Krahasso

Privacy Policy

Last updated: 28 May 2026

This privacy policy explains how we collect, use, and protect personal data when you use our construction and drying project management application, in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.


1. Controller and Processor Roles

Krahasso is a software-as-a-service application for business customers. For account and registration data, the contact and login details of the people who use the application, and technical log data, the controller within the meaning of Art. 4(7) GDPR is:

Valdrin Kuchi

(operating under the name "Krahasso")

Düsseldorfer Straße 175

51063 Cologne

Germany

Email: [email protected]

For the project, drying-protocol, equipment, and end-customer data that our business customers enter into the application, those business customers determine the purposes and means of processing. They are therefore the controllers, and Krahasso acts solely as a processor (Art. 28 GDPR) on their documented instructions under a data processing agreement (Auftragsverarbeitungsvertrag). If you are an end customer of one of our business customers, please address requests regarding that data to the business customer responsible for it.

A data protection officer is not required under Sec. 38 of the German Federal Data Protection Act (BDSG), as Krahasso is operated as a sole proprietorship that does not meet the statutory threshold. You can reach us on all data protection matters at [email protected].


2. What Data We Collect

We collect the following categories of personal data to provide our services:

  • Account information — name, email address, and securely hashed password
  • Project data — project addresses, status, completion dates, and notes
  • Equipment usage — allocation records, return dates, and equipment details
  • Drying protocol data — measurement readings, moisture levels, visit records, and photographs taken during on-site inspections
  • Voice data — audio recordings made through the in-app voice assistant. Recordings are transcribed; the audio file is automatically deleted from the active system no later than 30 days after it was made, while the resulting transcript remains as part of the conversation history. Copies held in our standard backup regime age out under the lifecycle rules disclosed in Section 5.
  • Organization details — company name, logo, address, contact details, tax identification, and bank details used for billing
  • Technical data — log data (such as IP address and device/app information) necessary for security and troubleshooting, and strictly necessary session cookies used to keep you signed in. We do not use third-party analytics, tracking, or advertising cookies.

3. Legal Basis for Processing (Art. 6 GDPR)

We process your personal data on the following legal grounds:

  • Performance of a contract (Art. 6(1)(b) GDPR) — processing is necessary to provide the services you have subscribed to
  • Legitimate interests (Art. 6(1)(f) GDPR) — for security, abuse prevention, and improvement of the Service, based on data for which Krahasso is the controller (account, login and contact details, technical log data). This basis does not extend to project, drying-protocol, equipment, or end-customer data processed on behalf of business customers; that data is processed solely on the controller's instructions under Art. 28 GDPR (see Section 1).
  • Consent (Art. 6(1)(a) GDPR) — where you have given explicit consent (e.g. for optional communications)
  • Legal obligation (Art. 6(1)(c) GDPR) — where processing is required by law

Where Krahasso acts as a processor (see Section 1), the legal basis for processing the data concerned is determined by the respective business customer as controller, not by Krahasso.


4. Purpose of Data Processing

Your data is used exclusively for the following purposes:

  • Managing construction and drying projects
  • Tracking equipment allocations and returns
  • Recording and reporting drying protocol measurements
  • Generating project reports
  • Providing AI-powered voice assistant features (transcription and natural language commands)
  • Authenticating your identity and securing your account

5. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described above.

Where Krahasso is the controller (account data, login and contact details, technical logs), this data is permanently deleted within 30 days of account cancellation, unless statutory retention obligations require otherwise.

Where Krahasso acts as a processor, project, drying-protocol, equipment, and end-customer data is processed according to the business customer's instructions as controller. The business customer determines the retention period; where the business customer is subject to statutory retention obligations (for example § 257 HGB for commercial documents or § 147 AO for tax-relevant records), it is for the business customer to apply those obligations to a deletion request. Krahasso deletes or returns the data on the business customer's instruction. Within 30 days after the end of the data processing agreement, we provide a complete export of the data on the business customer's request, in the content and format specified in clause 7.5 of the Service Description (see DPA § 13); after that period, the data is deleted from the active system in accordance with the data processing agreement. Backup copies held as part of our standard backup regime are permanently removed by automated lifecycle rules within at most 38 days.

Non-personal, aggregated statistics (for example, total project counts) may be retained for internal reporting purposes. These statistics do not contain information that can identify individuals.


6. Data Sharing & Transfers

Your data is only accessible to authorized users within your organization's account.

We do not sell or rent personal data.

To operate the Service, we use trusted data processors under Article 28 GDPR:

  • Hetzner Online GmbH (Germany/EU) — hosting infrastructure and storage services
  • Amazon Web Services (AWS, eu-central-1 region) — transactional email delivery
  • OpenAI Ireland Ltd (Ireland/EU) — AI-powered voice transcription and natural language processing. Audio recordings are sent to OpenAI for processing and are not used by OpenAI to train their models. OpenAI Ireland may use OpenAI, L.L.C. (USA) as a sub-processor; that onward transfer is safeguarded by the EU Standard Contractual Clauses. OpenAI's data usage policy applies (see openai.com/policies/usage-policies).
  • Google Ireland Limited (Ireland/EU) — our mobile app uses the Google Maps SDK to display project locations on a map, and Firebase Cloud Messaging to deliver push notifications. When you use these features, Google may collect technical data such as your IP address, device information, and map interaction data. We do not collect or transmit your device's location; only project addresses stored in our system are displayed. Google Ireland may use Google LLC (USA) as a sub-processor; Google LLC is certified under the EU-U.S. Data Privacy Framework. For more information, see Google's privacy policy (policies.google.com/privacy).
  • MapTiler AG (Switzerland) — provides the basemap tiles displayed in the web application's map view. When you view a map page, your IP address and the map viewport coordinates are transmitted to MapTiler. Processing takes place in Switzerland, for which the European Commission has issued an adequacy decision under Article 45 GDPR.
  • Apple Distribution International Ltd (Ireland/EU) — delivers push notifications to iOS devices via the Apple Push Notification Service (APNs). The notification data required for delivery (such as the notification title and body and a device identifier) is transmitted to Apple. Any onward processing by Apple Inc. (USA) is safeguarded under the EU-U.S. Data Privacy Framework.

Most personal data is processed within the European Union. For AI voice processing, audio data may ultimately be processed by OpenAI, L.L.C. in the United States via OpenAI Ireland Ltd; that onward transfer is safeguarded by the EU Standard Contractual Clauses. For map and push notification features on Android, technical data may ultimately be processed by Google LLC in the United States via Google Ireland Limited; Google LLC is certified under the EU-U.S. Data Privacy Framework. For push notifications on iOS, notification delivery data is processed by Apple Distribution International Ltd in Ireland and may be onward-processed by Apple Inc. in the United States; Apple Inc. is certified under the EU-U.S. Data Privacy Framework. For basemap tiles in the web application, your IP address and map viewport coordinates are transmitted to MapTiler AG in Switzerland; the European Commission has adopted an adequacy decision for Switzerland under Article 45 GDPR. No other personal data is transferred outside the EU/EEA or to countries without an adequacy decision.


7. Your Rights (Art. 15–21 GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — obtain a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data
  • Right to erasure (Art. 17) — request deletion of your data
  • Right to restriction (Art. 18) — restrict processing under certain conditions
  • Right to data portability (Art. 20) — receive your data in a portable format
  • Right to object (Art. 21) — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

You also have the right to lodge a complaint with a data protection supervisory authority if you believe your data is being processed unlawfully. Where Krahasso acts as a processor, requests to exercise your rights regarding the data concerned should be directed to the relevant business customer as controller.

The supervisory authority responsible for the controller is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany.


8. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encrypted data transmission (HTTPS/TLS)
  • Secure password hashing and automated checks against known data-breach corpora
  • Optional two-factor authentication via a one-time email code, available per user
  • Network-level protection (firewalls and restricted database access)
  • Access controls within customer accounts

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected individuals without undue delay in accordance with Art. 33 and 34 GDPR. Where Krahasso acts as a processor, we will inform the responsible business customer without undue delay so that they can meet their notification obligations.


9. Changes to This Policy

We may update this privacy policy from time to time. The latest version will always be available within the application. The date of the last update is shown at the top of this page.


10. Contact

For any privacy-related inquiries or to exercise your rights, please contact:

[email protected]

You may also request deletion of your account or personal data at any time by emailing us at [email protected].