Privacy Policy

1. Introduction

Below we inform you about the processing of personal data when using

• our website gokraka.com

• our profiles on social media.

Personal data is any data that can be related to a specific natural person, e.g., their name or IP address.

1.1. Contact data

The responsible party pursuant to Art. 4 Para. 7 EU General Data Protection Regulation (GDPR) is Kraka Technologies GmbH, Bessemerstraße 82, 12103 Berlin, Germany, Email: impressum@gokraka.com. We are legally represented by Johannes Oel, Hauke Reunitz.

Our data protection officer can be reached through heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, Email: datenschutz@heydata.eu.

1.2. Scope of data processing, purposes of processing and legal bases

The scope of the data processing, purposes of processing and legal bases are detailed further below. As a general rule, the following legal bases are considered for data processing:

• Art. 6 Para. 1 Sentence 1 lit. a GDPR serves as our legal basis for processing operations for which we obtain consent.

• Art. 6 Para. 1 Sentence 1 lit. b GDPR is the legal basis insofar as the processing of personal data is necessary for the fulfillment of a contract, e.g., when a site visitor purchases a product from us or we perform a service for them. This legal basis also applies to processing that is necessary for pre-contractual measures, such as inquiries about our products or services.

• Art. 6 Para. 1 Sentence 1 lit. c GDPR applies when we fulfill a legal obligation with the processing of personal data, as may be the case in tax law.

• Art. 6 Para. 1 Sentence 1 lit. f GDPR serves as the legal basis when we can rely on legitimate interests to process personal data, e.g., for cookies necessary for the technical operation of our website.

1.3. Data processing outside the EEA

When we transfer data to service providers or other third parties outside the EEA, EU Commission adequacy decisions pursuant to Art. 45 Para. 3 GDPR ensure the security of the data upon transfer, if available, as is the case, for example, for the UK, Canada, and Israel.

When transferring data to service providers in the USA, the legal basis for the data transfer is an adequacy decision by the EU Commission, provided the service provider is also certified under the EU US Data Privacy Framework.

In other cases (e.g., if no adequacy decision exists), the legal basis for data transfer, as a rule, unless we provide a differing notice, are standard contractual clauses. These are a framework adopted by the EU Commission and part of the contract with the respective third party. According to Art. 46 Para. 2 lit. b GDPR, they ensure the security of data transfers. Many providers have given contractual guarantees that go beyond the standard contractual clauses, which further protect the data, such as guarantees regarding data encryption or a third party's obligation to notify affected parties if law enforcement agencies attempt to access data.

1.4. Storage period

Unless explicitly stated within this privacy policy, the data stored with us will be deleted as soon as they are no longer required for their intended purpose and no statutory retention obligations stand in the way of deletion. If the data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted, i.e., the data will be blocked and not processed for other purposes. This applies, for example, to data we must retain for commercial or tax law reasons.

1.5. Rights of the affected parties

Affected parties have the following rights concerning their personal data:

• Right to information,

• Right to rectification or erasure,

• Right to restriction of processing,

• Right to object to processing,

• Right to data portability,

• Right to withdraw consent at any time.

Affected parties also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their personal data. Contact details of the data protection supervisory authorities are available at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.

1.6. Obligation to provide data

Customers, interested parties, or third parties only need to provide us with the personal data necessary for establishing, conducting, and terminating the business relationship or other relationship or that we are legally obligated to collect. Without this data, we will generally have to refuse the conclusion of a contract or the provision of a service or can no longer perform an existing contract or other relationships.

Mandatory information is marked as such.

1.7. No automatic decision-making in individual cases

We generally do not use fully automated decision-making in accordance with Article 22 GDPR to establish and conduct a business relationship or other relationship. Should we utilize these procedures in individual cases, we will inform you separately if this is legally required.

1.8. Contact

When contacting us, e.g., via email or phone, the data supplied to us (e.g., names and email addresses) will be stored by us to answer questions. The legal basis for processing is our legitimate interest (Art. 6 Para. 1 Sentence 1 lit. f GDPR) in answering queries directed to us. Data gathered in this context will be deleted once storage is no longer necessary, or the processing will be restricted if legal retention obligations exist.

1.9. Customer surveys

From time to time, we conduct customer surveys to better understand our customers and their needs. We collect the data specifically requested in this context. Our legitimate interest lies in better understanding our customers and their needs, making the legal basis for the associated data processing Art. 6 Para. 1 Sentence 1 lit f GDPR. The data will be deleted once the survey results are evaluated.

2. Newsletter

We reserve the right to inform customers who have already used our services or purchased goods from time to time via email or other means about our offers unless they have objected. The legal basis for this data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR. Our legitimate interest lies in direct marketing (Recital 47 GDPR). Customers can object to the use of their email address for advertising purposes at any time without incurring any additional costs, e.g., via the link at the end of each email or via email to our above-mentioned email address.

Based on the consent of the recipients (Art. 6 Para. 1 Sentence 1 lit. a GDPR), we also measure the open and click rate of our newsletters to understand which content is relevant to our recipients.

We send newsletters using the HubSpot tool from the provider HubSpot, Inc., 25 1st Street Cambridge, MA 0214, USA. The provider processes content, usage, meta/communication data, and contact data in the EU. Further information is available in the provider's privacy policy at https://legal.hubspot.com/de/privacy-policy.

3. Data processing on our website

3.1. Notice for website visitors from Germany

Our website stores information on the devices of website visitors (e.g., cookies) or accesses information already stored on the device (e.g., IP addresses). Specific information on this is provided in the following sections.

This storage and access are carried out based on the following provisions:

• If this storage or access is absolutely necessary to provide the service explicitly requested by website visitors (e.g., to execute a chatbot used by the website visitor or to ensure the IT security of our website), it is based on § 25 Para. 2 No. 2 of the Telecommunications-Digital Services Privacy Act (TDDG).

• Otherwise, this storage or access is based on the consent of website visitors (§ 25 Para. 1 TDDG).

Subsequent data processing is carried out following the subsequent sections and based on the provisions of the GDPR.

3.2. Informational use of the website

When using the website for informational purposes, i.e., if site visitors do not provide us with additional information, we collect the personal data that the browser transmits to our server to ensure the stability and security of our website. This constitutes our legitimate interest, making the legal basis Art. 6 Para. 1 Sentence 1 lit. f GDPR.

This data includes:

• IP address

• Date and time of the request

• Time zone difference to Greenwich Mean Time (GMT)

• Contents of the request (specific page)

• Access status/HTTP status code

• Transferred amount of data

• Website from which the request comes

• Browser

• Operating system and its interface

• Language and version of the browser software.

This data is also stored in log files. They will be deleted when their storage is no longer necessary, at the latest after 14 days.

3.3. Web hosting and website provision

Our website is hosted by Vercel. The provider is Vercel Inc., 340 S Lemon Ave Unit 4133 Walnut, CA, USA. The provider processes the personal data transmitted via the website, e.g., content, usage, meta/communication data, or contact data in the EU. Further information can be found in the provider's privacy policy at https://vercel.com/legal/privacy-policy.

It is our legitimate interest to provide a website, so the legal basis for the described data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR.

Our website is hosted by Framer. The provider is Framer B.V., Rozengracht 207 B, 1016LZ Amsterdam, Netherlands. The provider processes the personal data transmitted via the website, e.g., content, usage, meta/communication data, or contact data, in the USA. Further information can be found in the provider's privacy policy at https://www.framer.com/legal/privacy-statement/.

3.4. Contact form

When contacting us via the contact form on our website, we store the data requested there and the content of the message.

The legal basis for processing is our legitimate interest in responding to inquiries directed to us. Therefore, the legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR.

The data collected in this context will be deleted once storage is no longer necessary, or processing will be restricted if legal retention obligations exist.

3.5. Job advertisements

We post job advertisements on our website, connected pages, or third-party websites.

The processing of the data provided in the context of the application is for conducting the application process. Insofar as it is necessary for our decision to establish an employment relationship, the legal basis is Art. 88 Para. 1 GDPR in conjunction with § 26 Para. 1 BDSG.

Applicant data will be deleted no later than six months after an applicant is rejected.

3.6. Customer account

Visitors to the website can open a customer account on our website. We process the data requested in this context based on the consent of the site visitor. Therefore, the legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR.

3.7. Technically necessary cookies

Our website uses cookies. Cookies are small text files stored in the web browser on the end device of a site visitor. Cookies help make the offering more user-friendly, effective, and secure. To the extent these cookies are necessary for the operation of our website or its functions (hereinafter "technically necessary cookies"), the legal basis for the associated data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR.

Specifically, we use technically necessary cookies for the following purpose or purposes:

• The customer does not use necessary cookies

• Cookies that adopt language settings

• Cookies that store login data

3.8. Third-party providers

3.8.1. Deepl API

We use the Deepl API for translations and API development. The provider is DeepL SE, Maarweg 165, 50825 Cologne. Further information is available in the provider's privacy policy at https://www.deepl.com/de/privacy.

3.8.2. PostHog

We use PostHog for product analysis and A/B testing. The provider is PostHog, Inc., San Francisco, 2261 Market St #4008, San Francisco, CA, USA. Further information is available in the provider's privacy policy at https://posthog.com/privacy.

3.8.3. heyData

We have integrated a data protection seal on our website. The provider is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany. Further information is available in the provider's privacy policy at https://heydata.eu/datenschutzerklaerung.

4. Data processing on social media platforms

We are represented on social media networks to present our organization and services there. The operators of these networks regularly process user data for advertising purposes.

4.1. LinkedIn

We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy is available here: https://www.linkedin.com/legal/privacy-policy?_l=de_DE.

5. Changes to this privacy policy

We reserve the right to change this privacy policy effective in the future. The current version is always available here.

6. Questions and comments

For questions or comments regarding this privacy policy, please feel free to contact us at the contact details provided above.