Privacy Policy

Effective May 4, 2026


MABTED GmbH
Gertigstraße 5, 22303 Hamburg, Germany
Privacy: privacy@mabted.com

1. Introduction

We process personal data in line with EU GDPR. By using our service, you agree to this Privacy Policy.

2. Data Controller and Contact

Controller: MABTED GmbH, Gertigstraße 5, 22303 Hamburg, Germany – privacy@mabted.com

3. Categories of Data

  • Contact data; account data (settings, preferences)
  • Influencer data (names, email addresses, social media handles, follower counts, niches)
  • Brand data (company names, contact persons)
  • Campaign and engagement data (contracts, budgets, periods, deliverables)
  • Performance metrics (TKP, ROAS, engagement rates, revenue data)
  • Shopify account data and revenue information
  • Gmail account data and email threads
  • Application and usage data (rules, schedules, logs, IP/browser/device)

4. Purpose and Legal Basis

Purpose | Legal Basis
Provide and operate service | Art. 6(1)(b) GDPR
User communication | Art. 6(1)(b) GDPR
Security/misuse prevention | Art. 6(1)(f) GDPR
Product improvement | Art. 6(1)(f) GDPR
Legal compliance | Art. 6(1)(c) GDPR

5. Recipients and Transfers

We share data only when legally permitted, contractually necessary, or with your consent. Third-country transfers are made under Art. 46 GDPR safeguards (SCCs / Data Privacy Framework).

Current processors (as of 4 May 2026):

Recipient | Location | Purpose
Supabase Inc. | EU (Frankfurt) | Hosting, database, storage, authentication
Vercel Inc. | EU (fra1, since 2026-05) / formerly USA | Frontend & serverless function hosting
Google Ireland Ltd. (Gmail / Workspace) | Ireland (EU/USA) | Gmail integration: send & read messages via OAuth
Google Ireland Ltd. (Google Analytics 4) | Ireland (EU/USA) | Aggregate web analytics (consent-gated; IP anonymisation)
Microsoft Ireland Operations Ltd. (Microsoft Clarity) | Ireland (EU/USA) | Anonymised session replay (separate consent; input masked)
Anthropic, PBC | USA | AI-powered analysis in Pearl assistant, negotiation extraction, screenshot & writing-style analysis (Zero Data Retention requested; no model-training use per Anthropic Commercial Terms & DPA; DPF-certified)
OpenAI, OpCo, LLC | USA | AI vision for research imports (Storyclash)
Mistral AI SAS | France (EU) | AI OCR/vision for research imports
Apify Technologies s.r.o. | Czech Republic (EU/US infra) | Profile-picture enrichment & Instagram story scraping
Shopify Inc. | Canada | Coupon & order tracking, seeding orders
Stripe Payments Europe Ltd. | Ireland | Payment processing (where enabled)

Detailed data categories and transfer bases are documented in the DPA.

No automated decision-making with legal effect (Art. 22 GDPR): No solely automated decision-making within the meaning of Art. 22 GDPR producing legal effects or similarly significant effects on data subjects takes place. AI suggestions (e.g. negotiation extraction, email drafts, screenshot analysis) are reviewed and released by a human before they take effect.

6. Google User Data Usage

Our application uses the Google OAuth 2.0 API to connect your Gmail account. Below we disclose what Google user data is accessed and how it is used.

Google user data accessed:

  • Your Google account email address (via the "openid" and "email" scopes) to identify the connected account
  • Gmail message content, headers, and metadata (via the "gmail.readonly" scope) to read and display email threads within the application
  • Gmail send capability (via the "gmail.send" scope) to send emails on behalf of the user directly from the application

How Google user data is used:

  • Email address: Displayed in settings to identify the connected Gmail account
  • Gmail read access: To fetch and display email conversations related to influencer communications within the application
  • Gmail send access: To send outreach and communication emails to influencers directly from the application using the user's Gmail account
  • Refresh tokens are encrypted (AES-256) and stored in our database solely for the purpose of refreshing access tokens for the above functionalities

Restrictions on use:

  • Google user data is not shared with or sold to third parties
  • Google user data is not used for advertising purposes
  • Google user data is not used for purposes beyond the functionality described above
  • Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements

Revoking access:

  • Users can disconnect their Gmail integration at any time via Settings > Email > "Disconnect" in the application
  • Upon disconnection, stored tokens are immediately deleted from our database
  • Users can also revoke access directly via their Google Account security settings under "Third-party apps with account access"

7. Storage Duration

We retain data only as long as necessary; data is deleted or anonymized within 30 days after account deletion.

8. Cookies and Tracking

We use strictly necessary cookies, and — only with your consent — analytics and session-replay cookies. You can withdraw your consent at any time via the "Cookie settings" link in the footer.

Cookie / technology | Provider | Purpose | Lifetime | Legal basis
Supabase Auth (sb-*) | Supabase Inc. | Session management (strictly necessary) | Session – 30 days | Art. 6(1)(b) GDPR
tmp_cookie_consent | MABTED GmbH | Stores your cookie choice (strictly necessary) | 12 months | Art. 6(1)(f) GDPR
locale | MABTED GmbH | Language preference (strictly necessary) | 12 months | Art. 6(1)(f) GDPR
_ga, ga*, _gid | Google Ireland Ltd. (GA4) | Aggregate web analytics with IP anonymisation | Up to 13 months | Art. 6(1)(a) GDPR (consent)
_clck, _clsk, CLID, SM | Microsoft Ireland Operations Ltd. (Clarity) | Anonymised session replay — keystrokes are masked | Up to 12 months | Art. 6(1)(a) GDPR (separate consent)

Microsoft Clarity records anonymised session activity (clicks, scroll, mouse). Keystrokes are masked by default and are not recorded. You may consent to or refuse this tool independently.

9. Your Rights

  • Access, rectification, erasure (Art. 15-17 GDPR)
  • Restriction (Art. 18 GDPR)
  • Portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)
  • Withdrawal of consent with effect for the future (Art. 7(3) GDPR)
  • Complaint to a supervisory authority (Art. 77 GDPR)

Logged-in users will find pre-filled templates under Settings → Privacy & Account (path: /settings/privacy). Otherwise, write to support@mabted.com. We confirm receipt within 72 hours and complete processing within the statutory one-month deadline (Art. 12(3) GDPR). Processing is free of charge.

10. Data Security

Our security measures are: TLS encryption in transit and AES-256 encryption at rest, a role-based access system, encrypted API tokens and access keys, logging of all access, regular security updates, and EU hosting (Frankfurt/Amsterdam).

11. Changes

We may update this policy; the latest version can be found on our website.

12. Contact

Contact: privacy@mabted.com or the Hamburg Commissioner for Data Protection and Freedom of Information.