Privacy policy

The controller within the meaning of the General Data Protection Regulation (GDPR) for the processing of your user-related data is:

We process the following categories of personal data that you provide to us in the course of using the SaaS solution or that arise through such use:

• Contact and master data: surname, first name, business e-mail address, telephone number, position, company affiliation.
• Contract and billing data: order history, selected services, billing addresses, payment information, VAT ID.
• Technical usage data (log files): IP address, time stamp of access, type of access (e.g. API call or web login), browser information, operating system, device ID.
• Support data: content of support requests, ticket history.

We process your data exclusively for the following purposes and on the basis of the following legal grounds:

Within our company, only those bodies receive access to your data which require it for the performance of our contractual and statutory obligations. In addition, we transfer data to the following categories of recipients:

• Hosting provider: The Aison platform is operated exclusively in data centres within the European Union. Frontend and backend are provided through Hostinger International Ltd. (Hostinger) at the server location Frankfurt, Germany. The primary data storage and processing for authentication, database and storage is carried out through Supabase Inc. (Supabase) in the West EU (Ireland) region, AWS Region eu-west-1.
• Subprocessor: The technical development, maintenance and operation of the Aison platform is carried out by Quantflow Ai AG (Quantflow), Marktstrasse 4, 9435 Heerbrugg SG, Switzerland. For Switzerland, an adequacy decision of the EU Commission is in place. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Quantflow.
• Use of AI services: For specialised technical processing tasks within the platform operations, we use the API of OpenAI, L.L.C., USA (OpenAI). The processing is carried out on the basis of a data processing agreement. OpenAI is obliged not to use the transmitted data for training its models. The AI-supported processing concerns exclusively tasks such as PDF extraction, generation of embeddings, semantic similarity calculation, distinctiveness analysis and reasoning within the scope of the trade mark analysis. Personal data of the platform‘s users are not affected.
• Public authorities: insofar as we are required to do so by law or court order.

Third country transfer:

Should we transfer data to countries outside the European Economic Area (EEA) or Switzerland, we ensure that an adequate level of data protection is guaranteed (e.g. through EU standard contractual clauses or adequacy decisions).

We store your personal data for as long as is necessary to fulfil the purposes mentioned above:

• Contract data: are stored for the duration of the contractual relationship and for 10 years after its termination (in accordance with retention periods under tax and commercial law).
• User accounts: are deactivated upon termination of the contract or upon explicit instruction of the customer's administratoand deleted after a grace period, unless statutory retention obligations preclude this.
• Log files: are deleted on a rotating basis after a maximum of 90 days, unless further storage is required for evidentiary purposes in connection with specific security incidents.
• Analysis results: analyses of trade mark collisions are generally deleted automatically after 90 days.

Insofar as we process your personal data (as admin/user), you have the following rights:

• Right of access (Art. 15 GDPR): You may request information about the data processed by us concerning you.
• Rectification (Art. 16 GDPR): You may request the rectification of incorrect data.
• Erasure (Art. 17 GDPR): You may, under certain conditions, request the erasure of your data.
• Restriction of processing (Art. 18 GDPR): You may request the restriction of processing.
• Data portability (Art. 20 GDPR): You have the right to receive data in a structured, commonly used format.
• Right to object (Art. 21 GDPR): You may object at any time to the processing of your data based on legitimate interests.

To exercise these rights, please contact us at the address indicated above.

Right to lodge a complaint: Without prejudice to any other legal remedy, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent supervisory authority is the State Commissioner for Data Protection and the Right of Access to Information of Brandenburg, Stahnsdorfer Damm 77, 14532 Kleinmachnow.

Withdrawal of consent: Insofar as we process data on the basis of your consent, you may withdraw it at any time with effect for the future, without affecting the lawfulness of the processing carried out until then (Art. 7(3) GDPR).

In the context of processing your customer master data and user data (B2B), no automated decision-making within the meaning of Art. 22 GDPR takes place.

We employ comprehensive technical and organisational security measures (TOMs) to protect your managed data against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons. Our security measures correspond to the current state of the art („State of the Art“) and include, among other things:

• Encryption: data transmission via TLS/SSL and encryption of stored sensitive data (data at rest).
• Access control: strict role and authorisation concepts (least-privilege principle).
• Redundancy: regular backups and redundant system architecture to ensure availability.

For details, please refer to the annex to our DPA (Technical and Organisational Measures).