Privacy Policy
1. Data Controller and Contact
kapio UG (haftungsbeschränkt)
Lademannbogen 15
22339 Hamburg
Germany
- Phone: 040 29856997
- Email: moin@kapio.eu
- Managing Director: Martin Miersch
- Register Court: Amtsgericht Hamburg
- Register Number: HRB 170634
- VAT ID: DE346887978
2. Purposes, Data Categories and Legal Bases
| Data Types | Purpose | Legal Basis |
|---|---|---|
| Name, email, company name, billing address, VAT ID | Contract fulfillment, administration | Art. 6(1)(b) GDPR |
| Session token, IP address, user agent, timestamp | Operation, security, error analysis | Art. 6(1)(b), (f) GDPR |
| Language preference, consent status, email preferences (digestEmailsEnabled) | Platform function, communication | Art. 6(1)(b) GDPR |
| Name, bio, skills, industries, tools, links (website/LinkedIn) | Profile display, matching, publicity | Art. 6(1)(b) GDPR; publication: Art. 6(1)(a) GDPR |
| Name, email, company, phone number, originExpertId | Contact, personalization | Art. 6(1)(b) GDPR |
| stripeCustomerId, payment_method_brand/last4, payout status | Billing/payment processing (PCI-DSS) | Art. 6(1)(b) GDPR |
| Participants, time, duration, text transcript (anonymous speaker labels) | Service provision, billing, support | Art. 6(1)(b) GDPR; transcription: Art. 6(1)(a) GDPR |
| rating, displayName (with consent), takeaway, npsScore | Quality, transparency, matching | Art. 6(1)(f) GDPR; publication: Art. 6(1)(a) GDPR |
| Events, pageviews, internal UUID, UTM (utm_source/medium/campaign, gclid, fbclid, msclkid, referer) | Product analysis, error analysis | Art. 6(1)(a) GDPR (with cookies/IDs); cookieless: see section 5 |
| Rate limiting (IP hash), contactAttemptLogs | Abuse protection, platform integrity | Art. 6(1)(f) GDPR |
| Experts: identity/tax data, revenues/transactions, bank data (DAC7/PStTG) | Fulfillment of reporting obligations | Art. 6(1)(c) GDPR |
3. Legitimate Interests (Art. 6(1)(f) GDPR)
- Digest emails: User-friendliness and timely information about new content/messages; can be disabled via digestEmailsEnabled at any time.
- Rate limiting (IP hash, SHA-256): Abuse/attack protection with minimal data processing (no plain text IP).
- Session tracking (IP/User-Agent): Login security, fraud detection, technical error analysis.
- Contact detection logs: Protection of platform integrity and fairness (prevention of unauthorized direct contacts/circumvention).
Balancing of interests: The measures mentioned are necessary, proportionate and minimize data processing; no overriding conflicting interests of the data subjects are apparent.
4. Recipients/Categories of Recipients and Third Country Transfers
| Service | Country | Guarantees |
|---|---|---|
| Payment service | USA | SCCs, EU-US Data Privacy Framework |
| | USA | DPA/SCCs/DPF; retention approx. 45 days |
| Meetings/Transcripts | USA | SCCs |
| Storage | EU/USA | SCCs |
| Analytics | EU (Frankfurt) | EU Cloud |
| Analytics | EU | Cookieless |
| AI | USA | SCCs |
| AI | USA | SCCs |
| Push/Realtime | EU | EU location |
| CMS | EU | EU location |
| Calendar integrations | USA | OAuth, SCCs |
| Authority (DAC7) | Germany/EU | Legal obligation |
5. Cookies, Consent and Tracking (TDDDG-compliant)
Legal bases:
- Technically necessary cookies and similar technologies: Art. 6(1)(f) GDPR (legitimate interest).
- Non-essential storage/access on end devices: Consent under § 25 TDDDG.
- Analytics/Marketing: Activation only after consent.
Consent Mode v2 (Google Tags):
- For users in the EEA, GA4/Ads tags are only triggered after consent.
- We transmit signals according to your selection: ad_user_data, ad_personalization, ad_storage, analytics_storage.
Consent versioning:
- The banner stores consentVersion and consentAt for traceability.
Consent categories:
- essential: exclusively technically necessary cookies.
- all: technically necessary + Analytics/Marketing.
Cookie/Tag Overview
| Category | Purpose | Duration | Consent Required |
|---|---|---|---|
| essential | Session ID for guests | 30 days | No |
| essential | Consent status | 1 year | No |
| essential | Consent timestamp | 1 year | No |
| essential | Login session | Session | No |
| analytics | EU Cloud; cookies/IDs only with consent; cookieless via EU proxy possible; autocapture/session recording disabled | variable | Yes |
| analytics | Cookieless, EU location; controllable via banner opt-out | no cookies | No |
| marketing | EEA-wide only after consent; Consent Mode v2 active | variable | Yes |
6. AI Services and Data Protection
Transmitted content:
- Search queries, expert profiles, factual chat histories and transcripts with anonymized speaker labels.
- No PII such as customer names, emails, phone numbers, payment data, calendars/availabilities or IP addresses.
AI features:
- Expert matching (embeddings), chat search, deliberation, transcript summarization, briefing generation.
AI Access Controls (granular per organization/user; off by default):
- allowAiAccessToChat: false
- allowAiAccessToNotes: false
- allowAiTranscriptSummary: false
- allowAiAccessToDocuments: false
Automated decisions:
- No automated individual decisions with legal effect or profiling within the meaning of Art. 22 GDPR take place.
EU AI Regulation:
- We align AI functions with current and upcoming obligations; no high-risk applications, no prohibited practices.
7. Meetings and Transcripts
- A live transcript is created during video calls.
- No video or audio recordings are made or stored.
- Only the text transcript is saved.
- Transparency/Consent: We inform about transcription before the session begins; transcription requires active consent.
8. Payment Processing (PCI-DSS)
- Payments (customer/expert payouts) are processed via Stripe.
- kapio does not store credit card numbers; sensitive payment details remain with Stripe (e.g., Customer/Payment Method IDs).
9. Calendar Integrations
- Access via OAuth (Google Calendar, Microsoft Graph), data minimization (availabilities/events).
- Calendar contents and availabilities remain local.
- No calendar data is sent to AI services.
10. Retention Periods
| Duration | Justification |
|---|---|
| until deletion + 3 years | Statute of limitations |
| 10 years | § 147 AO, § 257 HGB |
| up to 10 years | Billing/accounting |
| 5 years | Support, proof of service |
| until withdrawal | Legitimate interest |
| 7-30 days | IT security |
| 24 hours (automatic cleanup) | Abuse protection/minimization |
11. Data Subject Rights
You have the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR, subject to retention obligations)
- Restriction (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent (Art. 7(3) GDPR)
Contact for exercising rights: moin@kapio.eu
Complaint: Competent supervisory authority Hamburg or any other EU supervisory authority.
12. Minors
- The offer is exclusively aimed at persons aged 18 and over.
- No knowing processing of data of minors takes place.
13. Data Security (Technical and Organizational Measures, TOMs)
- TLS transport encryption, encryption at rest (e.g., AES)
- Role-based access controls
- Regular backups and penetration tests
- Training and audit logs
14. DAC7 Reporting Obligation for Experts (PStTG)
If the thresholds are exceeded (≥ 2,000 € annual revenue or ≥ 30 transactions/year), we are obliged to report annually by January 31 to the Federal Central Tax Office (BZSt):
- Name, address, date of birth, tax ID/VAT ID, revenues/transactions, bank details
Legal basis: legal obligation (Art. 6(1)(c) GDPR).
Note: If neither threshold is reached, the small provider exception applies.
15. Changes and Versioning
- We update this privacy policy in case of technical or legal changes.
- The current version and date of change are shown above.
- Consent versions are stored separately (consentVersion, consentAt).
16. Role Clarification
- Experts generally act as independent controllers for their own purposes (no data processing agreement).
- External infrastructure/SaaS service providers are used as processors insofar as they act exclusively on behalf of kapio.
Last updated: January 22, 2026