LEGAL

Privacy Policy

Last updated:

Data Controller

The data controller responsible for the processing of personal data described in this policy is Kotao GmbH, Cologne, Germany. You can reach our privacy team at privacy@kotao.com and our data protection officer at dpo@kotao.com.

What Data We Collect

We collect the data you provide and the data generated when you use the Kotao platform.

  • Account data: name, business email, company name, billing details, and the names of the team members you invite.
  • Usage data: server log data (IP address, request timestamp, user agent), device and browser information, and platform interactions used to operate the service.
  • Payment data: card details and payment instruments are handled exclusively by certified payment processors. Kotao never stores full card numbers on its own infrastructure.

We process your data on the following legal bases:

  • Art. 6(1)(b) GDPR — performance of a contract, when the processing is required to deliver the Kotao platform.
  • Art. 6(1)(c) GDPR — compliance with legal obligations, including tax and bookkeeping records under HGB and AO.
  • Art. 6(1)(f) GDPR — legitimate interests in operating, securing, and improving the platform.

Sub-processors

We rely on the following sub-processors to deliver the service:

  • Infrastructure and storage providers (global data-centre services with data-residency controls)
  • Edge security and delivery providers (global points of presence with SCCs where required)
  • Certified payment processors (payment processing, EEA)
  • PostHog (product analytics, EU Cloud / Frankfurt, Germany)

Retention

Account data is retained for the lifetime of your account plus three years after closure. Server logs are retained for 90 days. Financial records are retained for ten years in line with §257 HGB.

Your Rights

Under Art. 15 to 22 GDPR, you have the right to access, rectify, erase, port, restrict, and object to the processing of your personal data, and to withdraw consent where processing is based on consent. To exercise these rights, contact privacy@kotao.com.

You may also lodge a complaint with the supervisory authority responsible for Kotao, the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).

Legal context

More documents for the same platform.

Kotao connects sales, payments, guests, teams, and websites. That is why privacy, security, terms, and usage rules should be evaluated together.

Separate product and legal

These documents explain terms and responsibilities. Product details, pricing, and roadmap live on the platform pages.

Review regularly

We keep the review date, contact points, and scope visible so customers can understand changes.

Read contracts together

Privacy, DPA, Terms, Security, and Acceptable Use should be read together when evaluating Kotao for multiple teams.