Privacy Policy
1. Who we are
The KOCKA platform is operated by [Company name], registered at [Address]. We are the controller of the data you provide at registration and of technical log data. For data you upload about your own customers, we act as processor and you are the controller.
2. What we collect
About you (administrator/technician):
- Company name, address, tax ID, email, phone
- Hashed password (never plaintext)
- Login events (time, IP, user agent)
- Subscription/billing data if applicable
About your customers (end-users you serve):
- Name, phone, email — entered by you to manage tickets
- Device and problem info
- Photos you upload
- We have no direct relationship with end customers — you are responsible for the lawfulness of processing
Technical data:
- HTTP/error logs
- Cookies (see Cookie Policy)
3. Why we process (legal basis)
- Performance of contract — to provide the Service
- Legitimate interest — security, abuse prevention, improving the Service
- Legal obligation — accounting and tax records
- Consent — only for newsletters; you can withdraw at any time
4. Sharing
We do not sell or share your data with third parties for marketing. We share only with carefully chosen sub-processors: hosting provider, email/SMS provider, payment processor (where applicable). We have signed DPAs (GDPR Art. 28) with all sub-processors.
5. Your rights
Under GDPR you have the right to: access, rectification, erasure ("right to be forgotten"), data portability, restriction, objection, and to lodge a complaint with the supervisory authority. Email privacy@KOCKA.example; we respond within 30 days.
6. Retention
- Active account — for as long as it is active plus 90 days after deactivation
- Accounting data (invoices) — 10 years (legal obligation)
- Log files — 90 days
- Database backups — 30-day rolling
7. Security
HTTPS in transit, bcrypt/argon2 password hashing, RBAC access control, multi-tenant isolation (company_id filtering), encrypted backups at rest, security incident monitoring and statutory breach notification.
8. International transfer
Our servers are in the EU. Any transfer outside the EU/EEA is performed under Standard Contractual Clauses (SCC) or equivalent GDPR-recognized mechanisms.
9. Children
The Service is not aimed at users under 18. We do not knowingly collect data on minors.
10. Changes
We may update this Policy. Material changes will be announced at least 30 days in advance.
11. Contact
privacy@KOCKA.example