GDPR Statement

Last updated: 19 April 2026 · Compliance with EU Regulation 2016/679

MarketHub complies with the General Data Protection Regulation (GDPR). This page summarizes our commitments and what you can do as a data subject or customer.

1. Who are you, from a GDPR perspective?

If you are a MarketHub user (paying / platform user)

You are a data subject for your personal data (account, email, billing). We are the controller.

If you are the recipient of a campaign sent via MarketHub

Your data (email, phone, company) is processed by the MarketHub client who contacts you. The client is the controller, MarketHub is the processor — we only execute the client's instructions.

2. GDPR principles we uphold

• Lawfulness, transparency, fairness: we collect only what is necessary and explain why.
• Purpose limitation: we do not reuse data for purposes incompatible with the original collection.
• Data minimisation: we keep the minimum necessary.
• Accuracy: you can correct any data from Settings.
• Storage limitation: clear retention policy (see Privacy Policy).
• Integrity and confidentiality: encryption at rest + in transit, measured security.
• Accountability: internal audit log, DPIA documentation for high-risk operations.

3. Your Rights (GDPR Art. 15-22)

3.1 Right of access (Art. 15)

You can request a copy of all your data. We respond within max 30 days, free of charge for the first request per year.

3.2 Right to rectification (Art. 16)

You can update any data directly in your account (Settings → Profile, Settings → Billing). For non-editable data, contact the DPO.

3.3 Right to erasure ("right to be forgotten", Art. 17)

Upon account deletion, data is erased within 30 days, with legal exceptions (invoices 10 years). You can delete your account from Settings → Account → Delete account.

3.4 Right to restriction of processing (Art. 18)

You can request a temporary halt to processing. Pause your account from Settings → Plan → Pause subscription.

3.5 Right to data portability (Art. 20)

You can export all your data in JSON/CSV format from Settings → Export data.

3.6 Right to object (Art. 21)

If we process your data on the basis of legitimate interest, you can object. Write to the DPO and we will assess it.

3.7 Rights related to automated decision-making (Art. 22)

The platform includes AI that makes recommendations (Growth Autopilot, SEO Copilot). These decisions have human oversight (you approve every action in Level 0). You have the right to request human intervention and to contest AI decisions.

4. How to exercise your rights

Most rights are self-service directly within the app. For complex requests:

Include in your request:

• Your name + the email address used for your account
• Which right you wish to exercise (access, erasure, etc.)
• If you want an export, your preferred format (JSON / CSV)

We respond within max 30 days. For manifestly unfounded or repetitive requests, we may charge a reasonable fee or refuse.

5. Complaints

If you are not satisfied with our response, you may lodge a complaint with:

• ANSPDCP (National Supervisory Authority, Romania): dataprotection.ro
• The supervisory authority in your country of residence
• European Data Protection Board (EDPB): edpb.europa.eu

6. Data Processing Agreement (DPA) for Customers

If you use MarketHub to contact individuals in the EU (marketing, prospecting), you are the GDPR controller and we are the processor. We provide a standard DPA free of charge upon request.

Includes:

• Subject matter of processing (execution of marketing campaigns)
• Duration (for the term of the SaaS contract)
• Nature of data (B2B/B2C contacts, emails, SMS, call recordings)
• List of sub-processors (Anthropic, Twilio, ElevenLabs, etc. — see Privacy Policy)
• Technical security measures (encryption, access controls, audit logs)
• Breach notification obligations within 72h
• Assistance with data subject requests
• Deletion / return of data upon contract termination

7. International Transfers (Chapter V GDPR)

Some processors are based in the US (Anthropic, Replicate, Twilio). For these we use:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary measures (encryption, restricted access, logs)
• Transfer Impact Assessment (TIA) for each vendor

Schrems II (CJEU) is respected: we do not transfer data to jurisdictions without adequate safeguards.

8. Breach Notification (Art. 33-34)

We actively monitor platform security. In the event of a breach affecting your data:

• We notify the ANSPDCP within 72 hours of discovery
• We inform you directly via email + in-app banner if the breach poses a high risk to your rights
• We publish an incident report on this page (anonymized if necessary)

9. DPIA (Data Protection Impact Assessment)

We have conducted a DPIA for high-risk operations:

• Scraping leads from Google Maps (large-scale processing of public data)
• Voice AI with human voice synthesis (identification risk + potential deepfake)
• AI Copilot + Growth Autopilot (automated decision-making)

DPIA findings are documented internally and available upon request to authorities.

10. Direct Marketing and Consent

For our communications to you (product newsletter, feature announcements):

• Based on explicit consent at registration (opt-in)
• Unsubscribe available in every email
• We do not sell, rent, or transfer the email list

11. Minors (Art. 8)

The platform is for 16+ years old. We do not knowingly collect data from children under 16 years old. For users aged 13-16 in jurisdictions where permitted, we require parental consent.

12. Data Protection Officer (DPO)

Although MarketHub is not legally required to appoint a DPO (we do not process data at the scale of a public authority), we have an internal data protection officer:

DPO Email: office@caiostudio.eu (subject: "GDPR")

13. Changes

We may update this statement to reflect legal or product changes. Major changes are notified 30 days in advance by email.