Privacy Policy
Privacy Policy of Kilo Moana UG (haftungsbeschränkt)
Last updated: 02.04.2026
1. Introduction
This Privacy Policy explains how Kilo Moana UG (haftungsbeschränkt) (“we”, “us”, “our”, or the “Company”) collects, uses, discloses, and protects your personal data when you use our service RocketKit (the “Service”), accessible at https://rocketkit.io.
We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection laws.
By using our Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller responsible for your personal data is:
Kilo Moana UG (haftungsbeschränkt)
Heidestraße 49g
25462 Rellingen, Germany
Managing Director: Alexander Siemer-Schmetzke
Email: info@kilo-moana.com
Commercial Register: Amtsgericht Pinneberg, HRB 19590
3. Data We Collect
3.1 Data You Provide to Us
- Account Data: Name, email address, password (hashed), and other information you provide during registration
- Profile Data: Any additional information you add to your user profile
- Payment Data: Billing address, payment method details (processed by our payment provider Stripe; we do not store full credit card numbers)
- Communication Data: Messages, support requests, and feedback you send to us
- Content Data: Any content you create, upload, or store within the Service
3.2 Data Collected Automatically
- Log Data: IP address, browser type and version, operating system, referrer URL, pages visited, date and time of access
- Device Data: Device type, screen resolution, unique device identifiers
- Usage Data: Features used, actions taken, frequency and duration of use
- Cookie Data: Information collected through cookies and similar technologies (see our Cookie Policy for details)
3.3 Data from Third Parties
- Payment Provider (Stripe): Transaction status, payment confirmation
- Analytics (Google Analytics): Anonymized usage statistics
4. Purposes and Legal Bases for Processing
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and maintaining the Service | Art. 6(1)(b) – Performance of a contract |
| User account management | Art. 6(1)(b) – Performance of a contract |
| Payment processing | Art. 6(1)(b) – Performance of a contract |
| Customer support | Art. 6(1)(b) – Contract / Art. 6(1)(f) – Legitimate interest |
| Service improvement and analytics | Art. 6(1)(a) – Consent (for cookies) / Art. 6(1)(f) – Legitimate interest |
| Newsletter and marketing communications | Art. 6(1)(a) – Consent |
| Security and fraud prevention | Art. 6(1)(f) – Legitimate interest |
| Compliance with legal obligations | Art. 6(1)(c) – Legal obligation |
5. Data Sharing and Recipients
We share your personal data only as described below:
5.1 Service Providers (Sub-processors)
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Strato | Hosting | Germany | GDPR (EU entity), SCCs |
| Vercel Inc. | Frontend hosting, CDN | USA (Global Edge) | EU-US DPF, SCCs |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland / USA | GDPR (EU entity), SCCs |
| Google Ireland Limited | Web analytics (Google Analytics) | Ireland / USA | EU-US DPF |
| Sendinblue GmbH (Brevo) | Email marketing, transactional emails | Germany / France | GDPR (EU entity) |
5.2 Other Disclosures
We may also disclose your data:
- When required by law, court order, or governmental request
- To protect our rights, property, or safety, or that of our users or the public
- In connection with a merger, acquisition, or sale of assets (with prior notice to you)
We do not sell your personal data to third parties.
6. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), particularly in the United States. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework (DPF): Where the recipient is DPF-certified (Art. 45 GDPR)
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses pursuant to Art. 46(2)(c) GDPR
- Consent: In specific cases, based on your explicit consent (Art. 49(1)(a) GDPR)
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data Category | Retention Period |
|---|---|
| Account data | Duration of the contract + 30 days for data export |
| Payment/invoice data | 10 years (German tax law, Sec. 147 AO) |
| Server log files | 90 days |
| Analytics data | 26 months (Google Analytics default) |
| Newsletter consent records | Until withdrawal of consent + documentation period |
| Support communications | 3 years after resolution |
After the retention period expires, data is securely deleted or anonymized.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR): Obtain confirmation and a copy of your personal data
- Right to Rectification (Art. 16 GDPR): Correct inaccurate or incomplete data
- Right to Erasure (Art. 17 GDPR): Request deletion of your data (“right to be forgotten”)
- Right to Restriction (Art. 18 GDPR): Restrict processing in certain circumstances
- Right to Data Portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw consent at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at: alexander@siemer-schmetzke.de
We will respond to your request within one month. In complex cases, this period may be extended by two additional months, and we will inform you accordingly.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority for us is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
https://www.datenschutzzentrum.de
9. Cookies and Tracking Technologies
We use cookies and similar technologies on our Service. For detailed information about the cookies we use and how to manage your preferences, please refer to our Cookie Policy.
Essential cookies are set without consent as they are strictly necessary for the operation of the Service. All other cookies (analytics, marketing) require your explicit opt-in consent.
10. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and role-based permissions
- Regular security reviews and updates
- Employee confidentiality obligations
For a detailed description of our security measures, see our Technical and Organizational Measures (TOMs).
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
11. Necessity of Data Provision (Art. 13(2)(e) GDPR)
The provision of certain personal data is required for the conclusion and performance of the contract:
- Registration (mandatory): Name, email address, password. Without this data, we cannot create your account or provide the Service.
- Paid subscriptions (mandatory): Billing address and payment information. Without this data, payment processing cannot be completed.
All other data (e.g., profile information, newsletter subscription) is voluntary. Not providing optional data does not affect your ability to use the core features of the Service.
12. Automated Decision-Making / Profiling (Art. 13(2)(f) GDPR)
We do not use automated decision-making, including profiling, pursuant to Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you. All decisions that may affect you as a user (e.g., account suspension due to a breach of Terms) are made by natural persons.
13. Children’s Privacy
Our Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that data promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by email or through a prominent notice on our Service at least 30 days before the changes take effect.
The “Last updated” date at the top of this policy indicates when it was last revised.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Kilo Moana UG (haftungsbeschränkt)
Heidestraße 49g
25462 Rellingen, Germany
Email: info@kilo-moana.com
Effective: 02.04.2026
Applicable to: RocketKit (https://rocketkit.io)