Privacy Policy
Last updated: March 2026
Introduction
Data protection is of particular importance to Marsstein GmbH (hereinafter: "We", "Us").
With the following information, we provide you with an overview of the processing of your personal data on our website https://www.marsstein.ai/ (hereinafter "Website") as well as in connection with the use of our AI-powered compliance automation platform (hereinafter "Platform").
We also want to inform you about your rights under data protection law. The processing of your personal data by us is always carried out in accordance with the General Data Protection Regulation (hereinafter "GDPR") and all applicable national data protection provisions, in particular the German Federal Data Protection Act (BDSG) and the German Telecommunications and Digital Services Data Protection Act (TDDDG).
1. Controller
The controller within the meaning of the GDPR is:
Marsstein GmbH
Bücklestraße 3
78467 Konstanz, Germany
Managing Director: Zhihu Chen
Commercial Register: Amtsgericht Freiburg, HRB 734736
VAT ID: DE459902246
Email: info@marsstein.ai
Phone: +49 176 70560292
You can contact us directly with any questions or suggestions regarding data protection and to exercise your rights.
2. Definitions
This privacy policy is based on the terminology of the GDPR. For simplification, we explain the most important terms:
• Personal data: Any information relating to an identified or identifiable natural person (e.g., name, email address, IP address).
• Processing: Any operation in connection with personal data, such as collection, storage, use, transmission, or deletion.
• Controller: The natural or legal person that determines the purposes and means of processing personal data.
• Processor: A natural or legal person that processes personal data on behalf of the controller (e.g., hosting providers, email services).
• Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes.
3. Origin of Personal Data
We may receive personal data in the following ways:
• Information provided by you: You have the ability to provide information about yourself on our website and platform (e.g., during registration, in contact inquiries, or in the course of compliance processing).
• Automatically collected data: Through the use of our website and platform, technical data is automatically collected and generated (e.g., server log files, session data).
• Data received from third parties: When you sign in via Google or Apple, we receive profile data (name, email address, and possibly profile picture) from the respective provider.
4. General Information on Data Processing
Below we provide you with an overview of the personal data we process, for what purposes, and on what legal basis.
Providing your personal data is always voluntary. However, certain functionalities may only be available if you provide your data (e.g., registration, contact form).
The processing of your personal data may be based on the following legal grounds:
• Art. 6(1)(a) GDPR (Consent): Where we obtain your consent for specific processing.
• Art. 6(1)(b) GDPR (Contract performance): Where processing is necessary for the performance of a contract or for pre-contractual measures.
• Art. 6(1)(c) GDPR (Legal obligation): Where we are subject to a legal obligation requiring processing.
• Art. 6(1)(f) GDPR (Legitimate interests): Where processing is necessary for our legitimate interests, provided your interests, fundamental rights, and freedoms do not override them.
5. Server Log Files
When you visit our website, we collect technically necessary data via server log files that are automatically transmitted to our server:
• Browser type and version
• Operating system used
• Referrer URL (previously visited website)
• Hostname of the accessing computer
• Date and time of the server request
• IP address
Temporary storage of this data is necessary for the duration of a website visit in order to deliver the website to you. This processing is technically required to ensure the functionality of the website and the security of our information technology systems.
The legal basis for processing is Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the provision, security, and stability of our website.
Log files are stored for security purposes (e.g., to investigate abuse or fraud) for a maximum of 7 days and then deleted.
For the provision of our website, we use the hosting infrastructure of Railway Corporation, 1 Ferry Building Suite 200, San Francisco, CA 94111, USA. Data may be processed on servers located within the European Union. Where a transfer to the USA takes place, this is done on the basis of Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
6. Cookies
We use only technically necessary cookies on our website and platform. Cookies are small text files that our server sets and your browser stores on your device.
The following cookies are set:
• Session cookies (authentication): When logging into our platform, HTTP-only cookies for session management are set (access token, refresh token). These cookies are technically necessary to identify you as a logged-in user and to ensure the security of your session. The cookies are deleted when the session or token expires.
• Invitation cookie: When registering via an invitation link, a temporary cookie is set to ensure your association with the inviting organization.
We do not use analytical cookies, marketing cookies, or tracking cookies. Next.js telemetry is disabled.
The legal basis for the use of necessary cookies is Art. 6(1)(f) GDPR. Our legitimate interest lies in the technically flawless provision of our platform. For contractual partners using contractually owed services via our platform, the legal basis is Art. 6(1)(b) GDPR.
7. Registration and User Account
To use our platform, creating a user account is required. We process the following personal data:
• Email address
• Name (optional)
• Profile picture (optional, when signing in via Google or Apple)
• Organization membership
• Time of registration
• Time of consent to privacy policy and terms of service
• Marketing consent (if given)
Registration is available via passwordless login code (OTP via email), Google OAuth, or Apple Sign-In.
When signing in via Google OAuth, your name, email address, and possibly your profile picture are transmitted from Google to us. When signing in via Apple Sign-In, your email address (possibly a private relay address generated by Apple if you choose to hide your email address) and possibly your name are transmitted.
The legal basis for processing is Art. 6(1)(b) GDPR (contract performance). Your account data is stored for the duration of the contractual relationship. After you delete your account, it is removed within 30 days: the email address is anonymized and the name removed.
In the course of platform use, the following data is also processed:
• Chat messages with the AI assistant
• Document content and comments
• Compliance questionnaire responses (e.g., company information, processing activities, technical and organizational measures)
• Task and risk assignments
• Uploaded files (PDF, DOCX, images, Excel)
• Electronic signatures for document approvals
• Audit logs (user ID, action, IP address, user agent)
8. AI-Powered Data Processing
Our platform uses artificial intelligence (AI) to assist with compliance tasks. In this context, personal data is transmitted to the AI service provider Google LLC (Google Gemini API).
As part of AI-powered processing, the following data may be transmitted to Google:
• Chat messages and queries you send to the AI assistant
• Compliance questionnaire responses (company information such as name, industry, number of employees, processing activities)
• Content of uploaded documents (to the extent you make them available to the AI assistant)
• Document values and content needed for text generation
The transmission takes place exclusively for the purpose of providing AI-powered compliance features. Google processes the data in accordance with Google Cloud terms of use and does not use data submitted via the Gemini API to train its own models.
The legal basis for processing is Art. 6(1)(b) GDPR (contract performance), as AI-powered compliance support is an essential part of our contractually owed service.
Third-country transfer: Personal data may be transferred to Google LLC in the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework. In addition, we have agreed Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR with Google.
Important: Please do not enter special categories of personal data within the meaning of Art. 9 GDPR (e.g., health data, religious beliefs) in your queries to the AI assistant unless this is strictly necessary for your compliance documentation.
Additionally, the following AI components are operated locally without data being transmitted to external services:
• Text vectorization (embedding models) for semantic search in your documents
• Full-text search in the knowledge base
9. Contact via Email
When you contact us via email, your inquiry including all resulting personal data (name, email address, content of inquiry) is stored and processed for the purpose of handling your request.
The processing of this data is based on Art. 6(1)(b) GDPR, insofar as your inquiry is related to the performance of a contract or is necessary for pre-contractual measures. In all other cases, the processing is based on our legitimate interest in effectively handling inquiries directed to us (Art. 6(1)(f) GDPR).
The data you send to us will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage ceases to apply. Mandatory legal provisions — in particular statutory retention periods — remain unaffected.
10. Transactional Emails
For sending transactional emails (e.g., invitations, approval requests, notifications about document comments), we use the external service Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA.
The following data is processed:
• Recipient's email address
• Recipient's name
• Subject and content of the email (e.g., invitation links, document titles)
• Time of sending
Email sending serves communication with our users in the context of platform use, in particular for organization invitations, document approval notifications, and comment notifications.
The legal basis for email sending is Art. 6(1)(b) GDPR (contract performance). We have concluded a Data Processing Agreement (DPA) with Resend. Personal data may be transferred to the USA. Resend commits to appropriate data protection standards on the basis of Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
For sending login codes (OTP), we also use the SMTP service of Twilio SendGrid, Inc., 1801 California Street Suite 500, Denver, CO 80202, USA. Only your email address and the login code are transmitted. Twilio is certified under the EU-U.S. Data Privacy Framework.
11. Customer and Contract Data
We process personal data that we receive from you in the context of our business relationship. In the context of contract initiation or performance, we process the following personal data:
• Master data (e.g., first and last name, address)
• Contact data (e.g., email address, phone number)
• Organization data (e.g., company name, industry, website)
• Billing and payment data
We use the collected data to conclude and perform our contracts with customers, in particular in connection with providing our platform as Software-as-a-Service (SaaS).
The legal basis is Art. 6(1)(b) GDPR (contract performance and pre-contractual measures).
We delete your personal data as soon as it is no longer necessary for the purpose for which it was collected and no statutory retention obligations prevent deletion (e.g., commercial and tax law retention periods of up to 10 years pursuant to §§ 147 AO, 257 HGB).
12. Third-Party Services
In the course of our data processing, we use the following third-party providers:
a) Hosting and Infrastructure
Railway Corporation, 1 Ferry Building Suite 200, San Francisco, CA 94111, USA. Railway provides the hosting infrastructure for our platform. Technical data (IP address, access data) is processed. Legal basis: Art. 6(1)(f) GDPR. Third-country transfer: Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
b) Authentication (SuperTokens)
We operate SuperTokens as a self-hosted authentication service within our infrastructure. No data is transmitted to third parties. SuperTokens manages your session cookies and login data exclusively on our own servers.
c) AI Service (Google Gemini API)
Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. Details on AI-powered data processing can be found in Section 8 of this privacy policy.
d) Authorization Management (Permit.io)
Permit.io, Inc. We use Permit.io for role-based access control in our platform. User IDs, organization IDs, and role assignments are transmitted. Legal basis: Art. 6(1)(b) GDPR (contract performance). We have concluded a Data Processing Agreement.
e) Email Delivery (Resend / SendGrid)
Details on email delivery can be found in Section 10 of this privacy policy.
f) Fonts (Google Fonts)
Our website uses fonts from Google LLC via the Google Fonts service. When loading fonts, your IP address is transmitted to Google. Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in a consistent visual presentation of our website. Google is certified under the EU-U.S. Data Privacy Framework.
g) Web Research (SearXNG / Tavily)
For automated web research as part of AI-powered company enrichment, we operate SearXNG as a self-hosted meta search engine within our infrastructure. SearXNG routes search queries to public search engines (e.g., Google, DuckDuckGo). Only publicly available company information (e.g., company name, website) is used as search terms — no personal data of users. As a fallback service, we use Tavily, Inc., USA. Only public company information is transmitted in this case as well. Legal basis: Art. 6(1)(b) GDPR (contract performance).
We have concluded appropriate Data Processing Agreements (DPAs) with all processors to ensure that your personal data is processed only according to our instructions and in compliance with the GDPR.
13. Transfers to Third Countries
Where we transfer personal data to recipients outside the EU or EEA, we ensure compliance with Art. 44 et seq. GDPR. This means that we verify how an adequate level of protection can be ensured before any transfer.
An adequate level of protection can be ensured by:
• An adequacy decision by the European Commission (e.g., the EU-U.S. Data Privacy Framework pursuant to Art. 45(3) GDPR)
• Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR
• Other safeguards regulated in Art. 46 et seq. GDPR
The following services transfer data to the USA:
• Google LLC (Gemini API, Google Fonts) — Certified under the EU-U.S. Data Privacy Framework
• Resend, Inc. (email delivery) — Standard Contractual Clauses
• Twilio SendGrid, Inc. (SMTP) — Certified under the EU-U.S. Data Privacy Framework
• Railway Corporation (hosting) — Standard Contractual Clauses
• Permit.io, Inc. (authorization management) — Data Processing Agreement
• Tavily, Inc. (web research, fallback) — Data Processing Agreement
Note: The USA is considered a country with a level of data protection that may not be equivalent to EU standards. There is a risk that US authorities may access personal data. We have put in place the aforementioned safeguards to ensure an adequate level of protection. You may request a copy of the agreed safeguards from us.
14. Data Security
We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect your personal data:
• Encryption of data in transit using TLS 1.3
• Encryption of data at rest using AES-256
• Strict tenant isolation (multi-tenancy) between customer organizations
• Role-based access controls with fine-grained permission management
• Tamper-evident audit logs (hash-chained, so that subsequent modification or deletion of entries is detectable) for traceability
• Regular security audits
• Separate databases per service (authentication, document management, AI agent)
15. Data Retention and Deletion
The personal data we process is deleted in accordance with legal requirements as soon as consent is revoked or other legal permissions cease to apply.
The following retention periods apply:
• Account data: Deletion within 30 days of account termination. The email address is anonymized, the name removed, and the account is deleted from the authentication service and authorization management.
• Server log files: Deletion after a maximum of 7 days.
• Audit logs: Retention according to configurable retention period (default: 7 years) to comply with commercial and tax law obligations.
• Chat histories and documents: Deletion upon account deletion, unless statutory retention obligations prevent this.
• Commercial and tax law data: Retention for up to 10 years pursuant to §§ 147 AO, 257 HGB.
Where personal data cannot be deleted because it is required for other legally permissible purposes, processing is restricted to those purposes.
You can at any time request the deletion of your account and request an export of your stored data in machine-readable format (JSON) via the platform.
16. Your Rights
Under the GDPR, you have the following rights:
• Right of access (Art. 15 GDPR): You have the right to request information about your personal data stored by us. Our platform offers a data export function that allows you to retrieve your data at any time.
• Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate or the completion of incomplete personal data.
• Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data. You can request the deletion of your account at any time via the platform.
• Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of processing of your personal data.
• Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Our platform offers a JSON export function.
• Right to object (Art. 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6(1)(f) GDPR.
• Right to withdraw consent (Art. 7(3) GDPR): You have the right to withdraw any consent given at any time. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
To exercise your rights, contact us at info@marsstein.ai.
You also have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
https://www.baden-wuerttemberg.datenschutz.de
17. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our data processing practices or legal requirements. Changes will be published on this page with an updated date. For significant changes, we will notify you via email or through our platform.
We recommend that you review this privacy policy regularly.