Privacy Policy

1. Controller

The controller within the meaning of the GDPR and other national data protection laws of the Member States, as well as other data protection regulations, is:

2. Rights of users and data subjects

With regard to the data processing described in more detail below, users and data subjects have the right

• to confirmation as to whether data concerning them is being processed, to information about the data processed, to further information about the data processing, and to copies of the data (Art. 15 GDPR);
• to rectification or completion of incorrect or incomplete data (Art. 16 GDPR);
• to the immediate erasure of data concerning them (Art. 17 GDPR), or, alternatively, where further processing is required under Art. 17 (3) GDPR, to a restriction of processing in accordance with Art. 18 GDPR;
• to receive the data concerning them that they have provided to us, and to transmit this data to other providers/controllers (Art. 20 GDPR);
• to lodge a complaint with the supervisory authority if they believe that the data concerning them is being processed by us in breach of data protection regulations (Art. 77 GDPR).

In addition, we are obliged to inform all recipients to whom we have disclosed data of any rectification or erasure of data, or any restriction of processing carried out pursuant to Art. 16, 17 (1), 18 GDPR. However, this obligation does not apply where such notification is impossible or involves disproportionate effort. Notwithstanding the above, you have the right to information about these recipients.

Pursuant to Art. 21 GDPR, users and data subjects also have the right to object to the future processing of data concerning them, where the data is processed by us on the basis of Art. 6 (1) lit. f GDPR. In particular, objection to data processing for the purpose of direct marketing is permissible.

To exercise your rights, you may contact us at any time by email at contact@keaflow.de.

The supervisory authority responsible for us is:

3. Website provision and creation of log files

Each time our website is accessed, our system, or the system of our hosting provider, automatically collects data and information from the computer system of the requesting device. The following data is collected:

• IP address of the user (shortened or anonymised where technically possible)
• date and time of access
• page/file requested
• amount of data transferred
• notification of successful retrieval
• browser used and its version
• user's operating system
• referrer URL (previously visited page)

Temporary storage of the IP address is necessary in order to deliver the website to the user's device. Storage in log files is carried out to ensure the functionality of the website and to safeguard the security of our information systems.

The legal basis is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in the purposes set out above.

Log files are generally deleted after no later than 30 days, unless security-related incidents make a longer retention necessary.

4. Hosting

Our website is hosted with an external service provider. The personal data collected on this website is stored on the servers of the host. This may include, among other things, IP addresses, contact requests, meta and communication data, contract data, contact data, and website access data.

The hosting provider is used for the purpose of contract performance with our prospective and existing customers (Art. 6 (1) lit. b GDPR) and in the interest of secure, fast, and efficient provision of our online offering by a professional provider (Art. 6 (1) lit. f GDPR).

Hosting in third countries (USA): Our hosting provider partly processes data on servers in the USA. Where the provider is certified under the EU-US Data Privacy Framework (DPF), the transfer is based on an adequacy decision of the EU Commission pursuant to Art. 45 GDPR. Where this is not the case, the transfer takes place on the basis of standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR. A data processing agreement pursuant to Art. 28 GDPR has been concluded with the host.

Provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA.

5. Cookies

5.1 Strictly necessary cookies

We only use cookies on our website where they are technically necessary for the operation of the website (e.g. to store your language preference). Cookies are small text files or other storage technologies placed and stored on your device by the internet browser you use. Through these cookies, certain information is processed on an individual basis, such as browser information or your IP address.

Through this processing, our website becomes more user-friendly, effective, and secure.

We do not currently use tracking, analytics, or marketing cookies. A consent banner is therefore not required.

The legal basis for this processing is Art. 6 (1) lit. b GDPR where these cookies are used to initiate or perform a contract. Otherwise, our legitimate interest lies in improving the functionality of our website; the legal basis is then Art. 6 (1) lit. f GDPR.

5.2 How to remove cookies

You can prevent or restrict the installation of cookies by adjusting your internet browser settings. You can also delete cookies that have already been stored at any time. The steps required depend on the specific browser you use. If you have any questions, please consult your browser's help function or documentation.

If you prevent or restrict the installation of cookies, this may mean that not all features of our website can be used to their full extent.

6. Contact requests / contact options

If you contact us via the contact form or by email, the data you provide will be used to process your request. Providing this data is necessary in order to process and respond to your request — without it we cannot, or can only to a limited extent, respond to your enquiry.

Typically processed are:

• name
• email address
• company (if provided)
• content of the message
• time of submission

The legal basis for this processing is Art. 6 (1) lit. b GDPR where the request is aimed at the conclusion or performance of a contract. In all other cases, the legal basis is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in responding to the request.

Your data will be deleted once your enquiry has been answered conclusively, provided there are no statutory retention obligations to the contrary (in particular commercial and tax law retention periods of up to ten years), for example in the case of any subsequent contract performance.

Email delivery: To technically deliver the email notification of incoming contact requests, we use the transactional email service Resend. The provider is Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Resend processes the data submitted in your enquiry (in particular name, email address, and message content) on our behalf. A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with Resend.

Data transfer to the USA: Resend also processes the data on servers in the USA. The transfer is based on the standard contractual clauses issued by the EU Commission pursuant to Art. 46 (2) lit. c GDPR. Our legitimate interest in reliable email delivery is based on Art. 6 (1) lit. f GDPR.

7. LinkedIn

We maintain an online presence on LinkedIn to present our company and our services, and to communicate with customers and prospects. LinkedIn is a service operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, a subsidiary of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA.

We point out that there is a possibility that user data may be processed outside of the European Union, in particular in the USA. This may entail increased risks for users, since, for example, subsequent access to user data may be more difficult. We have no access to this user data — access lies exclusively with LinkedIn.

The legal basis for processing in the context of our LinkedIn presence is our legitimate interest in a contemporary external presentation and communication with prospects and customers (Art. 6 (1) lit. f GDPR).

LinkedIn is certified under the EU-US Data Privacy Framework; the transfer to the USA is based on this. In addition, LinkedIn uses standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR.

LinkedIn's privacy notice is available at linkedin.com/legal/privacy-policy.

8. Data processing within the Keaflow application

If, as a customer, you use our SaaS application Keaflow, we process personal data to perform the usage agreement. The relevant data processing activities are not the subject of this privacy policy for the website, but are regulated separately:

• for contractual master data and billing data, in the privacy notice for customers,
• for the data of your own customers processed by you within the application, in the data processing agreement (DPA) pursuant to Art. 28 GDPR.

Please contact us if you require further information on this.

9. Data security

During your visit to our website, we use the widely used TLS (Transport Layer Security) procedure in combination with the highest encryption level supported by your browser. You can recognise whether an individual page of our website is transmitted in encrypted form by the closed-lock symbol in your browser's address bar.

We also use suitable technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorised third-party access. Our security measures are continuously improved in line with technological developments.

10. Currency and changes to this privacy policy

This privacy policy is currently valid as of 13 May 2026. Due to the further development of our website and offerings, or due to changed legal or regulatory requirements, it may become necessary to amend this privacy policy. The current privacy policy can be accessed and printed at any time on the website at keaflow.de/en/privacy.