PRIVACY POLICY
1. INTRODUCTION AND SCOPE OF THIS PRIVACY POLICY
1.1 Purpose of This Privacy Policy
This Privacy Policy (“Privacy Policy”) describes how MauTech, operated by Mauseth Technologies ENK, Org. No. 925392243 (“MauTech,” “we,” “us,” or “our”), collects, uses, discloses, transfers, and otherwise Processes Personal Data in connection with:
our websites, landing pages, and funnels, including but not limited to pages under the mautech.co domain and subdomains (the “Website”);
our software-as-a-service products and platforms, including:
Axel AI (conversational AI agent);
MauTech Voice Assistant (AI voice receptionist);
MauTech Growth System (automation, CRM, review system, and websites/funnels);
any related dashboards, integrations, APIs, and back-end tools (collectively, the “Services”); and
any related communications, support interactions, and business operations.
This Privacy Policy is intended to provide legally required notices and disclosures under applicable privacy and data protection laws and to clarify, with maximum specificity, the respective responsibilities of:
Clients (our business customers), and
MauTech (as a SaaS provider, Data Processor, and Service Provider).
This Privacy Policy is not intended to provide legal advice to Client or to any End User.
1.2 Relationship to Other Legal Documents
This Privacy Policy forms part of, and is incorporated by reference into, our:
Terms of Service (“TOS”); and
Data Processing Addendum (“DPA”), where applicable.
In the event of conflict:
The DPA governs the Processing of Personal Data solely in the context of MauTech acting as a Data Processor/Service Provider on behalf of Client.
This Privacy Policy governs MauTech’s Processing of Personal Data where MauTech acts as a Data Controller for its own business purposes or where required by Applicable Privacy Laws.
The TOS governs the commercial and contractual relationship between MauTech and Client.
Nothing in this Privacy Policy shall be construed to expand MauTech’s obligations beyond those explicitly stated herein, in the TOS, or in the DPA.
1.3 Material Scope of This Privacy Policy
This Privacy Policy applies to Personal Data that MauTech Processes in the following contexts:
Client Data (B2B Contacts)
Contact details of Client representatives (e.g., name, business email, business phone, role, company information) in connection with sales, onboarding, and support.
End User Data (Client’s Customers and Leads)
Personal Data of individuals who interact with the Services through:
webchat powered by Axel AI;
SMS conversations;
voice calls handled by MauTech Voice Assistant;
web forms, “free estimate” forms, lead capture forms, and booking forms;
review request flows and feedback forms.
Website Visitors
Personal Data collected from individuals who visit our Website, such as device identifiers, IP addresses, and cookie-related data, subject to cookie and tracking disclosures provided separately (see future DEL 3).
Billing and Transactional Data
Personal Data related to billing and payments where necessary to process subscription Fees, using third-party payment providers (e.g., Stripe).
Technical and Usage Data
Log files, system events, communication metadata, and Usage Data generated in connection with the operation, security, and improvement of the Services.
1.4 Geographic and Jurisdictional Scope
This Privacy Policy is designed to be compatible with, and provide mandated disclosures under, the following privacy regimes (collectively, “Applicable Privacy Laws”):
EU General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”);
UK GDPR and the UK Data Protection Act 2018;
California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA);
Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada;
Australian Privacy Act 1988 and the Australian Privacy Principles (“APPs”); and
other substantially similar global privacy frameworks to the extent applicable.
MauTech provides Services globally and Processes Personal Data in:
Norway;
the United States; and
other jurisdictions where our Sub-Processors or infrastructure providers operate, as detailed in our DPA and subsequent sections of this Privacy Policy.
1.5 No Consumer-Facing Contract; B2B Focus
The Services are marketed and provided exclusively to business Clients, not to individual consumers acting in a purely personal, family, or household capacity.
When we Process Personal Data about End Users (the customers of our Clients), we do so on behalf of Client, under Client’s instructions and as described in the DPA.
The contractual relationship exists only between MauTech and the Client (the business). End Users are not contracting parties to the TOS or the DPA.
Nothing in this Privacy Policy creates any:
third-party beneficiary rights,
direct contractual relationship, or
independent obligations
between MauTech and End Users beyond what Applicable Privacy Laws require.
2. IDENTITY AND CONTACT DETAILS OF MAUTECH
2.1 Data Controller Identity (for MauTech’s Own Processing)
For Processing where MauTech determines the purposes and means (for example, Client billing, Website analytics, internal business operations, and certain marketing activities), MauTech acts as a Data Controller or equivalent under Applicable Privacy Laws.
Legal entity:
Company Brand: MauTech
Legal Entity: Mauseth Technologies ENK
Org. No: 925392243
Registered Address: Solbakken 32D, 6429 Molde, Norway
2.2 Processor / Service Provider Role (for Client Data)
For Processing that MauTech performs on behalf of a Client—for example, handling End User chat, SMS, voice calls, review flows, and bookings via the Services—MauTech acts as:
a Data Processor under GDPR and UK GDPR;
a Service Provider or Contractor under CCPA/CPRA; and
a similar “processor-type” role under other privacy regimes.
In these cases:
Client is solely responsible for determining the purposes and means of Processing;
MauTech Processes Personal Data strictly in accordance with Client’s documented instructions as set forth in the DPA and the TOS.
2.3 Contact Details for Privacy Matters
For any questions, requests, or concerns about this Privacy Policy or our data protection practices, you may contact us at:
Support Email: [email protected]
Legal/Privacy Email: [email protected]
Where required by law, MauTech may designate a Data Protection Officer (DPO) or equivalent; if so, relevant information will be made available in the final section of the full Privacy Policy (see future DEL 6).
3. KEY ROLES AND RESPONSIBILITY ALLOCATION
3.1 Client as Data Controller / “Business”
For Personal Data relating to End Users (Client’s own customers, leads, and contacts), Client is:
the Data Controller under GDPR / UK GDPR; and
the Business under CCPA/CPRA.
This means Client is solely responsible for:
Determining which Personal Data is collected from End Users;
Determining how that data is used, for what purposes, and on what legal basis;
Providing all required privacy notices to End Users;
Obtaining all required consents (e.g., for SMS, email, voice calls, recording, profiling, and marketing);
Handling and responding to Data Subject / consumer rights requests from End Users;
Configuring the Services (prompts, automations, workflows, message templates) in a lawful manner;
Ensuring that any use of AI Output is appropriate, accurate, and compliant;
Ensuring compliance with telemarketing, spam, and electronic communications laws;
Ensuring that any Personal Data submitted into the Services is lawful, relevant, and not excessive.
MauTech does not provide legal advice to Client on compliance strategy or obligations under privacy, consumer protection, or telemarketing laws.
3.2 MauTech as Data Processor / Service Provider
Where MauTech Processes Personal Data on behalf of Client in connection with the provision of the Services, MauTech:
acts solely on documented instructions from Client (as laid out in the DPA, TOS, and system configuration);
implements appropriate technical and organizational security measures as described in the DPA and subsequent sections of this Privacy Policy;
does not determine the purposes or essential means of Processing End User Personal Data;
does not “sell” or “share” Personal Information as those terms are defined under CCPA/CPRA;
does not use End User Personal Data for its own independent marketing or cross-context behavioral advertising.
Client acknowledges and agrees that any AI Output or communication generated by the Services toward End Users is treated as Client’s own communication, generated under Client’s instructions and control.
3.3 MauTech as Independent Controller
MauTech acts as an independent Data Controller (or equivalent) with respect to:
Contact details of Client representatives for contract administration, support, and billing;
Usage Data, logs, and diagnostic data used for security, fraud prevention, abuse detection, and service improvement;
Aggregated and anonymized analytics;
Internal business operations necessary to run MauTech (accounting, invoicing, legal compliance, dispute handling).
In these contexts, we determine the purposes and means of Processing and process Personal Data on the legal bases described in Section 4 below.
3.4 No Joint Controllership
Client and MauTech expressly agree that:
They are not joint controllers under GDPR/UK GDPR;
Each party determines its own independent purposes and means of Processing where it acts as a Controller;
Each party is independently responsible for its own compliance obligations under Applicable Privacy Laws.
4. APPLICABLE PRIVACY FRAMEWORKS AND NO-LEGAL-ADVICE DISCLAIMER
4.1 Global Regulatory Alignment
This Privacy Policy is drafted to align with the core requirements of:
GDPR and UK GDPR (including principles of lawfulness, fairness, transparency, data minimization, purpose limitation, storage limitation, integrity, and confidentiality);
CCPA/CPRA for California residents;
PIPEDA for Canadian data subjects;
Australian Privacy Act and APPs for Australian individuals;
analogous frameworks in other jurisdictions where the Services may be used.
However, Client remains fully responsible for:
determining which laws apply to its use of the Services;
implementing necessary local notices, consents, and internal policies;
complying with sector-specific regulation (e.g., healthcare, finance, legal, automotive safety).
4.2 No Legal Advice; Client’s Own Counsel
Nothing in this Privacy Policy, the TOS, or the DPA:
constitutes legal advice;
creates a solicitor-client or attorney-client relationship;
substitutes for consultation with appropriately qualified counsel.
Client must obtain its own legal advice regarding:
marketing practices;
telemarketing and TCPA compliance;
GDPR/CCPA/other privacy law compliance;
AI usage, profiling, and automated decision-making in its specific industry;
retention, deletion, and record-keeping practices.
MauTech is not responsible for Client’s legal strategy or risk assessment.
5. LEGAL BASES FOR PROCESSING (GDPR / UK GDPR CONTEXT)
Where GDPR or UK GDPR applies, MauTech relies on one or more of the following legal bases when acting as a Controller for its own Processing:
5.1 Performance of a Contract (Article 6(1)(b) GDPR)
We Process Personal Data where necessary to:
enter into, perform, and administer the contractual relationship with Client;
provide, maintain, and support the Services;
manage user accounts, credentials, and access rights;
handle billing, subscription management, and payment processing;
respond to support requests and technical issues.
5.2 Legitimate Interests (Article 6(1)(f) GDPR)
We Process Personal Data based on our legitimate interests, provided such interests are not overridden by the rights and freedoms of data subjects, including:
maintaining and improving the security, stability, and performance of the Services;
preventing fraud, abuse, misuse, and unauthorized access;
logging, monitoring, and auditing system events;
improving and optimizing the Services (e.g., aggregate analytics, product development);
internal business operations such as planning, reporting, and governance;
enforcing our TOS, DPA, and other legal rights.
Where required, we perform a legitimate interest assessment (LIA) to weigh our interests against data subjects’ rights.
5.3 Consent (Article 6(1)(a) GDPR)
In limited circumstances, we may rely on consent, for example:
for specific categories of cookies or tracking technologies (as required by local law);
for certain optional marketing communications to Clients or prospects (e.g., newsletters).
Where we rely on consent:
consent must be freely given, specific, informed, and unambiguous;
individuals may withdraw consent at any time, without affecting the lawfulness of Processing before withdrawal.
For End Users, Client is responsible for obtaining any required consent for its use of the Services and for its instructions to MauTech. MauTech relies on Client’s representation that valid consent has been obtained where Client indicates that consent is the relevant basis.
5.4 Legal Obligations (Article 6(1)(c) GDPR)
We Process Personal Data where necessary to comply with legal obligations, including but not limited to:
tax and accounting obligations;
responding to lawful requests from law enforcement or regulatory authorities;
complying with applicable sanctions, anti-money laundering, or fraud prevention requirements.
5.5 Vital Interests and Other Bases (Article 6(1)(d) and (e) GDPR)
In rare, exceptional circumstances, we may Process Personal Data to:
protect the vital interests of an individual (e.g., substantial and imminent risk of serious harm), or
perform a task carried out in the public interest, where such obligations apply.
This is not part of the normal scope of our Services but is included here for completeness.
6. CATEGORIES OF DATA SUBJECTS COVERED BY THIS POLICY
For clarity and to avoid any ambiguity, this Privacy Policy applies to the Processing of Personal Data relating to the following categories of individuals:
Client Representatives
employees, owners, officers, or agents of Client with whom MauTech interacts in the context of the business relationship.
End Users (Client’s Customers, Leads, and Contacts)
individuals who communicate with or are communicated to via the Services (chat, SMS, voice, email, forms, review flows) under Client’s control.
Website Visitors
any person visiting or interacting with the MauTech Website, subject to cookie and tracking notices.
Prospective Clients / Business Leads
individuals representing potential business customers contacted by MauTech in a B2B context.
This Privacy Policy does not apply to:
data relating solely to legal entities (company registration numbers, corporate financial data), except where combined with Personal Data;
anonymized or aggregated data that no longer identifies any individual.
MAUTECH PRIVACY POLICY
DEL 2 – DATA CATEGORIES, COLLECTION METHODS, AND PURPOSES OF PROCESSING
This Section of the Privacy Policy (“Section 2”) describes, in a detailed and exhaustive manner, the categories of Personal Data and other information that MauTech processes, the methods by which such data is collected, and the purposes for which such processing occurs.
For the avoidance of doubt, this Section 2 shall be interpreted in conjunction with DEL 1 – Scope, Roles, Legal Basis & Core Definitions, and all capitalized terms used herein shall have the meanings assigned to them in that section.
Nothing in this Section 2 shall be construed as creating any rights or obligations beyond those expressly set out in the applicable Data Processing Addendum (DPA), Terms of Service (TOS), and this Privacy Policy.
ARTICLE 2. OVERVIEW OF DATA PROCESSING
2.1 General Overview
MauTech processes Personal Data and other information in the context of:
Providing AI-based and automation-based Services (including Axel AI, MauTech Voice Assistant, MauTech Growth System, review management, CRM, and related tools) to Clients;
Processing data relating to End Users on behalf of Clients, in accordance with Client’s documented instructions;
Operating, securing, maintaining, and improving MauTech’s own websites, systems, and infrastructure;
Fulfilling legal obligations (including tax, accounting, and regulatory requirements).
As between the Parties, Client is the Data Controller / Business, and MauTech is the Data Processor / Service Provider with respect to End User data processed through the Services, except where MauTech acts as an independent Controller for limited purposes (e.g., billing, anti-fraud, and compliance as described in this Privacy Policy).
2.2 High-Level Categories of Personal Data
Without limitation, MauTech may process the following categories of data:
Identifiers and Contact Information;
Business and Account Information;
Communication Content and Interaction Data (SMS, chat, voice metadata);
Technical, Device, and Usage Data;
CRM, Profile, and Relationship Data;
Billing and Payment-Related Data;
AI Interaction, Automation, and Log Data;
Support, Feedback, and Correspondence Data;
Regulatory and Compliance-Related Data;
Aggregated, De-Identified, and Pseudonymized Data.
Detailed descriptions follow below.
ARTICLE 3. CATEGORIES OF PERSONAL DATA PROCESSED
3.1 Identifiers and Basic Contact Information
MauTech may process, for Clients and End Users:
Full name;
Email address;
Mobile and/or landline telephone number;
Username or user ID;
Company name;
Role or job title;
Country, state, city, or other location information as provided.
Primary sources:
Directly from Client;
Directly from End Users via forms, chat, SMS, or calls;
Via integrations configured by Client (e.g., CRM imports, GHL forms).
3.2 Business and Account Information
MauTech may process information relating to Client’s business and account configuration, including:
Company legal name and registration details;
Business address;
Industry / vertical (e.g., auto repair, solar, plumbing, etc.);
Subscription plan, tier, and modules enabled;
Account status (active, suspended, terminated);
Onboarding forms and internal notes regarding implementation;
User roles and permissions for Authorized Users.
3.3 Communication Content and Interaction Data
In the course of providing the Services, MauTech may process:
SMS and text message content, including inbound and outbound messages;
Chat conversations and transcripts from webchat widgets or embedded chat components;
Voice call metadata, including caller ID, phone numbers, call duration, time stamps, and routing information;
Call audio (where Client enables call recording) and associated transcriptions;
Voicemail content and any AI-generated call summaries;
Webform submissions and booking request details.
MauTech processes this data on behalf of Client to enable Axel AI, MauTech Voice Assistant, and related automation workflows.
3.4 Technical, Device, and Usage Data
MauTech may automatically collect and process:
IP address;
Device type, operating system, and browser type;
Language settings and time zone;
Referring URLs and pages visited;
Session identifiers and login timestamps;
Clickstream data within MauTech interfaces;
Log files, error logs, and diagnostic information;
Metadata related to delivery status of messages (SMS/email), call connection status, and API responses.
This includes both data from:
Website visitors (e.g., mautech.co and associated domains);
Users logged into MauTech-hosted dashboards or portals.
3.5 CRM, Profile, and Relationship Data
MauTech’s underlying CRM and automation platform may maintain and process:
Lead and contact records created by Client;
Appointment history and booking details;
Tags, segments, and pipeline stages;
Notes added by Client or its Authorized Users about End Users;
Communication history (messages sent, received, opened, replied, etc.);
Outcome data, such as whether a lead converted, responded, or unsubscribed.
All such data is considered Client Content and is processed by MauTech under the Client’s instructions.
3.6 Billing and Payment-Related Data
For billing and subscription management, MauTech (and/or its payment provider, such as Stripe) may process:
Client billing contact details;
Partial payment card information (tokenized by the payment processor);
Billing address;
Subscription plan and charges;
Payment history, invoices, refunds (if any), and chargebacks;
Tax-related identifiers or data required to issue legally compliant invoices.
MauTech does not store full card numbers; such details are handled by third-party payment processors under their own terms and security certifications.
3.7 AI Interaction, Automation, and Log Data
To operate Axel AI and MauTech Voice Assistant, MauTech may process:
Prompts and input text from End Users or Client;
Conversation flow configurations and prompt templates defined by Client;
AI-generated responses, suggestions, and decision outputs;
AI error logs and model interaction logs;
Internal scoring, classification, or intent-detection outputs;
Metadata describing which automated workflows were triggered, and why.
Where third-party LLMs (e.g., OpenAI) are used, such providers may receive those prompts and outputs as processors or sub-processors under a separate data processing framework.
3.8 Support, Feedback, and Correspondence Data
When Client or an End User contacts MauTech (e.g., via email, ticketing, or other channels), MauTech may process:
Identity and contact details;
Content of the inquiry or complaint;
Attachments, screenshots, and logs voluntarily provided;
Internal notes regarding incident handling;
Feedback regarding functionality, performance, or improvement requests.
MauTech may also process “Feedback” (as defined in the TOS) as non-confidential and use it to improve the Services.
3.9 Regulatory, Compliance, and Legal Data
MauTech may process limited personal information as necessary to:
Detect, investigate, or prevent fraud, abuse, or security incidents;
Respond to valid legal requests (e.g., subpoenas, court orders);
Maintain records necessary for tax, accounting, or regulatory compliance;
Enforce contractual rights under the TOS and DPA (e.g., logs related to misuse).
Such processing is carried out under legal obligation or legitimate interests, as applicable.
3.10 Aggregated, De-Identified, and Pseudonymized Data
MauTech may generate and process:
Aggregated statistics (e.g., total message volume, funnel conversion rates);
De-identified or pseudonymized usage metrics;
Performance statistics across Clients, provided no individual or specific Client is identifiable.
To the extent such data is not reasonably capable of identifying an individual or Client, it is not considered Personal Data under applicable law and may be used by MauTech for legitimate business purposes such as:
Improving AI models and system performance;
Capacity planning;
Pricing and product strategy;
Security monitoring and system optimization.
ARTICLE 4. METHODS OF DATA COLLECTION
4.1 Direct Collection from Client
MauTech may receive Personal Data and other information directly from Client when Client:
Registers for an account or signs an Order Form;
Submits onboarding forms or configuration documents;
Uploads, imports, or syncs contact lists;
Configures workflows, prompts, and CRM fields;
Communicates with MauTech regarding support, billing, or account management.
Client is solely responsible for ensuring that any Personal Data provided to MauTech is:
Accurate and up to date;
Collected lawfully;
Provided with an adequate legal basis (e.g., contract, consent, legitimate interests).
4.2 Direct Collection from End Users (On Behalf of Client)
MauTech may receive Personal Data directly from End Users, including through:
Web forms embedded on Client websites hosted by or integrated with MauTech;
Chat widgets powered by Axel AI;
SMS messages exchanged with Client’s dedicated numbers;
Inbound voice calls handled by MauTech Voice Assistant;
Review request flows and feedback forms.
In these scenarios:
Client is the Data Controller / Business responsible for providing appropriate privacy notices and obtaining any consents required by law from End Users;
MauTech acts strictly as Data Processor / Service Provider, processing End User Personal Data only on documented instructions from Client.
4.3 Automated Collection (Cookies, Logs, and Similar Technologies)
MauTech may automatically collect certain technical and usage data using:
Cookies and similar tracking technologies;
Server logs and diagnostic tools;
Web beacons, pixels, or tags in emails and dashboards;
API and webhook logs.
The specific use of cookies and similar tracking technologies is described in Privacy Policy – DEL 3 (Cookies, Tracking, Analytics & Third-Party Sharing).
4.4 Collection via Third-Party Integrations and Sub-Processors
MauTech may receive Personal Data indirectly via third-party systems that Client integrates, such as:
GoHighLevel (GHL) sub-accounts;
Twilio (SMS/voice);
Mailgun (email);
Stripe (billing and payments);
Other integrated CRMs or communication providers, as configured by Client.
In such cases:
MauTech processes the received data according to Client’s configuration and instructions;
The third-party provider processes data under its own privacy policy and terms;
MauTech does not control and is not responsible for how such third parties independently process Personal Data outside of MauTech’s instructions.
ARTICLE 5. PURPOSES OF PROCESSING AND LEGAL BASES
5.1 Provision and Operation of the Services
Purpose:
To provide, operate, configure, and maintain the Services purchased or otherwise used by Client, including AI-driven messaging, voice assistant functionality, CRM workflows, and review management.
Data Used:
Identifiers, contact information, business/account data, communication content, AI logs, CRM data, technical data.
Legal Basis (GDPR/UK GDPR):
Article 6(1)(b) – Performance of a contract (where MauTech contracts directly with Client);
Article 6(1)(f) – Legitimate interests in operating a functional SaaS platform;
For End Users, MauTech processes data as Processor, relying on Client’s chosen legal basis.
5.2 Customer Support, Incident Handling, and Service Quality
Purpose:
To provide support to Client, troubleshoot issues, investigate bugs or failures, and ensure the quality and reliability of the Services.
Data Used:
Identifiers, usage data, logs, communication content, support tickets, AI logs.
Legal Basis:
Article 6(1)(b) – Performance of the contract with Client;
Article 6(1)(f) – Legitimate interests in maintaining and improving the Services.
Client remains responsible for not transmitting unnecessary or excessive Personal Data in support communications.
5.3 Communications with Client (Administrative and Transactional)
Purpose:
To send Client:
Service-related announcements;
Billing or payment communications;
Security or compliance notices;
Updates regarding material changes to the Services or legal terms.
Data Used:
Client contact details, account information, subscription details.
Legal Basis:
Article 6(1)(b) – Performance of the contract;
Article 6(1)(c) – Compliance with legal obligations;
Article 6(1)(f) – Legitimate interests in keeping Client informed of essential operational matters.
These communications are not marketing communications and cannot generally be opted out of while maintaining an active account.
5.4 Security, Abuse Prevention, and Fraud Detection
Purpose:
To protect the integrity and security of the Services, including:
Detecting abusive or fraudulent use;
Preventing spam, telephony abuse, or unlawful content;
Protecting against unauthorized access, attacks, or misuse;
Enforcing MauTech’s Terms of Service.
Data Used:
Technical data, logs, IP addresses, communication metadata, account behavior patterns.
Legal Basis:
Article 6(1)(f) – Legitimate interests in securing systems and preventing abuse;
Where required, Article 6(1)(c) – Compliance with security-related legal obligations.
5.5 Billing, Invoicing, and Financial Administration
Purpose:
To process payments, manage subscriptions, prevent fraudulent charges, maintain financial records, and comply with tax and accounting obligations.
Data Used:
Billing contact details, payment-related data (via Stripe), invoice details, transaction history.
Legal Basis:
Article 6(1)(b) – Performance of a contract;
Article 6(1)(c) – Compliance with legal and tax obligations;
Article 6(1)(f) – Legitimate interests in managing business operations and preventing fraud.
5.6 Service Improvement, Analytics, and Development
Purpose:
To analyze usage trends, measure performance, and improve or develop new features in the Services.
Data Used:
Technical and usage data, aggregated AI interactions, anonymized or pseudonymized metrics.
Where reasonably possible, such data is processed in an aggregated or de-identified form.
Legal Basis:
Article 6(1)(f) – Legitimate interests in improving and optimizing the Services.
MauTech does not use identifiable End User data for interest-based advertising or cross-context behavioral advertising.
5.7 Legal, Regulatory, and Compliance Purposes
Purpose:
To comply with applicable laws, regulations, court orders, administrative requests, or to defend legal claims.
Data Used:
Identifiers, billing records, communication logs, and any other data reasonably required to meet a legal obligation.
Legal Basis:
Article 6(1)(c) – Compliance with a legal obligation;
Article 6(1)(f) – Legitimate interests in protecting MauTech’s legal rights.
5.8 Marketing to Clients (Not to End Users)
MauTech may, in limited circumstances, process Client contact details to send information about:
New features or Services;
Upgrades or enhancements;
Webinars or educational content relevant to the Services.
Such processing is strictly B2B, directed at Clients or prospective Clients, and not targeted at End Users of Clients.
Legal Basis:
Article 6(1)(f) – Legitimate interests in promoting MauTech’s Services;
Where required, consent under applicable marketing rules (e.g., opt-in email lists).
Client remains solely responsible for its own marketing activities toward End Users.
ARTICLE 6. NO SALE OR “SHARING” OF PERSONAL DATA FOR ADVERTISING
6.1 No “Sale” of Personal Data
MauTech does not sell Personal Data as “sale” is defined under:
The California Consumer Privacy Act (CCPA), as amended by CPRA;
Other equivalent jurisdictions that regulate “sale” of personal information.
MauTech does not exchange Personal Data for monetary or other valuable consideration for third-party marketing.
6.2 No “Sharing” for Cross-Context Behavioral Advertising
MauTech does not “share” Personal Data for cross-context behavioral advertising as defined under CPRA and similar laws.
MauTech does not use End User Personal Data to build advertising profiles;
MauTech does not permit third parties to track End Users across non-MauTech websites for targeted advertising purposes.
Any data sharing with sub-processors (e.g., GHL, Twilio, Mailgun, OpenAI, Stripe, hosting providers) is strictly for the purpose of delivering the Services and is covered under appropriate contractual safeguards (e.g., DPA, SCCs).
6.3 Client Responsibility for Independent Advertising Activities
If Client chooses to:
Export data from MauTech to external advertising platforms;
Use integrations with advertising tools;
Upload contact lists to third-party platforms for ads;
then:
Client acts as an independent Controller / Business for those advertising activities;
Client bears full responsibility for ensuring lawful basis, consent, and compliance;
MauTech is not responsible for such downstream advertising uses and assumes no liability thereof.
MAUTECH PRIVACY POLICY
PART 3 – COOKIES, TRACKING, ANALYTICS AND THIRD-PARTY SHARING
This Part 3 forms an integral component of the MauTech Privacy Policy and must be read together with the other Parts of the Policy, the MauTech Terms of Service (“TOS”), and the MauTech Data Processing Addendum (“DPA”). Capitalized terms used but not defined in this Part 3 have the meanings given elsewhere in the Privacy Policy or in the TOS/DPA.
3.1 Overview
MauTech uses cookies, software development kits (“SDKs”), pixels, tags, tracking scripts, log files, and similar technologies (“Tracking Technologies”) on:
MauTech-controlled websites and landing pages (collectively, the “Sites”); and
the MauTech Services, including but not limited to Axel AI, MauTech Voice Assistant, MauTech Growth System, associated CRM and automation modules, and related interfaces (collectively, the “Services”).
These Tracking Technologies are used to:
operate and secure the Sites and Services;
enable core functionality such as authentication, session management, and processing of forms and chat;
perform analytics and usage measurement;
detect fraud and abuse;
support diagnostics, logging and debugging; and
provide and improve the Services.
This Part 3 explains:
The categories of Tracking Technologies MauTech uses;
The purposes for which they are used;
The third-party providers that may receive data through such technologies; and
The respective responsibilities of MauTech and the Client for cookies, pixels, and other tracking on Client-controlled properties.
3.2 Categories of Cookies and Similar Technologies
Subject to applicable law, MauTech may use the following categories of cookies and similar technologies on the Sites and within the Services:
Strictly Necessary Cookies
Required for the operation and security of the Sites and Services.
Examples include cookies used for session management, authentication, load balancing, and fraud prevention.
These cookies are generally set in response to actions made by you (e.g., logging in, submitting forms) and cannot be switched off in MauTech’s systems without impairing core functionality.
Functional / Preference Cookies
Used to remember choices you make, such as language preferences, user interface settings, or display options, and to provide enhanced, more personalized features.
If disabled, some or all personalization features may not function properly.
Analytics and Performance Cookies
Used to collect information about how visitors use the Sites and Services, such as pages visited, time spent, links clicked, error codes, and general usage patterns.
These cookies help MauTech understand and measure the performance of its Sites and Services, improve stability and user experience, and perform aggregated reporting.
Advertising / Remarketing Technologies (Present or Future)
MauTech may, now or in the future, deploy limited remarketing or audience measurement tools on MauTech-controlled marketing Sites (but not within Client’s own deployments of the Services by default).
Where used, such tools may rely on cookies, pixels, or similar mechanisms provided by third parties (e.g., advertising networks) to build audiences and measure marketing campaign performance.
MauTech does not sell Personal Information or share Personal Information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA).
Web Beacons, Pixels, SDKs, and Similar Technologies
Small graphic files or code snippets (e.g., tracking pixels, tags, JavaScript, SDKs embedded in apps or pages) that allow MauTech or its third-party providers to recognize a browser, device, email open, or specific interaction and to measure engagement or effectiveness.
Log Files and Device Identifiers
Server logs, IP addresses, device identifiers, user agent strings, timestamps, and related technical data, used for security, diagnostics, analytics, and forensic purposes.
3.3 First-Party Cookies on MauTech Sites
When you visit MauTech-controlled Sites (for example, marketing pages, documentation, demo pages operated directly by MauTech), MauTech may set first-party cookies that it controls. These first-party cookies are used to:
enable navigation and page rendering;
remember your session and authentication state if you log in;
process demo requests, contact forms, and other submissions;
perform security checks and prevent automated abuse;
measure traffic, engagement, and conversion on MauTech’s own Sites; and
support internal analytics and business intelligence.
Legal bases (for users in the EU/EEA/UK):
For strictly necessary cookies: legitimate interests (Art. 6(1)(f) GDPR) and/or performance of a contract (Art. 6(1)(b) GDPR).
For analytics or non-essential cookies: consent (Art. 6(1)(a) GDPR), where required by applicable law and obtained via a cookie banner or similar mechanism.
Where required, MauTech will provide a cookie banner or equivalent interface to obtain and record consent for non-essential cookies on its own Sites.
3.4 Analytics and Measurement Technologies
MauTech may use third-party analytics providers (such as, by way of example, Google Analytics or similar tools) to collect and analyze information about usage of the Sites and Services. These tools may collect information such as:
IP address;
browser type and version;
device type and operating system;
referring and exit pages;
time and date of visits;
approximate location (e.g., city/region based on IP);
clickstream and navigation paths;
error messages and performance metrics.
This information is generally used in aggregated or pseudonymized form to:
understand how the Sites and Services are used;
troubleshoot issues and improve performance;
plan capacity, scaling, and infrastructure;
evaluate features and user flows;
produce anonymized or aggregated statistics.
For EU/EEA/UK users, MauTech will, where required:
rely on consent for non-essential analytics cookies; and/or
configure analytics tools to use IP masking and other measures to limit identifiability, where appropriate.
You may be able to manage some analytics cookies through browser settings, third-party opt-out tools (e.g., analytics opt-out browser add-ons where offered by the provider), or through MauTech’s cookie banner where applicable. Disabling analytics cookies may impair MauTech’s ability to measure and improve its services but will not typically prevent basic use of the Sites.
3.5 Third-Party Cookies, Pixels, and Tracking on MauTech Sites
On MauTech-controlled Sites, MauTech may allow certain third-party providers to set or read cookies, pixels, or similar technologies, for example to:
measure the effectiveness of MauTech’s own marketing campaigns;
enable social media integrations;
provide security or anti-fraud services;
support A/B testing or personalization tools.
These third parties may include, for example:
analytics providers;
performance monitoring providers;
security, fraud detection, or bot detection providers;
optional marketing or social media platforms.
Such third parties process data as independent controllers or as processors/service providers to MauTech, depending on the specific arrangement. Their use of cookies and collected data is governed by their own privacy policies. MauTech does not control how these third parties internally use data beyond what is contractually agreed and required by law.
3.6 Tracking Technologies Within the Services (Client and End-User Interactions)
When Clients and their End Users interact with the Services (for example, via embedded chat widgets, SMS flows, call flows handled by MauTech Voice Assistant, or hosted booking pages), MauTech and its Sub-Processors may use Tracking Technologies to:
maintain session state for chat and web interactions;
route messages and calls appropriately;
associate messages with the correct Client account, pipeline, or workflow;
authenticate users or validate security tokens;
log events for security, auditing, and troubleshooting;
detect spam, abuse, or anomalous behavior;
measure performance and usage of specific features.
These technologies may be implemented via:
GHL’s platform cookies and scripts;
Twilio and Mailgun communication logs and technical identifiers;
OpenAI’s API logging mechanisms;
internal MauTech logging and monitoring tools.
The information collected in this context is used solely to provide, secure, support, and improve the Services and to comply with legal and contractual obligations. MauTech does not use such data for its own independent advertising or for cross-context behavioral advertising.
3.7 Client Responsibilities for Cookies, Pixels, and Tracking on Client Properties
Where a Client:
embeds MauTech widgets, scripts, or SDKs on its own websites, mobile applications, or other digital properties;
configures or deploys pixels, tags, cookies, or other tracking technologies (including third-party marketing pixels such as Meta Pixel, Google Ads tags, LinkedIn Insight tags, etc.) alongside or in connection with the Services; or
integrates the Services with other tools that themselves deploy cookies or tracking,
the Client is and remains solely responsible for:
Determining whether such cookies, pixels, and tracking technologies are lawful in the relevant jurisdictions;
Implementing and maintaining all required consent mechanisms, cookie banners, preference centers, and disclosures on its own properties;
Ensuring that End Users receive clear and sufficient information about cookies and tracking used on Client’s sites and apps;
Obtaining, recording, and managing any required consents (including for analytics, marketing, and cross-site tracking, where applicable);
Honoring End User choices and opt-out signals where required by law; and
Ensuring that its configuration and use of the Services, and any associated cookies and tracking technologies, comply with applicable laws, industry rules, and platform policies.
MauTech is not responsible for:
the Client’s independent placement or use of cookies, pixels, or tracking technologies on Client’s own properties;
the Client’s failure to implement adequate cookie notices, consent banners, or preference management tools;
any non-compliance by Client with e-privacy, cookie, or tracking-related legal requirements.
3.8 Categories of Third-Party Recipients and Data Shared via Tracking Technologies
Subject to and in accordance with the DPA and applicable law, MauTech may disclose or make available Personal Information and technical data collected via Tracking Technologies to the following categories of third-party recipients (“Sub-Processors” or service providers), solely for the purposes described in this Privacy Policy and the DPA:
Platform and CRM Infrastructure Providers
Example: GoHighLevel (GHL) or similar platforms used to host automations, pipelines, and interfaces.
Purpose: provide core CRM, automations, pipelines, workflows, and event logging.
Communications Providers
Example: Twilio (SMS/voice), Mailgun (email), and similar communications vendors.
Purpose: send, route, deliver, and log SMS messages, calls, and emails initiated via the Services; manage carrier-level metadata, delivery statuses, and error codes.
AI and Machine Learning Providers
Example: OpenAI or similar large language model/API providers.
Purpose: generate AI Output and process conversation content as instructed by Client, in accordance with applicable data protection terms.
Payment Processors and Billing Providers
Example: Stripe or similar payment platforms.
Purpose: process payments, handle billing events, and maintain transactional records.
Hosting, Cloud, and CDN Providers
Example: cloud infrastructure providers (such as AWS, Google Cloud, or similar), content delivery network providers (such as Cloudflare or similar).
Purpose: host and deliver the Sites and Services securely and efficiently; perform caching, DDoS protection, and performance optimization.
Analytics and Monitoring Providers
Example: analytics tools, performance monitoring tools, and logging services.
Purpose: measure performance, usage, and reliability; identify errors; improve the Services.
Security, Anti-Fraud, and Abuse-Prevention Providers
Purpose: detect and prevent fraudulent activity, spam, abuse, or malicious behavior affecting the Services or their infrastructure.
Professional Advisors and Legal/Compliance Providers
Example: legal counsel, auditors, or consultants.
Purpose: obtain professional advice, demonstrate compliance, and protect MauTech’s legal rights.
Each such provider processes data:
only for the limited purposes specified by MauTech;
under contractual obligations consistent with applicable data protection laws; and
subject to appropriate technical and organizational safeguards.
3.9 No Sale or “Sharing” for Cross-Context Behavioral Advertising
MauTech does not:
sell Personal Information as “sale” is defined under CCPA/CPRA or similar laws; or
“share” Personal Information for cross-context behavioral advertising under CCPA/CPRA.
Any disclosures to third-party providers as described in this Part 3 are made solely:
to operate, maintain, secure, and improve the Sites and Services;
as a “service provider” or “processor” on behalf of the Client or MauTech; or
as otherwise permitted or required by law (for example, to comply with legal obligations or to protect MauTech’s rights).
If MauTech’s practices were to change in the future in a way that would constitute a “sale” or “sharing” under applicable law, MauTech would update this Privacy Policy and, where required, provide appropriate notices and opt-out mechanisms.
3.10 Control of Cookies and Tracking Technologies
Depending on your location and applicable law, you may have the ability to control certain cookies and Tracking Technologies used on MauTech-controlled Sites by:
adjusting browser settings to block or delete cookies;
using in-browser tools to clear or limit tracking;
configuring device-level advertising settings;
using built-in “Do Not Track” or similar signals (subject to Section 6 – Do Not Track and similar signals, described in another Part of this Policy); and/or
using any cookie banner or preference center made available by MauTech.
Please note:
If you disable or reject certain cookies, some features of the Sites or Services may become unavailable or may not function correctly.
Managing cookies on MauTech’s Sites does not automatically manage cookies or tracking on Client-owned websites, applications, or platforms. Clients are responsible for providing their own mechanisms and notices on their properties.
MAUTECH PRIVACY POLICY
PART 4 – INTERNATIONAL DATA TRANSFERS, SECURITY MEASURES, AND DATA RETENTION
4. INTERNATIONAL DATA TRANSFERS
4.1 General Principle on Cross-Border Processing
MauTech operates as a globally oriented, U.S.-facing SaaS and AI services provider with infrastructure and subprocessors located in multiple jurisdictions. As a result, Personal Data and other information processed through the Services may be:
Collected in one country;
Stored in another country; and
Accessed, routed, or processed from yet other countries.
By using the Services, the Client and, where applicable, End Users explicitly acknowledge and consent to such cross-border transfers to the extent permitted by applicable law.
4.2 Primary Processing Locations
Personal Data processed by MauTech in connection with the Services may be stored and processed in, without limitation:
Norway – where MauTech (Mauseth Technologies ENK) is established and maintains certain business operations.
United States – where key SaaS infrastructure and subprocessors (such as GoHighLevel, Twilio, Mailgun, OpenAI, Stripe, and certain hosting providers) are located.
Other EEA / non-EEA jurisdictions – where subprocessors, telecom carriers, cloud providers, or integrated platforms maintain infrastructure, support personnel, or edge locations.
The specific set of processing locations may change over time as MauTech adjusts infrastructure, providers, and subprocessors.
4.3 Client as Controller – Responsibility for Transfer Legitimacy
For purposes of GDPR/UK GDPR and comparable regimes:
The Client is the Data Controller (or “Business” under CCPA/CPRA).
MauTech is the Data Processor (or “Service Provider” under CCPA/CPRA).
It is solely the Client’s responsibility to:
Determine whether its use of the Services involves transfers of Personal Data from the EEA, UK, Switzerland, Canada, or any other jurisdiction with data export rules;
Evaluate whether such transfers are lawful for Client’s specific processing context, industry, and data categories;
Provide appropriate notices and obtain all required consents from End Users before using the Services to process their data;
Implement and document its own transfer impact assessments, where required, under GDPR/UK GDPR and other regimes.
MauTech does not and cannot provide legal advice regarding Client’s cross-border transfer obligations and assumes no responsibility for Client’s compliance failures in this respect.
4.4 Transfer Mechanisms for EEA/UK/Swiss Data
Where MauTech processes Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland as a Processor:
MauTech may rely on Standard Contractual Clauses (SCCs) adopted by the European Commission as the primary transfer mechanism to non-EEA countries, including the United States, where no adequacy decision exists;
For the UK, MauTech may rely on:
The UK Information Commissioner’s Office’s International Data Transfer Addendum (IDTA) to the SCCs; or
Any UK-specific addendum or set of clauses lawfully adopted from time to time;
For Switzerland, MauTech applies the Swiss Federal Data Protection Act (FADP) interpretation of SCCs, including any adjustments required by Swiss authorities.
MauTech may update or replace such transfer mechanisms if regulations evolve, new frameworks are adopted, or authorities issue updated guidance.
4.5 Subprocessors and Cross-Border Transfers
Client acknowledges that MauTech uses subprocessors, including but not limited to:
GoHighLevel (GHL) – CRM, workflows, and automation;
Twilio – SMS/voice communications and related metadata routing;
Mailgun – transactional and automated email;
OpenAI – AI/LLM-based processing of input text, prompts, and conversation content;
Stripe – billing and payment processing;
Cloud hosting/CDN providers – including, without limitation, AWS, Google Cloud, Cloudflare, or similar.
These subprocessors may transfer, store, or process Personal Data in the United States or other jurisdictions. MauTech will implement contractual commitments with subprocessors that are intended to provide a level of data protection consistent with this Privacy Policy and applicable law, but:
MauTech does not control the internal compliance programs, technical security design, or legal interpretations used by such third parties and cannot guarantee their performance or legal sufficiency.
Client is responsible for reviewing, understanding, and accepting the privacy policies and terms of such subprocessors where required for Client’s compliance obligations.
4.6 Transfer Risk Assessments and Local Law Considerations
MauTech may, at its discretion, perform high-level transfer risk assessments to evaluate whether any third-country laws (e.g., surveillance laws) might impact the effectiveness of transfer safeguards. However:
Such assessments are not individualized legal opinions for the Client;
They do not relieve Client of its own obligation to conduct data protection impact assessments (DPIA) or transfer impact assessments (TIA) where applicable;
MauTech makes no warranty that its chosen mechanisms will satisfy regulatory expectations for every Client’s specific circumstances, sector, or data processing purposes.
Client accepts full responsibility for its use of the Services in light of applicable cross-border data transfer rules.
5. SECURITY MEASURES
5.1 General Security Commitment (Without Absolute Guarantee)
MauTech uses commercially reasonable and appropriate technical and organizational measures designed to protect Personal Data against:
Accidental or unlawful destruction;
Loss, alteration, unauthorized disclosure, or access;
Misuse or other unauthorized processing.
However:
MauTech explicitly does not guarantee absolute security, error-free performance, or immunity from cyberattacks, data breaches, or unauthorized access events. No system, platform, or technology can be guaranteed secure under all circumstances.
Client acknowledges and accepts this inherent risk as a condition of using the Services.
5.2 Technical and Organizational Measures
Without limiting the generality of the above, MauTech’s security program may include, as appropriate:
Access controls based on least privilege and role-based permissions;
Authentication requirements (such as password protections and, where available, multi-factor authentication);
Encryption in transit using industry-standard protocols (e.g., TLS) and, where appropriate, encryption at rest via underlying infrastructure providers;
Network-level protections, including firewalls, traffic filtering, and DDoS mitigation at provider level;
Logging and monitoring of system activities for security, debugging, and abuse detection;
Segregation of environments, where feasible, to reduce cross-tenant data exposure risk;
Employee confidentiality obligations and access limitations to production data based on job role and necessity.
Details and scope of technical measures may evolve as MauTech updates infrastructure and threat models.
5.3 Client’s Security Responsibilities
Client is solely responsible for:
Account Security
Protecting all login credentials, API keys, and access tokens;
Managing Authorized Users and access roles within the platform;
Promptly revoking access for departing personnel, contractors, or compromised accounts.
Endpoint and Environment Security
Ensuring that Client’s own devices, networks, and browsers are secure and free from malware or keyloggers;
Implementing local security controls, such as updated operating systems, antivirus tools, and network firewalls.
Configuration and Workflow Security
Carefully configuring workflows, automations, AI prompts, and routing rules;
Ensuring that sensitive data is not unnecessarily exposed or transmitted;
Avoiding inclusion of special categories of data (e.g., health data, financial account numbers, government ID numbers, etc.) unless explicitly required and lawfully justified.
Legal and Regulatory Security Compliance
Ensuring compliance with sector-specific security requirements (e.g., healthcare, finance, legal, or automotive standards);
Conducting any required DPIA, TIA, or security risk assessments;
Implementing additional safeguards where required by law or best practice for Client’s industry.
Any security incident arising from Client’s failure to fulfill its responsibilities—such as credential sharing, weak passwords, misconfigurations, or insecure endpoints—shall be the sole responsibility of Client.
5.4 Incident Detection, Response, and Notification
If MauTech becomes aware of a Security Incident involving unauthorized access to Personal Data stored on systems under MauTech’s direct control, MauTech will:
Conduct a reasonable investigation to determine the nature and scope of the incident;
Take appropriate steps to contain, mitigate, and remediate the incident;
Where required by applicable law and/or the DPA, notify the Client without undue delay, providing reasonably available information about:
The nature of the incident;
The categories of affected data (to the extent known);
High-level remedial actions taken or planned.
Client is responsible for:
Fulfilling any applicable legal notification obligations to data subjects, regulators, or third parties arising from the incident;
Determining whether and how to communicate with End Users;
Coordinating with MauTech where Client communication may reference MauTech’s role.
MauTech is not responsible for regulatory fines, damages, or legal costs imposed on Client arising from Client’s underlying processing operations or legal non-compliance.
6. DATA RETENTION AND DELETION
6.1 General Retention Principles
MauTech retains Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Policy, in accordance with:
Applicable law;
Contractual requirements (e.g., limitation periods, accounting obligations);
Legitimate business interests (e.g., security logging, fraud prevention, dispute management).
Where reasonably possible, Personal Data may be anonymized or aggregated earlier so that it no longer qualifies as Personal Data under applicable law.
6.2 Retention by Category (Illustrative)
Without limiting or committing to specific fixed durations for all Clients, MauTech may apply the following retention patterns (subject to change based on legal, technical, or business needs):
Client Account Data (e.g., name, business contact details, subscription info)
Retained for the duration of the Client’s active relationship with MauTech and for a reasonable period thereafter (e.g., up to 6 years after termination) to:
Maintain records of contracts and transactions;
Address disputes or claims;
Comply with tax and bookkeeping requirements.
Billing and Payment Records
Retained for periods required by tax, accounting, anti-fraud, and financial recordkeeping laws in relevant jurisdictions (commonly 5–10 years, depending on applicable law).
Operational Logs, Usage Data, and Security Logs
Retained for a period necessary to:
Monitor system performance;
Detect and investigate security incidents or abuse;
Improve and maintain the Services;
Retention periods may range from several weeks to several years, based on the nature of the log and regulatory requirements.
AI Conversation Logs, SMS/Chat Content, Call Metadata
Retention tied to:
The operational needs of Client’s workflows (e.g., follow-up, dispute tracking);
Debugging and product improvement;
Legal or carrier policy requirements;
Where feasible, Client may request adjustments or shorter retention for some data categories through configuration, subject to technical and contractual limitations.
Support and Communication Records
Retained as long as necessary to:
Maintain an audit trail of support and account history;
Defend against potential claims;
Improve support quality.
6.3 Retention After Termination of Services
Upon termination or expiration of the contractual relationship between MauTech and Client:
MauTech may retain:
Essential billing and account records;
Minimal identifying information about the Client for legal, accounting, and anti-fraud purposes;
System logs and backups, to the extent required for security, integrity, and legal defense.
Personal Data processed on behalf of the Client as Controller will be:
Deleted, anonymized, or returned to Client in accordance with:
The Data Processing Addendum (DPA);
Applicable laws; and
MauTech’s standard backup and archival processes.
MauTech shall not be obligated to delete data from archival or backup systems immediately, provided that:
Such backups are reasonably protected; and
Data will be removed in the ordinary course of backup rotation and deletion cycles.
6.4 Client-Controlled Retention
Where the Services provide configuration options for Client to select or adjust retention periods (e.g., for certain logs, conversations, or End User data), Client:
Bears sole responsibility for configuring such settings;
Must ensure that configured retention periods comply with applicable laws and internal policies;
Must not rely on MauTech to automatically implement Client-specific legal retention rules.
6.5 Legal Holds and Preservation
If MauTech is required to retain or disclose Personal Data due to:
Legal obligations (e.g., court orders, subpoenas, regulatory requests);
Litigation holds;
Government investigations;
MauTech may suspend ordinary deletion or anonymization processes for relevant data until such obligations have been satisfied or lifted. Client will be notified to the extent permitted by law and contractual commitments.
6.6 Deletion Requests
Requests to delete or remove Personal Data must be handled in accordance with:
Client’s role as Controller (Client is primarily responsible for end-user deletion requests); and
MauTech’s obligations as Processor, as set forth in:
The DPA; and
Region-specific rights sections in this Privacy Policy (see Part 5).
MauTech will not be required to delete data that it is legally required, or reasonably needs, to retain.
5. DATA SUBJECT / CONSUMER RIGHTS AND REGION-SPECIFIC NOTICES
5.1 General Overview of Rights
5.1.1
Depending on the jurisdiction in which an individual resides, and depending on whether MauTech processes Personal Data as a Data Controller or exclusively as a Data Processor / Service Provider on behalf of a Client, the individual (“Data Subject” or “Consumer”) may have certain statutory rights with respect to their Personal Data or Personal Information.
5.1.2
Where MauTech processes Personal Data in its capacity as Data Processor / Service Provider on behalf of a Client (for example, when providing the Services to business clients who interact with their own End Users), MauTech acts solely on documented instructions from the Client. In such cases:
The Client is the Data Controller / Business and is solely responsible for fulfilling applicable rights requests from its End Users; and
MauTech will not independently respond to Data Subject or Consumer requests relating to data it processes solely on behalf of Client, except as required by law or as expressly provided for in the applicable Data Processing Addendum.
5.1.3
Where MauTech processes Personal Data in its capacity as an independent Data Controller (for example, in connection with its own website analytics, lead intake, B2B sales outreach, direct communications with Clients, or account administration), MauTech will handle applicable rights requests in accordance with the relevant privacy laws and this Privacy Policy.
5.1.4
All rights described in this Section 5 may be subject to:
statutory limitations and exemptions;
the need to verify the identity of the requester;
MauTech’s or Client’s overriding legitimate interests;
MauTech’s or Client’s legal obligations to retain certain information.
Nothing in this Privacy Policy shall be construed as granting broader rights than those available under applicable law.
5.2 Rights of Individuals in the European Economic Area (EEA) and United Kingdom (GDPR / UK GDPR)
5.2.1
Where the EU General Data Protection Regulation (GDPR) or the UK GDPR applies, and where MauTech acts as a Data Controller with respect to the Personal Data of an individual located in the EEA or the United Kingdom, such individual may have the following rights, subject to applicable legal conditions and limitations:
Right of Access: To obtain confirmation as to whether or not MauTech processes Personal Data concerning the individual, and, where that is the case, to access such Personal Data and certain related information.
Right to Rectification: To request correction of inaccurate Personal Data and to have incomplete Personal Data completed.
Right to Erasure (“Right to be Forgotten”): To request deletion of Personal Data where, for example, the data is no longer necessary for the purposes for which it was collected, consent is withdrawn (where processing is based on consent), or the Personal Data has been unlawfully processed, subject to statutory retention obligations and other lawful grounds for continued processing.
Right to Restriction of Processing: To request restriction of processing in certain circumstances, such as where the accuracy of the Personal Data is contested or the processing is alleged to be unlawful but the individual opposes erasure.
Right to Data Portability: To receive Personal Data provided to MauTech in a structured, commonly used, and machine-readable format, and to request that MauTech transmit such data to another controller, where technically feasible and where the processing is based on consent or contract and carried out by automated means.
Right to Object: To object, on grounds relating to the individual’s particular situation, to processing based on MauTech’s or Client’s legitimate interests, including profiling. MauTech or Client may continue processing if they demonstrate compelling legitimate grounds which override the interests, rights, and freedoms of the individual or for the establishment, exercise, or defense of legal claims.
Rights Related to Automated Decision-Making: To request human intervention, to express a view, and to contest a decision where MauTech makes solely automated decisions that produce legal effects concerning the individual or similarly significantly affect them, where required by law.
5.2.2
Where MauTech processes Personal Data solely as Processor / Service Provider on behalf of a Client subject to GDPR or UK GDPR, any Data Subject seeking to exercise their rights should direct the request to the relevant Client (Data Controller). MauTech will, upon request by the Client and in accordance with the applicable Data Processing Addendum, provide reasonable assistance to enable the Client to respond to such requests.
5.2.3
Right to Complaint to Supervisory Authority.
Individuals in the EEA or the United Kingdom have the right to lodge a complaint with a competent Data Protection Authority or Supervisory Authority, in particular in the Member State or jurisdiction of their habitual residence, place of work, or place of the alleged infringement. This right exists without prejudice to any other administrative or judicial remedy.
5.3 Rights of California Residents (CCPA / CPRA)
5.3.1
For residents of the State of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) may provide specific rights with respect to “Personal Information,” when MauTech acts as a Business (for its own purposes) or as a Service Provider (processing on behalf of Clients).
Unless expressly stated otherwise, MauTech operates primarily as a Service Provider for its Clients with respect to End User data, and as a Business with respect to its direct website visitors, prospects, and Clients’ own business contact data.
5.3.2
MauTech, when acting as a Service Provider under CCPA/CPRA:
processes Personal Information solely on behalf of and under the instructions of the Client;
does not “sell” Personal Information as that term is defined in CCPA/CPRA;
does not “share” Personal Information for cross-context behavioral advertising;
does not use, retain, or disclose Personal Information for any purpose other than:
to perform Services for the Client;
to detect and prevent security incidents or fraud;
to comply with legal obligations;
for internal uses reasonably aligned with the expectations of the Client; or
as otherwise permitted under CCPA/CPRA.
5.3.3
Where MauTech acts as a Business with respect to California residents, the following rights may apply (subject to legal conditions and limitations):
Right to Know / Access: To request that MauTech disclose the categories and specific pieces of Personal Information collected about the individual, the categories of sources, the business or commercial purposes for collection, and the categories of third parties to whom Personal Information is disclosed.
Right to Delete: To request deletion of Personal Information collected from the individual, subject to certain exceptions (for example, where the information is necessary to provide the Services, detect security incidents, comply with legal obligations, or perform other legally permitted functions).
Right to Correct: To request correction of inaccurate Personal Information maintained by MauTech.
Right to Limit Use and Disclosure of Sensitive Personal Information (if and to the extent MauTech processes any such categories as defined under CPRA), consistent with CPRA’s scope and limitations.
Right to Non-Discrimination: MauTech will not discriminate against individuals for exercising their CCPA/CPRA rights, such as by denying services, charging different prices, or providing a different level or quality of services, except where permitted by law (for example, in connection with bona fide loyalty, rewards, or pricing programs that are reasonably related to the value of the data).
5.3.4
Opt-Out of Sale or Sharing.
MauTech does not sell or share Personal Information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA. Accordingly, there is no “Do Not Sell or Share My Personal Information” mechanism required for MauTech’s own operations at this time. If MauTech’s practices materially change in the future, MauTech will update this Privacy Policy and, where required, provide appropriate opt-out mechanisms.
5.3.5
Requests by End Users Whose Data Is Processed for Clients.
Where MauTech processes Personal Information solely on behalf of a Client as a Service Provider, California Consumers must direct their CCPA/CPRA requests to the relevant Client (the Business). MauTech will not independently respond to such requests except as required by law and will instead refer the Consumer to the Client or notify the Client of the request, subject to contractual and legal limitations.
5.4 Rights of Individuals in Canada (PIPEDA)
5.4.1
Where the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to MauTech’s processing of Personal Information as a Data Controller, individuals in Canada may have the following rights, subject to applicable legal conditions:
Right to Access: To request access to Personal Information that MauTech holds about them, including details about how that information is being used and to whom it has been disclosed, subject to legal exceptions.
Right to Request Correction: To challenge the accuracy and completeness of Personal Information and have it amended as appropriate.
Right to Challenge Compliance: To challenge MauTech’s compliance with PIPEDA by contacting MauTech using the details in Section 6 (Contact / DPO) and, if unsatisfied, to lodge a complaint with the Office of the Privacy Commissioner of Canada or other applicable provincial privacy regulator.
5.4.2
Where MauTech processes Personal Information solely as a Data Processor / Service Provider for a Client that is itself subject to PIPEDA or other Canadian privacy laws, Data Subjects must direct their rights requests to the Client. MauTech will, in accordance with the applicable DPA and at the Client’s request, provide reasonable assistance.
5.5 Rights of Individuals in Australia (Privacy Act and APPs)
5.5.1
Where the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to MauTech’s processing of Personal Information as a Data Controller, individuals in Australia may have the following rights, subject to applicable legal constraints:
Right of Access: To request access to Personal Information held by MauTech, subject to certain exceptions (for example, where providing access would unreasonably impact the privacy of others or would be unlawful).
Right to Correction: To request correction of Personal Information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. MauTech will take reasonable steps to correct such information where required.
Right to Complain: To submit a complaint to MauTech regarding handling of Personal Information and, if not satisfied with the response, to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
5.5.2
Where MauTech, as a Processor / Service Provider, processes Personal Information on behalf of an Australian Client subject to the Privacy Act and APPs, individuals should direct their access, correction, or other rights requests to that Client. MauTech will assist the Client as required by the DPA and applicable law.
5.6 Exercising Rights; MauTech’s and Client’s Responsibilities
5.6.1
Requests Relating to Data Processed on Behalf of Clients.
For data that MauTech processes exclusively on behalf of a Client as Data Processor / Service Provider (for example, End User AI conversations, SMS content, call metadata, booking information, review requests, or CRM records owned by the Client):
Any Data Subject or Consumer wishing to exercise rights (access, deletion, correction, objection, etc.) must submit the request directly to the Client (the Data Controller / Business);
MauTech is not authorized to review, evaluate, or grant such requests independently; and
MauTech will, where contractually agreed and to the extent required under applicable law, provide technical and organizational assistance to the Client in responding to the request.
5.6.2
Requests Relating to MauTech’s Own Processing as Controller.
For data where MauTech acts as an independent Data Controller (for example, Client account data, business contact details, direct sales leads, or website visit data):
Individuals may submit rights requests using the contact methods provided in Privacy DEL 6 (Children, Do Not Track, Changes & Contact/DPO);
MauTech may request additional information to verify the identity of the requester and to determine whether MauTech is a Controller or Processor in the specific context;
MauTech will respond within the time periods required by applicable law, subject to permissible extensions and limitations.
5.6.3
Verification and Limitations.
MauTech and/or the Client may, to the fullest extent permitted by law:
Require sufficient information to verify the identity of the requester before acting on any rights request;
Decline to act on requests that are manifestly unfounded, excessive, repetitive, abusive, or technically infeasible;
Charge a reasonable fee, where permitted by law, for repetitive or burdensome requests;
Retain certain Personal Data if required to comply with legal obligations, resolve disputes, enforce agreements, maintain security, or establish, exercise, or defend legal claims.
5.6.4
No Legal Advice.
This Privacy Policy, including this Section 5, is not legal advice and does not create a solicitor-client or attorney-client relationship. MauTech expressly disclaims any responsibility for providing legal advice to Clients or End Users regarding the interpretation or application of the GDPR, UK GDPR, CCPA/CPRA, PIPEDA, Australian privacy law, or any other data protection regime. Clients are solely responsible for obtaining their own legal counsel and for implementing rights-handling workflows that comply with applicable law.
6.1 Children’s Privacy and Age Limitations
6.1.1 Business-Focused Services Only.
The Services are designed and intended exclusively for use by business entities and their authorized personnel. The Services are not designed for, marketed to, or intended to be used by children or minors for personal, family, or household purposes.
6.1.2 No Intentional Collection of Children’s Data.
MauTech does not knowingly collect, process, or maintain Personal Data from:
(a) children under the age of 16 in the European Economic Area (EEA), the United Kingdom, or any jurisdiction where 16 is the default age of digital consent, or
(b) children under the age of 13 in the United States or any jurisdiction where 13 is the default age of digital consent,
unless such processing is strictly performed on behalf of a Client in its capacity as Data Controller, under a valid legal basis determined by the Client, and solely for purposes of providing the Services.
6.1.3 Client’s Responsibility for Children’s Data.
Where a Client uses the Services in a context that involves minors (for example, if a Client’s End Users include individuals under the applicable age of digital consent), the Client is solely and exclusively responsible for:
determining whether such use is lawful under applicable law;
obtaining any necessary verifiable parental or guardian consent;
providing appropriate notices and disclosures;
configuring the Services in a manner consistent with applicable child-protection, education, or sector-specific laws (e.g., COPPA, GDPR child-consent rules, or equivalent laws);
ensuring that no unlawful or high-risk processing of children’s data is performed through the Services.
MauTech does not monitor or verify whether End Users are minors and has no obligation to do so.
6.1.4 Unintentional Collection and Remedial Measures.
If MauTech becomes aware that it has directly and independently collected Personal Data from a child in violation of this Section 6.1 (i.e., outside of acting solely as Processor for a Client):
MauTech will take reasonable steps to delete such data as soon as commercially practicable; and
may, at its discretion, disable or restrict the associated account or functionality.
If you believe that a child has provided Personal Data directly to MauTech, you should immediately contact MauTech using the contact information in Section 6.5 and clearly indicate:
that the individual is a child;
the approximate date and context of the disclosure; and
any relevant identifiers (e.g., email address, phone number, account ID) so MauTech can locate the data.
6.1.5 No High-Risk Child-Focused Uses.
The Services must not be used by Clients for any high-risk child-focused use cases such as:
services directed primarily to children;
behavioral profiling of minors;
targeted advertising to minors;
processing of sensitive Personal Data of minors, unless strictly necessary and fully compliant with applicable law.
Any such use is strictly at the Client’s own risk and constitutes a material violation of this Privacy Policy and the Data Processing Addendum.
6.2 “Do Not Track” and Similar Signals
6.2.1 Browser-Based Do Not Track (DNT).
Certain browsers or devices may include a “Do Not Track” (“DNT”) or similar setting designed to signal your preference regarding online tracking. Because there is no uniformly accepted industry standard for responding to DNT or equivalent signals:
MauTech does not commit to recognizing or responding to DNT signals at this time.
6.2.2 Regional Preferences and Opt-Out Mechanisms.
Where required by law (for example, in some U.S. states or under certain EU/UK interpretations):
MauTech will honor legally mandated opt-out mechanisms or consent preferences to the extent applicable to MauTech’s role as a Data Controller (e.g., for its own website analytics or marketing to Clients); and
where MauTech acts solely as a Data Processor for Clients, it is the Client’s responsibility to implement and honor consent and opt-out mechanisms for End Users, including cookie banners, preference centers, and opt-out controls, as required by applicable law.
6.2.3 Client Responsibility for Compliance with Signals and Preferences.
To the extent that Client is subject to legal regimes requiring:
honoring browser or device signals;
implementing global privacy controls;
providing tracking-preference interfaces;
Client is solely responsible for:
configuring its own website(s), funnels, and user interfaces to capture and honor such signals;
applying such preferences in its use of the Services;
ensuring that any APIs, tags, or scripts it deploys comply with applicable law.
MauTech has no obligation to monitor or enforce such preferences on behalf of Client.
6.3 Changes to This Privacy Policy
6.3.1 Right to Modify.
MauTech reserves the right to modify, update, revise, or replace this Privacy Policy at any time, in its sole and absolute discretion, to reflect:
changes in the Services;
changes in legal or regulatory requirements;
changes in industry practices; or
operational, security, or business needs.
6.3.2 Notice of Material Changes.
If MauTech makes material changes to this Privacy Policy, MauTech will take reasonable steps to notify affected Clients, which may include:
posting an updated version on the MauTech website with a revised “Last Updated” date;
sending an email notice to Client’s primary account contact;
displaying an in-app or dashboard notification.
The form, scope, and timing of notice shall be determined by MauTech in its discretion, subject to applicable law.
6.3.3 Effective Date of Changes.
Unless otherwise required by law or stated by MauTech:
changes to this Privacy Policy become effective on the date indicated in the “Last Updated” legend; and
Client’s or End Users’ continued use of the Services after such date constitutes acceptance of the revised Privacy Policy, to the extent permitted by law.
If a Client objects to any material change, the Client’s sole remedy is to discontinue use of the Services and, where applicable, terminate the Agreement in accordance with the Terms of Service.
6.3.4 Hierarchy with Other Agreements.
In the event of any conflict or inconsistency between:
this Privacy Policy; and
a signed Data Processing Addendum (DPA) or Master Services Agreement (MSA) between MauTech and a Client,
…the DPA or MSA shall prevail with respect to contractual obligations between MauTech and that Client, to the extent permitted by applicable law.
For End Users, this Privacy Policy serves as a notice of MauTech’s data handling practices and does not, by itself, create a direct contractual relationship with MauTech unless expressly stated otherwise.
6.4 Relationship to Client’s Own Privacy Notices
6.4.1 Client’s Duty to Provide Notices to End Users.
Where MauTech processes Personal Data on behalf of a Client (as Processor / Service Provider):
Client is solely responsible for determining the content of its own privacy notices and consent mechanisms provided to End Users;
Client must ensure that such notices accurately describe the use of MauTech’s Services, including any AI, SMS, voice, and automation components;
Client must ensure that any descriptions of MauTech’s role, processing activities, international transfers, and retention are accurate and compliant with applicable law.
6.4.2 No Legal Advice; No Substitution.
This Privacy Policy:
is not legal advice;
is not a substitute for Client’s own legal counsel;
does not relieve Client of its duty to independently comply with privacy, telecom, AI, and data protection laws.
Client must consult its own legal advisors to determine how to configure and use the Services in a legally compliant manner for Client’s specific use case and jurisdiction.
6.4.3 Client Responsibility for Data Subject Requests.
As further detailed in the Data Processing Addendum:
For data processed as Controller, Client remains the primary point of contact for Data Subjects;
End Users should first contact the Client (not MauTech) to exercise access, deletion, correction, or related rights;
MauTech will, where required and commercially reasonable, assist Client as Processor in responding to such requests, but is not responsible for substantive legal determinations (e.g., whether a request is valid, must be honored, or may be refused).
6.5 Contact Information and Data Protection Inquiries
6.5.1 MauTech Identity and Contact.
For questions, concerns, or requests relating to this Privacy Policy or MauTech’s handling of Personal Data, you may contact MauTech at:
Company Brand: MauTech
Legal Entity: Mauseth Technologies ENK
Org. No.: 925392243
Address: Solbakken 32D, 6429 Molde, Norway
Support Email: [email protected]
Legal / Privacy Email: [email protected]
6.5.2 Data Protection Officer / Privacy Contact.
MauTech may designate an internal privacy contact or Data Protection Officer (“DPO”) as required by law. Where applicable, communications sent to the legal/privacy email above will be directed to the appropriate internal resource responsible for handling privacy and data protection matters.
6.5.3 Response Timeframes.
MauTech will endeavor to respond to privacy-related inquiries and requests:
within timeframes required by applicable law; or
where no specific timeframe is mandated, within a commercially reasonable period.
Where MauTech acts solely as Processor for a Client, MauTech may:
direct Data Subjects to contact the relevant Client; and/or
inform the Client of the request and await instructions, in accordance with the DPA and applicable law.
6.5.4 Complaints to Supervisory Authorities.
Nothing in this Privacy Policy is intended to limit any right you may have under applicable law to:
lodge a complaint with a data protection authority (for GDPR/UK GDPR jurisdictions);
submit a complaint to a regulator (for example, under CCPA/CPRA, PIPEDA, or Australian Privacy Act); or
seek remedies available under local law.
You should consult your local laws and supervisory authorities for details on how to exercise such rights.
6.6 Final Provisions
6.6.1 Applicability of This Privacy Policy.
This Privacy Policy applies:
to MauTech’s own handling of Personal Data as an independent Controller (e.g., website visitors, Clients, business contacts); and
to MauTech’s handling of Personal Data as Processor / Service Provider for Clients, subject to applicable Data Processing Addenda and contractual terms.
6.6.2 Supremacy of Mandatory Law.
Where this Privacy Policy conflicts with mandatory requirements under applicable law, such mandatory legal requirements shall prevail only to the extent of the conflict. All remaining provisions of this Privacy Policy remain in full force and effect.
6.6.3 Incorporation by Reference.
For Clients, this Privacy Policy is incorporated by reference into, and forms part of, the governing Terms of Service and any applicable Data Processing Addendum. For End Users, it operates as a transparency document describing how MauTech processes Personal Data on behalf of its Clients and for MauTech’s own purposes, as permitted by law.