Logo

Data privacy policy

M&A Media Services GmbH (“MAMS” / mandaco)
Version: April 2026

M&A Media Services GmbH attaches great importance to the protection of your privacy and your personal data, as well as to the necessary level of data security, and therefore collects, processes and uses your personal data exclusively in accordance with the principles described below and the applicable requirements of the EU General Data Protection Regulation and the German Federal Data Protection Act.

I. Name and address of the controller

II. Your personal data

III. General information on data processing

IV. Provision of the website and creation of log files / protocol files

V. Communication

V.1 Email communication

V.2 Newsletter and newsletter tracking

VI. Use of cookies

VII. Plugins and tools

VII.1 Use of Matomo

VII.2 Use of Overloop

VII.3 Use of Ticketareo

VII.4 Use of Zapier

VII.5 Use of Vimeo

VII.6 Processing of application and course participation documents (Career in M&A)

VIII. Rights of the data subject

IX. Automated decision-making and profiling

X. Links to other websites

XI. Security

XII. Availability and changes

 

I. Name and address of the controller

The controller within the meaning of the EU General Data Protection Regulation (“GDPR”) and other national data protection laws of the EU Member States as well as other applicable data protection provisions for the operation of the websites www.manda.co and www.ma-review.de and their subdomains (hereinafter the “Website”) is:

M&A Media Services GmbH
Habenschadenstr. 16
82049 Pullach
Germany

Tel.: +49 179 4483063
Email: hello@manda.co

Represented by the Managing Director Stefan Schneider

(hereinafter referred to as the “Company”, “MAMS”, “mandaco”, or “we”).

If you wish to object to the collection, processing or use of your data by us in accordance with this privacy policy, either in whole or for individual measures, you may send your objection by email, fax or letter to the contact details listed above. You may also obtain information about your personal data free of charge at any time via the above contact details.

II. Your personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). It is not necessary for you to provide us with personal data when visiting our Website. Personal data such as your name, telephone number, postal and email address, date of birth and telephone number will only be collected if you voluntarily provide this data to us or consent to its collection. For technically necessary data, please refer to the explanations under “IV. Provision of the Website and creation of log files” and “V. Use of cookies”.

III. General information on data processing

1. Scope of the processing of personal data

Via this Website, we process personal data (hereinafter also referred to as “data”) of data subjects, i.e. website visitors, insofar as this is necessary to provide a functional website as well as our content and services. As a rule, the processing of our users’ personal data only takes place if the user has consented to the processing. An exception applies where the processing of the data is permitted by law, required for the performance of a contract, or technically necessary.

2. Legal basis for the processing of personal data

Where we obtain the consent of the data subject for the processing of personal data, Art. 6(1)(a) GDPR serves as the legal basis. For the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary to carry out pre-contractual measures. Where the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis. In cases where vital interests of the data subject or another natural person require the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis. If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, Art. 6(1)(f) GDPR serves as the legal basis for the processing.

3. Data deletion and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by European or national legislators in EU regulations, laws or other provisions to which the controller is subject. Data will also be blocked or deleted when a statutory retention period expires, unless continued storage of the data is necessary for the performance of a contract.

IV. Provision of the website and creation of log files / protocol files

1. Description and scope of data processing

When using the Website for informational purposes only, we collect only the personal data that your browser transmits to our server or provider and that is technically necessary to display our Website and ensure its stability and security. This includes information such as your IP address, information about your browser, operating system and device, referrer, date and time of access, and other data.

Our Website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. All data processed in connection with the use of this Website is stored on servers located in Germany.

Hetzner acts as a processor pursuant to Art. 28 GDPR. A corresponding data processing agreement (DPA) has been concluded with Hetzner, ensuring that your personal data is processed solely in accordance with our instructions and in compliance with applicable data protection regulations.

Hetzner is used in the interest of providing our online offering in a secure, fast and reliable manner. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s device. For this purpose, the user’s IP address must remain stored for the duration of the session.

All of the above information is stored in log files in order to ensure the functionality of the Website. In addition, the data serves to ensure the necessary security of our information technology systems. The server-side log files are used only for error analysis. The data is not evaluated for marketing purposes.

4. Duration of storage

Users’ IP addresses are anonymized as soon as they are no longer required for the purpose for which they were collected. This is the case when the respective user session ends. The storage duration of the log files for the above-mentioned purposes is a maximum of 14 days.

5. Possibility of objection and deletion

The collection of data for the provision of the Website and the storage of data in log files is absolutely necessary for the operation of the Website. Consequently, there is no possibility for the user to object.

V. Communication

V.1 Email communication

1. Description and scope of data processing

Our Website provides the option to contact us via a stated email address. In any case, the user’s personal data transmitted in this context will be stored. The scope of processed personal data and the specific personal data processed may vary depending on the nature of the contact. This includes in particular the following data:

  1. your salutation and first and last name;

  2. your company;

  3. your communication data (email address, telephone number);

  4. the resulting correspondence.

Your data and the resulting correspondence are processed exclusively by us. The data is not passed on to third parties. The data is used solely for the conversation initiated by the user in order to contact you by telephone, post or email regarding your inquiry. The provision of data is voluntary.

2. Legal basis for data processing

The legal basis for processing the data transmitted in the course of sending an email is Art. 6(1)(a) GDPR. If the user’s contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6(1)(b) GDPR.

3. Purpose of data processing

The processing of the personal data you voluntarily provide to us by email is carried out solely for the purpose of contacting you or answering your questions about our activities.

3. Duration of storage

The data will be deleted as soon as it is no longer required for the purpose for which it was collected. In the case of personal data transmitted by email, this is the case when the respective conversation with the user has ended. The conversation is deemed to have ended when the circumstances indicate that the matter in question has been conclusively clarified.

4. Possibility of objection and deletion

The user has the option at any time to withdraw consent to the processing of personal data. If the user contacts us by email or via the form, they may object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. The withdrawal can be made at any time using the contact details under Sections I and II as well as via the following email address: hello@manda.co. All personal data stored in the course of contacting us will be deleted in this case.

V.2 Newsletter and newsletter tracking

1. Description and scope of data processing

Our Website offers the opportunity to subscribe to an email newsletter. If you sign up for our newsletter, we use the necessary data you provide to send you our email newsletter in accordance with your consent. We send newsletters at regular intervals in order to share news, offers and information from the field of MAMS.

If you sign up for an electronic newsletter, we may in particular process the following data:

  1. your email address,

  2. whether you have consented to or objected to receiving such communications, including date and time,

  3. company name,

  4. first and last name.

If you have subscribed to the newsletter, we collect, process and use the data you provide exclusively for sending the newsletter and monitoring its success. We generally personalize our newsletters with the name of the recipient in order to provide a better experience.

For the technical implementation of the dispatch, your personal data is transferred to the service Mailchimp of Intuit Inc., 2700 Coast Avenue, Mountain View, CA 94043, USA (hereinafter “Mailchimp”), which processes the data made available to us as a processor pursuant to Art. 28 GDPR while ensuring the necessary data security measures. The contractual relationship has been agreed on the basis of Standard Contractual Clauses. In addition, Mailchimp is certified under the EU-US Data Privacy Framework (DPF). Mailchimp uses the data exclusively for sending the newsletter and evaluating the success of the newsletter. Further information about Mailchimp can be found on the website: https://mailchimp.com/. Further information about Mailchimp’s handling of personal data can be found at https://www.intuit.com/privacy/statement/.

I have taken note of the privacy policy of M&A Media Services GmbH and consent to the storage and processing of the data I have provided for newsletters addressed to me regarding products of your company and to the storage of such data in our CRM system for further marketing activities. I have been informed that this consent is voluntary and that I may revoke it at any time informally by telephone or in writing without giving reasons (see also the section on Overloop).

Subscription to the email newsletter takes place via a double opt-in procedure set up by the system. This means that after entering your data, you will receive an email containing a confirmation link. This confirmation email serves to authorize the owner of the specified email address to receive the newsletter. Only after confirmation is the email address included in the mailing list. The following data is stored: registration data, time of registration, confirmation, unsubscription, IP address and changes to the stored data. Collecting this data is necessary in order to be able to trace any possible misuse of the email address of the data subject and to protect the controller.

To further improve the newsletter offering, open rates are tracked in order to evaluate the success of a newsletter campaign. Further information on data analysis by Mailchimp newsletters can be found at https://mailchimp.com/de/help/about-open-tracking/.

2. Legal basis for data processing

The legal basis for the processing of data transmitted in connection with the provision and dispatch of the newsletter, as well as for the temporary storage of data for success analysis, is Art. 6(1)(a) GDPR. We have an interest in direct marketing and in evaluating the success of your reaction to the content of the newsletter in order to position ourselves successfully in the market.

3. Purpose of data processing

The processing of personal data by us and our service provider Mailchimp serves exclusively to handle and send newsletters and to evaluate the success of the respective newsletter. Statistics on your use of and response to our newsletter help us to better tailor our offerings to the interests of our subscribers. This also constitutes the necessary legitimate interest in the processing of the data.

4. Duration of storage

Your data is stored on certified Mailchimp servers worldwide or in the USA. The data will be deleted as soon as it is no longer required for the purpose for which it was collected. This applies to the personal data you have provided to us for the purpose of subscribing to and receiving the newsletter when you withdraw your consent to processing. After unsubscribing from the newsletter, all stored data will be deleted.

5. Possibility of objection and deletion

You may withdraw your consent to the processing of personal data for receiving the newsletter at any time. You may unsubscribe from the newsletter at any time. This can be done by sending us a message via the contact form, by email (hello@manda.co), or via the unsubscribe link provided in the newsletter.

VI. Use of cookies and local storage

1. Description and scope of data processing

We use cookies and your browser’s local storage to make your visit to our Website more convenient. Cookies are small text files stored on your device that allow us, among other things, to recognize your browser. Cookies enable us to improve the convenience and quality of the services offered on the Website. Cookies are also used to analyze the use of the Website.

Some of the cookies we use are deleted again after the end of your browser session, i.e. after you close your browser (so-called “session cookies”). Other cookies remain on your device for their respective period of validity (see below) and enable us to recognize your browser the next time you visit.

A list of the cookies used can be found in the section “Plugins and Tools” of this privacy policy, where you will find an overview of the cookies used, their periods of validity, and the respective opt-out options.

We store only necessary information in your browser’s local storage, such as language settings.

2. Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies and local storage entries is Art. 6(1)(f) GDPR. The setting of these cookies and local storage entries is carried out in accordance with Section 25(2) no. 2 TTDSG.

The legal basis for the processing of personal data using cookies for analysis or marketing purposes is your consent given via the cookie banner in accordance with Art. 6(1)(a) GDPR. Section 25(1) TTDSG applies to the setting of cookies.

3. Purpose of data processing

The purpose of using technically necessary cookies is to enable you to use our Website. Some functions on our Website cannot be provided without the use of cookies or local storage. For these functions, it is necessary that the browser is recognized again after a page change. The user data collected by technically necessary cookies is not used to create user profiles.

The use of statistics and personalization cookies serves the purpose of improving the quality of our Website and its content on the basis of the consent you have given. By using cookies, we learn how our Website is used so that we can continuously optimize our offering.

For information on the purpose of and objection options for cookies used for statistical and marketing purposes, please refer to the explanations in the relevant section of this privacy policy.

4. Duration of storage, possibility of objection and deletion

Cookies are stored on the user’s device and transmitted by the device to our Website. Therefore, you as the user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies already stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for the Website, it may no longer be possible to use all functions of the Website in full.

VII. Plugins and tools

VII.1 Use of Matomo

1. Description and scope of data processing

We have integrated the open-source web analytics service Matomo (formerly Piwik) on our Website. We do not use Matomo cookies on our Website. This enables us to analyze how often web pages are accessed or website functions are used.

When individual pages of our Website are accessed, the following data is automatically transmitted by the internet browser used on your device to our web server by means of the integrated script:

  1. IP address of the user’s accessing system

  2. the webpage accessed and the time of access

  3. the website from which the user came to the accessed website (referrer)

  4. the subpages accessed from the accessed website

  5. the duration of the visit to the website

  6. the frequency of access to the website

  7. country of origin – device used, operating system and browser.

We have implemented Matomo without the use of cookies. The following necessary cookies are only set if you reject tracking by Matomo:

  • piwik_ignore – if you opt out of tracking using the iframe opt-out procedure, Matomo sets a cookie called piwik_ignore

  • MATOMO_SESSID – MATOMO_SESSID is a temporary, short-lived cookie that provides a random number to prevent CSRF security issues while users opt out of tracking.

2. Purpose and legal basis of data processing

The analysis of the above data serves the purpose of improving the quality of our Website and its content. In this way, we can determine how our Website is used and continuously optimize our offering.

The legal basis for the processing of personal data for statistical purposes is our legitimate interest in optimizing our offering, Art. 6(1)(f) GDPR.

3. Possibility of withdrawal, objection and removal

You may object at any time with future effect to the collection, storage and use of data by Matomo in the following way.

Please note, however, that if you deactivate or opt out, you may not be able to use all functions of the Website to their full extent.

For more information about Matomo’s open source project and the software’s privacy settings, visit https://matomo.org/.

Further information about the open-source project Matomo and the software’s privacy settings can be found at https://matomo.org/.

VII.2 Use of Overloop

1. Description and scope of data processing

Overloop is a sales engagement and CRM platform that collects and processes data for personalized outbound campaigns, integrating email, LinkedIn, and call activities.

Overloop processes personal data such as user details, contact information, and usage data. This data is used for service improvement, user support, and campaign management.

Overloop processes server logs, including IP address, geolocation, and browser type, to monitor usage. These logs are stored for one month and backed up for one year. For prospecting purposes, Overloop collects and enriches customer-provided lead data (names, emails, positions, etc.) using third-party services such as Hunter.io and Briteverify. Additionally, contact files uploaded by users are stored until account closure. This data is used to improve the service, customer support, and user experience.

Further information on data processing by Overloop can be found at: https://overloop.com/.

2. Legal basis and purpose of data processing

The legal basis for using Overloop as a sales prospecting and CRM platform is Art. 6(1)(a) GDPR.

3. Duration of storage

Data will be deleted as soon as it is no longer required for the purpose for which it was collected. Server logs are deleted after one month and backed up for one year.

4. Right to object and deletion

You may withdraw your consent to the processing of personal data for CRM purposes at any time with future effect and without giving reasons. The withdrawal can be made at any time using the contact details provided above or via email at hello@manda.co.

VII.3 Use of ticketareo

1. Description and scope of data processing

ticketareo is an event management platform provided by ticketareo GmbH, Jakob-Huber-Str. 2, 82110 Germering, Germany (hereinafter “ticketareo”), designed to facilitate the organization and management of events of various kinds.

We use ticketareo to organize and manage different types of events. This includes creating event websites, managing registrations and ticket sales, and enabling live event streaming.

Through ticketareo, we collect personal data required for event registration and participation. This typically includes:

  • Name and contact details (e.g., email address, phone number)

  • Payment information for ticket purchases

  • Any additional information provided during event registration

Further information on data processing by ticketareo can be found at: https://ticketareo.de/.

2. Legal basis and purpose of data processing

The processing of personal data via ticketareo is carried out for the purpose of event organization, ticket sales, and the provision of event-related information. The legal basis is the performance of a contract pursuant to Art. 6(1)(b) GDPR, as well as our legitimate interest pursuant to Art. 6(1)(f) GDPR in the efficient organization and execution of events.

3. Duration of storage

Data will be deleted as soon as it is no longer required for the purpose for which it was collected. Server logs are deleted after one month.

4. Right to object and deletion

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data. We will no longer process your personal data unless our legitimate grounds override your interests, rights, and freedoms. Objections can be submitted at any time using the contact details provided above or via email at hello@manda.co.

VII.4 Use of Zapier

1. Description and scope of data processing

We use the tool Zapier, provided by Zapier, Inc., 548 Market St. #62411, San Francisco, CA 94104-5401, USA, to automate processes between different online software applications, particularly to transfer data from our newsletter tool Mailchimp to our CRM system Overloop.

Zapier facilitates the integration and execution of actions or commands between different third-party applications.

Zapier accesses information necessary to execute these actions or commands. This includes collecting required credentials and relevant content from integrated third-party applications. Please note that Zapier is not responsible for the data processing practices of third-party applications; such processing is governed by their respective policies.

2. Legal basis for data processing

The legal basis for the use of Zapier is Art. 6(1)(f) GDPR. Our legitimate interest lies in automating processes (e.g., newsletter workflows) to improve the customer experience.

3. Purpose of data processing

The purpose of data processing is to connect various software applications to improve data flow and ultimately enhance your customer experience.

4. Duration of storage

Data storage durations at Zapier vary by category:

  1. Zap content: stored for 7 days in logs, 29–69 days in the account, and up to 4 months in backups

  2. Zap metadata: same storage duration, additionally used for internal analysis by Zapier

  3. Zap metrics/statistical metadata: stored in our Zapier account and used for internal analysis

5. Right to object and deletion

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data. Objections can be submitted via the contact details above or via email at hello@manda.co.

VII.5 Use of Vimeo

1. Description and scope of data processing

We embed videos on our website via Vimeo. Vimeo is a platform provided by Vimeo.com, Inc., 330 West 34th Street, 5th Floor, New York, NY 10001, USA.

We use Vimeo because local hosting is not sufficiently powerful to deliver videos.

When you click on a video, a connection to Vimeo is established to embed the video on our site. This results in a request to Vimeo servers, which are located worldwide, including in the EU and the UK. We have no control over which data is transmitted after clicking the video. For details, please refer to Vimeo’s privacy policy.

When visiting a page with embedded Vimeo content, Vimeo receives information about the page you visited. Personal data may be transmitted regardless of whether you are logged into a Vimeo account. If logged in, the data is linked to your profile.

Vimeo uses this data for advertising, market research, and to tailor its website. Data processing may also take place outside the EU. Appropriate contractual safeguards (e.g., Standard Contractual Clauses) are in place.

2. Legal basis and purpose

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in providing a functional website, reducing server load, and improving loading times.

3. Duration of storage

Data is deleted once it is no longer required or if you withdraw your consent.

4. Right to object

You can object at any time:

a) by preventing cookie storage via browser settings
b) via hello@manda.co

Note: disabling Vimeo may limit website functionality.

Further information: https://vimeo.com/

VII.6 Processing of Application and Course Participation Documents (Career in M&A)

Description and scope of data processing

As part of applications for the Career in M&A program (e.g., curriculum, workshops, recruiting events), we process submitted application documents such as CVs and supporting materials.

This may include:

  • Personal details (name, date of birth, gender)

  • Contact data (email, phone, address)

  • Education, grades, experience, internships

  • Skills and qualifications

  • Certificates and references

  • Photo (optional)

  • Additional voluntary data (e.g., hobbies)

  • Special categories of data (Art. 9 GDPR), if voluntarily provided

Purpose

  • Conducting and managing the application process

  • Selecting participants (40–50 students/year)

  • Program organization with partners

  • Inclusion in applicant pool (with consent)

Legal basis

  • Art. 6(1)(b) GDPR (pre-contractual measures)

  • Art. 6(1)(a) GDPR (consent for applicant pool)

  • Art. 9(2)(a) GDPR (special data categories, if provided)

Recipients

  • Authorized staff of M&A Media Services GmbH

  • Partner companies and service providers

  • IT and hosting providers (e.g., Overloop, ticketareo)

  • Video tools (Zoom, Vimeo)

Transfers outside the EU only occur with appropriate safeguards (Art. 46 GDPR).

Retention

  • Program: up to 6 months after completion

  • Applicant pool: up to 24 months (with consent)

Withdrawal and objection

You may withdraw consent at any time via hello@manda.co.

Voluntary provision

Providing data is voluntary but required for participation.

VIII. Rights of the Data Subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right of access

You may request confirmation from the controller as to whether personal data concerning you is being processed by us.

If such processing takes place, you may request the following information from the controller:

  1. the purposes for which the personal data are processed;

  2. the categories of personal data concerned;

  3. the recipients or categories of recipients to whom your personal data have been or will be disclosed;

  4. the planned duration of storage of your personal data or, if specific information is not possible, the criteria used to determine that period;

  5. the existence of the right to rectification or erasure of your personal data, a right to restriction of processing by the controller, or a right to object to such processing;

  6. the existence of a right to lodge a complaint with a supervisory authority.

You also have the right to request information as to whether your personal data is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with such transfer.

To exercise your right of access free of charge, please contact us using the contact details provided in our legal notice (see Section I).

2. Right to rectification

You have the right to obtain from the controller the rectification and/or completion of inaccurate or incomplete personal data concerning you without undue delay.

3. Right to restriction of processing

You may request the restriction of processing of your personal data under the following conditions:

  1. if you contest the accuracy of your personal data for a period enabling the controller to verify its accuracy;

  2. if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

  3. if the controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims; or

  4. if you have objected to processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.

Where processing has been restricted, such data may—apart from storage—only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If the restriction of processing is lifted, you will be informed by the controller beforehand.

4. Right to erasure

a) Obligation to erase

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller is obliged to erase such data immediately where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  2. you withdraw your consent on which the processing is based pursuant to Art. 6(1)(a) GDPR and there is no other legal ground for the processing;

  3. you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object pursuant to Art. 21(2) GDPR;

  4. the personal data have been unlawfully processed;

  5. the erasure is required for compliance with a legal obligation under Union or Member State law to which the controller is subject;

  6. the personal data have been collected in relation to the offer of information society services pursuant to Art. 8(1) GDPR.

b) Information to third parties

Where the controller has made your personal data public and is obliged pursuant to Art. 17(1) GDPR to erase it, the controller shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that you have requested the erasure of any links to, or copies or replications of, those personal data.

c) Exceptions

The right to erasure does not apply where processing is necessary:

  1. for exercising the right of freedom of expression and information;

  2. for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority;

  3. for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;

  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

  5. for the establishment, exercise, or defense of legal claims.

d) Withdrawal of consent

You have the right to withdraw your consent under data protection law at any time. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

5. Right to notification

If you have exercised your right to rectification, erasure, or restriction of processing, the controller is obliged to communicate such rectification, erasure, or restriction to all recipients to whom your personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed about those recipients.

6. Right to data portability

You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller without hindrance, where:

  1. the processing is based on consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR; and

  2. the processing is carried out by automated means.

In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.

This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

7. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.

The controller shall no longer process your personal data unless it demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to such processing, including profiling related to direct marketing. If you object, your personal data will no longer be processed for these purposes.

You may exercise this right by automated means using technical specifications, notwithstanding Directive 2002/58/EC.

8. Right to withdraw consent

You have the right to withdraw your consent under data protection law at any time. The withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

This does not apply if the decision:

  1. is necessary for entering into, or performance of, a contract between you and the controller;

  2. is authorized by Union or Member State law and includes suitable safeguards; or

  3. is based on your explicit consent.

Such decisions shall not be based on special categories of personal data pursuant to Art. 9(1) GDPR unless Art. 9(2)(a) or (g) applies and appropriate safeguards are in place.

In such cases, the controller shall implement suitable measures to safeguard your rights and freedoms, including at least the right to obtain human intervention, to express your point of view, and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority shall inform you of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

IX. Automated decision-making and profiling

We do not use automated decision-making or profiling.

X. Links to other websites

This privacy policy applies only to MAMS. External links are governed by third-party policies.

XI. Security

We implement appropriate technical and organizational measures. Data transmission is encrypted via SSL/TLS.

XII. Availability and changes

This privacy policy is valid as of April 2026.

It may be updated at any time. The current version is available at: https://manda.co/privacy-policy