Privacy Policy

This privacy policy explains what personal data we, Kyrok GmbH (hereinafter "Kyrok" or "we"), collect when you visit our website at www.kyrok.com and when you otherwise interact with our company, and how we process and use your data. Personal data is any information relating to an identified or identifiable natural person, such as name, email address, IP address, or postal address. We process your personal data in accordance with applicable data protection laws and this privacy policy.

Note on the use of our software: Where we process personal data in connection with providing our software to our customers, we act as a processor on behalf of the respective customer. The data processing agreement concluded with the customer pursuant to Art. 28 GDPR applies in this case.

The controller within the meaning of the GDPR is:

Kyrok GmbH
Weinmeisterstraße 12
10178 Berlin
Email: info@kyrok.com

If you have questions about data protection, you can reach us at the contact details above.

3.1 Visiting our website

When you use our website for informational purposes only, the internet browser you use automatically sends information to our website server for technical reasons, and this information is temporarily stored in a so-called log file. The following information is automatically collected and stored until automated deletion: the IP address of your device, the date and time of access, the name and URL of the file retrieved, the amount of data sent, the website from which access was obtained (referrer URL), the internet browser you use (type and version), the operating system of your device, and the name of your access provider.

We process the above data for the following purposes: ensuring a smooth connection to the website, ensuring comfortable use of the website, and evaluating system security and stability. The legal basis for the above data processing is Art. 6(1)(f) GDPR. Our legitimate interest follows from the purposes stated above.

Your IP address is stored for a period of 24 hours and then automatically deleted. The other information that does not allow conclusions to be drawn about your person is stored by us in log files and also deleted after 24 hours.

3.1.1 Cookies

We use cookies and similar technologies (hereinafter collectively referred to as "cookies") on our websites. Cookies are small data packages that contain certain information (e.g. the time of your server request, the operating system you use, browser type, the previously visited website, and the IP address) and are stored in the web browser on the user's device when visiting a website. If the corresponding server is accessed again by you, your browser sends the previously stored cookie back to the server.

We use so-called session cookies, which store a session ID that allows various requests from your browser to be assigned to the same session, and which are automatically deleted when you close the browser. In addition, we also use cross-session cookies, which are automatically deleted after a predefined period depending on the type of cookie, ranging from one day to 24 months.

The cookies we set are necessary to enable certain functions of our websites (e.g. cookie banner, storage of your language selection) or to ensure the security of the website. The processing of these necessary cookies is based on Art. 6(1)(f) GDPR to protect our legitimate interests and Section 25(2) No. 2 TDDDG.

You can also disable the storage of cookies via your browser or configure your browser to notify you as soon as cookies are sent.

3.1.2 Web analytics tools

We use web analytics tools on our websites. These tools allow us to track your behaviour on our websites. This helps us make our websites more user-friendly and efficient, fix errors, and optimise our marketing measures.

We use PostHog, a web analytics service provided by PostHog, Inc. (2261 Market Street #4008, San Francisco, CA 94114, USA), in cookieless mode.

The information collected may include:

• pages visited
• time spent on pages
• clicks
• the source of your visit
• browser and device information (browser type, operating system, screen resolution)

Individual persons cannot be identified on the basis of this data. The data is processed and stored exclusively on servers in Frankfurt am Main.

The legal basis is our legitimate interest in website optimisation pursuant to Art. 6(1)(f) GDPR. We have concluded a data processing agreement with PostHog pursuant to Art. 28 GDPR. Further information: posthog.com/privacy.

3.2 Contact, initiation, performance, and termination of business relationships

To initiate, perform, and terminate business relationships with prospects, customers, suppliers, and other business partners, we process the contact details of our contact persons (first and last name, position if applicable, postal address if applicable, email address, telephone number if applicable), communication data, creditworthiness data if applicable, bank details if applicable, contract data if applicable, as well as other content-related information about the enquiry or contractual relationship. Providing this data is not legally required; however, processing your enquiry or conducting the business relationship may be impossible or only possible with difficulty without this data.

We process the data to initiate and perform the contractual or pre-contractual relationship on the basis of Art. 6(1)(b) GDPR, to fulfil legal obligations (e.g. tax and commercial law retention obligations) pursuant to Art. 6(1)(c) GDPR, and to protect our legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interests lie in maintaining the business relationship, analysing and evaluating our business activities, pursuing or defending legal claims if applicable, and conducting a sale or investor process regarding our company.

We generally store your data for as long as this is necessary for the stated purposes. We store the data collected for contract processing for the duration of the contractual relationship and, after the contract ends, if applicable until the expiry of statutory or contractual warranty and guarantee rights and until the conclusion of any court proceedings. Where we are obliged to store data for longer periods due to tax and commercial law retention and documentation obligations, this is done for the legally prescribed periods (up to ten years).

3.3 Applications

If you send us an application, you should at least provide your full name, your postal or electronic contact address, a cover letter, and your CV. There is no legal or contractual obligation to provide this data; however, without it we cannot process your application.

We process the data you submit to decide on the establishment of an employment relationship. The legal basis for this is Section 26(1) BDSG in conjunction with Art. 6(1)(b) GDPR. Where special categories of personal data are affected (e.g. information on health, religion, ethnic origin, or political orientation), processing is based on your consent pursuant to Art. 9(2)(a) GDPR. If you wish to exclude the processing of such data from the outset, we recommend that you do not submit corresponding information.

Mutual legal claims may arise in connection with the application process (e.g. claims under the General Equal Treatment Act – AGG). Processing your data may therefore be necessary to assert or defend against such claims; in this respect, processing is based on Art. 6(1)(f) GDPR.

In the event of a rejection, we store your data for up to six months from the date the rejection is sent in order to comply with the documentation obligations under the AGG. If an AGG lawsuit is filed, we store the data for a further month after the proceedings have been concluded with final effect.

You may revoke your consent to the processing of your application data at any time with effect for the future; the data will then be deleted immediately and your application can no longer be considered. Storage within the above periods to fulfil statutory documentation obligations remains reserved. If your application is successful, your data will be processed within the employment relationship; our separate privacy information for employees applies in this case.

It may be necessary for us to disclose your personal data to third parties. Disclosure only takes place to the extent necessary. The following categories of recipients are particularly relevant:

• the web analytics services mentioned that we integrate on this website;
• IT service providers (e.g. website host, cloud provider, service providers who maintain our IT systems);
• other third parties who support us in our business activities (e.g. freelancers, shipping service providers, agencies, banks, credit agencies, corporate/legal/tax advisors, notaries, auditors);
• authorities, courts, and other public bodies, e.g. in the case of legal disputes arising from the contractual relationship with you;
• potential interested parties and their advisors in the event of a sale or investor process regarding our company.

We host our website with Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA. The data collected in accordance with Section 3.1 when visiting our website is therefore transferred to the USA. This is done on the basis of the adequacy decision of the European Commission of 10 July 2023 (C(2023) 4745 final) on the EU-U.S. Data Privacy Framework, under which Vercel is certified. We have concluded a data processing agreement with Vercel. Vercel's privacy policy can be found at vercel.com/legal/privacy-notice.

We take appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorised persons. Our website uses SSL/TLS encryption to secure transmission.

You have the right to obtain information about the data we process relating to your person pursuant to Art. 15 GDPR, to request the rectification of inaccurate and the completion of incomplete data pursuant to Art. 16 GDPR, to request the deletion of your data stored by us pursuant to Art. 17 GDPR, to request restriction of processing pursuant to Art. 18 GDPR, and to receive your data in a structured, commonly used, and machine-readable format or to request its transmission to another controller pursuant to Art. 20 GDPR.

Where data processing is based on your consent, you may revoke this consent at any time in whole or in part with effect for the future pursuant to Art. 7(3) GDPR. Revocation does not affect the lawfulness of processing carried out before the revocation. Your data will then be deleted unless another legal basis for processing exists.

You may also object to data processing if the requirements of Art. 21 GDPR are met.

You also have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates legal data protection provisions. The supervisory authority responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59–61, 10555 Berlin, datenschutz-berlin.de.

This privacy policy is dated 17 June 2026. We reserve the right to amend this privacy policy to adapt it to changed legal situations or to changes in our offering and data processing. The version available at the time of your visit applies in each case.