1. Controller
The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation is:
- Company
- Dumanu GmbH
- Address
- Beethovenstr. 120 C, 42655 Solingen, Germany
- Represented by
- Dominik Hassel
- info@meykt.com
This Privacy Policy applies to the websites meykt.com, meykt.de, their subdomains and the use of the Meykt platform to the extent that Dumanu GmbH determines the purposes and means of processing.
Where customers use Meykt to process their own customer, employee, supplier, service provider, shop, order, file or production data, Dumanu GmbH usually acts as a processor within the meaning of Art. 28 GDPR. The respective customer remains responsible for such processing. Details are governed by the data processing agreement.
2. Privacy contact
For privacy questions, data subject requests or questions about the processing of personal data, Dumanu GmbH can be reached at info@meykt.com.
No data protection officer has been appointed.
3. General principles
We process personal data only where this is necessary to provide our websites, perform contracts, secure the platform, communicate with users, comply with legal obligations or where processing is based on consent.
Processing is limited to the data required for the respective purpose. Access within Meykt is role- and permission-based. Customer data is processed in tenant-separated environments.
4. Website visits and technical delivery
When our websites are accessed, technically necessary data is processed to deliver the website, operate it reliably and protect it. This includes in particular:
- IP address
- date and time of access
- requested URL
- referrer URL
- browser type and version
- operating system
- amount of data transferred
- technical error and security events
The processing takes place to provide the website, detect and prevent attacks, analyze errors and ensure operation. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is the secure and reliable operation of our websites and services.
We use Vercel for hosting and delivery. Data may also be processed outside the European Union. For such transfers, we rely on suitable safeguards, in particular adequacy decisions, standard contractual clauses and supplementary protective measures.
5. Cookies, local storage and similar technologies
Meykt uses technically necessary cookies and comparable storage technologies to provide login sessions, language settings, security functions, routing and required platform features.
Technically necessary storage includes in particular:
- session and refresh cookies for login through Supabase Auth
- locale or language cookies to store the preferred language
- cookies and local storage for selecting stations, machines or employees in production contexts
- local UI preferences such as navigation state, favorites or display options
The legal basis for technically necessary cookies and storage is Sec. 25(2) German TDDDG and Art. 6(1)(b) GDPR where they are required for contract performance, and Art. 6(1)(f) GDPR where they support secure and user-friendly operation.
For non-essential analytics or marketing technologies, we obtain consent in advance. The legal basis is Sec. 25(1) TDDDG and Art. 6(1)(a) GDPR. Consent can be withdrawn at any time with effect for the future.
6. Analytics
We use Vercel Analytics to obtain aggregated usage statistics for our websites and applications. According to the provider, Vercel Analytics is cookie-less and collects analytics data in aggregated form without recognizing visitors through cookies. Processing serves to improve stability, performance and user guidance. The legal basis is Art. 6(1)(f) GDPR, unless consent is required.
For the public version, the use of Google Analytics is also planned. Google Analytics will only be used where valid consent has been obtained. Google may process usage information, technical device and browser data and interaction data. We will use Google Analytics with privacy-friendly settings, in particular IP anonymization, consent management and Google's data processing terms.
The legal basis for Google Analytics is Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG. Consent can be withdrawn at any time.
7. Contact and communication
If users contact us by email, form or support features, we process the information provided to handle the request. This may include name, email address, organization, role, message, technical information and previous communication.
The legal basis is Art. 6(1)(b) GDPR where communication is necessary for contract performance or pre-contractual steps, and Art. 6(1)(f) GDPR for general inquiries and support communication.
We use Resend to send transactional emails, invitations, system notifications, support emails and similar messages. Resend processes the necessary recipient, content, sending and delivery data. Where data is processed in the United States, we rely on suitable safeguards such as standard contractual clauses.
8. Registration, user account and organizations
When registering, logging in and using a Meykt account, we process in particular:
- name
- email address
- password or authentication data
- organization and organization role
- language, time zone and profile information
- login, security and session data
- invitation and permission data
- onboarding and usage settings
Processing takes place to create and manage the user account, authenticate users, separate tenants, assign permissions and provide the platform. The legal basis is Art. 6(1)(b) GDPR. Security and log data is also processed on the basis of Art. 6(1)(f) GDPR.
We use Supabase for authentication, database, storage and platform data. The Supabase project is currently operated in the Frankfurt am Main region. Supabase Auth may process session and authentication data. Google OAuth may optionally be used if users log in through Google.
9. Use of the Meykt platform
When using Meykt Central, we process the data that customers and users create, import, upload or provide through integrations. Depending on usage, this may include:
- organization, location, station and machine data
- user, team, role and permission data
- employee data, workstations, production roles and availability
- customer and contact data
- delivery and billing data where stored in the system
- shop connections and shop metadata
- products, variants, article numbers, SKUs, prices and product descriptions
- orders, line items, shipping and customer data from shops
- production jobs, work steps, workflows, process states and logs
- approvals, briefings, quote data, service provider or customer portal data
- uploaded files, images, production files and technical attachments
- machine commands, machine status, telemetry, local action logs and Agent status
- support, error, audit and security logs
Where these data are processed to perform the contract with the customer, the legal basis is Art. 6(1)(b) GDPR. Where data is processed for security, error analysis, abuse prevention or service improvement, the legal basis is Art. 6(1)(f) GDPR. Where statutory retention or evidence obligations apply, the legal basis is Art. 6(1)(c) GDPR.
For personal data that customers process in Meykt relating to their own end customers, employees, service providers, suppliers or shop customers, Dumanu GmbH usually acts as processor. The customer remains responsible for lawfulness, notices, legal bases, deletion periods and data subject rights.
10. Shop connections and external integrations
Meykt can be connected to external shop and platform services, for example WooCommerce, Etsy, Shopify, Amazon, eBay or future providers. Such connections are actively configured by the customer.
We use Nango to manage OAuth connections, credentials, tokens, API calls and integration data. Meykt generally does not store shop passwords or OAuth tokens directly in its own database, but uses connection identifiers and integration data from Nango.
Depending on the connected platform, the following data in particular may be processed:
- shop name and shop URL
- connection status and technical configuration
- external product and order IDs
- product, variant and order data
- customer data from shop orders
- payment, shipping and fulfillment information where provided by the shop
- raw API response data for mapping, traceability and error analysis
The legal basis is Art. 6(1)(b) GDPR where the integration is used for contract performance. Where technical logs are processed for security and troubleshooting, the legal basis is Art. 6(1)(f) GDPR.
The customer is responsible for connecting only those shop and third-party accounts for which they are authorized and for informing their own customers about processing by connected systems.
11. Meykt Agent and local machine control
The Meykt Agent is a local desktop application installed in the customer's production environment. The Agent can communicate with Meykt Central and, depending on configuration, perform local actions such as:
- receiving or executing machine commands
- communicating with local software or machine interfaces
- opening, providing, printing or transferring files to machines
- reporting status and result data to Meykt Central
- confirming or logging production steps
Personal and technical data may be processed, for example user identifiers, station data, machine assignments, production job data, file paths, file names, status messages, error logs and execution results.
Processing takes place to provide the local production features configured by the customer. The legal basis is Art. 6(1)(b) GDPR. Security and error data is additionally processed on the basis of Art. 6(1)(f) GDPR.
The customer decides which local machines, programs, files and automations are connected. The customer remains responsible for ensuring that the use of the Meykt Agent in their production environment is lawful, safe and covered under labor law and data protection law.
12. Payment processing and billing
We use Stripe for paid plans, subscriptions, payment processing, invoices and payment information. Depending on the payment method, Stripe processes in particular:
- name, company and billing data
- email address
- payment method and payment status
- invoice and tax data
- technical payment and fraud prevention data
Processing takes place for contract performance and billing on the basis of Art. 6(1)(b) GDPR and to comply with legal obligations on the basis of Art. 6(1)(c) GDPR. Stripe also processes certain data as an independent controller, in particular for fraud prevention, compliance, payment network obligations and statutory retention obligations.
13. AI features
Meykt may provide AI features in the future, for example to support evaluations, texts, mappings, data preparation, workflow support, error analysis or assistant functions. AI features are used only where they are activated for the respective function or contractually agreed.
Depending on the feature, prompts, files, order data, product data, process data, technical logs or other content selected by the user may be transmitted to an AI provider. AI providers may include in particular Google Cloud / Vertex AI / Gemini and, if integrated in the future, other providers such as OpenAI.
The legal basis is Art. 6(1)(b) GDPR where the AI feature is part of the booked service, or Art. 6(1)(a) GDPR where separate consent is required. Art. 6(1)(f) GDPR may apply to security, quality and abuse protection measures.
Meykt will use AI services only with suitable contractual privacy arrangements. Customer data is not used by Meykt for its own model training purposes. Where an AI provider offers options to use customer data for model training or product improvement, such options will be disabled for business customer data where contractually and technically possible. The concrete AI provider and processing will be listed in this Privacy Policy or in a subprocessor list once the respective function is used in production.
The customer is responsible for not entering particularly sensitive or legally protected content into AI features unless this has been expressly agreed and secured.
13a. Image vectorization
Via the “Vectorization” tool, users can convert raster images (for example logos) into vector graphics. For this purpose, the image file selected by the user is transmitted to and processed by an external service provider that specializes in image vectorization and is established in the United States.
The data processed includes in particular the uploaded image file, the resulting vector output and technical processing data (for example format, size and time of processing).
The transfer takes place only if the user actively triggers the feature and expressly consents to the transfer beforehand. The legal basis is consent under Art. 6(1)(a) GDPR. The associated transfer to the United States is based on Art. 49(1)(a) GDPR (explicit consent to the data transfer). Consent can be withdrawn at any time with effect for the future by no longer using the feature.
Note on third-country transfer: For the service provider used, there is no adequacy decision, no data processing agreement and no standard contractual clauses. There is therefore a risk that U.S. authorities may access transmitted data and that the user may not have the same level of legal remedies as provided within the EU.
Storage at the service provider: The service provider stores the uploaded file and the result temporarily under its own terms, currently for up to approximately two weeks; for account-linked records, storage may last longer. We cannot guarantee earlier deletion.
Use for training purposes: The service provider reserves the right to use transmitted images to develop, train and improve its own techniques and models. No objection to this is provided for at the service provider. Users should therefore not vectorize images containing personal data of third parties or confidential content, and should only upload images for which they hold the necessary rights.
The service provider acquires no rights in the resulting vector graphic; the results belong to the user within the scope of their rights in the source image. The feature is optional; users may instead use already vectorized files without using the external service.
14. Security, abuse prevention and audit logs
To secure the platform, we process technical logs, authentication events, role changes, system events, API access, error data, security-relevant configurations and audit logs.
Processing serves to detect abuse, investigate security incidents, trace administrative changes and maintain service stability. The legal basis is Art. 6(1)(f) GDPR. Where legal obligations apply, the legal basis is Art. 6(1)(c) GDPR.
15. Recipients and processors
We disclose personal data only where this is required for the purposes described above, where a legal obligation exists, where the user has consented or where another legal basis applies.
Service providers used by us include in particular:
| Provider | Purpose | Typical data |
|---|---|---|
| Supabase | Database, authentication, storage, realtime | Account, platform, file, auth and usage data |
| Vercel | Hosting, deployment, delivery, analytics | Website access, technical logs, aggregated analytics |
| Nango | Shop integrations, OAuth, API proxy, token management | Integration data, connection data, shop API data |
| Inngest | Background jobs, workflow events, retry and automation processing | Event data, workflow data, technical execution data |
| Resend | Transactional emails, invitations, system emails | Recipients, email content, sending and delivery data |
| Stripe | Payment processing, subscriptions, invoices | Billing, payment, tax and fraud prevention data |
| Google OAuth, Google Analytics, future Google Cloud / AI services | Login, analytics or AI feature data depending on use | |
| External vectorization service (USA) | Converting uploaded images into vector graphics (“Image vectorization” feature) | Uploaded image file, resulting vector output, technical processing data |
The specific list of subprocessors may change when services are replaced, added or extended. Material changes will be communicated in an appropriate manner where contractually or legally required.
16. International transfers
Some service providers we use are established or have processing capacities outside the European Union or the European Economic Area, in particular in the United States. Personal data may therefore be transferred to third countries.
Where data is transferred to third countries, we rely on suitable safeguards, in particular:
- adequacy decisions by the European Commission, such as the EU-U.S. Data Privacy Framework where the respective provider is certified
- standard contractual clauses of the European Commission
- supplementary technical and organizational measures
- contractual data processing agreements
In individual cases we use services for which none of the above safeguards (adequacy decision, standard contractual clauses or data processing agreement) is in place. This concerns in particular the image vectorization feature. The transfer to the United States is then based exclusively on the user’s explicit consent under Art. 49(1)(a) GDPR, after the user has been informed of the associated risks.
17. Retention and deletion
We store personal data only for as long as necessary for the respective purposes or as long as statutory retention obligations apply.
In general, the following retention periods apply:
- User account and contract data is stored for the duration of the contract.
- After contract termination, platform and customer data is generally retained for 30 days to allow restoration, migration or mitigation of accidental termination effects. Afterwards, it is deleted or anonymized unless statutory retention obligations prevent this.
- Invoices, payment and tax-relevant documents are stored according to statutory retention obligations, generally for six to ten years.
- Security, system and audit logs are stored only for as long as required for security, traceability and error analysis. Unless longer storage is necessary, they are generally deleted or anonymized after no more than 90 days.
- Backups are overwritten or deleted according to the applicable backup cycle. Targeted individual deletion from existing backups may be technically limited; in that case deletion takes place no later than at the end of the backup cycle.
18. Data subject rights
Data subjects have the following rights subject to the statutory requirements:
- access to personal data processed, Art. 15 GDPR
- rectification of inaccurate data, Art. 16 GDPR
- erasure, Art. 17 GDPR
- restriction of processing, Art. 18 GDPR
- data portability, Art. 20 GDPR
- objection to processing based on legitimate interests, Art. 21 GDPR
- withdrawal of consent with effect for the future, Art. 7(3) GDPR
- complaint with a data protection supervisory authority, Art. 77 GDPR
The supervisory authority responsible for Dumanu GmbH is:
- Authority
- State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
- Address
- Kavalleriestraße 2-4, 40213 Düsseldorf, Germany
- Web
- www.ldi.nrw.de
19. Requirement to provide data
Providing certain data is necessary to access the website, create a user account, perform contracts, process payments or use Meykt features. Without these data, we cannot provide the respective services or can provide them only with restrictions.
20. Automated decisions
No automated decision-making within the meaning of Art. 22 GDPR currently takes place. If AI or automation features are used in the future that produce legal effects or similarly significantly affect users, we will identify this separately and comply with legal requirements.
21. Changes to this Privacy Policy
We may amend this Privacy Policy if our services, providers used, legal requirements or technical processes change. The version published at the time applies.
For privacy questions, contact us at info@meykt.com.