Product Privacy Policy

Effective as of: 17 February 2026

1. Introduction

Kolsetu GmbH and its affiliated companies ("Kolsetu", "we", "us", "our") are committed to protecting your privacy. This Product Privacy Policy describes how we collect, use, store, and share personal data in connection with the use of our products, in particular the Elba AI voice assistance platform.

This Policy applies in addition to our general Privacy Policy for the website and describes specifically the processing activities relating to our software products and services. Where this Policy conflicts with the general Privacy Policy, this Policy takes precedence for product-related processing.

2. Data Controller

The controller responsible for processing your personal data is:

  • Company: Kolsetu GmbH
  • Address: Gaensemarkt 33, 20354 Hamburg, Germany
  • Commercial Register: Amtsgericht Hamburg HRB 191266
  • VAT ID: DE454953039
  • Managing Directors: Ben Arnon, Virendra Singh Bhalothia
  • Data Protection Contact: privacy@kolsetu.com
  • Supervisory Authority: Der Hamburgische Beauftragte fuer Datenschutz und Informationsfreiheit, Klosterwall 6, 20095 Hamburg

3. Personal Data We Process

We process in particular the following categories of personal data when you use our products:

3.1 Master Data

  • Name, contact details, company, job title

3.2 Special Categories of Personal Data (Health Data)

Where customers use Elba for appointment management, patient communication or medical notes, health data (Art. 9 GDPR) may be processed. This occurs exclusively on behalf of the controller (e.g. a medical practice) and only on the legal basis of Art. 9(2) GDPR. Kolsetu processes such data solely as a processor under a Data Processing Agreement (DPA).

3.3 Contract and Billing Data

  • Customer number, invoice and payment information (via Stripe, PayPal)

3.4 Usage and Communications Data

  • Log files, IP addresses, chat or video data, session data

3.5 Technical Metadata

  • Timestamps, device information, protocol data

3.6 Communications and Content Data

  • Voice recordings, transcripts, conversation data, workflows

3.7 User and Employee Data

  • Login credentials, roles, permissions

Further details on processing activities and sub-processors are set out in the Data Processing Agreement (DPA) concluded between Kolsetu and the customer.

4. Sources of Data

We collect personal data in particular through:

  • Your inputs in Elba (e.g. voice, text, workflows, appointment bookings)
  • Your registration or support requests
  • Connection of integrations (e.g. Google Calendar, Outlook, Calendly, HubSpot, Salesforce)
  • Automatically collected system and usage data (e.g. log files, technical metadata)

5. Purposes and Legal Bases of Processing

We use your personal data for the following purposes, each with the stated legal basis under Art. 6 GDPR:

  • Contract performance (Art. 6(1)(b) GDPR): Providing and operating Elba
  • Contract performance and legitimate interests (Art. 6(1)(b) and (f) GDPR): User management, support, communications
  • Legitimate interests (Art. 6(1)(f) GDPR): Ensuring IT security and system stability
  • Contract performance (Art. 6(1)(b) GDPR): Contract execution, billing, payment processing
  • Legitimate interests (Art. 6(1)(f) GDPR): Product improvement on the basis of anonymised or aggregated data
  • Consent (Art. 6(1)(a) GDPR) -- only where you have actively enabled the integration: Optional integrations (Google Calendar, CRM systems, etc.)
  • Art. 9(2) GDPR, exclusively on behalf of the controller: Processing of special categories of data (e.g. health data) for appointment management and patient communication

6. Third-Party Integrations

Our platform offers optional third-party integrations. All integrations are entirely voluntary and only become active when you connect them yourself. Processing occurs exclusively on the basis of your express consent (Art. 6(1)(a) GDPR). You can revoke consent at any time by disconnecting the integration.

6.1 Calendar Integrations

  • Google Calendar: We access only the data required for appointment booking and synchronisation (e.g. available times, event title, event time), via the Google Calendar APIs. We do not share, sell or use Google user data for advertising purposes. You can revoke access at any time in your Google Account settings.
  • Microsoft Outlook and Calendly: Data is processed only to the extent required for appointment management.

6.2 CRM Integrations

Optional connections with CRM systems such as HubSpot or Salesforce process only the data required for synchronisation, customer management and sales processes. No data is shared with other third parties.

6.3 Communications Integrations

Optional integrations with communications services (e.g. Slack, Microsoft Teams, Zoom) process data only to the extent necessary to provide the desired functionality.

7. Disclosure of Personal Data

7.1 Sub-processors

We may share personal data with the following categories of recipient:

  • Calendar and productivity integrations: Google Calendar, Microsoft Outlook, Calendly (optional, only when actively connected by you)
  • Cloud service providers: Hosting in EU data centres (AWS, Google Cloud, Microsoft Azure -- EU regions)
  • Communications and AI services: LiveKit Cloud (regional endpoint), Microsoft Azure OpenAI Service (EU deployment)
  • Payment providers: Stripe (Stripe Payments Europe Ltd., Dublin), PayPal (PayPal Europe S.a.r.l., Luxembourg)
  • Telephony/VoIP: Telnyx UK Limited, London
  • AI observability: Langfuse GmbH, Berlin
  • Workflow automation: n8n GmbH, Berlin
  • CRM/Support: Zoho Corporation GmbH, Duesseldorf

A full list of sub-processors forms part of the Data Processing Agreement (DPA) and is available on request.

8. International Data Transfers

Our demo stack is configured for processing in EU/EEA regions (including Azure OpenAI EU deployments and LiveKit regional endpoints). Where a transfer to a third country is required in exceptional cases, it takes place solely on the basis of appropriate safeguards under Art. 44 et seq. GDPR, in particular EU Standard Contractual Clauses (SCCs).

9. Data Retention

We store personal data only for as long as it is required to fulfil the purposes of processing or for as long as a statutory retention obligation exists. After contract termination, data is deleted or anonymised unless mandatory statutory provisions prevent this. Statutory retention periods (e.g. 10 years for accounting documents under German commercial law) are observed.

10. Security Measures

We implement the following technical and organisational measures (TOMs) under Art. 32 GDPR:

  • Encryption of data in transit and at rest (TLS, encrypted storage media)
  • Access controls (role-based permissions, two-factor authentication)
  • Logging and monitoring
  • Redundant systems and backups
  • Incident response and recovery plans
  • Regular security reviews and penetration testing

11. Your Rights

Under GDPR you have the following rights. To exercise them, contact privacy@kolsetu.com:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)

Note that some rights may be restricted by statutory requirements (e.g. commercial or tax retention obligations). The competent supervisory authority is: Der Hamburgische Beauftragte fuer Datenschutz und Informationsfreiheit, Klosterwall 6 (Block C), 20095 Hamburg, mailbox@datenschutz.hamburg.de.

12. Changes to this Policy

We may update this Policy from time to time. The revised Policy will be published with an updated date. For material changes, we will notify you 30 days in advance.

13. Contact

  • Address: Kolsetu GmbH, Gaensemarkt 33, 20354 Hamburg, Germany
  • Phone: +49 15888 369116
