Valid from: 11 March 2026
This Product Privacy Policy ("Policy") describes how Kolsetu GmbH ("Kolsetu", "we", "us") processes personal data of individuals who access and use the Elba AI voice automation platform as administrators, operators, or agents ("Platform Users") on behalf of a business customer. Platform Users are the individuals who log in to, configure, and operate the platform - whether under an Enterprise subscription accepted via Order Form, or a Self-Serve subscription accepted via online account registration. Where a provision applies to one track only, this is stated explicitly.
This Policy governs Kolsetu's processing of Platform User data in its capacity as a data controller. It does not govern Kolsetu's processing of data on behalf of business customers in Kolsetu's capacity as a data processor - that relationship is covered by the Data Processing Agreement (DPA), available on www.kolsetu.com. In particular, personal data belonging to the end customers of our business customers (i.e. the individuals who interact with Elba-powered voice agents) is processed exclusively under the DPA and falls entirely outside the scope of this Policy.
Processing of personal data in connection with visits to the Kolsetu website is governed separately by the Website Privacy Policy, available on www.kolsetu.com.
Payment and telephony flows. Payment processing - including subscription fees and credit purchases - is completed by Platform Users directly on the payment provider's own interface. Kolsetu receives only a transaction confirmation event (e.g. "payment succeeded"); no payment card data, bank account credentials, or other financial instrument data are transmitted to or stored by Kolsetu or the Elba platform. Similarly, where Self-Serve customers provision telephone numbers through the Twilio interface embedded in the platform, that interaction takes place directly between the customer and Twilio. Kolsetu receives only a provisioning confirmation. In both cases, the relevant provider acts as an independent controller of the underlying financial or telephony data.
The controller responsible for processing Platform User personal data under this Policy is:
Company | Kolsetu GmbH |
Address | Gaensemarkt 33, 20354 Hamburg, Germany |
Commercial Register | Amtsgericht Hamburg HRB 191266 |
VAT ID | DE454953039 |
Managing Directors | Ben Arnon, Virendra Singh Bhalothia |
Privacy Contact | |
Supervisory Authority | Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), Klosterwall 6, 20095 Hamburg |
Kolsetu collects and processes only the personal data that is necessary for the purposes described in this Policy (Art. 5(1)(c) GDPR - data minimisation). The categories of data processed about Platform Users are set out below. Data relating to end customers of our business customers is not covered here; it is addressed in the DPA.
This is the core data required to create and maintain a Platform User account: name, work email address, and phone number where provided. It also includes company name, job title, and organisational role, which are used for account management and access configuration. Login credentials are limited to email address; passwords are stored in hashed, salted form and are not readable by Kolsetu. Account preferences and notification settings are also held in this category.
When a Platform User interacts with the Elba platform, we collect data about how and when the platform is used. This includes login timestamps, session duration, and activity logs; configuration actions such as workflow creation, integration setup, and agent configuration; feature usage data and audit trail entries; and technical metadata including IP address, browser type, operating system, and device identifiers. This data is used for platform security, system stability, and audit accountability purposes.
When a Platform User contacts Kolsetu for support, we process the content of support requests, bug reports, and related correspondence, together with ticket status, resolution history, and communication logs. This data is retained to enable effective support and to maintain a record of issues and resolutions.
For both Enterprise and Self-Serve customers, we hold subscription tier, billing cycle, and account status information. We also receive and store transaction confirmation events from payment providers - for example, a notification that a payment succeeded or that credits were purchased. We do not receive, hold, or process the underlying payment card data, bank account credentials, or any other financial instrument data. For Enterprise customers, we additionally hold Order Form details and contractual records. All financial transactions are completed on the payment provider's own infrastructure; Kolsetu's data exposure is limited to the confirmation event.
We process Platform User data only for specified, explicit, and legitimate purposes (Art. 5(1)(b) GDPR). The table below sets out each purpose and its applicable legal basis under Art. 6 GDPR.
| Purpose | Legal basis | Applies to |
|---|---|---|
| Account creation, authentication, and platform access management | Art. 6(1)(b) - contract performance | Enterprise and Self-Serve |
| Provision and operation of the Elba platform and associated services | Art. 6(1)(b) - contract performance | Enterprise and Self-Serve |
| Subscription management and processing of billing confirmation events | Art. 6(1)(b) - contract performance | Enterprise and Self-Serve |
| Technical support and incident resolution | Art. 6(1)(b) - contract performance | Enterprise and Self-Serve |
| Platform security, fraud prevention, and system stability monitoring | Art. 6(1)(f) - legitimate interests (securing IT systems and preventing misuse) | Enterprise and Self-Serve |
| Audit logging for accountability and compliance purposes | Art. 6(1)(f) - legitimate interests (operational integrity and compliance) | Enterprise and Self-Serve |
| Service communications (critical platform updates, security notifications) | Art. 6(1)(b) / Art. 6(1)(f) | Enterprise and Self-Serve |
| Compliance with legal obligations (e.g. statutory retention of business records) | Art. 6(1)(c) - legal obligation | Enterprise and Self-Serve |
Legitimate interests balancing. Where we rely on Art. 6(1)(f), we have assessed that our legitimate interests are not overridden by Platform Users' interests or fundamental rights. This assessment takes into account the business-to-business context of the relationship, the limited categories of data involved, and the technical and organisational measures in place. Legitimate interest assessments are available on request to privacy@kolsetu.com.
No automated decision-making. Kolsetu does not make any decisions about Platform Users that produce legal or similarly significant effects based solely on automated processing (Art. 22 GDPR). Access control decisions within the platform are executed on the documented instructions of the business customer's administrators.
We do not use Platform User data for advertising, behavioural profiling, or AI model training.
In operating the Elba platform, Kolsetu engages sub-processors who may process Platform User data on Kolsetu's behalf. These are limited to providers of core infrastructure, internal communications tooling, and operational systems. Payment providers and telephony providers are not sub-processors in the context of this Policy - as described in Section 1, they operate outside the Elba data flow and act as independent controllers of the data they handle.
The authoritative and current sub-processor list - covering both Platform User data and end-customer data processed under the DPA - is maintained in Annex I-C of the Data Processing Agreement, available on www.kolsetu.com. All sub-processors are bound by data protection obligations no less protective than those applied by Kolsetu, and Kolsetu remains fully responsible for their data protection performance. Business customers are notified of sub-processor changes with a minimum of 30 business days' advance written notice, in accordance with the DPA.
Kolsetu GmbH is established in Germany and all primary processing takes place within the EEA. Where Platform User data is processed by sub-processors located outside the EEA, transfers take place exclusively on the basis of one of the following mechanisms, applied in order of preference: an adequacy decision by the European Commission (Art. 45 GDPR); EU Standard Contractual Clauses (Commission Decision 2021/914); or the EU–U.S. Data Privacy Framework where applicable. Transfer impact assessments are conducted for all sub-processors in third countries, and documentation is available on request to privacy@kolsetu.com.
Platform User data is retained only for as long as necessary for the purposes set out in this Policy, or as required by applicable law. Upon termination of the contractual relationship, account data is deleted or anonymised within 90 days unless a statutory retention obligation requires otherwise. The following specific periods apply:
| Category | Retention period |
|---|---|
| Account and identity data (active accounts) | Duration of the contractual relationship. |
| Account and identity data (inactive or terminated accounts) | Deleted or anonymised within 90 days of contract termination, unless a statutory retention obligation applies. |
| Trial accounts that did not convert to a paid subscription | Deleted within 90 days of the trial period end or last platform activity, whichever is earlier. |
| Usage and activity logs | 12 months from the date of collection, unless a longer period is required for a security investigation or compliance purpose. |
| Support and communication data | 3 years from closure of the relevant support case. |
| Subscription and billing confirmation records | 10 years from the end of the relevant financial year, in accordance with §§ 238, 257 HGB (German Commercial Code). |
As a Platform User, you have the following rights under GDPR with respect to your personal data processed under this Policy. To exercise any of these rights, contact privacy@kolsetu.com. We will respond within one month of receipt, extendable by a further two months for complex or numerous requests, with prior notice.
Right of access (Art. 15 GDPR): to obtain confirmation of whether we process your personal data and, if so, to receive a copy together with the supplementary information required by Art. 15.
Right to rectification (Art. 16 GDPR): to have inaccurate personal data corrected and incomplete data completed without undue delay.
Right to erasure (Art. 17 GDPR): to request deletion of your personal data where processing is no longer necessary, consent has been withdrawn, or processing is unlawful, subject to statutory retention obligations.
Right to restriction of processing (Art. 18 GDPR): to request that we limit processing in specified circumstances, for example while the accuracy of data is being contested.
Right to data portability (Art. 20 GDPR): to receive personal data you have provided to us in a structured, commonly used, machine-readable format where processing is based on contract or consent.
Right to object (Art. 21 GDPR): to object at any time to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
Right to withdraw consent (Art. 7(3) GDPR): where any processing is based on consent, to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Some rights are subject to statutory limitations under applicable law - for example, billing confirmation records subject to commercial retention obligations under German law cannot be erased before the mandatory retention period expires. We will inform you of any such limitations when responding to your request.
Right to lodge a complaint. If you consider that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority at any time, without prejudice to any other administrative or judicial remedy. The lead supervisory authority for Kolsetu GmbH is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), Klosterwall 6 (Block C), 20095 Hamburg, mailbox@datenschutz.hamburg.de. You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the EU.
Kolsetu implements and maintains appropriate technical and organisational measures (TOMs) in accordance with Art. 32 GDPR to protect Platform User data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include encryption of data in transit and at rest, role-based access controls and multi-factor authentication for privileged access, logical tenant isolation across all customer environments, regular penetration testing and vulnerability management, and documented incident detection, response, and escalation procedures.
Full details of Kolsetu's technical and organisational measures are set out in Annex 2 of the Data Processing Agreement, available on www.kolsetu.com.
We may update this Policy from time to time. The revised Policy will be published on www.kolsetu.com with an updated effective/valid from date. We distinguish between material and non-material changes. Material changes are those that affect the purposes of processing, the categories of data collected, the legal bases relied upon, or the rights available to Platform Users; we will notify Platform Users of material changes with at least 30 days' advance notice via the platform interface or by email to the registered account address. Non-material changes - such as editorial corrections or clarifications that do not affect the substance of the Policy - take effect upon publication without prior notice.
For privacy enquiries, to exercise your rights under Section 8, or to request a copy of a legitimate interest assessment, please contact:
Privacy enquiries | |
Postal address | Kolsetu GmbH, Gaensemarkt 33, 20354 Hamburg, Germany |
Data Processing Agreement | Available on www.kolsetu.com |
Website Privacy Policy | Available on www.kolsetu.com |