Privacy Policy

1. Responsible Parties and Scope

1.1 Data Controllers

The responsibility for data processing depends on your location. For users in the European Economic Area and Switzerland, the responsible party is: Kotao UG (haftungsbeschränkt), Hohenzollernring 57, 50672 Cologne, Germany, represented by Managing Director Nico Miebach. For users outside the European Economic Area, the responsible party is: Kotao FZCO, Building A1, Dubai Silicon Oasis, Dubai, United Arab Emirates, represented by Managing Director Nico Miebach.

1.2 Data Protection Officer

For data protection inquiries, you can reach us at legal@kotao.com. Management currently assumes the function of data protection officer and is available for all data protection concerns.

1.3 Scope of Application

This Privacy Policy applies to all services offered by Kotao, including Kotao (www.kotao.com), Kotao Workspaces (workspaces.kotao.com and app.workspaces.kotao.com), Kotao POS (pos.kotao.com and app.pos.kotao.com), as well as all associated mobile applications and API interfaces. It provides information about the type, scope, and purpose of collecting and using personal data.

2. Principles of Data Processing

2.1 Legal Basis

The processing of personal data is based on the General Data Protection Regulation (GDPR) for users in the European Economic Area and comparable international data protection standards for users outside the EU. The legal bases for data processing are, depending on the processing purpose: contract fulfillment pursuant to Art. 6(1)(b) GDPR, legitimate interests pursuant to Art. 6(1)(f) GDPR, consent pursuant to Art. 6(1)(a) GDPR, or legal obligation pursuant to Art. 6(1)(c) GDPR.

2.2 Data Minimization and Purpose Limitation

We collect and process personal data only to the extent necessary and exclusively for the stated purposes. Data is only shared with third parties when necessary for contract fulfillment, based on a legal basis, or with your explicit consent.

2.3 Data Localization

For customers in the European Economic Area, all personal data is processed and stored exclusively on servers within the European Union. For customers outside the EEA, processing occurs in the geographically nearest region to optimize service quality.

3. Categories of Processed Data

3.1 Master Data

During registration and use of our services, we collect master data such as name, email address, postal address, telephone number, company name, and company data. For private users, collection is limited to information necessary for service provision.

3.2 Contract Data

Within the contractual relationship, we process data about your selected plan, booked additional services, contract start and duration, and termination data. This information is required for proper contract processing.

3.3 Payment Data

Payment information such as credit card data or bank details is processed exclusively through our payment service provider Stripe. We do not store complete payment data ourselves, only references and the last four digits of the payment method for identification.

3.4 Usage Data

When using our services, we automatically collect technical data such as IP address, browser type and version, operating system used, referrer URL, hostname of the accessing computer, and time of server request. This data is necessary for providing and securing our services.

3.5 Communication Data

When you contact us, we store the resulting data such as email addresses, messages, and attachments to process your request and for any follow-up questions.

3.6 Service-Specific Data

Depending on the service used, we process additional data. For Kotao Workspaces, this includes documents, emails, calendar data, tasks, and CRM entries. For Kotao POS, transaction data, product information, and sales statistics are collected. On the Kotao platform, we process booking data, reservations, preferences, and reviews.

3.7 Special Data Categories

Special data categories may arise in certain contexts. Dietary preferences or accessibility requirements for hotel or restaurant bookings are only processed if you provide them voluntarily. Hotel bookings may capture data of fellow travelers including minors, with responsibility for lawful disclosure of this data resting with the booking adult.

4. Purposes of Data Processing

4.1 Contract Fulfillment

The primary purpose of data processing is fulfilling our contractual services. This includes providing booked services, managing your user account, processing payments, and delivering support services.

4.2 Communication

We use your contact data for communication within the contractual relationship, including important system notifications, maintenance announcements, and information about contract changes.

4.3 Security and Abuse Prevention

To ensure IT security and protect against abuse, we process technical data. This includes detecting and defending against cyber attacks, preventing fraud, and enforcing our terms of use.

4.4 Service Improvement

Based on aggregated and anonymized data, we analyze the use of our services for continuous improvement of functionality, usability, and performance.

4.5 Legal Obligations

We must store certain data due to legal retention requirements, particularly in accounting and tax legislation. For Kotao POS, data processing also occurs to meet Cash Register Security Ordinance requirements.

4.6 Marketing

If you have consented or it is legally permissible, we use your data to inform you about new features, products, or special offers. You can object to this use at any time.

5. Service Providers and Third Parties

5.1 Hosting and Infrastructure

Our primary infrastructure is provided by Cloudflare, a leading provider of web performance and security. For EU customers, data processing occurs exclusively in European data centers. Database infrastructure is provided by AWS, with processing within the EU also guaranteed for EU customers.

5.2 Email Delivery

For sending emails, we use Resend. EU customers receive emails exclusively via servers in Ireland. For customers outside the EU, the geographically nearest region (North Virginia, São Paulo, or Tokyo) is automatically used to ensure optimal delivery rates.

5.3 Payment Processing

Payment processing is handled by Stripe, Inc., a PCI-DSS certified payment service provider. Stripe processes payment data according to the highest security standards. Further information can be found in Stripe's privacy policy at https://stripe.com/privacy.

5.4 Analytics and Monitoring

To analyze user behavior and improve our services, we use PostHog. For EU customers, data processing occurs exclusively in the EU region. Error monitoring and performance analysis is conducted via Sentry, transmitting only technical data without personal reference.

5.5 Contractual Agreements

We have concluded data processing agreements pursuant to Art. 28 GDPR with all mentioned service providers, ensuring compliant processing of your data.

6. International Data Transfer

6.1 Principles

Transfer of personal data to countries outside the EU only occurs when an adequate level of data protection is ensured or appropriate safeguards are in place. For EU customers, no data transfer outside the EU generally occurs.

6.2 Separation of Processing

Data processing is strictly separated by customer location. Support in Germany exclusively serves EU customers, while support in Dubai is responsible for all other regions. No international data exchange occurs between the companies.

6.3 Standard Contractual Clauses

Should data transfer to third countries be required in exceptional cases, this occurs based on EU standard contractual clauses or comparable guarantees.

7. Storage Duration and Deletion

7.1 Principles of Data Deletion

Personal data is deleted as soon as it is no longer necessary for the purposes for which it was collected and no legal retention obligations exist.

7.2 Deletion upon Account Termination

When deleting a user account, all personal data of the user is completely removed from our systems within 30 days. This includes all references in organizational data, which are replaced by neutral placeholders such as "User deleted."

7.3 Retention Obligations

Certain data is subject to legal retention obligations. Booking documents and invoices must be retained for 10 years according to tax regulations. Business letters and commercial correspondence are subject to a 6-year retention period.

7.4 Organizational Data

When leaving an organization, your personal data is removed from the organizational context, while content you created remains with the organization. Upon complete deletion of an organization, all associated data is irrevocably deleted.

8. Your Rights as a Data Subject

8.1 Right to Information

You have the right to receive information about data stored about you free of charge at any time. This includes information about origin, recipients, processing purposes, and storage duration of the data.

8.2 Right to Rectification

You can request immediate correction of incorrect or completion of incomplete personal data.

8.3 Right to Erasure

Under certain conditions, you have the right to deletion of your personal data, particularly when it is no longer necessary for the purposes for which it was collected.

8.4 Right to Restriction of Processing

You can request restriction of processing your data under certain circumstances, for example if you dispute the accuracy of the data.

8.5 Data Portability

You have the right to receive your data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

8.6 Right to Object

You can object to the processing of your personal data for certain purposes, particularly for direct marketing.

Where processing is based on your consent, you can withdraw it at any time with effect for the future.

8.8 Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. For EU customers, this is the respective competent state data protection authority or the European Data Protection Supervisor.

8.9 Automated Exercise of Rights

Many of your rights can be exercised directly through your user account. For further requests, contact us at legal@kotao.com. Processing is automated with subsequent notification of the result.

9. Cookies and Tracking

9.1 Necessary Cookies

We use technically necessary cookies to ensure the basic functionality of our services. These include session cookies to maintain your login and security cookies to protect against attacks.

9.2 Analytics Cookies

With your consent, we use analytics cookies from PostHog to understand and improve the use of our services. You can revoke your consent at any time in account settings.

You can control the use of cookies in your browser settings. Note that disabling certain cookies may limit the functionality of our services.

10. Security

10.1 Technical and Organizational Measures

We implement extensive technical and organizational security measures to protect your data from unauthorized access, loss, or misuse. This includes encryption during transmission (TLS) and storage (Encryption at Rest), multi-level access controls, and regular security reviews.

10.2 Employee Training

All employees with access to personal data are regularly trained in data protection and data security and are obligated to maintain confidentiality.

10.3 Penetration Tests and Audits

We conduct regular penetration tests and security audits to identify and remediate potential vulnerabilities.

10.4 Data Breaches

In the event of a data breach, we will comply with our legal notification obligations and immediately inform affected users if there is a high risk to their rights and freedoms.

11. Protection of Minors

11.1 Age Restriction

Our services are generally aimed at adult users. Minors between 16 and 18 years may use the services only with consent from their legal guardians.

11.2 Data of Minors

For hotel bookings or similar services, data of minor fellow travelers may be collected. Responsibility for lawful disclosure of this data lies with the booking adult.

12. Changes to the Privacy Policy

12.1 Updates

We reserve the right to adapt this Privacy Policy to accommodate changed legal situations or changes to our services. The current version is always available at https://policies.kotao.com/privacy-policy.

12.2 Notification of Changes

We will inform you of significant changes via email or through a prominent notice in our services.

13. Contact

For data protection inquiries, you can reach us at:

Kotao UG (haftungsbeschränkt)
Hohenzollernring 57
50672 Cologne
Germany
Email: legal@kotao.com Phone: +49 221 95019148