kinvolk logo | Privacy Policy

Privacy Policy – Kinvolk GmbH

This Privacy Statement applies to personal data collected by Kinvolk GmbH (“Kinvolk”, “we”, “our”, or “us”) through its websites (https://kinvolk.io/; https://www.flatcar-linux.org/), and other websites and social network profiles operated by us (collectively, the “Sites”), any of our products or services that you can access, download, or use via the Sites (collectively, the “Services”), or when you otherwise interact with us. You can recognize a website operated by us when we post a direct link to this Privacy Policy.

With this privacy policy, we inform you about the personal data we collect when you visit our Sites or use our Services and how we process it. Thereby, we also fulfil our obligation to inform you pursuant to Article 13 General Data Protection Regulation (GDPR).

I. Identity of the controller

Kinvolk GmbH
Adalbertstr. 6a
10999 Berlin
Germany

Email: [email protected]

1. General use of the Sites

Generally, we do not store personal data while you use our Sites with the exception that our webserver registers all connections to the Sites automatically and collects the following technical information about your visit:

  • IP address;
  • Name of the files accessed;
  • Information about the transmission;
  • Date and time of the connection;
  • Amount of data transmitted;
  • Referrer;
  • Operating system and
  • Web browser/user agent.

We process this data to establish a connection to your device over the Internet. We store the aforementioned data in log files in order to ensure the security and integrity of our IT systems. The respective purposes of the processing also constitute our legitimate interests we pursue with it (Art. 6 par. 1 lit. f) GDPR). We retain our log files for 90 days and delete them thereafter.

2. Flatcar Container Linux

We operate the Flatcar Container Linux project, a Linux distribution designed for container workloads supported by us. In this context, we collect IP addresses and certain telemetry data [especially: ip addresses] in order to perform the contract with you providing the updates for our operating system. The processing for such purposes is based on Art. 6 par. 1 lit. b) GDPR. We retain the respective data for 180 days and delete them thereafter.

3. Contact

You can contact us, for example, by writing an email. In such case, we will process the personal data you provide us with in order to answer your request. This may include especially your name, email address, subject of your message and the message itself. We will retain your messages until we have fulfilled your request. Afterwards, we will delete it immediately. The processing for such purposes is based on Art. 6 par. 1 lit. f) GDPR, while the purposes of the processing also constitute our legitimate interests we pursue with it.

4. Jobs

If you apply for a position at Kinvolk, we will process your personal data the application procedure based on Sec. 26 par. 1 BDSG (Bundesdatenschutzgesetz, German Federal Data Protection Act). If your application is not successful, we will retain your personal data for additional 6 months, beginning at the end of the month in which we decide on your application. During this time, we will use your data to defend ourselves against claims based on the anti-discrimination law (Allgemeines Gleichbehandlungsgesetz, AGG) and delete it thereafter. The legal basis for such processing is Art. 6 par. 1 lit. c) GDPR. For the operation of our application portal we use the tool Personio by Personio GmbH, Buttermelcherstr. 16, 80469 Munich, Germany (“Personio”). Personio stores and processes your data as an applicant on our behalf for the purpose of HR administration and applicant management. Therefore, we have concluded a data processing agreement with Personio GmbH in accordance with the legal requirements. In addition, Personio processes certain personal data as a controller in the technical provision of the application portal. You can find further information at: https://kinvolk-jobs.personio.de/privacy-policy.

We have the statutory obligation to retain certain documents according to Sec. 257 HGB (German Commercial Code) and Sec. 147 AO (Fiscal Code of Germany) as well as social security laws and employment laws. These documents may also include personal data. Specifically, these are:

  • Accounts and records, inventories, annual financial statements, single fiscal statements according to Sec. 325 par. 2a HGB, group fiscal statements, situation reports, group situation reports the opening balance sheet as well as the operating instructions and other organizational documents needed for their comprehension, accounting records, documents pursuant to Article 15(1) and Article 163 of the Union Customs Code.
    These documents have to be retained for a period of 10 years.

  • Trade or business letters received, reproductions of trade or business letters sent, other documents to the extent that these are of relevance for taxation.
    These documents have to be retained for a period of 6 years

The respective storage period shall begin upon the end of the calendar year in which the last entry was made in the accounts, the inventory, the opening balance sheet, the annual financial statement or the situation report drawn up, the trade or business letter received or sent, the accounting record created, the record made or the other documents created. The legal basis for such processing is Art. 6 par. 1 lit. c) GDPR.

III. Recipients and transfers to third countries

If we are not able to provide services ourselves, we use external service providers. These service providers are primarily providers of IT services, such as our web host, e-mail provider or telecommunications provider.

If not specifically mentioned elsewhere in this privacy policy, we do not transfer your data to third countries.

IV. Rights of the data subject

If the respective requirements are met, the GDPR grants you certain rights as a data subject.

Art. 15 GDPR – Right of access: You shall have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain information.

Art. 16 GDPR – Right to rectification: You shall have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Art. 17 GDPR – Right to erasure: You shall have the right to obtain from us the erasure of personal data concerning you without undue delay.

Art. 18 GDPR – Right to restriction of processing: You shall have the right to obtain from us the restriction of processing.

Art. 20 GDPR – Right to data portability: You shall have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you shall have the right to transmit those data to another controller without hindrance from us. You shall also have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

Art. 77 GDPR – Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Art. 21 GDPR – Right to Object: You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on legitimate interests or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

In such case, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms or where the processing is necessary for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you wish to object to any processing of data, you may send us an email to one of our aforementioned email addresses.

Art. 7 par. 3 GDPR – Withdrawal of Consent: If you have given us your conelease Channels sent, you have the right to withdraw your consent at any time. In case of withdrawal, all data processing based on your consent before your withdrawal will remain lawful.

VI. Obligation to provide us with personal data

You have no statutory or contractual obligation to provide us with any personal data. However, we may not be able to provide you with our services if you decide not to do so.

VII. Existence of automated individual decision-making, including profiling

We do not use automated individual decision-making, including profiling pursuant to Art. 22 GDPR, which produces legal effects concerning you or similarly significantly affects you.

VIII. Internet specific processing or use of personal data

1. Cookies

For providing you the services of our Sites we may use cookies. Cookies are small text files, which are transferred from the Sites or third parties and stored on your device. Cookies cannot execute programs or infect your device with computer viruses. Some cookies are stored only for your current browser session and will be deleted once you close your browser. Other cookies may be stored on your device for a certain period. You can obtain more information on how long specific cookies are stored within your end device’s or browser software’s settings. We use cookies for different purposes. One purpose is to provide you with the functionality of our Site. Another purpose is analyzing your usage of our Sites. These cookies are not strictly necessary for our Sites to work properly, however, they give us new insights on how to improve our services. Typically, cookies do not contain personal data. However, if that may be the case in certain situation, the processing of such data has its legal ground in Art. 6 par. 1 lit. f) GDPR. The aforementioned purposes also constitute the legitimate interests we pursue with them.

We may use certain technologies on our Sites that rely on the use of Cookies or similar technologies such as pixels or tags stored on your device by third parties. You can find more information on these technologies and for what purposes we use them below.

If you wish to prevent us from storing cookies on your device, your web browser or device may provide you with settings to do so. You may find an instruction on how to change your settings in the help section of your browser or device. The respective settings only apply to the device you are currently using. If you use another device, change your web browser or reinstall your browser you may have to change the respective settings again. Please, be aware that not accepting cookies may lead to you not being able to use our Sites and all its functions.

2. Google Analytics

We use Google Analytics, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, hereinafter referred to as “Google”, to collect information about how users use our Sites.

This information also includes your IP address. However, as IP-anonymization is activated, your IP address will be truncated and therefore anonymized on systems within the European Union/European Economic Area and as soon as technically feasible. Only in exceptional cases, the full IP address will be transferred to a Google server in the United States, and then shortened. Therefore, the information generated by the cookie about your use of the Sites can be transmitted to and stored by Google or one of its affiliates on servers in the United States. However, Google is certified under the EU-US-Privacy Shield. Through certification according to the EU-US Privacy Shield Google guarantees that an adequate level of protection is ensured when processing data in the United States. The certificate is available at: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

Google will use this information on our behalf for the purpose of analyzing your use of our Sites, compiling reports on the website activity and providing other services relating to activity on the Sites and internet usage. The IP address will not be associated with any other data held by Google. You may refuse the use of cookies by choosing the appropriate settings in your browser; please note, however, that if you do this you may not be able to use our service comprehensively.

You can also opt-out by downloading and installing ‘Google Analytics Opt-out Browser Add-on’ for your current web browser: http://tools.google.com/dlpage/gaoptout?hl=en

Our processing is based on Art. 6 par. 1 lit. f) GDPR. The aforementioned purposes constitute also the legitimate interests we pursue with it. The collected data is stored for 50 months. Further information on how Google processes personal data is available at: www.google.com/analytics/terms/de.html; https://policies.google.com/?hl=en.

We use the function GA Audiences. With this function enabled, Google will create so called audiences, which means that it categorizes our users in separate groups such as sites you were interested in, your country or region, used devices or similar. With this data we are able to gain more insight in our visitors. However, we cannot and will not relate such data to a specific person but only process it in an aggregated form.

3. Google Marketing Platform (formerly DoubleClick)

This website uses DoubleClick of the Google Marketing Platform, a service of Google. 36 DoubleClick uses cookies to show you advertisements that are relevant to you. Cookies are used to associate a pseudonymous identification number (ID) with your browser or device in order to verify which ads have been shown in your browser and which ads have been visited. This can improve campaign performance or, for example, prevent you from seeing the same ad more than once. Google may also use cookie IDs to track conversions related to ad requests. This is the case, for example, when a user sees a Campaign Manager ad and later visits the advertiser’s website with the same browser and makes a purchase. According to Google, the cookies do not contain any personal information. The purpose of the use of DoubleClick-cookies is our legitimate interest in displaying and optimizing ads (Art. 6 par. 1 lit. f GDPR).

Due to the technology used, your browser automatically establishes a direct connection with the Google server. We have no influence on the extent and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge: Through the integration of DoubleClick, Google receives the information that you have visited the corresponding pages of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider will collect and store your IP address.

Further information on data protection and cookies set by Google can be found in the Google data protection declaration: https://policies.google.com/privacy?hl=de.

You may refuse the use of cookies by selecting the appropriate settings on your browser or by making the appropriate settings under the following link: https://www.google.de/settings/ads](https://www.google.de/settings/ads).

Please note that if you do so, you may not be able to use the full functionality of this website.

Alternatively, you can disable the DoubleClick cookies on the following page: http://www.youronlinechoices.com/de/praferenzmanagement/.

4. Google Fonts

Our Sites use the service Google Fonts by Google to display optimized external fonts.

When you access our Sites, a connection to Google is established from which Google can identify the websites from which the request has been sent and to which IP address the fonts are being transmitted for display. Google Fonts does not set any cookies and your requests for fonts are separate from and do not contain any credentials you send to google.com while using other Google services that are authenticated, such as Gmail.

The legal basis for the processing of the data mentioned above is Art. 6 par. 1 lit. f) GDPR. The purpose of the processing also constitutes the legitimate interest to provide you with optimized fonts.

You can find further information at: https://developers.google.com/fonts/faq and in the Google data protection declaration: https://policies.google.com/privacy?hl=de.

5. Awesome Fonts

We use the service Awesome Fonts, provided by Fonticons, Inc., for the uniform display of fonts. When you visit a website, your browser caches the required web fonts to display text and fonts correctly. If your browser does not support web fonts, a standard font is used by your computer.

For this purpose, the browser you use must connect to the servers of Fonticons, Inc. This allows Fonticons, Inc. to know that your IP address has been used to access our website. The use of web fonts is in the interest of a uniform and attractive presentation of our online offers. This represents a legitimate interest in the sense of Art. 6 par. 1 lit. f) DSGVO.

You can find further information about Font Awesome at https://fontawesome.com/help

and in the privacy policy of Fonticons, Inc.: https://fontawesome.com/privacy.

6. New Relic

New Relic is an analytics service of the New Relic Inc. (101 Second Street, 15th Floor, San Francisco, CA 94105, „New Relic“).

New Relic collects data about your use of the Sites and stores a cookie with an ID number on your device. New Relic uses this ID and the collected information in order to create and process so called usage profiles of your visit. For a brief time, New Relic processes your IP address in order to gain information such as your geographical positon. However, after such analysis, the IP address is deleted and not stored permanently. We use this data to analyse our user’s behaviour and improve our services. Moreover, we use New Relic in order to monitor the availability and performance of our Sites. For such purpose New Relic collects data about the Sites, and your technical equipment (for example your browser and your hard- and software; so called “Application Data”). Application Data is processed on New Relic’s servers to compare the performance of our and other websites. New Relic may use cookies and similar technologies to provide its services and may process personal data in the United States. However, New Relic is certified under the EU-US-Privacy Shield. Hence, an adequate level of protection is ensured.

The legal basis for the processing of the data mentioned above is Art. 6 par. 1 lit. f) GDPR. The purpose of the processing also constitutes the legitimate interest we pursue with it.

7. Social Networks

We have profiles on social networks. Our social media accounts complement our Sites and provide you with the opportunity to interact with us. As soon as you access our social media profiles in the social networks, the terms and conditions and the data processing policies of the respective operators apply.

We generally have no influence on the data processing on the social networks. The data collected about you while using the services are processed by the networks and may be transferred to countries outside the European Union. Information about which data are processed by the social networks and for which purposes the data are used can be found in the privacy policy of the respective network listed below. We use the following social networks:

Facebook
Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Privacy Policy: www.facebook.com/about/privacy/
Privacy-Shield: www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Actice
Opt-Out Options: www.facebook.com/settings?tab=ads and www.youronlinechoices.com
About Insights: www.facebook.com/legal/terms/information_about_page_insights_data

Instagram
Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA as subsidiary of Facebook.
Privacy Policy / Opt-Out Options: help.instagram.com/155833707900388.
www.instagram.com/about/legal/privacy/.
help.instagram.com/519522125107875

Twitter
Twitter International Company, Attn: Data Protection Officer, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland.
Privacy Policy: www.twitter.com/en/privacy
Privacy-Shield: www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active
Opt-Out Options: www.twitter.com/personalization

YouTube
YouTube LLC as subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://policies.google.com/privacy?hl=en&gl=de
Opt-Out Options: adssettings.google.com/authenticated
Privacy-Shield: www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

LinkedIn
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
Privacy Policy: www.linkedin.com/legal/privacy-policy
Privacy-Shield: www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Actice
Opt-Out Options: www.linkedin.com/psettings/?trk=nav_account_sub_nav_settings

Xing
New Work SE, Dammtorstraße 30, 20354 Hamburg, Deutschland.
Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung

We process personal data as a controller, when you send us requests via the social media accounts. We process this data to answer your requests which also constitutes our legitimate interest (Art. 6 par. 1 lit. f) GDPR).

In addition, we are jointly responsible as joint controllers with the following networks and for the following processing operations (Art. 26 GDPR):

When you use our profiles in the networks Facebook, Instagram and LinkedIn, the respective network collects aggregated statistics (“Insights data”) that are created from certain events logged by their servers when you interact with our profiles and the content associated with them. We receive these aggregated and anonymous statistics from the networks about the use of our respective profile. We are not able to associate the data with specific users. To a certain extent, we can control the criteria by which the respective network creates these statistics for us. We use these statistics to make our service more interesting and informative for you. This also constitutes our legitimate interest (Art. 6 par. 1 lit. f) GDPR) for the collection of data carried out by the respective social network to provide us with statistics.

Further information on this data processing is available in the respective Joint Controller Addendum at:

Facebook / Instagram: https://www.facebook.com/legal/terms/page_controller_addendum

LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum

Berlin, February 2020