Kolsetu Logo

Website Privacy Policy

Effective as of: 17 February 2026

1. Introduction and Scope

Kolsetu GmbH and its affiliated companies ("Kolsetu", "we", "us", "our") are committed to protecting your privacy. This Privacy Policy explains how we collect, use, and disclose personal data from visitors and users of our website (kolsetu.com) and all associated digital services, including interactions with our AI voice assistant, Elba.

Please note when reading this Policy:

  • Certain sections may not apply to you, depending on your location or the type of data we hold about you.
  • This Policy may be supplemented or replaced by product-specific privacy notices, in which case the more specific notice takes precedence.
  • Our website may contain links to third-party websites for whose privacy practices we are not responsible.
  • If you use the Elba platform as a contracted product, the Product Privacy Policy (available in the Legal section of our website) additionally applies.

2. Data Controller

The controller responsible for your personal data under GDPR is:

Company
Kolsetu GmbH
Address
Gänsemarkt 33, 20354 Hamburg, Germany
Commercial Register
Amtsgericht Hamburg HRB 191266
VAT ID
DE454953039
Managing Directors
Ben Arnon, Virendra Singh Bhalothia
Data Protection Contact
privacy@kolsetu.com
Phone
+49 15888 369116

Note: Kolsetu has not formally appointed a Data Protection Officer under Art. 37 GDPR. For all data protection enquiries, please use the contact details above.

3. Personal Data We Collect

Depending on the nature of your interaction with us, we may collect the following categories of personal data:

3.1 Identity and Contact Data

  • First and last name, username or similar identifier
  • Email address, phone number, billing address
  • Company name and job title

3.2 Technical and Usage Data

  • IP address, device type, browser type, operating system
  • Access times, pages visited, navigation paths, referring sources
  • Server log files and error logs

3.3 Communications and Marketing Data

  • Content of contact forms, surveys and support requests
  • Your marketing and communications preferences

3.4 Financial Data

  • Bank account and payment card details (in connection with transactions only; processed by PCI-DSS-compliant payment providers)

3.5 Voice Call and AI Interaction Data (Elba)

When you initiate a voice call with Elba, our AI voice assistant, through our website, we collect and process — with your prior explicit consent — the following data:

  • Voice recordings of the conversation
  • Transcriptions and voice-analytic evaluations
  • Call metadata (date, time, duration)
  • Any personal information you voluntarily share during the call

These recordings are used to handle your enquiry, to continuously improve the quality and performance of our AI system, to support our sales team in following up on prospect interactions, and for internal coaching and training purposes. Recordings are processed exclusively on the legal basis of consent as set out in Section 6.

3.6 Service Data

When providing the Elba platform as a contracted product, we process on behalf of our customers information handled within the platform, including voice data, transcriptions, conversation analytics and workflow automations ("Service Data"). This processing is carried out exclusively on the basis of a Data Processing Agreement (DPA) concluded with the respective customer.

3.7 Aggregated and Anonymised Data

We may derive aggregated, anonymised statistical information from data we collect (e.g. the proportion of users accessing certain website features). Such data does not constitute personal data and is not subject to the restrictions of this Policy.

3.8 Sensitive Data and Children's Data

We expressly ask you not to send us special categories of personal data (e.g. health data, political opinions, biometric data). Kolsetu does not knowingly collect personal data from persons under the age of 16. Should we learn that such data has been collected without verified parental consent, we will delete it without delay.

4. Sources of Data Collection

In most cases we collect data directly from you: through contact by telephone or form, account registration, requesting information materials or use of our website. Additionally, data may originate from:

  • Authorised representatives or affiliated organisations acting on your behalf
  • Our partners, employees and service providers
  • Publicly accessible sources (company websites, professional networks)
  • Cookies and other data collection technologies (see Section 13)

5. Purposes of Processing

We use your personal data for the following purposes:

  • Providing our services and handling your enquiries
  • Managing your account and authentication
  • Processing, recording and transcribing voice calls via Elba — to handle your enquiry, for quality assurance, to improve our AI system and to support sales activities
  • Sending product and service communications
  • Analysing website usage patterns and improving user experience
  • Managing our customer relationships and responding to enquiries
  • Ensuring the security of our websites, networks and systems
  • Marketing and advertising (with your consent or on the basis of legitimate interests only)
  • Complying with legal obligations

Automated decision-making: Kolsetu does not carry out automated decision-making that produces legal effects or similarly significantly affects you (Art. 22 GDPR).

6. Legal Basis for Processing

We process your personal data only on the basis of one of the following legal grounds under Art. 6 GDPR:

6.1 Consent (Art. 6(1)(a) GDPR)

For the recording and processing of voice calls via Elba and for marketing communications. Your consent is obtained before the relevant processing activity and may be withdrawn at any time with effect for the future, without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent, contact privacy@kolsetu.com.

6.2 Contract Performance (Art. 6(1)(b) GDPR)

For processing that is necessary to provide our services and to handle your requests.

6.3 Legitimate Interests (Art. 6(1)(f) GDPR)

For website analytics, improving our services, security measures and — where not overridden by your interests — certain marketing activities directed at existing business contacts.

6.4 Legal Obligation (Art. 6(1)(c) GDPR)

Where processing is necessary to comply with a legal obligation, such as statutory retention requirements or responding to regulatory requests.

7. Sharing of Personal Data

7.1 Within Kolsetu

Authorised employees of affiliated companies may access your data to the extent necessary to fulfil the purposes set out in this Policy, limited to their professional responsibilities.

7.2 External Service Providers

We share data with carefully selected third-party providers who support us in delivering our services (e.g. payment processing, email delivery, hosting, analytics). These providers are contractually obligated to use data solely for the purposes we specify. For enquiries about sub-processors, contact privacy@kolsetu.com.

7.3 Third Parties for Legal Reasons

We may disclose data where required by law, to enforce our terms of use, to assist with fraud prevention, or in connection with a corporate transaction (merger, sale, acquisition).

7.4 International Data Transfers

Some of our service providers process data outside the EU/EEA. Such transfers take place solely on the basis of appropriate safeguards under Art. 44 et seq. GDPR, in particular EU Standard Contractual Clauses (SCCs) or adequacy decisions of the European Commission. We do not sell your personal data to third parties.

8. Data Retention

We retain your personal data only for as long as is necessary for the respective processing purposes or as required by statutory retention obligations. The following indicative periods apply:

  • Contact form data: 2 years from last contact, provided no contractual relationship arises
  • Contract data: 10 years in accordance with statutory commercial and tax retention obligations (§ 257 HGB, § 147 AO)
  • Voice recordings and transcripts (Elba homepage calls): 90 days from the date of recording, after which permanent deletion takes place
  • Website log data: 90 days
  • Marketing data: until withdrawal of your consent or your objection

In determining appropriate retention periods, we consider the volume, nature and sensitivity of the data, the risk of unauthorised use, and applicable legal requirements.

9. Your Rights as a Data Subject

Under GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16 GDPR): Request correction of inaccurate or completion of incomplete data.
  • Right to erasure (Art. 17 GDPR): Request deletion of your data under certain conditions.
  • Right to restriction of processing (Art. 18 GDPR): Request limitation of processing of your data.
  • Right to data portability (Art. 20 GDPR): Request that we transmit your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR): Object to processing based on legitimate interests at any time.
  • Right to withdraw consent (Art. 7(3) GDPR): Withdraw consent at any time with effect for the future.
  • Right to deletion of voice recordings: Request immediate deletion of your Elba call recording at any time.

To exercise your rights, contact: privacy@kolsetu.com. We will respond to your request within the statutory timeframe (generally within one month). We may verify your identity to protect your personal data.

You also have the right to lodge a complaint with the competent supervisory authority:

Authority
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Address
Klosterwall 6 (Block C), 20095 Hamburg, Germany
Phone
+49 40 428 54-4040
Email
mailbox@datenschutz.hamburg.de

10. Data Security

Kolsetu implements appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or disclosure. These include in particular:

  • TLS encryption of all data transmissions
  • Encryption of data at rest
  • Access controls and authentication procedures with restricted employee access
  • Regular security reviews and vulnerability assessments
  • Incident response procedures and personal data breach notification

Data processing takes place exclusively in EU data centres. Where processing outside the EU/EEA is required for individual services, this takes place exclusively under the safeguards described in Section 7.4.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices or legal requirements. The updated Policy will be published with a new effective date. For material changes, we will notify you by displaying a notice at the top of this page for 30 days prior to the change taking effect. Continued use of our website after the effective date of a revision constitutes acknowledgement of the changes.

12. Dispute Resolution

If you have a complaint regarding our compliance with this Privacy Policy, please contact us first at privacy@kolsetu.com. We will investigate all complaints and disputes carefully and endeavour to reach a mutually satisfactory resolution. Notwithstanding this, you have the right at any time to contact the supervisory authority named in Section 9 directly.

13. Cookie Policy

Cookies are small data files stored on your device when you visit our website. They allow us to provide certain functionality and analyse how our website is used. In accordance with the TTDSG, non-essential cookies are set only with your express consent, granted via our cookie consent banner and revocable at any time via "Cookie Settings".

13.1 Strictly Necessary Cookies

Essential for the website to function correctly (e.g. session management, security features). Cannot be disabled. Legal basis: § 25(2) TTDSG.

13.2 Functional Cookies

Store your preferences (e.g. language setting, region) for a more personalised experience on return visits. Legal basis: Consent (Art. 6(1)(a) GDPR).

13.3 Analytics Cookies

Collect anonymised information about how visitors use our website (pages visited, dwell time, referring sources) to help us improve our site. IP addresses are anonymised before processing. Includes Google Analytics — see https://support.google.com/analytics/answer/6004245. To opt out: http://tools.google.com/dlpage/gaoptout. Legal basis: Consent.

13.4 Marketing and Targeting Cookies

Used to display relevant advertising and limit ad frequency. May be set by third-party advertising networks. Legal basis: Consent.

13.5 Social Media Cookies

Enable sharing of content via social media platforms (e.g. LinkedIn, X/Twitter). May enable cross-site tracking. Legal basis: Consent.

13.6 Performance Cookies

Collect information on how users interact with our website (e.g. load times, errors) to improve performance. Legal basis: Consent.

You can manage or delete cookies at any time via your browser settings. Note that disabling certain cookies may limit the functionality of our website.

14. Contact

For questions about this Privacy Policy or to exercise your rights, please contact our data protection team:

Email
privacy@kolsetu.com
Address
Kolsetu GmbH, Gänsemarkt 33, 20354 Hamburg, Germany
Phone
+49 15888 369116

Please include sufficient information in your request to allow us to verify your identity and process your enquiry appropriately.

Website Privacy Policy | Kolsetu