The data controller is KIProtect GmbH, Bismarckstr. 10-12, 10625 Berlin.
Purpose of Processing
We process your personal data for the following purposes:
- Providing software services to you as a customer.
- Gathering insights to improve our services and their marketing.
- Ensuring the security of our services.
- Invoicing you as a customer and fulfilling our legal requirements.
Legal Basis for Processing
We process your data if it is necessary for the performance of a contract that we entered into with you. Notably, we process your personal data to provide access to our online services and downloadable software. We also process your personal data to pursue legitimate interests such as gathering insights to improve our services and their marketing.
Types of Personal Data Processed
We might process the following personal data from you:
- Your name, legal address and contact information, notably your e-mail address(es), phone number and other contact data, as you provided them to us. We use this data to grant access to our services (e.g. by enabling login and password reset using your e-mail address), send you important information (e.g. about security-related activities such as password changes or failed login attempts and about service updates or downtime), reply to contact requests, answer support requests and generate invoices for our services. We delete this data as soon as it is no longer required: If you delete your account, we immediately remove your data from our backend infrastructure. Copies of your data that might remain in database backups will be erased within 30 days. We regularly delete old support e-mails, typically after 3 months. We retain invoices for 10 years, as legally required.
- IP address(es) that you use to connect to our service, as well as additional information about the device used (e.g. “user agent” strings or information about the underlying hardware or software architecture). We use this data to generate security alerts and detect anomalous account activity. We retain this data at most for 12 months and pseudonymize it whenever possible.
- Device identifiers of two-factor devices you might use to sign into our service.
- Usage data that we collect from our websites, APIs, apps, and services, such as the number of API requests over a given time, visited pages on our websites or usage of specific features in our web application. We use this data to learn how we can improve our services. We anonymize this data in real-time using our own analytics solution.
In general we try to avoid using third parties to process your personal data. For some services like server hosting, e-mails or payment processing we have to rely on external providers as we cannot realistically provide these services ourselves. When choosing a provider we evaluate it for privacy & security practices as well as sustainability.
- We use Hetzner Online GmbH to host our server infrastructure.
- We use Mailbox.org (Heinlein GmbH) to send transactional e-mails.
- We use Stripe Inc. for payment processing and billing (only if you choose to pay by credit card though).
Where applicable we have entered data processing agreements with these third parties.
Data Protection Measures
We take a multitude of technical and organizational measures to protect your personal data:
- We encrypt personal data whenever possible.
- We only collect the minimum amount of data that is required for a task.
- We limit the number of people that have access to personal data.
- We automate server provisioning and security updates.
- We protect our server infrastructure using several layers of individual protection measures.
- We regularly audit and analyse our infrastructure and software stack.
- We employ software security best practices like automated testing, static analysis, code reviews and dependency management.
- We do not rely on third parties for data processing unless strictly necessary.
- We open-source our software to make it publicly auditable.
Information Klaro Collects
When you embed the hosted version of Klaro (either the full script or the configuration) into your website, we do not collect or store any personal information about your visitors. When a visitor submits a consent decision we simply store an anonymous record of the consent on our server, allowing you to fulfill the consent documentation requirements according to GDPR (see our blog for details). The record of consent contains the following information:
- Consent decisions for individual services (e.g. 'openstreetmap: false, google-analytics: true, ...')
- The ID of the Klaro config used to collect consent (e.g. 'f5df13dbf67d561b792062c44ec210cb')
- The type of consent decision (e.g. 'accept', 'decline', 'save', ...)
- The hostname of the URL where consent was collected (e.g. 'klaro.org')
- The pathname of the URL where consent was collected (e.g. '/')
- Anonymous information about the user, notably the client used (e.g. 'klaro:web') and the version of the client (e.g. '0.7.18')
Klaro stores consent either in a cookie, or as an entry in the browser's localStorage. The expiration date of the cookie is configurable and set to 365 days by default. The cookie contains the JSON-encoded consent decisions of the user.
The Klaro API also records anonymous consent statistics by aggregating relevant API calls. The aggregated information contains only frequencies of specific events (e.g. 'accept' or 'decline'); no data can be attributed to individual users.
You have the following rights in relation to your personal data that we process:
- Access, rectification, and erasure of the data.
- Restriction of the processing of the data.
- Objecting to the processing of the data.
- Lodging a complaint with a supervisory authority.
To exercise these rights to access, rectify, erase, restrict or object to the processing of your data, please contact us at firstname.lastname@example.org.