Privacy policy.

Valid from: November 13, 2025

1. Introduction

In the following, we provide information about the collection of personal data when using:

  • Our website kukan.ai

  • Our profiles on social media

Personal data is any data that can be related to a specific natural person, such as their name or IP address.

1.1. Contact Details

The controller within the meaning of Art. 4 para. 7 EU General Data Protection Regulation (GDPR) is:

Kukan UG (haftungsbeschränkt)

Brunnenstrasse 41

10115 Berlin

Germany

Email: hello@kukan.ai

We are legally represented by Gerrit McGowan.

For questions regarding data protection, please contact us at: hello@kukan.ai

1.2. Scope of Data Processing, Processing Purposes and Legal Bases

We detail the scope of data processing, processing purposes and legal bases below. In principle, the following come into consideration as the legal basis for data processing:

  • Art. 6 para. 1 s. 1 lit. a GDPR serves as our legal basis for processing operations for which we obtain consent.

  • Art. 6 para. 1 s. 1 lit. b GDPR is the legal basis insofar as the processing of personal data is necessary for the performance of a contract, e.g. if a site visitor purchases a product from us or we perform a service for them. This legal basis also applies to processing that is necessary for pre-contractual measures, such as in the case of inquiries about our products or services.

  • Art. 6 para. 1 s. 1 lit. c GDPR applies if we fulfill a legal obligation by processing personal data, as may be the case, for example, in tax law.

  • Art. 6 para. 1 s. 1 lit. f GDPR serves as the legal basis when we can rely on legitimate interests to process personal data, e.g. to answer inquiries directed to us or to ensure the stability and security of our website.

1.3. Data Processing Outside the EEA

Insofar as we transfer data to service providers or other third parties outside the EEA, the security of the data during the transfer is guaranteed by adequacy decisions of the EU Commission, insofar as they exist (e.g. for Great Britain, Canada and Israel) (Art. 45 para. 3 GDPR).

In the case of data transfer to service providers in the USA, the legal basis for the data transfer is an adequacy decision of the EU Commission if the service provider has certified itself under the EU-U.S. Data Privacy Framework.

In other cases (e.g. if no adequacy decision exists), the legal basis for the data transfer are usually standard contractual clauses, unless we indicate otherwise. These are a set of rules adopted by the EU Commission and are part of the contract with the respective third party. According to Art. 46 para. 2 lit. c GDPR, they ensure the security of the data transfer. Many of the providers have given contractual guarantees that go beyond the standard contractual clauses to protect the data. These include, for example, guarantees regarding the encryption of data or regarding an obligation on the part of the third party to notify data subjects if law enforcement agencies wish to access the respective data.

1.4. Storage Duration

Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and no legal obligations to retain data conflict with the deletion. If the data are not deleted because they are required for other and legally permissible purposes, their processing is restricted, i.e. the data are blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

Standard retention periods we apply:

  • Contact form inquiries: 6-12 months after the inquiry has been resolved or last contact

  • Customer relationship management data: Duration of business relationship plus 3 years (for potential contract-related disputes)

  • Log files: 14 days maximum

  • Google Analytics data: 14 months (configured in GA4)

  • Cookies: See our Cookie Policy for specific retention periods

Commercial and tax law may require us to retain certain data for longer periods:

  • Accounting documents: 10 years (§ 147 AO - German Tax Code)

  • Commercial correspondence: 6 years (§ 257 HGB - German Commercial Code)

1.5. Rights of Data Subjects

Data subjects have the following rights against us with regard to their personal data:

  • Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to receive information about this data and further details.

  • Right to rectification (Art. 16 GDPR): You have the right to obtain the rectification of inaccurate personal data and to have incomplete personal data completed.

  • Right to erasure (Art. 17 GDPR): You have the right to obtain the erasure of your personal data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected.

  • Right to restriction of processing (Art. 18 GDPR): You have the right to obtain restriction of processing under certain conditions, such as when you contest the accuracy of the data.

  • Right to object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, to processing of personal data based on Art. 6 para. 1 lit. f GDPR (legitimate interests). You also have an absolute right to object to the processing of your data for direct marketing purposes.

  • Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit this data to another controller.

  • Right to withdraw consent (Art. 7 para. 3 GDPR): Where processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us at: hello@kukan.ai

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.

Responsible supervisory authority for Berlin:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Friedrichstr. 219

10969 Berlin

Germany

Phone: +49 30 13889-0

Email: mailbox@datenschutz-berlin.de

Website: https://www.datenschutz-berlin.de

A list of all supervisory authorities in Germany and their contact details is available at: https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html

1.6. Obligation to Provide Data

Within the scope of the business or other relationship, customers, prospective customers or third parties need to provide us with personal data that is necessary for the establishment, execution and termination of a business or other relationship or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or to provide a service or will no longer be able to perform an existing contract or other relationship.

Mandatory data are marked as such on our website.

1.7. No Automated Decision-Making

As a matter of principle, we do not use fully automated decision-making in accordance with Article 22 GDPR to establish and implement the business or other relationship. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law.

1.8. Making Contact

When you contact us, e.g. by email, telephone, or through our contact form, the data you provide to us (e.g. name, email address, telephone number, and message content) will be stored by us in order to answer your questions and process your inquiry.

Legal basis: Our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in answering inquiries directed to us and maintaining customer relationships.

Data retention: We delete or anonymize the data accruing in this context 6-12 months after the inquiry has been resolved or after the last contact, unless there are legal retention obligations or the data is needed for contract fulfillment. For potential contract-related inquiries, we may retain data for up to 3 years to handle any disputes.

1.9. Customer Surveys

From time to time, we may conduct customer surveys to better understand our customers and their needs. In doing so, we collect the data requested in each case.

Legal basis: Our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in getting to know our customers and their wishes better in order to improve our services.

Data retention: We delete the data when the results of the surveys have been evaluated and are no longer needed for the stated purpose.

2. Data Processing on Our Website

2.1. Notice for Website Visitors from Germany

Our website stores information in the terminal equipment of website visitors (e.g. cookies) or accesses information that is already stored in the terminal equipment (e.g. IP addresses). What information this is in detail can be found in our Cookie Policy and in the following sections.

This storage and access is based on the following provisions:

  • Insofar as this storage or access is absolutely necessary for us to provide the service of our website expressly requested by website visitors (e.g., to ensure the IT security of our website or to maintain session functionality), it is carried out on the basis of Section 25 para. 2 no. 2 of the German Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, "TTDSG").

  • Otherwise, this storage or access takes place on the basis of the website visitor's consent (Section 25 para. 1 TTDSG).

The subsequent data processing is carried out in accordance with the following sections and on the basis of the provisions of the GDPR.

For detailed information about cookies, their purposes, durations, and your choices, please refer to our Cookie Policy.

2.2. Informative Use of Our Website

During the informative use of the website, i.e. when site visitors do not separately transmit information to us, we automatically collect the personal data that your browser transmits to our server in order to ensure the stability and security of our website.

Data collected:

  • IP address

  • Date and time of the request

  • Time zone difference to Greenwich Mean Time (GMT)

  • Content of the request (specific page)

  • Access status/HTTP status code

  • Amount of data transferred in each case

  • Referrer URL (website from which the request comes)

  • Browser type and version

  • Operating system and its interface

  • Language and version of the browser software

Legal basis: Our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in ensuring the stability, security, and functionality of our website.

Data storage: This data is stored in log files and deleted when their storage is no longer necessary, at the latest after 14 days.

2.3. Web Hosting and Provision of the Website

Our website is hosted by Squarespace, Inc., 8 Clarkson Street, New York, NY 10014, United States.

Data processed: The provider processes personal data transmitted via the website, such as content data, usage data, meta/communication data, or contact data. Squarespace processes data both within the EU and the USA.

Legal basis: Our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in providing a reliable and secure website.

Data transfer: Squarespace is certified under the EU-U.S. Data Privacy Framework, which provides an adequacy decision for data transfers to the USA.

Further information: Squarespace's privacy policy is available at: https://www.squarespace.com/privacy

2.4. Contact Form

When you contact us via the contact form on our website, we store the data you provide (such as name, email address, message content, and any other information you voluntarily provide).

Purpose: To process and respond to your inquiry.

Legal basis: Our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in answering inquiries directed to us. If your inquiry relates to a potential contract, the legal basis is Art. 6 para. 1 s. 1 lit. b GDPR (pre-contractual measures).

Data retention: We delete the data 6-12 months after the inquiry has been resolved or after the last contact, unless there are legal retention obligations. For potential contract-related inquiries, we may retain data for up to 3 years.

2.5. Third-Party Services

2.5.1. HubSpot CRM

We use HubSpot for customer relationship management (CRM) to manage and organize our business relationships and customer interactions.

Provider: HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA

Data processed:

  • Contact data (e.g., name, email address, company)

  • Usage data (e.g., interactions with our website, email open rates)

  • Content data (e.g., inquiry details, communication history)

  • Meta/communication data (e.g., device information, IP addresses)

Processing location: Data is processed within the EU on HubSpot's EU servers.

Legal basis: Our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in managing customer relationships efficiently and providing high-quality customer service.

Data transfer: HubSpot is certified under the EU-U.S. Data Privacy Framework. We have concluded a Data Processing Agreement with HubSpot in accordance with Art. 28 GDPR.

Data retention: Data is retained for the duration of the business relationship and for 3 years thereafter (to handle potential disputes), unless longer retention is required by law or the data subject requests deletion.

Further information: HubSpot's privacy policy is available at: https://legal.hubspot.com/privacy-policy

2.5.2. Google Analytics 4

We use Google Analytics 4 for web analytics to understand how visitors interact with our website and to improve user experience.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for users in the EU)

Data processed:

  • Usage data (e.g., pages visited, time spent on site, interaction with content, access times)

  • Meta/communication data (e.g., device information, browser type, IP addresses - anonymized)

  • Event data (e.g., button clicks, downloads, form interactions)

IP anonymization: We have activated IP anonymization. Your IP address is shortened by Google within member states of the European Union or other parties to the Agreement on the European Economic Area before transmission to the USA.

Legal basis: Your consent (Art. 6 para. 1 s. 1 lit. a GDPR and § 25 para. 1 TTDSG). Google Analytics is only activated after you have given your explicit consent via our cookie banner.

Consent withdrawal: You may revoke your consent at any time by:

  1. Adjusting your cookie settings via our cookie banner

  2. Installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout

  3. Contacting us at hello@kukan.ai

The revocation does not affect the lawfulness of the processing until the revocation.

Data transfer: Data may be transferred to Google LLC servers in the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework, which provides an adequacy decision for data transfers to the USA. We have concluded a Data Processing Agreement with Google in accordance with Art. 28 GDPR.

Data retention: We have configured Google Analytics to automatically delete user data after 14 months. Aggregated, anonymized reports may be retained longer for statistical purposes.

Further information:

For detailed information about the cookies set by Google Analytics, please refer to our Cookie Policy.

3. Data Processing on Social Media Platforms

We maintain a presence on social media networks to present our organization and our services and to communicate with interested parties and customers.

General information about social media platforms:

The operators of these networks regularly process their users' data for advertising and market research purposes. They create user profiles from online behavior, which are used to show targeted advertising on the platforms and elsewhere on the Internet. To this end, the operators store information about user behavior in cookies on users' devices.

It cannot be ruled out that the operators merge this information with other data they hold about users or that operators or their servers are located in non-EU countries, where different data protection standards may apply.

Our processing of data:

When users contact us via our social media profiles (e.g., through direct messages or comments), we process the data provided to us in order to respond to inquiries.

Legal basis: Our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in communicating with interested parties and customers and answering inquiries directed to us.

Data retention: We retain communication data for as long as necessary to respond to inquiries and maintain customer relationships, typically 6-12 months after the last interaction.

Your rights and objections:

You can obtain further information about data processing by the social media platforms and instructions on how to object to processing in the privacy policies of the respective platforms (linked below). You can also manage your privacy settings directly on each platform.

3.1. LinkedIn

We maintain a company profile on LinkedIn.

Operator: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Data processing by LinkedIn: LinkedIn processes user data for various purposes, including targeted advertising and analytics. LinkedIn is a joint controller with us for certain aspects of data processing related to our company page.

Privacy policy: https://www.linkedin.com/legal/privacy-policy

Opt-out options: You can manage your advertising preferences and opt out of certain data processing here: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Further information: Information about LinkedIn's processing of page insights data: https://legal.linkedin.com/pages-joint-controller-addendum

3.2. Instagram

We maintain a company profile on Instagram.

Operator: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (for users in the EU)

Data processing by Instagram: Instagram (operated by Meta) processes user data for various purposes, including targeted advertising, content personalization, and analytics. Meta is a joint controller with us for certain aspects of data processing related to our business page, particularly regarding page insights and statistics.

Privacy policy: https://www.instagram.com/legal/privacy/

Opt-out options: You can manage your advertising preferences and data settings within the Instagram app:

  • Go to Settings > Privacy and Security > Data Sharing

  • Go to Settings > Ads to manage ad preferences

Further information:

3.3. Facebook

We maintain a company page on Facebook.

Operator: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (for users in the EU)

Data processing by Facebook: Facebook (operated by Meta) processes user data for various purposes, including targeted advertising, content personalization, and analytics. Meta is a joint controller with us for the processing of page insights data. When you visit or interact with our Facebook page, Meta collects and processes data about your interactions, which is used to provide us with anonymized statistics about our page's performance.

Privacy policy: https://www.facebook.com/privacy/policy/

Opt-out options: You can manage your privacy and advertising preferences on Facebook:

Joint controllership: We are joint controllers with Meta for the processing of page insights data. Meta has primary responsibility for processing this data and fulfilling data subject rights. You can exercise your rights directly with Meta.

Further information:

4. Changes to This Privacy Policy

We reserve the right to update this privacy policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

A current version is always available at this page. We encourage you to review this privacy policy periodically for the latest information on our privacy practices.

The "Valid from" date at the top of this policy indicates when it was last revised.

If we make material changes to this privacy policy, we will notify you through a prominent notice on our website prior to the change becoming effective.

5. Questions and Comments

If you have any questions or comments regarding this privacy policy or our data processing practices, please feel free to contact us:

Kukan UG (haftungsbeschränkt)

Brunnenstrasse 41

10115 Berlin

Germany

Email: hello@kukan.ai

For questions specifically related to data protection and your rights under GDPR, please contact us at the same email address.