Website Privacy Policy

Valid from: 11. March 2026

1. Introduction

This Website Privacy Policy ("Policy") describes how Kolsetu GmbH ("Kolsetu", "we", "us") processes personal data of individuals who visit www.kolsetu.com (the "Website"), submit enquiries, or interact with the Elba AI voice assistant demo available on the Website. It applies to all visitors regardless of location, to the extent that GDPR or other applicable data protection law governs the processing.

This Policy covers Kolsetu's processing of website visitor data in its capacity as a data controller. It does not cover the processing of personal data within the Elba platform on behalf of business customers - that relationship is governed by the Data Processing Agreement (DPA), available on www.kolsetu.com. If you are a Platform User (an administrator, operator, or agent using the Elba platform under a subscription), the Product Privacy Policy, also available on www.kolsetu.com, additionally applies to you.

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their policies independently.

2. Data Controller

The controller responsible for processing your personal data in connection with this Website is:

Kolsetu has not formally appointed a Data Protection Officer under Art. 37 GDPR. All data protection enquiries should be directed to privacy@kolsetu.com.

3. Personal Data We Collect

We collect only the personal data that is necessary for the purposes described in this Policy (Art. 5(1)(c) GDPR - data minimisation). The categories we process are:

3.1 Identity and Contact Data

When you submit a contact form, request a demo, or otherwise reach out to us, we collect your name, work email address, company name, and job title, together with any information you include in your message. Phone number is collected only where you provide it voluntarily.

3.2 Technical and Usage Data

When you visit the Website, our servers and analytics tools automatically collect certain technical data: IP address (anonymised before processing for analytics purposes), device type, browser type and version, operating system, pages visited, navigation paths, dwell time, and referring sources. This data is used to maintain the security and stability of the Website and to understand how visitors use it so we can improve it.

3.3 Elba Demo Call Data

When you initiate a voice call with Elba via the Website, you are presented with an explicit consent screen before the call connects. By clicking "Start Call" you consent to the call being recorded and transcribed. We collect the voice recording, the conversation transcript, call metadata (date, time, duration), and any personal information you share during the call. Recordings and associated metadata are stored securely on Microsoft Azure infrastructure within the EU and are retained for 90 days, after which permanent deletion takes place automatically.

These recordings are used to handle your enquiry, ensure quality, and improve our services - including reviewing conversation flows, refining Elba's responses, and adjusting speech and pronunciation settings. This constitutes operational improvement of the Elba application and does not involve training the underlying large language model, which is operated by Microsoft (Azure OpenAI Service) independently of Kolsetu.

Special category data. We ask that you do not share special categories of personal data (Art. 9 GDPR - such as health, religious, or biometric data) during demo calls. If you do so voluntarily, such data is processed solely on the basis of the explicit consent you provided by clicking "Start Call", and subject to the same 90-day retention and deletion terms as all other call data.

You may request deletion of your recording at any time before the 90-day period expires by contacting privacy@kolsetu.com, and we will action this without undue delay.

3.4 Marketing and Communications Data

Where you subscribe to marketing communications or attend an event at which Kolsetu participates, we hold your name, email address, company, and communications preferences. Marketing communications are sent only on the basis of your explicit consent. We do not purchase marketing lists or obtain contact data from data brokers.

4. Purposes and Legal Bases

We process website visitor data only for specified, explicit, and legitimate purposes. The applicable legal bases under Art. 6 GDPR are set out below.

Contract performance - Art. 6(1)(b). Where you request a demo, ask us a question, or take steps to enter into a commercial relationship with us, we process your contact and identity data to respond to and fulfil that request.

Consent - Art. 6(1)(a). The recording and transcription of Elba demo calls is based on your explicit consent, given by clicking "Start Call" after reviewing the consent notice. Marketing communications are sent only where you have given explicit consent. Consent may be withdrawn at any time by contacting privacy@kolsetu.com, without affecting the lawfulness of processing carried out before withdrawal.

Legitimate interests - Art. 6(1)(f). We process technical and usage data to maintain the security and stability of the Website, to detect and prevent misuse, and to understand aggregate usage patterns through anonymised analytics. We have assessed that these interests are not overridden by visitors' rights and freedoms, given the anonymised nature of the analytics data and the limited intrusiveness of the processing. Legitimate interest assessments are available on request to privacy@kolsetu.com.

Legal obligation - Art. 6(1)(c). Where processing is required to comply with applicable law - for example, statutory retention of business correspondence or responding to a regulatory request - we rely on this basis.

No automated decision-making. Kolsetu does not make any decisions about website visitors that produce legal or similarly significant effects based solely on automated processing (Art. 22 GDPR).

5. Recipients and Service Providers

We share personal data only where necessary for the purposes described in this Policy. Recipients include:

• Infrastructure and hosting providers operating within the EEA (Microsoft Azure EU region for Elba demo call storage; Google Ireland Limited for website analytics).

• Employees of Kolsetu GmbH acting within the scope of their professional responsibilities - for example, to follow up on a demo request or to investigate a technical issue.

• Advisors, auditors, or legal counsel where required for compliance or legal proceedings.

• Competent authorities where disclosure is required by applicable law.

We do not sell personal data to third parties. We do not share personal data with advertising networks or data brokers.

6. International Data Transfers

Kolsetu GmbH is established in Germany and all primary Website data processing takes place within the EEA. Elba demo call recordings and metadata are stored exclusively on Microsoft Azure within the EU and do not leave the EEA.

Google Analytics data is processed by Google Ireland Limited, an EEA-based entity. Google transfers analytics data to the United States for processing on Google LLC infrastructure. This transfer is protected by EU Standard Contractual Clauses (Commission Decision 2021/914), as disclosed in Google's data processing terms and confirmed in our cookie consent banner. IP addresses are anonymised before any such transfer takes place.

7. Retention

Personal data collected through the Website is retained only for as long as necessary for the purposes set out in this Policy, or as required by applicable law. The following periods apply:

8. Your Rights

As a data subject, you have the following rights under GDPR in respect of your personal data processed under this Policy. To exercise any of these rights, contact privacy@kolsetu.com. We will respond within one month of receipt, extendable by a further two months for complex or numerous requests, with prior notice. We may ask you to verify your identity before processing your request.

• Right of access (Art. 15 GDPR): to obtain confirmation of whether we process your personal data and to receive a copy, together with the information required by Art. 15.

• Right to rectification (Art. 16 GDPR): to have inaccurate personal data corrected and incomplete data completed without undue delay.

• Right to erasure (Art. 17 GDPR): to request deletion of your personal data where it is no longer necessary, consent has been withdrawn, or processing is unlawful, subject to statutory retention obligations.

• Right to restriction of processing (Art. 18 GDPR): to request that we limit processing in specified circumstances, for example while the accuracy of data is being contested.

• Right to data portability (Art. 20 GDPR): to receive personal data you have provided in a structured, commonly used, machine-readable format, where processing is based on contract or consent.

• Right to object (Art. 21 GDPR): to object at any time to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

• Right to withdraw consent (Art. 7(3) GDPR): to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent to Elba demo call recording and request deletion, contact privacy@kolsetu.com.

Some rights are subject to statutory limitations - for example, business correspondence subject to commercial retention obligations under German law cannot be erased before the mandatory period expires. We will inform you of any applicable limitations when responding to your request.

Right to lodge a complaint. If you consider that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority at any time. The lead supervisory authority for Kolsetu GmbH is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), Klosterwall 6 (Block C), 20095 Hamburg, mailbox@datenschutz.hamburg.de. You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the EU.

9. Data Security

Kolsetu implements appropriate technical and organisational measures in accordance with Art. 32 GDPR to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include TLS encryption of all data transmitted over public networks, encryption of data at rest, role-based access controls and multi-factor authentication, regular security reviews and penetration testing, and documented incident response and breach notification procedures. Elba demo call recordings are stored exclusively in Microsoft Azure EU data centres.

10. Cookie Policy

Cookies are small data files placed on your device when you visit the Website. In accordance with § 25 TTDSG (Germany) and Art. 6 GDPR, non-essential cookies are set only with your prior consent, granted via the cookie consent banner displayed on your first visit and revocable at any time via the "Cookie Settings" link in the Website footer.

You can manage or delete cookies at any time via your browser settings or by updating your preferences in the cookie consent banner. Disabling strictly necessary cookies will affect the functionality of the Website. To opt out of Google Analytics across all websites, you may install the Google Analytics Opt-out Browser Add-on, available from Google.

11. Changes to This Policy

We may update this Policy from time to time. The revised Policy will be published on www.kolsetu.com with an updated effective date. Material changes - those affecting the purposes of processing, categories of data collected, legal bases relied upon, or your rights - will be notified with at least 30 days' advance notice via a prominent notice on the Website. Non-material changes such as editorial corrections take effect upon publication without prior notice.

12. Contact

For privacy enquiries, to exercise your rights under Section 8, or to request deletion of an Elba demo call recording, please contact: