Introduction

At Kosmik Ventures, SL (“we,” “our,” or “us”), we are dedicated to protecting the privacy and security of the personal data we process. This Privacy Policy outlines our practices regarding the collection, use, and sharing of personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We recognize the importance of your privacy and are committed to safeguarding personal data entrusted to us by our customers and their end-users.

Kosmik Ventures, SL, located at Travessera de les Corts 282, 1o 3a, Barcelona (08029) in Spain, specializes in creating automated workflows, including chatbots, IVR systems, and AI agents. Our primary clientele comprises businesses that sell directly to consumers. This Privacy Policy explains how we handle personal data collected through our services, websites, and interactions with our customers and their end-users.

1. Information We Collect

1.1 From Our Customers

As a B2B company, we primarily collect and process personal data related to our business customers. This data includes:

Company Name and Address: We collect the official name and registered address of the business for identification and communication purposes.
Billing Information: This includes details necessary for processing payments and maintaining financial records, such as bank account information and billing contact details.
Contact Details of Company Representatives: We collect names, email addresses, and phone numbers of individuals who act as points of contact within the customer organization. This information is crucial for providing support, managing accounts, and facilitating communication.

1.2 On Behalf of Our Customers (End-User Data)

Our services also involve handling personal data on behalf of our customers, particularly concerning their end-users or leads. The types of data we collect in this context include:

Contact Information: This comprises phone numbers and email addresses provided by leads during the qualification process. This data enables us to manage communications through various channels, such as WhatsApp, telephone, and email.
Lead Information: During the lead qualification process, additional information may be collected as provided by the end-users. This can include names, company details, job titles, and other relevant information that aids in lead scoring and qualification.

1.3 Methods of Data Collection

The personal data we collect is gathered through various methods, depending on the interaction context. These methods include:

Website Interactions: When leads submit their contact details on our customers’ websites, this information is transmitted to us via API calls for further processing.
Email Communications: We collect data through email exchanges as part of the lead qualification and communication process.
Instant Messaging Platforms: Data is also collected through interactions on instant messaging platforms such as WhatsApp, where we manage real-time communication with leads.

1.4 Purpose of Data Collection

We collect and process personal data for several key purposes:

Service Provision: The primary purpose of collecting personal data is to provide and maintain our services. This includes managing communications, qualifying leads, and integrating information into our customers’ CRM systems.
Analytics and Reporting: We aggregate data from all chat interactions and lead communications to provide our customers with detailed analytics and performance reports. These insights help our customers understand conversion rates, lead automation effectiveness, and overall process performance.

1.5 Data Minimization and Relevance

We adhere to the principles of data minimization and relevance, ensuring that we only collect personal data necessary for the specified purposes. We do not collect or process data beyond what is required to provide our services effectively.

1.6 Legal Basis for Processing

Our processing of personal data is based on legitimate interests pursued by Kosmik Ventures, SL, and our customers. This includes providing requested services, improving our offerings, and ensuring efficient business operations. In cases where we process personal data based on consent, such as for marketing communications, we obtain explicit consent from the data subjects.

1.7 Customer and End-User Obligations

Our customers are responsible for ensuring that they have obtained the necessary consents from their end-users before sharing personal data with us. They must also provide their end-users with appropriate privacy notices, informing them about the data collection, processing purposes, and their rights under applicable data protection laws.

In conclusion, the collection and processing of personal data are integral to our operations at Kosmik Ventures, SL. We are committed to handling this data with the utmost care, ensuring compliance with legal requirements, and maintaining transparency with our customers and their end-users.

2. How We Use Information

This section details the specific ways in which we utilize this information, ensuring transparency and compliance with applicable data protection laws.

2.1 For Our Customers

2.1.1 Service Provision and Maintenance

The primary use of the personal data we collect from our customers is to provide and maintain our services. This includes:

Account Management: We use customer contact details to create and manage user accounts, ensuring authorized access to our services.
Billing and Payments: Billing information is used to process payments for our services, manage invoices, and maintain accurate financial records.
Customer Support: Contact information of company representatives is essential for providing customer support, addressing inquiries, troubleshooting issues, and offering technical assistance.
Service Updates: We use customer contact details to communicate important updates, changes, or enhancements to our services, ensuring customers are informed about new features or modifications.

2.1.2 Analytics and Reporting

We aggregate and analyze data collected from customer interactions to provide valuable insights and performance reports. This includes:

Performance Metrics: Aggregated data is used to generate dashboards and reports that highlight key performance indicators (KPIs) such as conversion rates, lead qualification success rates, and other metrics relevant to our customers’ automation workflows.
Service Improvement: Analyzing usage patterns and customer feedback helps us identify areas for improvement, optimize our services, and develop new features that better meet our customers’ needs.

2.1.3 Marketing and Communication

With explicit consent, we use customer contact information for marketing purposes, such as:

Promotional Offers: Sending information about new services, special offers, or promotions that may be of interest to our customers.
Newsletters: Distributing newsletters that contain industry insights, company news, and updates about our services.

Customers have the option to opt out of marketing communications at any time.

2.2 For End-Users

2.2.1 Lead Management and Communication

The personal data we collect from end-users on behalf of our customers is primarily used to manage communications and qualify leads. This includes:

Multi-Channel Communication: We use contact information to reach out to leads via channels such as WhatsApp, telephone, and email. This allows us to engage with leads in real-time, addressing their inquiries and gathering additional information needed for qualification.
Lead Qualification: During interactions, we collect relevant information from leads to assess their interest and suitability. This data is then used to qualify the lead, assigning a lead score based on predefined criteria.
CRM Integration: Once a lead is qualified, the collected information, including lead scores and interaction details, is integrated into our customers’ CRM systems. This ensures seamless data transfer and enables our customers to manage their sales pipelines effectively.

2.2.2 Analytics and Reporting

We also use end-user data to generate analytics and reports for our customers. This includes:

Conversion Analysis: Aggregated data from lead interactions is analyzed to provide insights into conversion rates and the effectiveness of lead automation processes.
Customer-Specific Reports: Customized reports are generated to help customers understand the performance of their automation workflows, identify trends, and make informed decisions based on data-driven insights.

2.3 Data Aggregation and Anonymization

While we aggregate data for analytics and reporting, we ensure that any aggregated data is anonymized and does not contain personally identifiable information. This allows us to provide valuable insights without compromising the privacy of individual data subjects.

2.4 Legal Compliance and Enforcement

We may use personal data to comply with legal obligations and enforce our rights. This includes:

Compliance with Laws: Ensuring our data processing activities comply with applicable laws and regulations, including data protection laws like the GDPR.
Fraud Prevention: Using data to detect, prevent, and respond to fraud, security breaches, and other illegal activities.
Enforcement of Terms: Utilizing data to enforce our terms of service, agreements, and policies, and to protect our rights, privacy, safety, or property, and that of our customers and others.

2.5 Internal Business Operations

We use personal data for internal business operations, such as:

Auditing and Accounting: Maintaining accurate financial records and conducting audits to ensure the integrity of our financial processes.
Research and Development: Analyzing data to improve our services, develop new products, and conduct research that enhances our offerings.
Training and Quality Assurance: Using data to train our staff, improve customer support, and ensure the quality and consistency of our services.

2.6 Consent and Choice

Where required by law, we obtain consent from data subjects before processing their personal data for specific purposes. We ensure that data subjects have the choice to opt-in to non-essential data processing activities, such as marketing communications. Additionally, we provide mechanisms for data subjects to withdraw their consent at any time.

3. How We Share Information

This section provides a detailed overview of how we share personal data, the types of third parties involved, and the measures we take to ensure data is shared responsibly and in compliance with applicable data protection laws.

3.1 Sharing with Third-Party Service Providers

To provide our services effectively, we may share personal data with third-party service providers who perform functions on our behalf. These service providers include:

3.1.1 Cloud Service Providers

Amazon Web Services (AWS): We use AWS for data storage and cloud computing services. AWS hosts our data in secure data centers located in Germany, ensuring compliance with GDPR.
MongoDB Atlas: MongoDB Atlas provides us with a cloud database service that is also hosted in Germany. This ensures that our data remains within the European Union.

3.1.2 Communication and Telecom Services

Twilio: We use Twilio for communication services, including SMS and phone call handling. This enables us to manage multi-channel communications with leads.
WhatsApp: WhatsApp is used for real-time messaging with leads, allowing us to engage in interactive communications.

3.1.3 Analytics and Reporting Tools

We use various analytics tools to aggregate and analyze data. These tools help us generate performance reports and insights for our customers.

3.1.4 Security and Monitoring Services

To enhance our security measures, we may share data with providers of security and monitoring services. These services help us detect and respond to potential security threats and vulnerabilities.

3.2 Sharing for Legal and Regulatory Compliance

We may disclose personal data to third parties if we believe that such action is necessary to:

Comply with Legal Obligations: Meet any applicable law, regulation, legal process, or enforceable governmental request.
Protect Rights and Safety: Protect the rights, privacy, safety, or property of Kosmik Ventures, SL, our customers, end-users, or the public.
Enforce Our Policies: Enforce our terms of service, agreements, or other policies to protect our operations or users.

3.3 Sharing with Business Partners

In certain circumstances, we may share personal data with our business partners to improve our services and provide joint offerings. These partners are contractually obligated to comply with data protection laws and to use personal data only for the purposes for which it was shared.

3.4 International Data Transfers

While we strive to process all data within the European Union, certain third-party service providers may have operations in other jurisdictions. When we transfer personal data internationally, we ensure appropriate safeguards are in place, such as:

Standard Contractual Clauses (SCCs): We use SCCs approved by the European Commission to ensure data protection standards are met.
Adequacy Decisions: We transfer data to countries that the European Commission has determined provide an adequate level of data protection.
Binding Corporate Rules (BCRs): For intra-group data transfers, we may implement BCRs to ensure consistent data protection standards across our organization.

3.5 Data Anonymization and Aggregation

In certain cases, we may share anonymized and aggregated data with third parties. This data does not contain any personally identifiable information and is used for purposes such as:

Research and Development: Enhancing our services and developing new products based on aggregated usage patterns and trends.
Market Analysis: Providing insights into industry trends and benchmarks without compromising individual privacy.

3.6 Customer-Controlled Sharing

Our customers have control over certain aspects of data sharing, including:

Data Sharing Preferences: Customers can specify preferences for sharing data with third parties, subject to the terms of our agreements and applicable laws.
Sub-Processors: We maintain a list of sub-processors that assist in providing our services. Customers are informed of any new sub-processors and have the option to object to such changes if they believe it impacts their data security.

3.7 Data Subject Rights and Third-Party Sharing

We respect the rights of data subjects to control their personal data. This includes:

Access and Portability: Data subjects can request access to their data and obtain a copy in a machine-readable format.
Rectification and Erasure: Data subjects can request corrections to inaccurate data and deletion of their personal data, subject to certain conditions.
Restriction of Processing: Data subjects can request the restriction of processing their data under specific circumstances.
Objection to Processing: Data subjects have the right to object to the processing of their data for certain purposes, including direct marketing.

When responding to data subject requests, we ensure that any third-party sharing is aligned with the data subject’s rights and our legal obligations.

3.8 Transparency and Accountability

We are committed to transparency regarding our data sharing practices. This includes:

Privacy Notices: Providing clear and accessible privacy notices that explain how personal data is shared and with whom.
Regular Updates: Keeping our customers informed of any changes to our data sharing practices, including updates to our list of sub-processors.
Accountability Measures: Implementing measures to ensure that our data sharing practices comply with legal requirements and industry best practices.

3.9 Security Measures for Data Sharing

To ensure the security of personal data shared with third parties, we implement the following measures:

Data Protection Agreements: We enter into data protection agreements with third-party service providers to ensure they adhere to our data protection standards.
Security Audits: Conducting regular security audits and assessments of our third-party service providers to verify their compliance with our security requirements.
Incident Response: Collaborating with third parties to respond promptly to any data breaches or security incidents involving shared data.

4. Data Security

We implement comprehensive security measures to safeguard the personal data of our customers and their end-users from unauthorized access, disclosure, alteration, and destruction. This section details our security practices, controls, and policies designed to ensure the confidentiality, integrity, and availability of personal data.

4.1 Information Security Policies

We have established a set of robust information security policies that guide our data protection practices. These policies cover various aspects of information security, including:

Access Control: We define and enforce strict access control policies to ensure that only authorized personnel can access personal data. This includes role-based access control (RBAC) to limit access based on job roles and responsibilities.
Incident Management: Our incident management policy outlines procedures for identifying, responding to, and mitigating security incidents. This ensures timely and effective response to any security threats or breaches.
Vulnerability Management: We have a proactive approach to identifying and addressing vulnerabilities in our systems. Regular vulnerability assessments and penetration tests are conducted to detect and remediate security weaknesses.
Data Encryption: Our data encryption policy mandates the use of strong encryption protocols to protect data in transit and at rest. This ensures that personal data is encrypted using industry-standard methods.

4.2 Employee Training and Awareness

All employees undergo mandatory training on data protection and information security. This training covers essential topics such as:

Data Protection Principles: Employees learn about the principles of data protection, including data minimization, purpose limitation, and accountability.
Security Best Practices: Training includes best practices for safeguarding data, such as password management, recognizing phishing attempts, and secure data handling.
Incident Response: Employees are trained on how to report and respond to security incidents promptly and effectively.

We also conduct regular security awareness sessions to reinforce these concepts and keep employees informed about emerging security threats.

4.3 Data Encryption

To protect personal data from unauthorized access, we use advanced encryption methods:

Data in Transit: Data transmitted over networks is encrypted using Transport Layer Security (TLS) 1.2 or higher. This ensures that data is secure during transmission.
Data at Rest: Personal data stored in our databases and file systems is encrypted using Advanced Encryption Standard (AES) 256-bit encryption. This provides a high level of protection against unauthorized access.

4.4 Data Backup and Recovery

To protect against data loss, we implement robust data backup and recovery procedures:

Regular Backups: Personal data is backed up regularly and stored in multiple secure locations within Europe.
Encrypted Backups: Backup data is encrypted to ensure its confidentiality and integrity.
Recovery Tests: We conduct quarterly data recovery tests to ensure that backups can be restored effectively in the event of data loss or corruption.

5. Data Retention

This section details our data retention policies, procedures for data deletion and anonymization, and the rights of our customers and their end-users regarding data retention.

5.1 Data Retention Periods

We have established data retention periods that balance the need for operational efficiency, legal compliance, and the privacy rights of data subjects. Our retention periods are as follows:

5.1.1 Customer Data

General Information: We retain customer information, such as company name, address, billing information, and contact details of company representatives, for the duration of the business relationship. After the termination of the relationship, this data is retained for up to two years to address any potential disputes, comply with legal obligations, and maintain financial records.
Billing Information: Financial records, including billing information, are retained for seven years to comply with accounting and tax regulations.

5.1.2 End-User Data

Contact Information and Lead Data: Personal data collected from end-users, such as phone numbers, email addresses, and information gathered during lead qualification, is retained for up to two years. However, our customers have the flexibility to request shorter retention periods according to their specific requirements and data protection policies.

5.2 Policies for Data Deletion and Anonymization

We have implemented clear policies and procedures for the deletion and anonymization of personal data. These procedures ensure that data is managed responsibly and in compliance with legal requirements.

5.2.1 Data Deletion

Customer Requests: Customers can request the deletion of their data or the data of their end-users at any time. Upon receiving such a request, we verify the identity of the requester and proceed with the deletion process. The data is anonymized within two working weeks.
Automated Deletion: We have automated systems in place to delete personal data once it reaches the end of its retention period. This ensures that data is not kept longer than necessary.

5.2.2 Data Anonymization

Anonymization Process: When personal data needs to be retained for analytical or research purposes beyond the retention period, we anonymize the data to remove any identifiable information. This process ensures that the data can no longer be linked to any specific individual.
Aggregate Data: Anonymized data may be aggregated for reporting and analytics purposes. This aggregated data helps us and our customers gain insights into trends and performance metrics without compromising individual privacy.

5.3 Legal Obligations and Retention

Certain legal obligations may require us to retain personal data for longer periods. These obligations include:

Regulatory Compliance: We retain data as necessary to comply with applicable laws and regulations, such as tax laws, anti-fraud regulations, and data protection requirements.
Litigation and Dispute Resolution: In the event of ongoing litigation or disputes, we may retain relevant data until the resolution of the matter.

5.4 Customer Rights and Data Retention

We respect the rights of our customers and their end-users regarding the retention of their personal data. These rights include:

5.4.1 Right to Access

Data Access Requests: Customers and end-users have the right to request access to their personal data held by us. We provide a copy of the requested data in a structured, commonly used, and machine-readable format.

5.4.2 Right to Rectification

Data Correction Requests: Customers and end-users can request the correction of inaccurate or incomplete data. We promptly update the data to ensure its accuracy.

5.4.3 Right to Erasure

Data Deletion Requests: Customers and end-users have the right to request the deletion of their personal data. We honor these requests, provided there are no overriding legal or legitimate business reasons to retain the data.

5.5 Data Retention Reviews and Updates

We periodically review our data retention policies and practices to ensure they remain effective and compliant with evolving legal and regulatory requirements. This includes:

5.5.1 Policy Reviews

Regular Assessments: We conduct regular assessments of our data retention policies to ensure they align with industry best practices and legal obligations.
Stakeholder Involvement: Our reviews involve key stakeholders, including our Data Protection Officer (DPO), legal counsel, and IT security personnel.

5.5.2 Updates to Retention Practices

Policy Revisions: Based on our assessments, we may revise our data retention policies to address new regulatory requirements or changes in our operational needs.
Customer Notification: We inform our customers of any significant changes to our data retention policies, providing transparency and ensuring they understand how their data is managed.

6. Your Rights

This section details the various rights data subjects have regarding their personal data and how we facilitate the exercise of these rights.

6.1 Right to Access

Data subjects have the right to access their personal data held by us. This includes:

6.1.1 Access Requests

Submitting Requests: Data subjects can submit a request to access their personal data by contacting our customers through the designated communication channels; our customers then relay the requests to us.
Information Provided: Upon request, we provide data subjects with a copy of their personal data, along with information about the purposes of processing, categories of data processed, data recipients, data retention periods, and the source of the data if it was not collected directly from the data subject.

6.1.2 Response Time

Timely Responses: We strive to respond to access requests promptly and within the timeframes stipulated by applicable data protection laws, typically within one month of receiving the request. If additional time is needed, we inform the data subject of the extension and the reasons for it.

6.2 Right to Rectification

Data subjects have the right to request the correction of inaccurate or incomplete personal data. This includes:

6.2.1 Correction Requests

Submitting Requests: Data subjects can request the rectification of their data by contacting our customers through the designated communication channels; our customers then relay the requests to us.
Implementing Corrections: Upon receiving a correction request, we verify the accuracy of the data and make the necessary corrections promptly. We also notify any third parties with whom the inaccurate data was shared to update their records.

6.2.2 Notification of Changes

Informing Data Subjects: Once the data has been corrected, we inform the data subject of the changes made and confirm that the rectified data has been updated in our systems and, if applicable, with any relevant third parties.

6.3 Right to Erasure (“Right to be Forgotten”)

Data subjects have the right to request the deletion of their personal data under certain circumstances. This includes:

6.3.1 Deletion Requests

Submitting Requests: Data subjects can request the deletion of their personal data by contacting our customers through the designated communication channels; our customers then relay the requests to us. These requests may be made when the data is no longer necessary for the purposes for which it was collected, if the data subject withdraws consent, or if the processing is unlawful.
Evaluating Requests: Upon receiving a deletion request, we evaluate whether any legal or legitimate grounds exist for retaining the data. If no such grounds exist, we proceed with the deletion.

6.3.2 Data Deletion Process

Anonymization and Deletion: We delete the personal data from our systems and anonymize any residual information to ensure that the data can no longer be linked to the data subject. The deletion process is completed within two working weeks.
Notification of Deletion: We inform the data subject once their data has been deleted and confirm that any relevant third parties have also deleted the data.

6.4 Right to Restriction of Processing

Data subjects have the right to request the restriction of processing their personal data under specific conditions. This includes:

6.4.1 Restriction Requests

Submitting Requests: Data subjects can request the restriction of processing by contacting our customers. These requests may be made if the data subject contests the accuracy of the data, if the processing is unlawful but the data subject opposes deletion, or if the data subject needs the data for legal claims.
Implementing Restrictions: Upon receiving a restriction request, we limit the processing of the data to storage only and ensure that no further processing occurs except for specific reasons, such as legal claims or protecting the rights of others.

6.4.2 Notification of Restrictions

Informing Data Subjects: We inform the data subject once the restriction is in place and confirm the specific limitations applied to the processing of their data.
Lifting Restrictions: If the restriction is lifted, we notify the data subject before resuming normal processing activities.

6.5 Right to Data Portability

Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. This includes:

6.5.1 Portability Requests

Submitting Requests: Data subjects can request data portability by contacting our customers through the designated communication channels; our customers then relay the requests to us. These requests can be made for personal data that we process based on consent or for the performance of a contract.
Providing Data: Upon receiving a portability request, we provide the data subject with their personal data in a structured, commonly used, and machine-readable format, such as a CSV file. If requested, we can also transmit the data directly to another controller, where technically feasible.

6.6 Right to Object

Data subjects have the right to object to the processing of their personal data under certain circumstances. This includes:

6.6.1 Objection Requests

Submitting Objections: Data subjects can object to the processing of their personal data by contacting our customers through the designated communication channels; our customers then relay the requests to us. Objections can be made when the processing is based on legitimate interests, direct marketing, or profiling related to direct marketing.
Evaluating Objections: Upon receiving an objection, we evaluate whether there are compelling legitimate grounds for the processing that override the data subject’s rights or if the processing is necessary for legal claims.

6.6.2 Ceasing Processing

Stopping Processing: If the objection is upheld, we cease processing the data subject’s personal data for the specific purposes objected to. We notify the data subject of our decision and the actions taken in response to their objection.

6.7 Automated Decision-Making and Profiling

Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. This includes:

6.7.1 Automated Decision-Making Requests

Submitting Requests: Data subjects can request to review decisions made by automated processing by contacting us. These requests can be made if the data subject believes that an automated decision has affected them.
Reviewing Decisions: Upon receiving a request, we review the automated decision and provide the data subject with information about the logic involved, as well as the significance and potential consequences of the processing. If necessary, we can re-evaluate the decision through manual processing.

6.8 Exercising Data Protection Rights

To exercise their data protection rights, data subjects can contact us through the following means:

Contact Information: Our Data Protection Officer (DPO) is available to assist with any data protection requests or inquiries. Data subjects can reach our DPO, Michael Gradek, at:
Michael Gradek
Kosmik Ventures, SL
TRAVESSERA DE LES CORTS 282, 1o 3a
BARCELONA 08029, SPAIN
Email: gdpr@kosmik.cloud
Customer Facilitation: Our customers can also facilitate data protection requests from their end-users by using our web interface or APIs to submit and manage these requests.

6.9 Handling Requests

We are committed to handling all data protection requests promptly and transparently:

Verification: We verify the identity of the requester to ensure that data protection rights are exercised securely.
Documentation: We document all requests and our responses to ensure compliance with legal obligations and to maintain accountability.

  7. Cookies and Tracking Technologies
    Kosmik Ventures, SL recognizes the importance of privacy and transparency when it comes to the use of cookies and other tracking technologies. This section provides detailed information about the types of cookies and tracking technologies we use, their purposes, and how users can manage their preferences.

7.1 What Are Cookies and Tracking Technologies?

Cookies are small text files that are stored on your device (computer, smartphone, tablet) when you visit a website. Tracking technologies include cookies, web beacons, pixels, and similar tools that help websites and services recognize your device and gather information about your interactions.

7.2 Types of Cookies We Use

We use various types of cookies and tracking technologies to improve our services and provide a better user experience. These include:

7.2.1 Essential Cookies

Purpose: Essential cookies are necessary for the basic functionality of our website and services. They enable core features such as user authentication, security, and network management.
Examples: Session cookies that keep you logged in during your visit, security cookies that protect against fraudulent activities.
7.2.2 Analytics Cookies

Purpose: Analytics cookies help us understand how our website and services are used. They collect information about user interactions, such as pages visited, time spent on the site, and navigation patterns.
Examples: Google Analytics cookies that track user behavior and provide insights into website performance and user experience.
7.2.3 Marketing Cookies

Purpose: Marketing cookies are used to deliver relevant advertisements to users. They track your online activity and help us and our advertising partners show you ads that are tailored to your interests.
Examples: Cookies from advertising networks that track your browsing habits and show personalized ads on our website and other sites.
7.2.4 Functional Cookies

Purpose: Functional cookies enhance the functionality and personalization of our website. They remember your preferences and settings, such as language choice or region selection.
Examples: Cookies that remember your language preferences or keep track of your consent to cookies.
7.3 How We Use Cookies and Tracking Technologies

We use cookies and tracking technologies for several purposes:

7.3.1 Enhancing User Experience

Personalization: Cookies help personalize your experience by remembering your preferences and settings. This ensures that you receive a consistent and tailored experience each time you visit our website.
Improved Functionality: Functional cookies support features such as remembering login details, enabling live chat, and providing localized content based on your location.
7.3.2 Analytics and Performance

Usage Data: Analytics cookies collect data about how you interact with our website and services. This information helps us understand user behavior, identify trends, and improve the overall user experience.
Performance Metrics: We analyze performance data to measure the effectiveness of our website, identify areas for improvement, and ensure that our services are functioning optimally.
7.3.3 Marketing and Advertising

Targeted Advertising: Marketing cookies enable us to deliver relevant advertisements to you based on your browsing history and interests. This helps us and our partners provide more personalized and effective marketing campaigns.
Campaign Effectiveness: We use tracking technologies to measure the performance of our marketing campaigns, including metrics such as ad impressions, clicks, and conversions.
7.4 Managing Cookies and Tracking Preferences

We provide users with control over their cookie and tracking preferences. You can manage your preferences in the following ways:

7.4.1 Cookie Consent Banner

Initial Consent: When you first visit our website, you will see a cookie consent banner that explains our use of cookies and provides options to accept or manage your preferences.
Customizing Preferences: You can customize your cookie preferences by selecting which types of cookies you consent to. Essential cookies cannot be disabled as they are necessary for the basic functionality of the site.
7.4.2 Browser Settings

Cookie Management: Most web browsers allow you to manage cookies through their settings. You can choose to block cookies, delete existing cookies, or receive notifications when cookies are set.
Instructions: Refer to the help section of your browser for detailed instructions on how to manage cookies. Common browsers include Google Chrome, Mozilla Firefox, Safari, and Microsoft Edge.
7.4.3 Opt-Out Options

Analytics and Marketing Cookies: We provide options to opt out of analytics and marketing cookies. You can use our cookie management tool to adjust your preferences at any time.
Third-Party Tools: Some third-party services we use, such as Google Analytics, offer their own opt-out mechanisms. You can visit their websites to learn more about how to opt out of their tracking.
7.5 Third-Party Cookies and Tracking

In addition to our own cookies, we use third-party cookies and tracking technologies from our partners and service providers. These third parties may collect information about your online activities over time and across different websites.

7.5.1 Third-Party Services

Analytics Providers: Third-party analytics providers, such as Google Analytics, help us analyze website traffic and user behavior.
Advertising Networks: Advertising partners may use cookies to deliver personalized ads and measure the effectiveness of our marketing campaigns.
7.5.2 Data Sharing and Privacy

Data Sharing: We share information collected by cookies with our third-party partners for the purposes described in this policy. These partners are required to comply with applicable data protection laws and safeguard your personal data.
Privacy Policies: Each third-party service has its own privacy policy governing its use of cookies and tracking technologies. We encourage you to review these policies to understand how your data is handled.
7.6 Data Retention for Cookies and Tracking Data

We retain data collected through cookies and tracking technologies for different periods, depending on the type of cookie and its purpose:

7.6.1 Session Cookies

Duration: Session cookies are temporary and are deleted when you close your browser. They are used for essential functions like keeping you logged in during your session.
7.6.2 Persistent Cookies

Duration: Persistent cookies remain on your device for a specified period or until you delete them. They are used for remembering your preferences and settings across visits.
Retention Periods: The retention periods for persistent cookies vary depending on their purpose. For example, analytics cookies may be retained for up to two years to provide long-term insights into website performance.
7.7 Changes to This Cookie Policy

We may update this cookie policy from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on our website, and we will notify you of significant updates.

  8. Sub-Processors
    Kosmik Ventures, SL utilizes sub-processors to help deliver and support our services effectively. We recognize the importance of transparency and due diligence when engaging with sub-processors, and we are committed to ensuring that they adhere to the same high standards of data protection that we uphold. This section provides detailed information about our sub-processors, the purposes for which we use them, and the measures we take to ensure compliance with applicable data protection laws.

8.1 Who Are Sub-Processors?

Sub-processors are third-party service providers that process personal data on our behalf to support the delivery of our services. They perform specific tasks and functions that are essential to our operations, such as cloud hosting, communication services, and data analytics.

8.2 List of Sub-Processors

We use a variety of sub-processors to facilitate our services. The following are the key sub-processors we engage with:

8.2.1 Cloud Service Providers

Amazon Web Services (AWS): AWS provides cloud hosting and storage services, hosting our data in secure data centers located in Germany. AWS ensures high availability and robust security measures to protect personal data.
MongoDB Atlas: MongoDB Atlas offers managed database services, also hosted in Germany. This ensures that our database operations are efficient and secure.
8.2.2 Communication Services

Twilio: Twilio enables our communication services, including SMS and phone call handling. This allows us to manage multi-channel communications with leads and customers effectively.
WhatsApp: We use WhatsApp for real-time messaging, facilitating interactive communications with leads and end-users.
8.2.3 Analytics and Monitoring Tools

Google Analytics: Google Analytics helps us understand how our website and services are used by collecting data on user interactions and website performance.
Security and Monitoring Services: Various tools are used to monitor system security, detect anomalies, and respond to potential threats.
For a complete and up-to-date list of our sub-processors, please visit: https://wordpress-1349431-4958069.cloudwaysapps.com/sub-processors.

8.3 Purposes for Using Sub-Processors

We engage sub-processors for specific purposes that enhance the functionality, security, and efficiency of our services. These purposes include:

8.3.1 Hosting and Infrastructure

Data Storage and Management: Cloud service providers like AWS and MongoDB Atlas store and manage personal data securely, ensuring high availability and reliability of our services.
Scalability and Performance: Using cloud infrastructure allows us to scale our services according to demand and maintain optimal performance.
8.3.2 Communication and Engagement

Multi-Channel Communication: Sub-processors like Twilio and WhatsApp facilitate communication across various channels, enabling us to reach leads and customers through their preferred methods.
Real-Time Interaction: These services support real-time messaging and phone interactions, enhancing the responsiveness and effectiveness of our lead qualification processes.
8.3.3 Data Analytics and Reporting

Usage Insights: Analytics tools such as Google Analytics provide insights into how our services are used, helping us optimize user experience and improve service offerings.
Performance Monitoring: We use monitoring tools to track the performance and security of our systems, ensuring they operate smoothly and securely.
8.4 Data Protection Measures for Sub-Processors

We implement stringent measures to ensure that our sub-processors handle personal data in compliance with applicable data protection laws, including GDPR. These measures include:

8.4.1 Due Diligence

Vendor Assessment: Before engaging a sub-processor, we conduct a thorough assessment of their data protection practices, security measures, and compliance with legal requirements.
Contractual Obligations: We enter into data protection agreements with all sub-processors, requiring them to adhere to our data protection standards and applicable laws. These agreements include Standard Contractual Clauses (SCCs) where necessary to ensure compliance with GDPR.
8.4.2 Security and Compliance

Security Audits: We conduct regular security audits and assessments of our sub-processors to verify their compliance with our security requirements and data protection standards.
Certifications: We prefer sub-processors that have relevant security certifications, such as ISO 27001, which demonstrate their commitment to maintaining high security standards.
8.4.3 Data Processing Agreements

Binding Contracts: Our data processing agreements outline the specific roles and responsibilities of each sub-processor, ensuring they process personal data only for the purposes specified and in accordance with our instructions.
Confidentiality Obligations: Sub-processors are contractually bound to maintain the confidentiality of personal data and to implement appropriate technical and organizational measures to protect it.
8.5 Data Transfers and International Considerations

When sub-processors process data outside the European Union, we ensure that appropriate safeguards are in place to protect personal data:

8.5.1 Standard Contractual Clauses (SCCs)

Legal Framework: For sub-processors located in countries without an adequacy decision by the European Commission, we use SCCs to ensure that personal data is protected according to EU standards.
8.5.2 Adequacy Decisions

Recognized Jurisdictions: Where possible, we engage sub-processors in jurisdictions that the European Commission has deemed to provide an adequate level of data protection.
8.5.3 Additional Safeguards

Encryption and Security: We require sub-processors to implement strong encryption and security measures to protect personal data during transfer and storage.
Data Minimization: We ensure that sub-processors only receive the minimum amount of personal data necessary to perform their functions, reducing the risk of data exposure.
8.6 Notification of Changes to Sub-Processors

We maintain transparency regarding our use of sub-processors and inform our customers of any significant changes:

8.6.1 Advance Notice

Notification Process: We notify our customers in advance of any new sub-processor engagements or significant changes to existing sub-processor arrangements. Customers have the opportunity to review these changes and raise any concerns.

  9. Changes to This Privacy Policy
    This section outlines our procedures for updating the Privacy Policy and how we communicate these changes to our customers and users.

9.1 Reasons for Policy Changes

We may update this Privacy Policy for several reasons, including:

Legal and Regulatory Changes: To comply with new legal requirements or changes in existing laws and regulations, including data protection laws like the GDPR.
Business Developments: To reflect changes in our business operations, services, or practices, such as the introduction of new services, partnerships, or technologies.
Feedback and Best Practices: To incorporate feedback from customers, industry best practices, and guidance from data protection authorities.
9.2 Notification of Changes

We strive to keep our customers and users informed about any significant changes to this Privacy Policy. Our notification procedures include:

9.2.1 Advance Notice

Prior Notification: We provide advance notice of any significant changes to this Privacy Policy through our website and, where appropriate, through direct communication channels such as email.
Notification Period: We aim to provide at least 30 days’ notice before the new terms take effect, giving customers and users sufficient time to review and understand the changes.
9.2.2 Clear Communication

Detailed Updates: Our notifications include a summary of the key changes and their implications for data protection and privacy.
Access to Updated Policy: We provide easy access to the updated Privacy Policy through our website, ensuring that customers and users can review the full document.
9.3 Consent and Continued Use

We ensure that our customers and users are aware of their rights regarding changes to this Privacy Policy:

9.3.1 Implied Consent

Acceptance of Changes: By continuing to use our services after the updated Privacy Policy takes effect, customers and users are deemed to have accepted the changes.
Right to Object: Customers and users have the right to object to the changes. If they do not agree with the updated terms, they should discontinue using our services.
9.3.2 Explicit Consent

Material Changes: For significant changes that materially affect how we handle personal data, we may seek explicit consent from customers and users. This may involve direct communication and obtaining affirmative consent before implementing the changes.
9.4 Historical Versions

We maintain a record of previous versions of this Privacy Policy for reference:

9.4.1 Archived Policies

Access to Previous Versions: Archived versions of our Privacy Policy are available upon request, allowing customers and users to review historical terms and changes over time.
9.4.2 Change Log

Documenting Changes: We keep a detailed change log that documents the dates and nature of updates to this Privacy Policy. This log provides transparency and accountability regarding our data protection practices.

  10. Contact Us
    This section provides detailed information on how you can contact us for various privacy-related inquiries, including exercising your data protection rights, raising concerns about our data processing activities, and seeking clarification on our Privacy Policy.

10.1 Data Protection Officer (DPO)

We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with applicable data protection laws. Our DPO is available to assist you with any privacy-related inquiries or issues you may have.

10.1.1 Contact Information

Name: Michael Gradek
Position: Data Protection Officer
Address: Kosmik Ventures, SL, TRAVESSERA DE LES CORTS 282, 1o 3a, BARCELONA 08029, SPAIN
Email: gdpr@kosmik.cloud
10.1.2 Role and Responsibilities

Compliance Oversight: Our DPO ensures that Kosmik Ventures, SL complies with GDPR and other applicable data protection laws.
Data Protection Impact Assessments: The DPO conducts data protection impact assessments (DPIAs) for new projects or significant changes to existing processes.
Responding to Inquiries: The DPO is responsible for responding to data subject requests and inquiries related to data protection and privacy.
10.2 Exercising Your Data Protection Rights

If you wish to exercise any of your data protection rights, such as accessing your personal data, requesting corrections, or asking for deletion, you can contact us through the following methods:

10.2.1 Online Request Form

Submission: Use our online request form available on our website to submit your data protection requests. This form helps us gather the necessary information to process your request efficiently.
Confirmation: Once we receive your request, we will send you a confirmation email and inform you of the expected timeline for our response.
10.2.2 Email Requests

Direct Email: You can send your data protection requests directly to our DPO at gdpr@kosmik.cloud. Please include detailed information about your request to help us process it accurately.
Verification: We may need to verify your identity before processing your request to ensure the security and privacy of your personal data.
10.3 Reporting Data Breaches

In the event of a data breach or security incident involving your personal data, you can report it to us using the following methods:

10.3.1 Immediate Reporting

Email: Send an immediate report of the suspected data breach to our DPO at gdpr@kosmik.cloud. Include as much detail as possible about the nature of the breach and any relevant information.
10.3.2 Incident Response

Response Team: Our incident response team will promptly investigate the reported breach and take necessary actions to mitigate the impact and prevent further unauthorized access.
Notifications: If your data has been affected by a breach, we will notify you as required by applicable data protection laws and provide guidance on steps you can take to protect yourself.
10.5 Regulatory Authorities

If you believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with a supervisory authority. The contact details for the primary data protection authority in Spain are:

10.5.1 Spanish Data Protection Authority

Name: Agencia Española de Protección de Datos (AEPD)
Address: Calle de Jorge Juan, 6, 28001 Madrid, Spain
Phone: +34 912 66 35 17
Website: https://www.aepd.es
You may also contact the data protection authority in your country of residence within the EU if you prefer.