LEGAL
Privacy Policy
Last updated:
Data Controller
The data controller responsible for the processing of personal data described in this policy is Kotao GmbH, Cologne, Germany. You can reach our privacy team at legal@kotao.com and our data protection officer at dpo@kotao.com.
What Data We Collect
We collect the data you provide and the data generated when you use the Kotao platform.
- Account data: name, business email, company name, billing details, and the names of the team members you invite.
- Website and usage data: server log data (IP address, request timestamp, request path, status code, user agent), device and browser information, marketing-surface interactions, contact form content, lead form content, newsletter form data, and consent evidence.
- Payment data: card details and payment instruments are handled exclusively by certified payment processors. Kotao never stores full card numbers on its own infrastructure.
Website and Marketing Site Processing
When you use www.kotao.com, we process personal data for the following purposes:
- Contact forms and lead forms: name, business email, company, website, role, business type, revenue band, message, locale, and request intent are processed so we can answer your request, prepare demos, qualify B2B enquiries, and document pre-contract communication. Depending on the request, the legal basis is Art. 6(1)(b) GDPR for pre-contract steps and Art. 6(1)(f) GDPR for our legitimate interest in B2B sales operations and abuse prevention.
- Newsletter forms: email address, locale, request time, confirmation time, request IP address, confirmation IP address, request user agent, confirmation user agent, and source are processed for double opt-in, delivery, unsubscribe handling, and consent evidence.
- Consent records: when a form requires a privacy or newsletter consent, we store a
consentRecordwith granted status, timestamp, IP address, user agent, locale, source, and related request metadata so we can prove and audit the consent. - Funnel events: after your consent (Art. 6(1)(a) GDPR, §25(1) TDDDG) we process marketing-surface events such as page viewed, trial signup started, surface key, language, vertical context, CTA label, UTM parameters, and referrer host in PostHog. A first-touch marketing context is stored in sessionStorage for the current browser session so attribution survives in-session navigation.
- Error monitoring: a minimal error monitoring and crash capture (Sentry, EU ingest) runs in deployed environments for all visitors based on our legitimate interest in operating a stable and secure website (Art. 6(1)(f) GDPR). This tier is deliberately minimized: no session replay, no performance tracing, no breadcrumbs,
sendDefaultPii: false, URLs stripped of query parameters — and nothing is stored on or read from your device. Processed are technical error data such as the error message, stack trace, and browser/device context; the IP address arising at the network layer during transmission is, by configuration, not stored in the error event. Extended Sentry telemetry (performance, release health) and PostHog analytics run exclusively after your consent. The balancing of interests is based on a documented assessment; you may object to the processing at any time (Art. 21 GDPR). - Server logs: we process server logs, including IP address, request timestamp, request path, status code, and user agent, for security, fraud and abuse prevention, availability, debugging, and incident investigation. The legal basis is Art. 6(1)(f) GDPR.
Analytics cookies and comparable technologies are explained in the Cookie Policy.
Newsletter
If you subscribe to the Kotao newsletter, we process your email address and locale to send product updates and operational guidance. Newsletter processing is based on your consent under Art. 6(1)(a) GDPR.
We use double opt-in before adding you to the mailing list. When you submit the newsletter form, we send a confirmation email. We only record your subscription after you click the confirmation link. For consent evidence, we store the request timestamp, request IP address, request user agent, confirmation timestamp, confirmation IP address, and confirmation user agent.
You can withdraw your consent at any time with effect for the future by using the unsubscribe link in a newsletter email or by contacting legal@kotao.com.
Legal Basis under Art. 6 GDPR
We process your data on the following legal bases:
- Art. 6(1)(a) GDPR — consent, including newsletter subscriptions.
- Art. 6(1)(b) GDPR — performance of a contract, when the processing is required to deliver the Kotao platform.
- Art. 6(1)(c) GDPR — compliance with legal obligations, including tax and bookkeeping records under HGB and AO.
- Art. 6(1)(f) GDPR — legitimate interests in operating, securing, and improving the platform.
Sub-processors
We rely on third-party processors to deliver hosting, email, payments, analytics, observability, and optional AI features. The current named list, including Cloudflare, Neon, Kotao Payments processors, Resend, Amazon SES, PostHog, Sentry, OpenAI, purpose, processing region, transfer basis, version history, and change-notice process, is published at Sub-processors.
International Transfers
Some processors and service operations involve recipients in the United States or other countries outside the European Economic Area, the United Kingdom, or Switzerland. Where personal data is transferred internationally, Kotao relies on the published safeguards for the relevant processor, including adequacy decisions such as the EU-U.S. Data Privacy Framework (DPF) for certified recipients and Standard Contractual Clauses (SCC) or equivalent data-transfer addenda where required. The applicable transfer basis for each named processor is listed in the Sub-processors document.
Retention
Account data is retained for the lifetime of your account plus three years after closure. Server logs are retained for 90 days. Financial records are retained for ten years in line with §257 HGB.
Your Rights
Under Art. 15 to 22 GDPR, you have the right to access, rectify, erase, port, restrict, and object to the processing of your personal data, and to withdraw consent where processing is based on consent. To exercise these rights, contact legal@kotao.com.
You may also lodge a complaint with the supervisory authority responsible for Kotao, the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).
Legal context
Other documents.
Privacy, security, terms, and usage rules should be read together when evaluating Kotao for multiple teams.
-
Acceptable Use Policy
Activities prohibited on the Kotao platform.
-
Cookie Policy
How Kotao uses cookies and similar technologies.
-
Data Processing Agreement
Kotao's Data Processing Agreement under Art. 28 GDPR.
-
Illegal Content Reports (DSA)
Notice-and-action mechanism under Art. 16 DSA and Kotao GmbH's points of contact.
-
Imprint
Legal entity information for Kotao GmbH per § 5 DDG.
-
Kotao Payments Terms
Supplementary terms for the integrated payment processing on the Kotao platform.
-
Security Disclosure
How to report security vulnerabilities to Kotao.
-
Sub-processors
Kotao's published, versioned list of sub-processors under Art. 28 GDPR.
-
Terms of Service
The terms governing the use of Kotao's platform and services.