PRIVACY POLICY

1. INTRODUCTION

Interactive Media Network SRL (“Maximate,” “we,” “us,” or “our”) operates white-label email marketing services for businesses seeking to optimize their customer database engagement. This Privacy Policy explains how we collect, use, process, and protect personal data in accordance with the General Data Protection Regulation (GDPR) and Romanian data protection laws.

Company Information:

• Company Name: Interactive Media Network SRL

• CUI: 31184574

• Registration Number: J2013001378403

• Address: Bucharest, Sector 1, Romania

2. DATA CONTROLLER AND PROCESSOR ROLES

For our white-label email marketing services:

• Our Clients act as Data Controllers for their customer databases

• Maximate acts as Data Processor, processing personal data on behalf of our clients

• Data Protection Officer: Admin of Interactive Media Network SRL

3. PERSONAL DATA WE PROCESS

Categories of Personal Data:

• Email addresses (primary identifier)

• First and last names

• Phone numbers

• Funnel status indicators (loyal customer, inactive, etc.)

• Email engagement metadata (open rates, click-through behavior)

• Technical data: IP addresses, device information, browsing patterns

• Email content copies (retained for 30 days)

Special Categories: We do not process sensitive personal data categories as defined by GDPR Article 9.

4. LEGAL BASIS FOR PROCESSING

We process personal data based on:

• Legitimate Interest (Article 6(1)(f) GDPR): Email deliverability optimization and campaign performance

• Contract Performance (Article 6(1)(b) GDPR): Delivery of white-label email marketing services

• Consent (Article 6(1)(a) GDPR): Where explicit consent is provided by data subjects through our clients

5. PURPOSES OF DATA PROCESSING

Primary Processing Purposes:

• Re-engagement email campaign delivery

• Promotional marketing campaign execution

• Audience segmentation and targeting

• Campaign performance optimization

• Email deliverability monitoring and improvement

Automated Decision-Making: We use automated audience segmentation and campaign targeting based on engagement behavior. No decisions with legal or significant effects are made solely through automated processing.

6. DATA SHARING AND THIRD-PARTY PROCESSORS

Email Service Providers (Sub-processors):

• SparkPost (European jurisdiction)

• SendGrid (European jurisdiction)

• SMTP2GO (European jurisdiction)

• MailTrap (European jurisdiction)

• SendPulse (European jurisdiction)

• ElasticEmail (European jurisdiction)

Data Shared: Only email addresses are shared with ESP partners for campaign delivery purposes.

Analytics Services:

• Google Analytics (with IP anonymization enabled)

Other Integrations:

• Payment processing services (for client billing)

• Slack (for customer support communications)

Data Processing Agreements: All sub-processors operate under their respective terms and conditions that ensure GDPR compliance.

7. DATA STORAGE AND SECURITY

Storage Infrastructure:

• Primary Servers: Digital Ocean, Germany

• Backup Servers: Digital Ocean, Germany (same geographical location)

• Data Encryption: AES-256 encryption for stored data

• Transmission Security: TLS 1.3 encryption for data transmission

Access Controls:

• Role-based access control system

• Admin-only access to client databases

• Complete logging of all data access activities

• Multi-factor authentication for administrative access

Security Monitoring:

• Intrusion Detection System (IDS) implementation

• 24/7 firewall monitoring

• Automated email alerts for security incidents

8. DATA RETENTION PERIODS

Standard Retention:

• Active Contracts: Data retained for contract duration

• Post-Contract: All data deleted within 30 days of contract termination

• Unsubscribed Users: Marked as unsubscribed, then deleted after 30 days

• Email Content: Deleted after 30 days from sending

• Compliance Records: Retained for 30 days post-contract for audit purposes

Right to Be Forgotten: Data deletion completed within 24 hours of verified request.

9. YOUR RIGHTS UNDER GDPR

Data Subject Rights:

• Access: Request copies of your personal data

• Rectification: Correct inaccurate personal data

• Erasure: Request deletion of personal data

• Portability: Receive data in CSV format

• Restriction: Limit processing of your data

• Objection: Object to processing based on legitimate interests

Exercising Rights:

• Online Portal: Log into your client account

• Email Request: Contact us directly with verification

• Response Time: Maximum 7 business days

• Identity Verification: Through client account login

• Export Format: CSV file format

10. DATA BREACH NOTIFICATION

Breach Definition: Unauthorized access to client databases or security incidents affecting personal data integrity.

Notification Procedures:

• Supervisory Authority: ANSPDCP notified within 72 hours as required by law

• Affected Individuals: Direct email notification when high risk to rights and freedoms

• Immediate Response: Access credentials reset within 24 hours

• Documentation: All incidents logged in system records

11. INTERNATIONAL DATA TRANSFERS

All data processing occurs within European Union jurisdiction. Our servers and sub-processors are located in EU countries, ensuring adequate data protection standards without need for additional safeguards.

12. CONSENT MANAGEMENT

Consent Collection: Through client acceptance of terms and conditions
Consent Withdrawal: Automatic deletion from database upon withdrawal
Consent Documentation: Managed through client contractual agreements
Granular Consent: Not currently implemented – processing based on legitimate interest and contract performance

13. CONTACT INFORMATION

Data Protection Inquiries:

• Email: contact@maximate.com

Supervisory Authority:

• ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)

14. POLICY UPDATES

This Privacy Policy may be updated to reflect changes in our practices or legal requirements. Material changes will be communicated through our website and client notifications.