Privacy Policy


AhaSend Privacy Policy

Last Updated: 9 May 2025

1. Introduction

Welcome to AhaSend.com! Your privacy is critically important to us. This Privacy Policy explains how TakTek GmbH, operator of AhaSend.com ("AhaSend", "we", "us", or "our"), collects, uses, discloses, and safeguards your personal information when you visit our website ahasend.com (the "Website") and use our Email Service Provider (ESP) services (the "Services").

Please read this policy carefully to understand our practices regarding your information and how we will treat it.

  • Data Controller:
    TakTek GmbH
    Siebensterngasse 42/3, 1070 Vienna, Austria
    Company Registration Number: FN 451613 m
    Registry court: Commercial Court Vienna
    Email: [email protected]
  • Data Protection Officer (DPO):
    You can contact our Data Protection Officer (DPO) regarding any data protection queries or to exercise your rights by emailing: [email protected]
  • Scope of this Privacy Policy:
    This Privacy Policy describes how AhaSend (TakTek GmbH) processes personal data for which it is a Data Controller (e.g., data relating to our direct clients who sign up for our Services and visitors to our Website).
    When our clients use AhaSend's Services to send emails to their subscribers, AhaSend acts as a Data Processor on their behalf for the email content and subscriber data they provide. Our commitments and obligations as a Data Processor are detailed in our Data Processing Agreement (DPA), which is available on our Website and forms part of our Terms of Service.

2. Information We Collect (When We Act as Data Controller)

  1. Information You Provide to Us: When you register for an AhaSend account, use our Services, or communicate with us, we collect information you provide directly. This may include:
    • Your name
    • Your email address
    • Your timezone
    • Payment information (which is processed by our payment processor, Stripe, though we may receive related transaction details)
    • Your last login IP address
    • We also collect and store the content of communications we have with you, such as support inquiries submitted via email and service notifications we send to you.
  2. Automatically Collected Information: When you use our Website and Services, we may automatically collect certain information, including:

    • Your IP address
    • Device information (such as operating system, browser type, and version)
    • Information about how you navigate and interact with our Website and Services (e.g., pages visited, features used, time spent on pages, clickstream data).

    This information is collected through server logs and tracking technologies like cookies (please see Section 5: "Cookies and Tracking Technologies" for more details).

3. How We Use Your Information and Our Lawful Bases for Processing

We use your personal information for the following purposes, based on the specified lawful grounds under the General Data Protection Regulation (GDPR):

  • To Provide, Maintain, and Improve Our Services:
    • Purpose: To create and manage your account, provide the ESP functionalities you request, process your email sending, offer customer support, ensure the technical functionality of our platform, understand service usage, and identify areas for improvement.
    • Lawful Basis: Performance of our contract with you (Article 6(1)(b) GDPR); Our legitimate interests in maintaining and improving our Services (Article 6(1)(f) GDPR).
  • To Process Transactions:
    • Purpose: To process your payments for the use of our Services and send you related information, including confirmations, invoices, and billing notices.
    • Lawful Basis: Performance of our contract with you (Article 6(1)(b) GDPR); Compliance with a legal obligation (e.g., for invoicing and accounting under Austrian law - Article 6(1)(c) GDPR).
  • To Communicate With You:
    • Purpose: To send you important notices about your account (e.g., service updates, security alerts, billing information), respond to your inquiries, and provide customer support.
    • Lawful Basis: Performance of our contract with you (Article 6(1)(b) GDPR); Our legitimate interests in providing good customer service and keeping you informed (Article 6(1)(f) GDPR).
  • For Service Integrity, Security, and Abuse Prevention:
    • Purpose: To monitor trends, usage, and activities to detect, investigate, and prevent fraudulent transactions, unauthorized access, other illegal activities, and violations of our Terms of Service. This includes automated monitoring for spam and phishing, and high bounce rates which may lead to account suspension (see Section 10: "Automated Decision-Making").
    • Lawful Basis: Our legitimate interests in protecting our Services, users, and business (Article 6(1)(f) GDPR); Compliance with a legal obligation (Article 6(1)(c) GDPR where applicable).
  • For Analytics and Service Improvement:
    • Purpose: To understand how our Website and Services are used, to measure the effectiveness of our Website, and to improve our offerings. This is done using tools like Google Analytics and Microsoft Clarity (see Section 5: "Cookies and Tracking Technologies").
    • Lawful Basis: Your consent for the use of non-essential cookies and similar technologies (Article 6(1)(a) GDPR); Our legitimate interests for server-side analytics not reliant on such cookies (Article 6(1)(f) GDPR).
  • To Manage Our Affiliate Program:
    • Purpose: To track referrals from affiliate partners and attribute commissions using Trackdesk.
    • Lawful Basis: Your consent for tracking cookies (Article 6(1)(a) GDPR); Our legitimate interests in managing our affiliate program (Article 6(1)(f) GDPR for any associated non-cookie based processing).

4. Sharing and Disclosure of Your Information

We do not sell or rent your personal information. We may share your personal information in the following limited circumstances with third parties who act as our service providers (data processors) or where legally required:

  • With Service Providers (Our Processors): We engage third-party service providers to perform functions and provide services to us. We have Data Processing Agreements (DPAs) in place with these providers where required by GDPR, obligating them to protect your data. These include:
    • Payment Processing: Stripe, Inc. (USA) to securely process your payments.
    • Cloud Hosting & Infrastructure: Hetzner Online GmbH (Germany/Finland, and optionally USA if you choose to use our US-based SMTP relay) and DA International Group Ltd (operating as AlphaVPS, Bulgaria) to host our Services and associated data.
    • Content Delivery Network (CDN), Security, and Performance Services: Cloudflare Inc (USA) to enhance the security and performance of our Website and user dashboard. This includes serving static files (HTML, CSS, JavaScript), providing DDoS protection, and Web Application Firewall (WAF) services for these interfaces. Cloudflare processes data such as IP addresses of visitors to our Website and users accessing our dashboard.
    • Analytics Providers: Google LLC (USA, for Google Analytics) and Microsoft Corporation (USA, for Microsoft Clarity) to help us understand service usage (subject to your consent for cookies as detailed in Section 5).
    • Affiliate Program Management: Trackdesk (Czech Republic) to manage our affiliate program (subject to your consent for cookies as detailed in Section 5).
  • For Legal Reasons: If required by law, regulation, valid legal process (such as a subpoena or court order), or governmental request; to enforce our Terms of Service, including investigation of potential violations; to detect, prevent, or otherwise address fraud, security, or technical issues; or to protect the rights, property, or safety of AhaSend (TakTek GmbH), our users, or the public, as required or permitted by law.
  • With Your Consent: We may share your information with other third parties when we have your explicit consent to do so.

5. Cookies and Tracking Technologies

AhaSend uses cookies and similar tracking technologies to track activity on our Service and hold certain information.

Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Our cookie consent banner provides you with control over non-essential cookies.

We use cookies for:

  • Providing Essential Functionality (Strictly Necessary Cookies): Some cookies are required for the basic functionality of parts of our Service, including user authentication for the dashboard and maintaining session information. These are used based on our legitimate interest to provide you with a functioning service.
  • Understanding and Saving User Preferences (Functional Cookies): To enhance your experiences with our Service by remembering your preferences and various settings. These are used based on our legitimate interest or your consent, depending on the specific preference.
  • Google Analytics (Analytics Cookies): We use Google Analytics to measure and understand how users interact with our Website and Services. Google Analytics may track details like how much time you spend on the site and the pages that you visit. The use of these cookies is based on your explicit consent. For more information on how Google uses data, please visit Google's Privacy & Terms.
  • Microsoft Clarity (Analytics Cookies): We partner with Microsoft Clarity to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies. The use of these cookies is based on your explicit consent. For more information about how Microsoft collects and uses your data, visit the Microsoft Clarity Privacy Policy.
  • Trackdesk (Affiliate Tracking Cookies): We use Trackdesk for our affiliate tracking program. This helps in tracking referrals from affiliate partners and appropriately attributing commissions or rewards. The use of these cookies is based on your explicit consent. Information on Trackdesk's use of data can be found on their website. Visit the Trackdesk Privacy Policy.

Your Choices Regarding Cookies

You can manage your cookie preferences at any time through our cookie consent banner. Additionally, you can adjust your Internet browser settings to reject some or all cookies and to alert you when a cookie is placed on your device. Please note that if you delete cookies or refuse to accept non-essential cookies, you might not be able to use all of the features we offer, store your preferences, and some of our pages might not display properly.

6. Data Security

We take reasonable technical and organizational measures to help protect your personal information from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction, in accordance with Article 32 GDPR. However, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. We are committed to continuously improving our security measures.

7. International Data Transfers

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country (and, in some cases, may not be as protective). 

Specifically: 

  • Service Providers in the USA: Some of our service providers, such as Stripe, Inc. (for payment processing), Google LLC (for Google Analytics), Microsoft Corporation (for Microsoft Clarity), and Cloudflare, Inc. (for website/dashboard security and performance), are based in the United States. When your personal information is transferred to these providers, we ensure that appropriate safeguards are in place to protect your data in accordance with GDPR requirements. These safeguards include:
    • EU-U.S. Data Privacy Framework (DPF): We rely on the European Commission's adequacy decision for the DPF for transfers to US companies that are certified under the DPF. Stripe, Google, and Microsoft state their certification under the DPF. Cloudflare has also certified its compliance with the EU-U.S. DPF.
    • Standard Contractual Clauses (SCCs): For providers where the DPF may not apply or as a supplementary measure, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission. Cloudflare, for instance, states that when they transfer personal data from the EEA, Switzerland, or the UK internationally, they rely on SCCs, including supplementary measures as necessary, or their DPF certification for transfers to the US, and their standard Data Processing Addendum incorporates the EU SCCs to ensure multiple legal bases for processing data. We ensure that necessary supplementary measures are considered as part of a Transfer Impact Assessment where appropriate for all such transfers.
  • Optional Processing in the USA with Hetzner Online GmbH: While our primary hosting infrastructure with Hetzner Online GmbH is within the European Economic Area (EEA) (Germany/Finland), we may offer you the option to utilize specific services or have certain data processed on Hetzner-operated servers located in the United States. If you choose to use such services:
    • Your personal data processed in connection with those specific services may be transferred to the USA.
    • For such transfers to Hetzner's US infrastructure, TakTek GmbH relies on Standard Contractual Clauses (SCCs) agreed with Hetzner Online GmbH to ensure an adequate level of data protection.
  • Service Providers within the EEA: Our affiliate program provider, Trackdesk, is based in the Czech Republic (EEA). Our hosting providers, Hetzner Online GmbH (primary locations in Germany and Finland) and DA International Group Ltd (Bulgaria), are also based within the EEA. Data transfers to these providers are within the EEA and do not require the specific international transfer safeguards mentioned above for third countries.

Specifically, some of our third-party service providers (as listed in Section 4) are based in the United States. When we transfer your personal information from the European Economic Area (EEA), UK, or Switzerland to these providers in the US, we ensure that appropriate safeguards are in place to protect your data in accordance with GDPR requirements. These safeguards include:

  • Adequacy Decisions: For transfers to the United States, we rely on the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework (DPF) for transfers to US companies that are certified under the DPF. Our providers, Stripe, Google, and Microsoft, state their certification under the DPF.
  • Standard Contractual Clauses (SCCs): For providers where the DPF may not apply or as a supplementary measure, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission. For example, Microsoft uses SCCs for certain transfers between its EU and US entities for Microsoft Clarity. We ensure that necessary supplementary measures are considered as part of a Transfer Impact Assessment where appropriate.

By using our Services, you acknowledge that your information may be transferred to our facilities and to those third parties with whom we share it as described in this Privacy Policy.

8. Data Retention

We will retain your personal information only for as long as is necessary for the purposes for which it was collected, as set out in this Privacy Policy, and to comply with our legal obligations.

  • Account Information: We retain your account information (such as name, email, timezone, last login IP) as long as your account is active with us. If you request account deletion, your personal data will generally be erased within 14 days, unless we are legally required to retain specific elements for a longer period (see "Billing Information"). We may contact you if your account is inactive for an extended period (2 years) before taking steps to delete associated personal data in line with our retention schedule.
  • Billing Information: Transactional data and invoices related to your account (processed via Stripe) will be retained by TakTek GmbH for 7 years from the end of the relevant financial year to comply with Austrian commercial and tax law obligations.
  • IP Logs: Server logs containing IP addresses (collected for security and operational purposes) are retained for 1 month.
  • Analytics Data: Data collected via Google Analytics is retained for 2 months. Data collected by Microsoft Clarity is retained according to their current policies.
  • Communications: Emails and support communications with you may be retained for up to 3 years after our last interaction to ensure we can effectively address any follow-up queries or for record-keeping purposes.

9. Your Data Protection Rights (under GDPR)

If you are within the European Economic Area (EEA), UK, or another jurisdiction with similar data protection laws, you have the following rights regarding your personal data controlled by TakTek GmbH:

  • The right to access: You can request copies of your personal data that we process.
  • The right to rectification: You can request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
  • The right to erasure ('right to be forgotten'): You can request that we erase your personal data, under certain conditions (e.g. if you request account deletion or your account has been inactive for too long, see “8. Data Retention”).
  • The right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances. This means we would store your data but generally not process it further while the restriction is in place.
  • The right to object to processing: You can object to our processing of your personal data (e.g., where we rely on legitimate interests as a lawful basis, or for direct marketing purposes), under certain conditions.
  • The right to data portability: You can request that we transfer the data that we have collected and that you provided to us to another organization, or directly to you, in a structured, commonly used, and machine-readable format, under certain conditions.
  • The right to withdraw consent: If we are processing your personal data based on your consent (e.g., for certain cookies or marketing communications), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal.
  • Rights related to automated decision-making: You have rights concerning automated decision-making that has legal or similarly significant effects on you (see Section 10: "Automated Decision-Making").

To exercise any of these rights, please contact our Data Protection Officer at: [email protected]. We will respond to your request within one month, as required by GDPR. We may need to request specific information from you to help us confirm your identity before processing your request.

  • Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your personal data infringes GDPR or other applicable data protection laws. For users in Austria, the relevant supervisory authority is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, Website: https://dsb.gv.at. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.

10. Automated Decision-Making

To maintain the integrity and security of our Services and to protect all users from abuse (such as spamming and phishing), we employ automated systems to monitor email sending activities. These systems analyze patterns such as spam complaint rates, bounce rates, and other indicators that may suggest a violation of our Terms of Service or applicable laws.

If such activities are detected, our systems may automatically lead to the suspension of an account or sending privileges. This constitutes automated decision-making which can have a significant effect on your ability to use the Service.

  • Logic Involved: The decision to suspend is typically based on predefined thresholds related to email deliverability metrics (e.g., bounce rates exceeding X%, spam complaint rates exceeding Y%) and content patterns indicative of spam or malicious activity.
  • Significance and Envisaged Consequences: The primary consequence is the temporary or permanent suspension of your AhaSend account or your ability to send emails through our Services.
  • Your Rights: If your account or sending capabilities are affected by such an automated decision, you have the right to:
    • Be informed about the decision.
    • Request human intervention to review the automated decision.
    • Express your point of view regarding the situation.
    • Contest the decision.

    To exercise these rights, please contact our support team at: [email protected].

11. Information About Children

Our Services are not directed to individuals under the age of 16 (or a higher age if stipulated by applicable local law for consent to process personal data). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information without parental consent, we will take steps to delete such information. If you believe that we might have any information from or about a child, please contact us at [email protected].

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, service offerings, legal requirements, or other factors. When we make changes, we will revise the "Last Updated" date at the top of this policy. If we make material changes to how we treat your personal information, we will endeavor to provide you with notice through the Services or by other means, such as email, where feasible.

We encourage you to review this Privacy Policy periodically to stay informed about our data protection practices and how we are helping to protect your information. Your continued use of our Services after any changes to this Privacy Policy will mean you accept those changes.