GDPR or UK GDPR respectively.

1.2 Data Protection Contact

We have not appointed a Data Protection Officer because we are not legally required to do so under § 38 of the German Federal Data Protection Act (BDSG) read together with Article 37 of the EU GDPR. Instead, you may contact our dedicated internal privacy team for any questions or requests:

  • Email: [privacy email address]

  • Postal address: Mav9 Technologies GmbH, Attn: Privacy, Mühsamstraße 69, 10249 Berlin, Germany

2. Scope of This Policy

2.1 What This Policy Covers

This Privacy Policy applies to personal data we process when you:

  • Visit our website at mav9.com and any associated subdomains

  • Use the Mav9 platform as an Authorised User of one of our customers

  • Submit forms on our website (waitlist sign-ups, contact forms, demo requests)

  • Participate in sales, demo, or onboarding calls

  • Submit feature requests or bug reports through our feedback channels

  • Apply for a job with us

  • Receive communications from us (newsletters, changelogs, marketing emails)

  • Sign documents via our electronic signature service

  • Interact with us on social media (LinkedIn)

2.2 What This Policy Does Not Cover

Customer Data processed on behalf of our clients: When our customers (venture capital and private equity firms) upload or process data through the Mav9 platform, we act as a data processor on their behalf. That processing is governed by our Data Processing Agreement (DPA), available at trust.mav9.com, not this Privacy Policy. If your personal data was submitted to our platform by one of our customers, please contact that organisation directly regarding your data rights.

2.3 How This Policy Relates to Other Documents

This Privacy Policy is part of a suite of legal documents available at our Trust Center (trust.mav9.com): the Master Service Agreement (MSA), the Terms of Service (ToS), the Data Processing Agreement (DPA), the Cookie Policy, the Acceptable Use Policy (AUP), and the Service Level Agreement (SLA). In the event of conflict between this Privacy Policy and the DPA with respect to the processing of Personal Data, the DPA shall prevail.

3. Data We Collect

We collect different types of data depending on how you interact with us. We have organised this section by category of data subject.

3.1 Website Visitors

  • Technical data — IP address (anonymised), browser type/version, OS, screen resolution, device type — Automatically via your browser

  • Usage data — Pages visited, time spent, referral source, click paths — Framer built-in analytics (no cookies, aggregated/anonymised)

  • Contact data — Name, email, company name, job title, phone number, message — When you submit a contact form, demo request, or web form

  • Waitlist data — Name, email, company name — When you sign up for our waitlist

  • Cookie/tracking data — See Section 6 and Appendix A — Via cookies (non-essential only with your consent)

3.2 Platform Users (Authorised Users)

  • Account data — Name, email, job title, profile picture, preferences — Provided by you/your organisation during onboarding

  • Authentication data — Username, hashed password, SSO tokens, MFA details, session tokens, login timestamps — Generated during authentication via Auth0

  • Usage/analytics data — Feature usage patterns, session duration, interaction logs — Collected automatically via PostHog (EU-hosted)

  • Communication data — Support tickets, feedback, correspondence — When you contact us

  • E-signature data — Name, email, IP address, signature image, signed documents, timestamps — When you sign documents via DocuSign

3.3 Sales and Demo Call Participants

  • Audio/video data — Voice recordings, video feeds (if camera on) — Recorded via Google Meet (only with your explicit consent)

  • Transcripts — Written transcripts, meeting summaries — Generated via Google Meet, processed in Notion

We will always ask for your explicit consent before recording any call. You may decline to be recorded, and we will still conduct the meeting. Under German law (§ 201 StGB — Verletzung der Vertraulichkeit des Wortes), recording conversations without consent is a criminal offence. We take this obligation extremely seriously.

3.4 Data Collected from Public Sources (Data Enrichment)

In accordance with Article 14 GDPR, we inform you that we collect certain professional data from publicly accessible sources to enrich our platform's knowledge graph and provide comprehensive B2B insights to our customers.

  • Professional data — Public directorships, investments, company roles — Public company registries (UK Companies House, German Handelsregister, etc.)

  • Public profile data — Name, current role, professional summaries — Public professional networks (e.g. LinkedIn public profiles)

  • News/media data — Press releases, news articles, public company websites — Automated web research via Perplexity AI

If your data is processed for this purpose, you have the right to object to its inclusion. Contact [privacy email address]. We will process your objection without undue delay and cease processing your data for this purpose unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

3.5 Feedback and Support Users

  • Contact data — Name, email address — Provided by you

  • Feedback content — Feature requests, bug descriptions, screenshots, comments, votes — Submitted via Featurebase

  • Communication data — Changelog subscriptions, notification emails — When you subscribe to product updates

3.6 Newsletter and Marketing Recipients

  • Contact data — Name, email address — Provided when you subscribe or opt in

  • Engagement data — Email open rates, click-through rates, unsubscribe status — Collected automatically by Brevo

  • Marketing analytics — Conversion events, ad interactions — Via LinkedIn Insight Tag (only with your consent)

3.7 Job Applicants

  • Identification data — Name, date of birth, nationality, photograph — Provided in your application

  • Contact data — Email, phone number, postal address — Provided in your application

  • Professional data — CV, cover letter, work history, education, qualifications — Submitted via website, email, or LinkedIn

  • Assessment data — Interview notes, test results, references — Generated during recruitment

3.8 Data We Do Not Collect

  • We do not collect special categories of data (Article 9 GDPR) unless voluntarily included by you in free-text fields.

  • We do not buy personal data from data brokers.

  • We do not use your data to train AI models (see Section 5).

  • We do not sell or share your personal data. Ever.

3.9 Whether Providing Data Is Required

In accordance with Article 13(2)(e) GDPR, we inform you: the provision of your personal data when using our platform is a contractual requirement necessary to perform the agreement between your organisation and Mav9. If you do not provide the required account and authentication data, we cannot provide you with access to the Services. The provision of data when submitting contact forms, demo requests, or waitlist sign-ups is voluntary; however, without this information we cannot respond to your enquiry. The provision of data for marketing purposes is entirely voluntary and has no impact on your ability to use the Services.

4. How We Use Your Data

We only process personal data when we have a lawful basis to do so. The list below maps each processing purpose to the applicable legal basis under the EU GDPR.

  • Providing the Mav9 platform — Art. 6(1)(b) Contract — Processing account/auth data to deliver services under the MSA/ToS

  • Managing sales and CRM — Art. 6(1)(f) Legitimate interest — Organising leads and pipelines in our Notion CRM

  • Recording sales/demo calls — Art. 6(1)(a) Consent — Recording via Google Meet; transcripts processed in Notion

  • Public data enrichment — Art. 6(1)(f) Legitimate interest — Gathering professional data from public sources for B2B insights

  • AI-powered analysis — Art. 6(1)(b) Contract — Using AI models for investment analysis as a core platform feature

  • Account creation/auth — Art. 6(1)(b) Contract — Creating accounts, identity verification via Auth0, session security

  • Electronic signatures — Art. 6(1)(b) Contract — Processing via DocuSign to execute agreements

  • Responding to enquiries — Art. 6(1)(b)/(f) — Responding to contact forms, demos, support. Legitimate interest: responsive service

  • Waitlist management — Art. 6(1)(a) Consent — Processing registration and notifying about product availability

  • Newsletter/marketing — Art. 6(1)(a) Consent — Sending updates via Brevo. Unsubscribe at any time

  • Product analytics — Art. 6(1)(a)/Art. 6(1)(f) — Consent for cookies (§25 TDDDG); legitimate interest for aggregate analysis via PostHog

  • Website analytics — Art. 6(1)(f) Legitimate interest — Framer built-in analytics: aggregated, anonymised, no cookies

  • Marketing/retargeting — Art. 6(1)(a) Consent — LinkedIn Insight Tag. Only with explicit prior consent

  • Feature requests/bugs — Art. 6(1)(b)/(f) — Managing feedback via Featurebase

  • Security/fraud prevention — Art. 6(1)(f) Legitimate interest — Protecting platform via Cloudflare CDN/WAF/DDoS protection

  • Recruitment — Art. 6(1)(b)/§26 BDSG — Assessing suitability for positions applied for

  • Legal/tax compliance — Art. 6(1)(c) Legal obligation — Retaining records per German HGB/AO requirements

  • Compliance/audit — Art. 6(1)(c)/(f) — Maintaining SOC 2/ISO 27001 compliance via Vanta

4.1 When We Rely on Legitimate Interest

Where we rely on legitimate interest (Art. 6(1)(f) GDPR), we have conducted a balancing test (Legitimate Interest Assessment) to confirm that our interests do not override your fundamental rights and freedoms. You may request a copy of our assessments by contacting [privacy email address].

4.2 Your Right to Object (Article 21 GDPR)

Important: You have the right to object at any time to the processing of your personal data which is based on our legitimate interests (Art. 6(1)(f) GDPR), on grounds relating to your particular situation. Upon receiving your objection, we will cease processing your data for that purpose unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.

Where your personal data is processed for direct marketing purposes (including profiling related to direct marketing), you have an absolute, unconditional right to object at any time. We will stop processing your data for direct marketing immediately upon receiving your objection.

To exercise your right to object, email [privacy email address] or use the unsubscribe link in any marketing communication.

5. Artificial Intelligence and Automated Processing

5.1 How We Use AI

The Mav9 platform uses artificial intelligence to deliver core features:

  • Intelligent data enrichment — structuring, deduplicating, and linking data across sources

  • Research synthesis — generating investment research summaries and insights

  • Agent-based automation — AI agents performing tasks such as document analysis

  • Portfolio analytics — AI-powered analysis of fund performance and investor data

5.2 AI Service Providers

  • Amazon Web Services — AWS Bedrock — EU (Frankfurt) — LLM inference

  • Microsoft — Azure OpenAI Service — EU — LLM inference

  • Google Cloud — Vertex AI — EU — LLM inference

  • Perplexity AI — Perplexity API — USA — Real-time research/information retrieval

5.3 We Do Not Train AI on Your Data

We do not use your personal data or customer data to train, fine-tune, or improve any AI or machine learning model. This is a contractual commitment in our DPA and is mirrored in our agreements with all AI sub-processors. All AI processing within the platform is inference-only (generating outputs from pre-trained models). AI model inference does not constitute model training.

5.4 Automated Decision-Making and Profiling

Under Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Our AI systems are decision-support tools, not decision-makers. All AI outputs within the Mav9 platform require human review and judgement before any action is taken. We do not make any automated decisions that produce legal effects or similarly significant effects on individuals.

5.5 EU AI Act Compliance and Transparency

We classify our AI systems under the risk framework of the EU AI Act (Regulation (EU) 2024/1689). In compliance with the transparency requirements of Article 50 (applicable from 2 August 2026): (a) you will always know when you are interacting with an AI system — AI-generated insights and outputs are clearly identifiable, typically presented within a dedicated AI chat interface; and (b) where our AI agents synthesise external research or compile data, outputs feature explicit citations to original sources so you can verify information manually.

6. Cookies and Tracking Technologies

6.1 Our Cookie Consent Approach

Under § 25 of the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG), and the Privacy and Electronic Communications Regulations 2003 (PECR) in the UK, we require your explicit prior consent before setting any non-essential cookies. Strictly necessary cookies (Cloudflare security, Auth0 session management) are set without consent because they are technically required for the website or platform to function securely — specifically, they provide bot protection, DDoS mitigation, rate limiting, CSRF protection, and session state management. All other cookies are only set after you have given your explicit consent via our cookie consent banner.

6.2 Cookie Categories

For an exhaustive list, see Appendix A and our separate Cookie Policy at trust.mav9.com.

  • Strictly Necessary (no consent required): Cloudflare security cookies, Auth0 session cookies, cookie consent storage.

  • Analytics (consent required): PostHog product analytics.

  • Marketing (consent required): LinkedIn Insight Tag.

6.3 How to Manage and Revoke Cookies

You have absolute control over your cookie preferences. You may revoke your consent at any time via the cookie settings accessible from the footer of every page of our website. In accordance with the guidance of the Datenschutzkonferenz (DSK), revoking your consent requires no more effort than initially providing it. You can also manage preferences via your browser settings or by sending a Global Privacy Control (GPC) signal, which we natively respect.

7. Who We Share Your Data With

We share personal data only when necessary and only with the categories of recipients described below. We never sell your personal data.

  • Cloud Infrastructure: AWS (primary hosting, EU), Google Cloud (AI/storage, EU), Microsoft Azure (AI, EU)

  • Platform Services: Auth0 (authentication), PostHog (analytics, EU), DocuSign (e-signatures), GraphDB/Ontotext (graph database, EU), Daytona (sandboxed compute, EU)

  • Web and CDN: Framer (website hosting, EU), Cloudflare (CDN/security, global with EU primary)

  • Marketing: LinkedIn (conversion tracking, with consent), Brevo (email marketing, EU)

  • Internal Tools and CRM: Notion (CRM, documentation, call transcripts), Slack (internal communications), Google Workspace including Google Meet (email, documents, call recordings)

  • Security and Compliance: Vanta (compliance monitoring), Perplexity AI (AI-powered research)

  • Feedback: Featurebase (product feedback and feature requests)

For full geographic locations and transfer mechanisms, see Section 8 and Appendix B.

8. International Data Transfers

8.1 Where Your Data Goes

Our primary data processing infrastructure is hosted on Amazon Web Services within the European Union (Frankfurt, Germany). All primary databases and their routine backups are hosted strictly within the EU. However, some service providers are based in or operate from the United States.

8.2 Transfer Mechanisms

We use the following legal mechanisms to safeguard international transfers: (a) EU-US Data Privacy Framework (DPF) for certified US recipients; (b) EU Standard Contractual Clauses (SCCs) approved by Commission Implementing Decision (EU) 2021/914; (c) UK International Data Transfer Addendum issued by the ICO under section 119A of the DPA 2018; and (d) UK-US Data Bridge for DPF-certified US recipients.

8.3 Supplementary Measures for US Transfers

For transfers to the United States where the recipient is not certified under the EU-US Data Privacy Framework (notably Perplexity AI, Vanta, and Featurebase), we rely on SCCs supplemented by a Transfer Impact Assessment (TIA). Our TIA evaluates the legal framework of the recipient country, the specific nature and sensitivity of the data transferred, and the technical and organisational measures implemented by the recipient. Supplementary measures include: contractual prohibitions on government access disclosure, encryption in transit and at rest, data minimisation (only query data is sent, not bulk Customer Data), and access controls limiting processing to the specific service purpose.

8.4 Data Transfer Map

  • AWS, GCP, Azure — EU (data centres + backups) — No transfer (EU processing)

  • PostHog Cloud EU — EU (Frankfurt) — No transfer (EU processing)

  • Framer, GraphDB, Daytona, Brevo — EU — No transfer

  • Auth0 (Okta) — EU tenant — DPF + SCCs

  • DocuSign — EU / US — DPF + SCCs

  • Cloudflare — Global (EU-primary) — DPF + SCCs

  • LinkedIn — Ireland + US — DPF + SCCs

  • Google Workspace (incl. Meet) — EU (with global processing) — DPF + SCCs

  • Perplexity AI — USA — SCCs + TIA

  • Notion — USA — DPF + SCCs

  • Slack (Salesforce) — USA — DPF + SCCs

  • Vanta — USA — SCCs + TIA

  • Featurebase — USA — SCCs + TIA

9. Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. The following list sets out our retention periods for each category of data:

  • Account data — Duration of agreement + 90 days — Contractual necessity; DPA Section 2.5

  • Authentication/session data — Duration of agreement + 90 days — Contractual necessity; security

  • Product analytics (PostHog) — 24 months from collection — Legitimate interest; product improvement

  • Call recordings/transcripts — 12 months, or until purpose fulfilled — Consent; withdrawn = immediate deletion

  • Consent records (calls) — Duration of agreement + 3 years — Legal obligation; proof of consent

  • Waitlist/marketing data — Until unsubscribe + 3 years (consent proof) — Consent; legal obligation (proof)

  • Public enrichment data — Until objection or data becomes stale — Legitimate interest; right to object

  • E-signature data — 10 years from execution — Legal obligation (German HGB §257)

  • Feedback (Featurebase) — Duration of agreement + 12 months — Legitimate interest; product development

  • LinkedIn marketing data — Until consent withdrawal + 30 days — Consent

  • Security/fraud logs — 12 months from event — Legitimate interest; security

  • Job application data — 6 months post-recruitment process — BDSG §26; AGG claim limitation period

  • Financial/tax records — 10 years from end of fiscal year — Legal obligation (HGB §257, AO §147)

  • KYC/AML data (if applicable) — 5 years after end of business relationship — Legal obligation (GwG §8)

10. Data Security

Our security measures are designed to meet the requirements of SOC 2 Type II and ISO/IEC 27001:

  • Technical Measures: AES-256 encryption at rest, TLS 1.2+ in transit, mandatory MFA for all production access, WAF/DDoS protection via Cloudflare, regular vulnerability scanning, annual penetration testing by qualified third-party assessors.

  • Organisational Measures: Role-based access controls (RBAC) based on the principle of least privilege, strict change management via CI/CD pipelines, employee confidentiality obligations and background checks, continuous SOC 2/ISO 27001 monitoring via Vanta.

  • Breach Notification: We will notify the relevant supervisory authority where feasible within 72 hours of discovering a qualifying breach, and affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Current certification status is available at trust.mav9.com.

11. Your Rights

11.1 Rights Under EU and UK GDPR

Depending on your jurisdiction, you have the following rights:

  • Right of access (Art. 15): Obtain confirmation of whether we process your data and request a copy.

  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.

  • Right to erasure (Art. 17): Request deletion of your data where there is no compelling reason for continued processing.

  • Right to restriction (Art. 18): Request that we restrict processing in certain circumstances.

  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.

  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing (see Section 4.2 for details).

  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

  • Right not to be subject to automated decisions (Art. 22): Not to be subject to decisions based solely on automated processing (see Section 5.4).

11.2 How to Exercise Your Rights

To exercise any of these rights, email [privacy email address]. We will acknowledge your request within five (5) Business Days and respond substantively within one (1) month. If your request is complex or we receive a high volume of requests, we may extend this by a further two (2) months, and we will inform you of any extension within the first month. We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.

11.3 Your Right to Complain

Right to complain to Mav9 (UK users): Under the Data (Use and Access) Act 2025, Section 103 (inserting Section 164A into the Data Protection Act 2018), expected to be effective mid-June 2026, you have a statutory right to complain directly to us if you believe that the way we process your personal data breaches data protection legislation.

To submit a data protection complaint:

  • Email: [privacy email address] (include "Data Protection Complaint" in the subject line)

We will: (a) acknowledge receipt of your complaint within thirty (30) days; (b) investigate your complaint without undue delay; (c) inform you of the outcome and any actions taken; and (d) record the complaint and its resolution for audit and compliance purposes.

Right to complain to a supervisory authority: You also have the right to lodge a complaint with a data protection supervisory authority. In Germany: the Berliner Beauftragte für Datenschutz und Informationsfreiheit. In the UK: the Information Commissioner's Office (ICO), or its successor body, the Information Commission. In any other EU Member State: the supervisory authority of your habitual residence or place of work.

12. Data Portability and Service Switching

In accordance with the EU Data Act (Regulation (EU) 2023/2854), we support your right to export your data and switch to another provider free of technical or commercial barriers. Standard data exports (CSV, JSON, API) are provided free of charge once per twelve (12)-month period and upon termination.

13. Children's Data

Our platform is designed for B2B professionals. We do not knowingly collect personal data from individuals under 16 years of age (EEA) or 13 years of age (UK/US). If we become aware that we have collected data from a child, we will delete it promptly.

14. Third-Party Links and Services

Our Services may integrate with external platforms (such as LinkedIn for marketing or DocuSign for contracts). When you interact directly with these third-party services, their respective privacy policies apply. We encourage you to review their privacy practices before engaging with them.

15. Changes to This Policy

We may update this policy periodically to reflect changes in law, regulation, or our data practices. We will notify you of material changes by email or website notice at least thirty (30) days before the changes take effect. The effective date at the top of this policy indicates when it was last updated. Minor, non-substantive changes (such as corrections of typographical errors) may be made without advance notice.

16. Jurisdiction-Specific Provisions

16.1 Germany

Our processing is regulated by the EU GDPR, the German Federal Data Protection Act (BDSG), and the TDDDG. Mav9 is not required to appoint a DPO under § 38 BDSG but maintains a dedicated internal privacy team. Our competent supervisory authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

16.2 United Kingdom

Our processing is regulated by the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025. The DUAA's new right to complain directly to controllers takes effect 19 June 2026 (see Section 11.3). Our competent supervisory authority is the Information Commissioner's Office (ICO), or its successor body, the Information Commission, established under the DUAA.

16.3 California, USA (CCPA/CPRA)

The following disclosures are provided in accordance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Even where Mav9 may not meet the CCPA's applicability thresholds, we provide these disclosures voluntarily as a commitment to transparency for our US clients and their data subjects.

We do not sell or share personal information. Mav9 does not sell personal information (as defined under CCPA § 1798.140(ad)) and does not share personal information for cross-context behavioural advertising (as defined under CCPA § 1798.140(ah)). We have not sold or shared personal information in the preceding 12 months.

Service provider status: When Mav9 processes personal information on behalf of our customers, we act as a "service provider" as defined in CCPA § 1798.140(ag). We process personal information solely to provide the Services and do not retain, use, or disclose personal information for any purpose other than performing the Services, except as permitted by the CCPA.

Categories of personal information collected in the preceding 12 months:

  • A. Identifiers — Yes — Name, email, IP address, account name — Directly from you; your employer — Providing Services; authentication

  • B. Customer records (Cal. Civ. Code §1798.80(e)) — Yes — Name, company, phone number — Directly from you — Account management; CRM

  • C. Protected characteristics — No

  • D. Commercial information — Yes — Subscription records, purchase history — Business records — Billing; account management

  • E. Biometric information — No

  • F. Internet/network activity — Yes — Browsing history, interactions with platform — Automatically collected — Analytics; security

  • G. Geolocation data — No (precise) — Approximate location from IP only — Automatically collected — Security

  • H. Sensory data — Yes (if consent) — Audio/video from recorded calls — Google Meet (with consent) — Sales enablement

  • I. Professional/employment info — Yes — Job title, company, role — From you; public sources — CRM; enrichment

  • J. Education information — No

  • K. Inferences — Yes — Preferences, characteristics from analytics — Platform usage data — Product improvement

  • L. Sensitive personal information — No

Categories of personal information disclosed for a business purpose in the preceding 12 months: Identifiers (A) and Internet/network activity (F) to analytics providers (PostHog); Identifiers (A) to authentication providers (Auth0); Professional information (I) to CRM tools (Notion); Identifiers (A) to email service providers (Brevo). No personal information was sold or shared.

California consumer rights: California residents have the following rights under the CCPA/CPRA: the right to know what personal information we collect and how it is used and shared; the right to delete personal information (subject to exceptions); the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (though we do not sell or share); the right to limit the use of sensitive personal information (though we do not collect sensitive PI as defined by the CCPA); and the right to non-discrimination for exercising your CCPA rights.

To exercise any CCPA right, contact [privacy email address] or submit a request via trust.mav9.com/privacy-request. We will verify your identity before processing your request. We will respond within forty-five (45) days, with one forty-five (45) day extension if reasonably necessary. We honour Global Privacy Control (GPC) signals natively as valid opt-out requests.

16.4 Other US State Privacy Laws

To the extent that privacy laws of other US states (including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others) apply to our processing of personal information, we extend the rights described in Section 16.3 to residents of those states. Where a state law provides additional or different rights, we will comply with those requirements.

17. Contact Us

For any questions about this Privacy Policy or our data practices:

  • Email: [privacy email address]

  • Security concerns: [security email address]

  • EU Post: Mav9 Technologies GmbH, Attn: Privacy, Mühsamstraße 69, 10249 Berlin, Germany

  • UK Post: MAV9 Technologies Ltd, C/O Windsor House Station Court, Station Road, Great Shelford, Cambridge, CB22 5NE

Appendix A: Cookie Declaration

Strictly Necessary Cookies (No Consent Required)

  • __cf_bm, cf_clearance, __cflb, __cfruid, _cfuvid — Cloudflare — Security, bot management, rate limiting, DDoS protection — 30 min – Session

  • Auth0 session cookies — Auth0 (Okta) — Session state, CSRF protection, authentication — Session

  • Cookie consent — Mav9 — Stores your cookie consent preferences — 12 months

Analytics Cookies (Consent Required)

  • ph__posthog — PostHog — Product analytics, user interaction tracking — 1 year

Marketing Cookies (Consent Required)

  • li_fat_id, bcookie, lidc, etc. — LinkedIn — Conversion attribution, retargeting — 24h – 1 year

Appendix B: Sub-Processor List

We provide at least 30 days' advance notice via our Trust Center before engaging a new sub-processor. The current list is also maintained at trust.mav9.com.

  • Amazon Web Services (AWS) — Cloud infrastructure — All platform data + backups — EU (Frankfurt)

  • Google Cloud Platform — Cloud infrastructure/AI — Platform services data — EU

  • Microsoft Azure — AI model inference — Analysis input/output — EU

  • Auth0 (Okta, Inc.) — Authentication, SSO — Account credentials — EU tenant

  • PostHog, Inc. — Product analytics — Usage data — EU (Frankfurt)

  • DocuSign, Inc. — Electronic signatures — Name, email, signed docs — EU / US

  • Cloudflare, Inc. — CDN, security — IP address, traffic data — Global (EU-primary)

  • Framer B.V. — Website hosting — Visitor data, forms — EU (NL)

  • LinkedIn (Microsoft) — Marketing measurement — Website usage — Ireland + US

  • Brevo (Sendinblue) — Email marketing — Name, email — EU (FR)

  • Featurebase, Inc. — Feedback, changelogs — Name, email, feedback — USA

  • Perplexity AI, Inc. — AI-powered research — Query data — USA

  • Notion Labs, Inc. — CRM, docs, call transcripts — Leads, business data — USA

  • Slack (Salesforce, Inc.) — Internal comms — Business communications — USA

  • Google Workspace — Docs, email, Meet recordings — Waitlist, call recordings — EU / Global

  • Vanta, Inc. — Security monitoring — Security posture data — USA

  • GraphDB (Ontotext) — Graph database — Linked data — EU

  • Daytona — Agent compute — Code execution data — EU

  • Cookieyes - Cookie Banner - EU


© 2026 Mav9 Technologies GmbH.