Privacy Policy

Privacy Policy for the KEMPER Connect Cloud

Privacy Policy – KEMPER Connect

As of February 12, 2026

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data (“data”) in the context of our online offering (website, platform/functions, content) and our external online presences (e.g., social media). We use terms such as “processing,” “controller,” and “processor” in accordance with Art. 4 GDPR.


1. Controller

KEMPER GmbH
Von-Siemens-Str. 20, 48691 Vreden, Germany

Managing Directors: Björn Kemper, Frederic Lanz
Phone: +49 (0) 2564 68 0
Email: [email protected]


2. Data protection officer

Our external Data Protection Officer is:

Markus Olbring
comdatis it-consulting GmbH & Co. KG
Deventer Weg 8, 48683 Ahaus, Germany
Email: [email protected]
Phone: +49 2567 82900 00
Mobile: +49 173 9799897

For general data protection inquiries, you can also contact: [email protected].


3. Categories of data subjects

  • Visitors to our website

  • Users of our platform (including administrators, members, test users)

  • Prospective customers, customers, and business partners

  • Persons who contact us (support/sales)

Note: KEMPER Connect is a B2B (business-to-business) platform. Our services are aimed at companies, tradespeople, and professional users. The platform is not intended for use by minors.


4. Types of data processed

Depending on the use, we process in particular:

  • Master data (e.g., name, company, position)

  • Contact details (e.g., email, phone number)

  • Account/login data (e.g., user account, password hash, authentication events)

  • Contract data (e.g., tariff, contract status)

  • Content data (e.g., chat/support messages, form content)

  • Usage data (e.g., functions used, devices/objects created, interaction data)

  • Meta/communication data (e.g., IP address, device and browser information, log files)


5. Purposes of processing

  • Provision and operation of website and platform

  • Registration, login, and account management

  • Provision of contractual services (SaaS)

  • Support and communication

  • Contract management

  • Security (detection of misuse, fraud, and attacks)

  • Reach measurement, product analysis, and optimization (only with consent, if necessary)


Insofar as the GDPR applies, we process data on the following bases in particular:

  • Art. 6 (1) (b) GDPR (contract/pre-contractual measures)

  • Art. 6 (1) (c) GDPR (legal obligation)

  • Art. 6 (1) (f) GDPR (legitimate interest, e.g., security, operation, optimization)

  • Art. 6 (1) (a) GDPR (consent, e.g., for analysis/marketing technologies)

For cookies and similar technologies (storage/retrieval on end devices), we also take into account the requirements of German telecommunications/telemedia law (consent requirements for non-essential technologies).


7. Operation of the platform: Roles under the GDPR (customer processing)

If you use KEMPER Connect as a company/organization and transfer personal data of your end customers, employees, or other data subjects to the platform:

  • You are generally the controller.

  • We (KEMPER Connect) process this data as a processor within the framework of a data processing agreement (DPA).

We are the controller for data that we process for our own purposes (e.g., account management, security, website operation).


8. Hosting, infrastructure, and data processing (subprocessors)

We use service providers who process data on our behalf (Art. 28 GDPR). In doing so, we ensure that suitable contracts (in particular DPA) and appropriate security measures are in place.

8.1 Product/platform infrastructure

  • DigitalOcean (region: Frankfurt, Germany): Hosting for backend, API, and relational database.

  • Timescale / TigerCloud (region: Frankfurt; infrastructure on AWS in Frankfurt): Hosting/management of the time series database.

  • Vercel: Provision/hosting of the front end (delivery of web applications, edge/build infrastructure).

8.2 Communication & email

  • Brevo: Email delivery (e.g., newsletters/transactional emails, depending on your use case).

  • Crisp.chat: Live chat and messaging for support/communication.

8.3 AI services

  • OpenAI (OpenAI, L.L.C., USA): AI-supported functions (e.g., text generation, assistants). Third-country transfer to the USA (standard contractual clauses).

  • Anthropic (Anthropic PBC, USA): AI-supported functions (e.g., text processing, analysis). Third-country transfer to the USA (standard contractual clauses).

  • Cookiebot (Usercentrics A/S, Denmark): Management of cookie consent and data protection preferences (EU).

Note: Depending on the specific configuration of individual services, data may be transferred to third countries (e.g., USA). In these cases, we ensure compliance with the requirements of Art. 44 et seq. GDPR (e.g., standard contractual clauses, additional protective measures if necessary).


9. Server log files & security

Each time you access the website/platform, we process technical access data (e.g., IP address, date/time, URL accessed, referrer, user agent) in order to

  • ensure system security,

  • detect attacks/misuse,

  • ensure stability and error analysis.

The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in secure operation).


10. Registration, login, user account

When registering and using the user account, we process the data required for account creation and authentication (e.g., email, name, password hash, login events). Legal basis: Art. 6 (1) (b) GDPR (contract) and (f) GDPR (security/prevention of misuse).


11. Contact & support (including Crisp.chat)

When you contact us (email, phone, form, chat), we process your information to handle your request and communicate with you.

  • Legal basis: Art. 6 (1) (b) GDPR (pre-contractual/contractual) or (f) GDPR (general inquiries, efficient customer communication).

  • Crisp.chat may process name, email, message content, timestamp, and technical metadata in particular.


12. Newsletter & email communication (Brevo)

If you subscribe to our newsletter, we process your email address (and name, if applicable) for the purpose of sending the newsletter.

  • Legal basis: generally Art. 6 (1) lit. a GDPR (consent).

  • Unsubscribe/revoke: at any time via the unsubscribe link in each email or by sending a message to [email protected].

  • Double opt-in/logging: We log registration and confirmation times as well as technical evidence in order to be able to prove your consent (Art. 6 (1) (f) GDPR – legitimate interest in proof).


13. Analysis & product tracking (Google Analytics, Mixpanel)

We use analysis/tracking tools to understand how the website and platform are used and to improve the user experience.

  • Google Analytics (website analysis; e.g., page views, referrers, interactions)

  • Mixpanel (platform/product analysis; e.g., use of functions, created devices/objects, events)

Consent: If cookies/identifiers or similar technologies are used for this purpose, processing will only take place after you have given your consent via our consent tool/banner. Legal basis: Art. 6 (1) (a) GDPR (consent). You can change or revoke your consent at any time via the privacy settings (consent banner).


14. AI-supported functions (OpenAI, Anthropic)

We use AI-based services in certain areas of our platform to offer you advanced functions (e.g., intelligent assistants, text generation, data analysis).

Providers used:

  • OpenAI (OpenAI, L.L.C., USA) – e.g., for text generation and assistance functions

  • Anthropic (Anthropic PBC, USA) – e.g., for text processing and analysis

Processed data: Depending on the function, input data (texts, queries) may be transmitted to the AI services. We only transmit the data necessary for the respective function.

Third country transfer: OpenAI and Anthropic are based in the USA. Data is transferred on the basis of standard contractual clauses (Art. 46 (2) (c) GDPR).

Legal basis: Art. 6 (1) (b) GDPR (performance of a contract, insofar as the AI function is part of the service) or Art. 6 (1) (f) GDPR (legitimate interest in providing innovative functions).

Note on automated decision-making: There is no automated decision-making within the meaning of Art. 22 GDPR that has legal effect or similarly significantly affects you.


We use cookies and similar technologies:

  • Necessary technologies (e.g., session, login, security functions, consent storage)

  • Optional technologies (e.g., analysis/tracking such as Google Analytics, Mixpanel)

Consent management (Cookiebot): We use Cookiebot (Usercentrics A/S, Denmark) to manage your consent. When you first visit our website, a banner will ask for your consent to optional cookies. Your preferences are stored and can be changed at any time via the “Cookie settings” link in the footer of the website or by calling up the banner again.

We only activate optional technologies after consent has been given. You can delete/deactivate cookies in your browser; however, this may impair certain functions.


16. Storage period & deletion

We only store personal data for as long as is necessary for the purposes stated.

  • Platform data in the event of customer deletion: When a customer deletes content/personal data from the platform, it is immediately removed from the productive systems. Backup processes are also designed so that deleted customer data is not retained longer than necessary.

  • Contract data: Storage in accordance with legal retention requirements (e.g., commercial/tax law).

  • Support/communication data: for as long as necessary for processing and, if necessary, for defending/pursuing claims.


17. Disclosure of data / recipients

We only disclose data if

  • this is necessary for the performance of a contract (Art. 6 (1) (b) GDPR),

  • there is a legal obligation (Art. 6 (1) (c) GDPR),

  • you have given your consent (Art. 6 (1) (a) GDPR), or

  • there is a legitimate interest (Art. 6 (1) (f) GDPR) and no overriding interests.

Recipients are, in particular, the processors/sub-processors mentioned in Section 8.


18. Third country transfers (outside the EEA)

If personal data is transferred to countries outside the EEA, this will only be done in compliance with Art. 44 ff. GDPR (e.g., standard contractual clauses, additional measures if necessary). Whether and to what extent this applies to each service depends on the respective configuration/service provision.


19. External online presences (social media)

We maintain presences on social networks in order to communicate with interested parties, customers, and the public.

When you visit our social media pages, data (e.g., usage statistics, interactions) is processed by the respective platform operator. This may involve joint responsibility (in particular for LinkedIn Page Insights, Art. 26 GDPR).

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in public relations and communication).

Data protection information for the platforms:


20. Technical and organizational measures

We take appropriate technical and organizational measures (TOMs) to protect data from loss, misuse, unauthorized access, and unlawful disclosure.


21. Rights of data subjects

You have the following rights, depending on applicability:

  • Information (Art. 15 GDPR)

  • Rectification (Art. 16 GDPR)

  • Erasure (Art. 17 GDPR)

  • Restriction of processing (Art. 18 GDPR)

  • Data portability (Art. 20 GDPR)

  • Objection (Art. 21 GDPR), in particular against processing based on legitimate interests

  • Withdrawal of consent (Art. 7 (3) GDPR) at any time with effect for the future

Please address any inquiries to: [email protected]


22. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority (based in North Rhine-Westphalia) is in particular:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf
Phone: +49 (0) 211 38424-0
Email: [email protected]
Website: https://www.ldi.nrw.de


23. Changes to this privacy policy

We will amend this privacy policy as soon as this becomes necessary due to technical changes, new services, or legal requirements.
