Mavens
Privacy Policy

Last Updated: December 2025


TABLE OF CONTENTS

1. Introduction and Scope

2. Definitions

3. Data Controller and Data Protection Officer

4. Categories of Personal Data We Collect

5. How We Collect Personal Data

6. Legal Bases for Processing (GDPR/LGPD)

7. Purposes of Processing

8. Data Sharing and Disclosure

9. International Data Transfers

10. Data Retention

11. Your Rights as a Data Subject

12. Cookies and Tracking Technologies

13. Third-Party Communication Channels

14. AI and Automated Processing

15. Children's Privacy

16. Security Measures

17. Data Breach Notification

18. HIPAA and Protected Health Information

19. California Privacy Rights (CCPA/CPRA)

20. Updates to This Policy

21. Contact Information


1. INTRODUCTION AND SCOPE

1.1 About Mavens

Mavens ("we," "us," "our," or the "Company") is an omnichannel lead management platform that provides software-as-a-service ("SaaS") solutions combined with professional services, including custom AI agents for sales, marketing, and customer engagement purposes.

Mavens operates globally with headquarters in Lisbon, Portugal, and offices in:

  • Lisbon, Portugal (Headquarters)
  • Wilmington, Delaware, United States
  • Porto Alegre, Rio Grande do Sul, Brazil

    1.2 Scope of This Policy

    This Privacy Policy ("Policy") describes how Mavens collects, uses, discloses, retains, and protects Personal Data in connection with:

    This Policy applies to:

  • Visitors to our Website;
  • Prospective customers evaluating our Services;
  • Customers who have contracted with us for Services;
  • End users and contacts whose data is processed through our Platform on behalf of our customers;
  • Individuals whose information is included in our business contact database;
  • Job applicants and employees.

    1.3 Our Role: Controller vs. Processor

    Mavens acts in different capacities depending on the context:

    (a) DATA CONTROLLER

    Mavens acts as the data controller when we:

  • Collect data directly from you for our own business purposes;
  • Maintain our business contact database;
  • Process employee and job applicant data;
  • Conduct marketing activities for our own Services.

    (b) DATA PROCESSOR

    Mavens acts as the data processor when we:

  • Process Personal Data on behalf of our customers through the Platform;
  • Store and transmit communications initiated by our customers;
  • Provide Services under the direction of our customers.

    When we act as a data processor, our customers are the data controllers and are responsible for ensuring they have appropriate legal bases and consents for the data they process through our Platform. Our processing activities are governed by our Data Processing Agreement with each customer.

    1.4 Agreement to This Policy

    By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, please do not use our Services.

    If your organization is subject to the General Data Protection Regulation (GDPR) or Brazil's Lei Geral de Proteção de Dados (LGPD) and uses our Services to process Personal Data, you must enter into a Data Processing Agreement with Mavens prior to such processing.


    2. DEFINITIONS

    For purposes of this Policy:

    ANPD means the Autoridade Nacional de Proteção de Dados, Brazil's national data protection authority.

    Customer means a business entity that has entered into a contract with Mavens to use our Services.

    Data Processing Agreement or DPA means the agreement between Mavens and a Customer governing the processing of Personal Data on behalf of that Customer.

    Data Subject means an identified or identifiable natural person whose Personal Data is processed.

    End User or Contact means an individual whose Personal Data is processed through our Platform on behalf of a Customer.

    GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).

    LGPD means Lei nº 13.709/2018, Brazil's General Data Protection Law (Lei Geral de Proteção de Dados).

    Personal Data means any information relating to an identified or identifiable natural person, including but not limited to name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

    Processing means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

    Sensitive Personal Data or Special Categories of Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life, or sexual orientation, as well as financial account information, government-issued identification numbers, and precise geolocation data.

    Sub-processor means any third party engaged by Mavens to process Personal Data on behalf of a Customer.


    3. DATA CONTROLLER AND DATA PROTECTION OFFICER

    3.1 Data Controller

    The data controller for Personal Data processed in connection with our Services is:

    Mavens

    Lisbon, Portugal (Headquarters)

    For customers and data subjects in the United States:

    Mavens

    Wilmington, Delaware, USA

    For customers and data subjects in Brazil:

    Mavens Brazil

    Porto Alegre, Rio Grande do Sul, Brazil

    3.2 Data Protection Officer

    Mavens has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection laws.

    You may contact our Data Protection Officer at:

    Email: [email protected]

    For LGPD-specific inquiries, our Encarregado (DPO under Brazilian law) can be reached at the same contact information.


    4. CATEGORIES OF PERSONAL DATA WE COLLECT

    4.1 Data We Collect Directly From You

    (a) ACCOUNT AND IDENTITY DATA

  • Full name
  • Email address
  • Phone number
  • Company name and job title
  • Username and password (stored in encrypted form)
  • Profile photograph (if provided)

    (b) BILLING AND PAYMENT DATA

  • Billing name and address
  • Payment card information (processed by PCI-compliant third-party processors; we do not store full card numbers)
  • Tax identification numbers (where required)
  • Transaction history

    (c) COMMUNICATION DATA

  • Correspondence with our support team
  • Feedback and survey responses
  • Chat logs and support tickets

    (d) PROFESSIONAL SERVICES DATA

  • Business requirements and specifications
  • Implementation documentation
  • Training records

    4.2 Data We Collect Automatically

    (a) TECHNICAL AND DEVICE DATA

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Time zone setting
  • Screen resolution

    (b) USAGE DATA

  • Pages visited and features used
  • Time spent on pages
  • Click patterns and navigation paths
  • Search queries within the Platform
  • Error logs and performance data

    (c) LOCATION DATA

  • Country and city (derived from IP address via our CDN infrastructure)
  • We use Cloudflare's geolocation headers (CF-IPCountry) to determine your approximate location
  • This geolocation is performed at the infrastructure level and no IP data is transmitted to third-party geolocation services
  • Location data is used to display localized content, chat widgets, and phone number formats
  • We do not collect precise geolocation without explicit consent

    4.3 Data Processed on Behalf of Customers

    When acting as a data processor, we may process the following categories of data as directed by our Customers:

    (a) CONTACT DATA

  • Names, email addresses, phone numbers
  • Company information and job titles
  • Communication preferences

    (b) COMMUNICATION CONTENT

  • Email content sent through the Platform
  • SMS and messaging content
  • Voice call recordings (if enabled by Customer)
  • WhatsApp and other messaging platform communications

    (c) ENGAGEMENT DATA

  • Email opens, clicks, and responses
  • Message delivery status
  • Call outcomes and durations
  • Opt-in and opt-out records

    (d) INTEGRATION DATA

  • Data synchronized from Customer's CRM systems
  • Data from connected third-party applications

    4.4 Business Contact Database

    Our business contact database contains professional information about business contacts, including:

  • Full name
  • Business email address
  • Business phone number
  • Employer company name and details
  • Job title and function
  • Office location (country and city)
  • Professional social media profiles (LinkedIn, etc.)
  • Company information (size, industry, website)

    We do NOT intentionally collect personal (non-business) contact information such as home addresses, personal email addresses, personal phone numbers, dates of birth, or any Sensitive Personal Data for our business contact database.

    4.5 Data We Do NOT Collect

    Unless specifically required and agreed upon pursuant to a Business Associate Agreement for HIPAA-covered entities, Mavens does not collect or process:

  • Protected Health Information (PHI)
  • Social Security numbers or national identification numbers
  • Financial account numbers (except for billing purposes via secure third-party processors)
  • Biometric data
  • Genetic data
  • Data concerning children under 16 (or under 13 in the United States)
  • Sensitive Personal Data as defined by GDPR Article 9 or LGPD Article 11

    5. HOW WE COLLECT PERSONAL DATA

    5.1 Data Provided Directly by You

    We collect Personal Data that you voluntarily provide when you:

  • Register for an account or request a demo
  • Subscribe to our Services
  • Contact our sales or support teams
  • Complete forms on our Website
  • Participate in surveys, promotions, or events
  • Apply for employment
  • Connect third-party accounts or integrations

    5.2 Data Collected Automatically

    We automatically collect certain data when you:

  • Visit our Website (via cookies and similar technologies)
  • Use our Platform (via application logs and analytics)
  • Open or interact with our emails (via tracking pixels, where permitted)

    See Section 12 for more information about cookies and tracking technologies.

    5.3 Data Received from Third Parties

    We may receive Personal Data from:

    (a) CUSTOMERS

    When a Customer uploads contact lists or connects their CRM or other data sources to our Platform.

    (b) THIRD-PARTY DATA PROVIDERS

    We license business contact information from reputable data providers who represent that they have collected such data lawfully.

    (c) PUBLICLY AVAILABLE SOURCES

    We gather professional information from publicly accessible sources such as:

  • Business-oriented social networks (e.g., LinkedIn)
  • Company websites and press releases
  • Professional directories and databases
  • Public regulatory filings

    (d) CONNECTED SERVICES

    When you connect third-party services to the Platform (e.g., Gmail, Microsoft 365, CRM systems), we receive data necessary to provide the requested integration functionality.

    (e) REFERRALS

    When someone refers you to our Services, we may receive your contact information from the referring party.

    5.4 Google API Data

    If you connect a Google account (including Gmail) to Mavens:

  • We request only the permissions necessary to provide the Services as described in our Terms of Service.
  • We access your inbox solely to detect replies to emails sent via Mavens.
  • We store only: (i) emails you have sent via Mavens, (ii) responses to those emails, and (iii) authentication tokens and account email addresses.
  • Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • We do NOT use data obtained from Google APIs for advertising purposes (including personalized, re-targeted, or interest-based advertising).
  • Human access to Google API data is prohibited except: (i) with your affirmative consent, (ii) to resolve support issues you have reported, (iii) for security investigations, or (iv) as required by law.

    6. LEGAL BASES FOR PROCESSING (GDPR/LGPD)

    6.1 Legal Bases Under GDPR (Article 6)

    If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your Personal Data based on one or more of the following legal bases:

    (a) CONTRACT PERFORMANCE (Article 6(1)(b))

    We process Personal Data when necessary to:

  • Provide and maintain our Services pursuant to our contract with you
  • Process payments and manage your account
  • Deliver professional services you have purchased
  • Respond to your support requests

    (b) LEGITIMATE INTERESTS (Article 6(1)(f))

    We process Personal Data when necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include:

  • Operating, improving, and securing our Services
  • Understanding how our Services are used
  • Marketing our Services to businesses (B2B marketing)
  • Preventing fraud and ensuring network security
  • Maintaining our business contact database for B2B purposes
  • Establishing, exercising, or defending legal claims

    (c) CONSENT (Article 6(1)(a))

    We process Personal Data based on your consent when:

  • You opt-in to receive marketing communications
  • You connect third-party services that require additional permissions
  • You consent to optional cookies and tracking technologies
  • Processing is not otherwise covered by another legal basis

    You may withdraw consent at any time (see Section 11).

    (d) LEGAL OBLIGATION (Article 6(1)(c))

    We process Personal Data when necessary to comply with applicable laws, such as:

  • Tax and accounting requirements
  • Responding to lawful requests from public authorities
  • Retaining records as required by law

    6.2 Legal Bases Under LGPD (Article 7)

    If you are located in Brazil, we process your Personal Data based on one or more of the following legal bases under the LGPD:

    6.3 Processing as a Data Processor

    When we process Personal Data on behalf of our Customers (as a data processor), the legal basis for processing is determined by the Customer (as data controller). Our Customers are responsible for:

  • Ensuring they have a valid legal basis for processing under applicable law
  • Obtaining necessary consents from their End Users
  • Providing required privacy notices to their End Users
  • Responding to data subject requests (with our assistance as appropriate)

    7. PURPOSES OF PROCESSING

    7.1 Providing and Maintaining the Services

    We process Personal Data to:

  • Create and manage your account
  • Provide access to the Platform and its features
  • Process and deliver communications on behalf of Customers
  • Enable integrations with third-party services
  • Process payments and manage subscriptions
  • Provide customer support and technical assistance

    7.2 Improving and Developing the Services

    We process Personal Data to:

  • Analyze usage patterns and feature adoption
  • Identify and fix bugs and technical issues
  • Develop new features and functionality
  • Conduct research and analytics (using aggregated or anonymized data where possible)

    7.3 Communication

    We process Personal Data to:

  • Send transactional communications (e.g., account confirmations, billing notifications)
  • Provide customer support and respond to inquiries
  • Send service-related announcements and updates
  • Send marketing communications (where permitted and with appropriate consent)

    7.4 Security and Fraud Prevention

    We process Personal Data to:

  • Protect the security and integrity of our Services
  • Detect, prevent, and respond to fraud, abuse, or security incidents
  • Verify identity and prevent unauthorized access
  • Monitor for violations of our Terms of Service

    7.5 Legal and Compliance

    We process Personal Data to:

  • Comply with applicable laws and regulations
  • Respond to lawful requests from public authorities
  • Establish, exercise, or defend legal claims
  • Enforce our Terms of Service and other agreements

    7.6 Business Contact Database

    We process business contact information to:

  • Provide data enrichment services to our Customers
  • Enable Customers to identify and contact potential business prospects
  • Maintain data accuracy and currency

    8. DATA SHARING AND DISCLOSURE

    8.1 Categories of Recipients

    We may share Personal Data with the following categories of recipients:

    (a) SERVICE PROVIDERS AND SUB-PROCESSORS

    We engage third-party service providers to perform functions on our behalf, including:

  • Cloud hosting and infrastructure providers
  • Payment processors
  • Email delivery services
  • Analytics providers
  • Customer support tools
  • Security and fraud prevention services

    All service providers are contractually bound to protect Personal Data and may only process it for the specific purposes we authorize.

    (b) THIRD-PARTY COMMUNICATION PLATFORMS

    To enable omnichannel communications, we share data with:

  • WhatsApp/Meta (for WhatsApp Business API)
  • Telecommunications providers (for SMS and voice)
  • Email service providers

    These platforms process data according to their own privacy policies and terms. See Section 13 for more details.

    (c) CUSTOMERS

    When acting as a data processor, we provide Customers with access to Personal Data of their End Users as necessary to deliver our Services.

    (d) INTEGRATION PARTNERS

    When you connect third-party services to the Platform, we share data as necessary to enable the integration functionality you have requested.

    (e) PROFESSIONAL ADVISORS

    We may share Personal Data with our attorneys, accountants, auditors, and other professional advisors in connection with the services they provide to us.

    (f) CORPORATE TRANSACTIONS

    In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, Personal Data may be transferred to the acquiring entity or successor. We will provide notice of any such transfer and any choices you may have.

    (g) LEGAL AND REGULATORY AUTHORITIES

    We may disclose Personal Data when required by law or in response to valid legal process, including:

  • Court orders, subpoenas, or search warrants
  • Requests from law enforcement or regulatory agencies
  • National security or public safety requirements

    See Section 8.3 for our protocol for handling such requests.

    8.2 Sub-Processors

    A current list of our sub-processors is available upon request by emailing [email protected]. Customers who have entered into a Data Processing Agreement with us will be notified of any changes to our sub-processors in accordance with that agreement.

    8.3 Handling Requests from Public Authorities

    When we receive requests from public authorities for Personal Data, we follow this protocol:

    (a) LEGAL REVIEW

    Each request is evaluated to confirm its legal validity. We verify that the requesting authority has appropriate legal grounds (subpoena, court order, warrant, or equivalent legal basis).

    (b) SCOPE LIMITATION

    We limit disclosure to only the information strictly required to fulfill the request. We do not provide excessive or unrelated data.

    (c) CUSTOMER NOTIFICATION

    Unless prohibited by law or the request pertains to an ongoing investigation where notification could compromise the investigation, we will:

  • Notify affected Customers if the request relates to data we process on their behalf
  • Provide Customers an opportunity to seek protective measures where legally permissible

    (d) USER NOTIFICATION

    For data we control directly, we will notify affected users unless prohibited by law.

    (e) DOCUMENTATION

    All requests and our responses are documented, including the legal basis for disclosure and the specific data provided.

    (f) CHALLENGING OVERBROAD REQUESTS

    We will challenge requests that we believe are overbroad, vague, or otherwise legally deficient.

    8.4 No Sale of Personal Data

    Mavens does not sell Personal Data to third parties. We do not exchange Personal Data for monetary or other valuable consideration.


    9. INTERNATIONAL DATA TRANSFERS

    9.1 Locations of Processing

    Mavens operates globally with data processing activities in:

  • United States (primary data center and headquarters)
  • European Union (EU data processing for EU customers where applicable)
  • Brazil (local operations)

    Personal Data may be transferred to, stored, and processed in countries other than the country in which it was collected.

    9.2 Transfers from the EEA, UK, and Switzerland

    When we transfer Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission or relevant authority, we implement appropriate safeguards, including:

    (a) STANDARD CONTRACTUAL CLAUSES (SCCs)

    We use the European Commission's Standard Contractual Clauses for international transfers, as updated and approved.

    (b) DATA PROCESSING AGREEMENTS

    Our DPAs with Customers include commitments regarding international transfers and appropriate safeguards.

    (c) SUPPLEMENTARY MEASURES

    Where required, we implement additional technical and organizational measures to ensure an adequate level of protection.

    9.3 Transfers from Brazil

    When we transfer Personal Data from Brazil to other countries, we comply with LGPD requirements by:

    9.4 Your Consent to Transfer

    By using our Services, you acknowledge and consent to the transfer of your Personal Data to countries outside your country of residence, including to the United States, which may have different data protection laws than your jurisdiction.


    10. DATA RETENTION

    10.1 General Retention Principles

    We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider:

  • The amount, nature, and sensitivity of the Personal Data
  • The potential risk of harm from unauthorized use or disclosure
  • The purposes for which we process the data
  • Whether we can achieve those purposes through other means
  • Applicable legal, regulatory, and contractual requirements

    10.2 Retention Periods by Data Category

    (a) ACCOUNT DATA

    Retained for the duration of your account plus 30 days after account termination to allow for account recovery and data export.

    (b) CUSTOMER DATA (DATA WE PROCESS AS PROCESSOR)

    Retained according to the Data Processing Agreement with each Customer. Upon termination or expiration of Services:

  • Data is available for Customer export for 30 days
  • Data is deleted within 60 days after termination unless legally required otherwise

    (c) BILLING AND TRANSACTION DATA

    Retained for 7 years after the transaction to comply with tax and accounting requirements.

    (d) COMMUNICATION RECORDS

    Support tickets and correspondence retained for 3 years after resolution for quality assurance and dispute resolution.

    (e) MARKETING DATA

    Retained until you opt out or withdraw consent, plus a record of your opt-out preference to ensure we honor it.

    (f) WEBSITE ANALYTICS

    Aggregated analytics data retained indefinitely; individual-level data retained for 26 months.

    (g) BUSINESS CONTACT DATABASE

    Professional contact information is retained and updated on an ongoing basis. Individuals may request removal at any time (see Section 11).

    (h) SECURITY LOGS

    Retained for 12 months for security monitoring and incident investigation.

    10.3 Data Deletion

    Upon expiration of the applicable retention period, Personal Data is:

  • Securely deleted or destroyed; or
  • Anonymized such that it can no longer be associated with an individual.

    Backup copies may be retained for a limited additional period as part of our disaster recovery procedures, during which they remain subject to this Policy.


    11. YOUR RIGHTS AS A DATA SUBJECT

    11.1 Rights Under GDPR (EEA, UK, Switzerland)

    If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights regarding your Personal Data:

    (a) RIGHT OF ACCESS (Article 15)

    You have the right to obtain confirmation as to whether we process your Personal Data and, if so, to access that data and receive information about how it is processed.

    (b) RIGHT TO RECTIFICATION (Article 16)

    You have the right to have inaccurate Personal Data corrected and incomplete data completed.

    (c) RIGHT TO ERASURE / "RIGHT TO BE FORGOTTEN" (Article 17)

    You have the right to request deletion of your Personal Data in certain circumstances, such as when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

    (d) RIGHT TO RESTRICTION OF PROCESSING (Article 18)

    You have the right to request that we restrict processing of your Personal Data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

    (e) RIGHT TO DATA PORTABILITY (Article 20)

    You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller, where technically feasible.

    (f) RIGHT TO OBJECT (Article 21)

    You have the right to object to processing of your Personal Data:

  • At any time, for direct marketing purposes (including profiling for direct marketing)
  • On grounds relating to your particular situation, where processing is based on legitimate interests

    (g) RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING (Article 22)

    You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you, unless such processing is necessary for a contract, authorized by law, or based on your explicit consent.

    (h) RIGHT TO WITHDRAW CONSENT

    Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

    (i) RIGHT TO LODGE A COMPLAINT

    You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

    11.2 Rights Under LGPD (Brazil)

    If you are located in Brazil, you have the following rights under the LGPD (Article 18):

    You have the right to petition the ANPD (Autoridade Nacional de Proteção de Dados) regarding your Personal Data.

    11.3 Exercising Your Rights

    To exercise any of these rights, please contact us at:

    Email: [email protected]

    We will respond to your request within:

  • GDPR: One month (extendable by two additional months for complex requests)
  • LGPD: 15 days

    We may need to verify your identity before processing your request. If we cannot verify your identity, we may request additional information.

    11.4 Rights for End Users of Our Customers

    If you are an End User whose data is processed by Mavens on behalf of one of our Customers, please direct your requests to the Customer directly. We will assist our Customers in responding to such requests in accordance with our Data Processing Agreement.

    11.5 Removal from Business Contact Database

    If your professional contact information is included in our business contact database and you wish to be removed, please email [email protected] with the subject line "Database Removal Request." We will process your request within 30 days and add your information to our suppression list to prevent re-addition.


    12. COOKIES AND TRACKING TECHNOLOGIES

    12.1 Types of Cookies We Use

    (a) STRICTLY NECESSARY COOKIES

    Essential for the Website and Platform to function. These cannot be disabled.

    (b) PERFORMANCE/ANALYTICS COOKIES

    Help us understand how visitors interact with our Website by collecting anonymous information.

    (c) FUNCTIONALITY COOKIES

    Remember your preferences and settings to enhance your experience.

    (d) MARKETING/TARGETING COOKIES

    Track your browsing activity to deliver relevant advertisements. These are only placed with your consent.

    12.2 Cookie Consent

    For visitors from the EEA, UK, Switzerland, Brazil, and other jurisdictions requiring consent:

  • We display a cookie consent banner on your first visit
  • Non-essential cookies are not placed until you provide consent
  • You can modify your preferences at any time through our cookie settings

    12.3 Web Beacons and Tracking Pixels

    We use web beacons (tracking pixels) in our emails to understand:

  • Whether an email has been opened
  • Which links were clicked
  • When and where the email was accessed

    You can disable image loading in your email client to prevent tracking, or click "unsubscribe" in any email to opt out of future communications.

    12.4 Do Not Track

    Some browsers offer a "Do Not Track" (DNT) signal. Our Website does not currently respond to DNT signals. However, you can manage your cookie preferences as described above.

    12.5 Third-Party Analytics

    We use third-party analytics services (such as Google Analytics) to analyze Website usage. These services may use cookies and similar technologies. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.


    13. THIRD-PARTY COMMUNICATION CHANNELS

    13.1 Overview

    Mavens enables omnichannel communications through various third-party platforms. When you or your End Users communicate through these channels, data is shared with and processed by the respective platform providers.

    13.2 WhatsApp and Meta Platforms

    If you use WhatsApp Business API through our Services:

  • Messages and metadata are transmitted through Meta's infrastructure
  • Meta processes this data according to the WhatsApp Business Terms of Service and Meta Privacy Policy
  • Meta may use message metadata (but not message content for WhatsApp) as described in their policies
  • Mavens cannot control how Meta uses data once transmitted to their systems
  • You are responsible for complying with WhatsApp Business Messaging Policy, including obtaining proper opt-in consent

    13.3 Telecommunications Providers (SMS/Voice)

    If you use SMS or voice services through our Platform:

  • Communications are transmitted through telecommunications carriers and providers
  • These providers may process and retain call detail records, message metadata, and in some cases message content
  • Telecommunications providers are subject to their own regulatory requirements and privacy policies
  • We cannot control how telecommunications providers use data once transmitted
  • Voice calls may be recorded if you enable this feature; you are responsible for complying with applicable consent requirements

    13.4 Email Services

    If you connect email services (Gmail, Microsoft 365, etc.):

  • We access your email account solely to provide the Services as described
  • For Gmail: Our use complies with Google API Services User Data Policy (see Section 5.4)
  • Email providers may process data according to their own privacy policies

    13.5 Your Responsibilities

    When using third-party communication channels through our Services, you are responsible for:

  • Reviewing and complying with the terms and privacy policies of each platform
  • Obtaining appropriate consent from End Users for data sharing with these platforms
  • Informing End Users that their data will be processed by third-party platforms
  • Complying with all applicable laws and platform-specific requirements

    14. AI AND AUTOMATED PROCESSING

    14.1 AI-Powered Features

    Our Platform includes AI-powered features such as:

  • Automated message classification and routing
  • Response suggestions and content optimization
  • Lead scoring and prioritization
  • Conversation analytics and insights
  • AI agents for customer engagement

    14.2 How AI Processes Data

    Our AI systems process:

  • Message content and metadata
  • Engagement patterns and user behavior
  • Historical communication data

    To:

  • Improve message deliverability and response rates
  • Provide intelligent recommendations
  • Automate routine communications
  • Generate analytics and insights

    14.3 Automated Decision-Making

    We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect individuals without human oversight.

    Where our Customers use AI features that may involve automated decision-making affecting End Users, Customers are responsible for:

  • Ensuring compliance with applicable laws (including GDPR Article 22 and LGPD Article 20)
  • Providing required disclosures to End Users
  • Implementing appropriate human oversight
  • Enabling End Users to request human review where required

    14.4 AI Training

    We may use aggregated, anonymized, or de-identified data derived from usage of our Services to train and improve our AI models. We do NOT use identifiable Customer data or End User data for AI training without explicit consent or a specific contractual agreement permitting such use.

    14.5 Disclosure of AI Use

    When AI or automated systems interact with End Users on behalf of our Customers, our Customers are responsible for providing appropriate disclosures that the communication is automated or AI-assisted, as required by applicable law.


    15. CHILDREN'S PRIVACY

    Our Services are designed for business use and are not intended for children. We do not knowingly collect Personal Data from:

  • Children under 16 years of age in the EEA
  • Children under 13 years of age in the United States
  • Children under 18 years of age in Brazil (unless permitted by applicable law with parental consent)

    If we learn that we have collected Personal Data from a child in violation of applicable law, we will delete that information promptly. If you believe we have collected information from a child, please contact us at [email protected].


    16. SECURITY MEASURES

    16.1 Technical Safeguards

    We implement appropriate technical measures to protect Personal Data, including:

  • Encryption of data in transit using TLS/SSL
  • Encryption of data at rest using industry-standard encryption
  • Secure authentication mechanisms, including support for multi-factor authentication
  • Regular security assessments and penetration testing
  • Intrusion detection and prevention systems
  • DDoS protection and mitigation
  • Regular security patches and updates

    16.2 Organizational Safeguards

    We implement appropriate organizational measures, including:

  • Access controls limiting data access to authorized personnel with a business need
  • Confidentiality agreements with all employees and contractors
  • Regular security awareness training
  • Background checks for employees with access to Personal Data
  • Incident response procedures
  • Business continuity and disaster recovery plans

    16.3 Payment Card Security

    We do not store complete payment card numbers. Payment processing is handled by PCI DSS-compliant third-party processors.

    16.4 Your Security Responsibilities

    You are responsible for:

  • Maintaining the confidentiality of your account credentials
  • Using strong, unique passwords
  • Enabling multi-factor authentication where available
  • Managing user access within your account appropriately
  • Notifying us promptly of any suspected unauthorized access

    16.5 No Guarantee

    While we implement security measures consistent with industry standards, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your Personal Data.


    17. DATA BREACH NOTIFICATION

    17.1 Our Commitment

    In the event of a security incident involving Personal Data, we are committed to:

  • Promptly investigating and containing the incident
  • Notifying affected parties as required by applicable law
  • Taking appropriate remedial measures
  • Documenting the incident and our response

    17.2 Notification to Supervisory Authorities

    Where required by GDPR (Article 33), we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach involving Personal Data, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

    Where required by LGPD, we will notify the ANPD and affected data subjects within a reasonable time as determined by the ANPD.

    17.3 Notification to Customers

    If a breach involves Personal Data we process on behalf of a Customer, we will notify the Customer promptly (and in any event within the timeframe specified in our Data Processing Agreement) to enable the Customer to fulfill its own notification obligations.

    17.4 Notification to Individuals

    Where a breach is likely to result in a high risk to individuals' rights and freedoms, we will notify affected individuals directly, unless:

  • We have implemented measures rendering the data unintelligible (e.g., encryption)
  • We have taken subsequent measures eliminating the risk
  • Individual notification would involve disproportionate effort (in which case we will make a public communication)

    18. HIPAA AND PROTECTED HEALTH INFORMATION

    18.1 Default Status

    BY DEFAULT, Mavens IS NOT A HIPAA-COVERED ENTITY AND THE SERVICES ARE NOT DESIGNED OR INTENDED FOR USE WITH PROTECTED HEALTH INFORMATION (PHI).

    You should NOT use our standard Services to collect, store, process, or transmit PHI unless you have entered into a Business Associate Agreement (BAA) with Mavens.

    18.2 HIPAA-Eligible Services

    For Customers who are HIPAA-covered entities or business associates and require HIPAA compliance:

  • You MUST execute a Business Associate Agreement with Mavens before transmitting any PHI
  • Additional security controls and configurations may be required
  • Not all Service features may be available for HIPAA-eligible use
  • Additional fees may apply

    18.3 Third-Party Platform Limitations

    IMPORTANT: Certain third-party platforms integrated with our Services (including WhatsApp/Meta) explicitly do NOT support HIPAA compliance. You must NOT transmit PHI through channels that do not support HIPAA, even if you have a BAA with Mavens.

    18.4 Your Responsibilities Under HIPAA

    If you are a HIPAA-covered entity or business associate, you are responsible for:

  • Executing a BAA with Mavens before transmitting PHI
  • Configuring the Services appropriately for HIPAA-eligible use
  • Training your workforce on HIPAA requirements
  • Ensuring PHI is not transmitted through non-HIPAA-compliant channels
  • Complying with all applicable HIPAA requirements

    19. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

    19.1 Applicability

    This section applies to California residents and supplements the other provisions of this Policy pursuant to the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").

    19.2 Categories of Personal Information

    In the preceding 12 months, we have collected the following categories of Personal Information:

  • Identifiers (name, email address, phone number, IP address)
  • Commercial information (transaction history, services purchased)
  • Internet or network activity (browsing history, usage data)
  • Professional or employment information (job title, employer)
  • Inferences drawn from the above

    19.3 Your California Rights

    You have the right to:

    (a) KNOW

    Request disclosure of the Personal Information we have collected about you, including categories, sources, purposes, and third parties with whom we share it.

    (b) DELETE

    Request deletion of your Personal Information, subject to certain exceptions.

    (c) CORRECT

    Request correction of inaccurate Personal Information.

    (d) OPT OUT OF SALE/SHARING

    We do not sell Personal Information or share it for cross-context behavioral advertising. Therefore, no opt-out is necessary.

    (e) NON-DISCRIMINATION

    We will not discriminate against you for exercising your privacy rights.

    19.4 Exercising Your California Rights

    To exercise your rights, contact us at [email protected]. We will verify your identity before processing your request.

    19.5 Authorized Agents

    You may designate an authorized agent to make requests on your behalf. We may require verification that you authorized the agent.


    20. UPDATES TO THIS POLICY

    20.1 Changes to This Policy

    We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

    20.2 Notification of Changes

    For material changes, we will:

  • Post the updated Policy on our Website with a new "Last Updated" date
  • Notify registered users via email or in-app notification
  • Where required by law, obtain consent before implementing changes that materially affect your rights

    20.3 Your Continued Use

    Your continued use of our Services after any changes to this Policy constitutes your acceptance of the updated Policy. If you do not agree with any changes, you should discontinue use of our Services.


    21. CONTACT INFORMATION

    21.1 General Inquiries

    For questions about this Privacy Policy or our privacy practices:

    Email: [email protected]

    Website: www.mavensforce.com

    21.2 Data Protection Officer

    Email: [email protected]

    21.3 Mavens Europe (Headquarters)

    Lisbon, Portugal

    Email: [email protected]

    21.4 Mavens Brazil / Encarregado

    Porto Alegre, Rio Grande do Sul, Brazil

    Email: [email protected]

    21.5 Other Inquiries

    Legal/Terms of Service: [email protected]

    General Support: [email protected]

    21.6 Supervisory Authorities

    EEA residents may lodge a complaint with their local data protection authority. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

    Brazil residents may petition the ANPD at: https://www.gov.br/anpd/


    By using Mavens Services, you acknowledge that you have read and understood this Privacy Policy.
