Last updated: December 2024
1. Overview
This privacy policy explains what personal data we collect when you use our website and the Kanman SaaS application, how we use it, and what rights you have regarding your data.
2. Controller
The controller responsible for data processing is:
Marco Kerwitz
kerwitz.dev
Birkenweg 21
31226 Peine, Germany
Phone: +49 5171 9078566
Email: [email protected]
3. Data Processing Overview
3.1 Account Data
When you register for Kanman, we collect:
- Email address
- Name (if provided)
- Password (stored encrypted)
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Retention: Duration of contract plus 3 years (limitation period)
3.2 Usage Data
When you use Kanman, we process:
- Projects, boards, and tasks you create
- Usage logs (actions, timestamps)
- Technical data (IP address, browser type, device information)
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interests: security, service improvement)
Retention: Content data: duration of contract. Logs: 30-90 days.
3.3 Payment Data
For payment processing, we use Stripe (Stripe Payments Europe Ltd., Ireland). Stripe processes:
- Payment method details
- Transaction data
- Billing address
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Retention: Tax documents: 10 years (Section 147 AO)
Stripe's privacy policy: https://stripe.com/privacy
4. Service Providers
4.1 Supabase (Database and Authentication)
We use Supabase (Supabase Inc., USA) for our database infrastructure and user authentication. Data processed: user data, email addresses, usage data.
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Data transfer: Data is hosted in the EU (eu-west-1). Transfer to the USA is based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Privacy policy: https://supabase.com/privacy
4.2 Cloudflare (CDN and Security)
We use Cloudflare (Cloudflare Inc., USA) as our Content Delivery Network and for security measures. Data processed: IP addresses, technical connection data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests: IT security, performance)
Data transfer: Cloudflare is certified under the EU-US Data Privacy Framework. EU Standard Contractual Clauses also apply.
Privacy policy: https://www.cloudflare.com/privacypolicy/
4.3 Stripe (Payment Processing)
Payment processing is handled by Stripe Payments Europe Ltd., Ireland. Stripe processes payment data, transaction data, name, email, and billing address.
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Privacy policy: https://stripe.com/privacy
5. Data Transfers to Third Countries
Some of our service providers are based in the USA. For transfers to companies certified under the EU-US Data Privacy Framework, an adequacy decision by the EU Commission dated July 10, 2023 applies. Additionally or alternatively, we have concluded EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR with our service providers. Copies can be provided upon request.
6. Cookies
6.1 Essential Cookies
We use essential cookies required for the functioning of our service:
- Authentication cookies (Supabase session)
- Security cookies (Cloudflare)
- Cookie consent storage
Legal basis: Art. 6(1)(f) GDPR (legitimate interests: necessary for service operation)
6.2 Analytics
We use Cloudflare Web Analytics for privacy-friendly, cookieless analytics that does not track individual users or store personal data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests: service improvement)
7. Data Retention
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Tax documents/invoices | 10 years | Section 147 AO, Section 14b UStG |
| Contract data | Duration + 3 years | BGB limitation period |
| Usage logs | 30-90 days | Legitimate interest |
| Account data | Until deletion request | Contract performance |
8. Your Rights
Under the GDPR, you have the following rights:
8.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether personal data concerning you is being processed and to access that data.
8.2 Right to Rectification (Art. 16 GDPR)
You have the right to obtain rectification of inaccurate personal data concerning you.
8.3 Right to Erasure (Art. 17 GDPR)
You have the right to obtain erasure of personal data concerning you under certain conditions.
8.4 Right to Restriction (Art. 18 GDPR)
You have the right to obtain restriction of processing under certain conditions.
8.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can export your data through the Kanman application.
8.6 Right to Object (Art. 21 GDPR)
You have the right to object to the processing of your personal data based on legitimate interests at any time, for reasons arising from your particular situation.
8.7 Right to Withdraw Consent (Art. 7 GDPR)
Where processing is based on consent, you have the right to withdraw that consent at any time. The lawfulness of processing based on consent before its withdrawal is not affected.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement.
9. Data Security
We use SSL/TLS encryption for all data transmission. Our service providers implement appropriate technical and organizational measures to protect your data.
10. Contact
For questions about data protection or to exercise your rights, please contact:
Email: [email protected]
We will respond to your request within one month. This period may be extended by two months for complex requests.