Privacy Policy - iknowly

The protection of your personal data is important to us. This privacy policy informs you in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR) about how, to what extent, and for what purposes we process personal data on our website and platform.

Version 1.2, Last updated: 19-06-2025

1. Data Controller

iknowly UG (haftungsbeschränkt)
Nobelstraße 10
70569 Stuttgart
Germany

Commercial Register: HRB 800247, Local Court of Stuttgart
Managing Director: Taha Al-Taie
Email: legal@iknowly.com
Phone: +49 157 85083140
Website: www.iknowly.com

2. General Information on Data Processing

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection laws. We process personal data only when necessary for the specific purposes outlined in this policy and based on a valid legal basis under Art. 6 GDPR.

Data Processing Principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

3. Legal Bases for Processing

We process personal data based on the following legal grounds:

  • Art. 6(1)(a) GDPR – Consent When you have given explicit consent for specific processing activities, such as marketing communications or non-essential cookies.

  • Art. 6(1)(b) GDPR – Contract performance Processing necessary for the performance of our Terms of Use or to take steps at your request prior to entering into a contract (e.g., registration, booking consultations, payment processing).

  • Art. 6(1)(c) GDPR – Legal obligation Processing required to comply with legal obligations, such as tax regulations, accounting requirements, or other statutory retention duties.

  • Art. 6(1)(f) GDPR – Legitimate interests Processing necessary for purposes of legitimate interests pursued by us or third parties, except where such interests are overridden by your fundamental rights and freedoms. We conduct a balancing test for each legitimate interest purpose as detailed below.

4. Detailed Data Processing Activities

We collect and process personal data only to the extent necessary for the operation of our platform, to fulfill contractual obligations, and to comply with legal requirements. Below is an overview of when and how personal data is collected, the categories of data involved, purposes, and the legal basis for processing.

4.1 Website Visits and Technical Data

When you access our website, certain information is automatically transmitted by your browser to our server and temporarily stored in log files. This includes:

  • IP address of the requesting device
  • Date and time of access
  • Time zone difference to GMT
  • Name and URL of the accessed file
  • Referrer URL (website from which access originated)
  • Browser type, language, and version
  • Operating system and user interface
  • Access status/HTTP status code
  • Amount of data transmitted

Legal Basis: Art. 6(1)(f) GDPR - Legitimate Interests

Legitimate Interest Analysis:

Our legitimate interest lies in ensuring website functionality, security, and performance optimization. We have a compelling business need to:

  • Detect and prevent cyber attacks and unauthorized access
  • Optimize website performance and user experience
  • Comply with legal requirements for system security
  • Analyze technical errors and system performance

Balancing Test: The processing of technical data is necessary for website operation and security. The data is automatically generated and does not involve sensitive personal information. Users expect websites to function properly and securely. Our interests do not override your fundamental rights as the data is limited to technical information necessary for website functionality.

Retention Period: 90 days for server logs

4.2 Contact Forms and Email Communication

Processed Data:

  • Name
  • Email address
  • Message content
  • Time of inquiry
  • IP address

Purpose: To process and respond to your inquiry, including any follow-up correspondence.

Legal Basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interests)

Legitimate Interest Analysis: Our legitimate interest is to respond to inquiries and provide customer support. We have a compelling business need to communicate with potential and existing customers to provide information about our services and resolve issues.

Balancing Test: Processing contact data is necessary to respond to your inquiries. You voluntarily provide this information when contacting us, creating a reasonable expectation of processing. Our interests do not override your rights as the processing is limited to the purpose of responding to your inquiry.

Retention Period: 3 years from last contact

4.3 Platform Registration

Data collected:

  • First and last name
  • Email address
  • Encrypted password
  • Registration timestamp

Legal Basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interests)

Purpose: Creating and managing user accounts is necessary for the performance of our Terms of Use and providing platform access.

Legitimate Interest Analysis: Our legitimate interest lies in maintaining a secure user database, preventing fraud, and ensuring platform integrity. We have a compelling business need to verify user identity and maintain account security.

Balancing Test: Processing registration data is essential for platform functionality and security. Users voluntarily register expecting secure account management. The processing benefits both users (secure accounts) and our business (platform integrity). Our interests do not override user rights as the data is essential for service provision and security.

Retention Period: Until account deletion + 1 month for technical cleanup

4.4 User Onboarding

Data collected/handling:

  • Onboarding form status
  • Industry, goal, skills, languages
  • Country, major/field of study, gender (optional)
  • About me section
  • Profile image
  • Time zone

Legal Basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interests)

Legitimate Interest Analysis: Our legitimate interest is to match users with suitable consultants and improve platform functionality. This data enables us to provide personalized recommendations and enhance user experience.

Balancing Test: Processing profile data improves service quality and user experience. You voluntarily provide this information to receive better service matching. Most data is optional, and you maintain control over what information to share. Our interests do not override your rights as the processing directly benefits your use of the platform.

Retention Period: Until account deletion + 1 month

4.5 Consultant-Specific Data

Mandatory (Visible to Platform Users):

  • First and last name
  • Profile image
  • About me, city, and country
  • Education, professional experience, years of experience
  • Industry, major/field of study, and languages
  • Session pricing, offered services, skills, tagline
  • Ratings and reviews
  • Public profile links (LinkedIn, GitHub, Xing, personal website)

Optional (Visible to Platform Users):

  • Motivational/Introduction video (Optional)

Internal Use Only (Not Visible to Users):

  • Application timestamp
  • Profile statuses
  • Balance, total revenue, last consultation date
  • Weekly profile views, search impressions
  • Motivation text and referral source
  • Tax Identification Number (for consultants registered as Kleinunternehmer, processed solely for fulfilling legal tax obligations)
  • Stripe onboarding metadata (e.g., Stripe account ID, verification status)

Note: Stripe independently collects additional personal data (e.g., phone number, identity documents) as part of their Know Your Customer (KYC) verification. iknowly does not access or store this data.

Optional Documents for Verification Badge (Internal Use Only):

  • Resume
  • Educational certificates
  • Employment certificates

Legal Basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligation), Art. 6(1)(f) GDPR (legitimate interest)

Legitimate Interest Analysis: Our legitimate interest is to verify consultant qualifications, maintain platform quality, and provide users with reliable information for booking decisions. We have a compelling business need to ensure service quality and platform integrity.

Balancing Test: Processing consultant data is essential for platform functionality and user trust. Consultants voluntarily apply to join our platform and understand that profile information will be displayed to attract clients. Internal analytics help improve platform performance. Our interests do not override consultant rights as the processing is necessary for platform participation and business success.

Retention Period: Profile data until account deletion + 1 month; verification documents 3 years after account deletion

4.6 Registration Authentication

Authentication Methods:

  • Email/password via AWS Cognito
  • Google Single Sign-On (SSO)

Data Collected:

  • Email address and verification status
  • Given name and family name (if using Google SSO)
  • Google ID (if using Google SSO)
  • Encrypted password (for email/password authentication)

Legal Basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interests)

Purpose: Secure user authentication is necessary for contract performance and platform access.

Legitimate Interest Analysis: Our legitimate interest is to provide secure and convenient authentication options while maintaining account security and preventing unauthorized access. We have a compelling business need to protect user accounts and platform integrity.

Balancing Test: Processing authentication data is necessary for secure platform access and fraud prevention. Users choose their preferred authentication method and expect secure login processes. The processing enhances security and user convenience while protecting against unauthorized access. Our interests do not override your rights as authentication is essential for platform access and security.

Third-Party Processor: Google Ireland Limited (for Google SSO)

Retention Period: Until account deletion

4.7 Bookings and Sessions

Data Collected:

  • Selected consultant
  • Preferred date and time
  • Availability from calendar
  • Session pricing and selected services
  • Communication tool used (ZEGOCLOUD - iknowly room)
  • Promo code (if applied)
  • Customer business type (e.g., B2C or B2B)
  • VAT ID (if applicable)
  • Company name (if applicable)
  • Full billing address: name, street, postal code, city, state, country
  • Session feedback and ratings
  • Communication logs
  • Session recordings (if applicable)

Purpose: To facilitate consultation bookings, apply discounts, ensure legally compliant invoicing, and maintain service quality.

Legal Basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligation), Art. 6(1)(f) GDPR (legitimate interests)

Legitimate Interest Analysis: Our legitimate interest lies in ensuring service quality, facilitating dispute resolution, improving platform functionality, and maintaining consultation records for business continuity and user safety.

Balancing Test: Processing consultation data benefits both users (service delivery, quality assurance) and consultants (payment processing, reputation management). Users voluntarily book consultations expecting professional service delivery. Our interests do not override user rights as the processing is essential for service provision and quality maintenance.

Retention Period: 6 months after consultation completion for service quality and dispute resolution; feedback data up to 3 years for platform improvement

4.8 Payment Processing

Payments are securely processed via Stripe Payments Europe Ltd. iknowly does not collect or store users' credit card or bank account details.

Data Received from Stripe:

  • Stripe customer ID
  • Payment and transaction status
  • Invoice ID
  • Stripe fees
  • Complete transaction history
  • Payment method information
  • Billing addresses

Legal Basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligation), Art. 6(1)(f) GDPR (legitimate interests)

Purpose: Processing payment data is necessary for contract performance, compliance with accounting and tax obligations under German commercial law (HGB) and tax code (AO), and maintaining business operations.

Legitimate Interest Analysis: Our legitimate interest includes fraud prevention, financial record keeping, business continuity, and providing secure payment processing. We have a compelling business need to maintain accurate financial records and prevent fraudulent transactions.

Balancing Test: Processing payment data is essential for completing transactions, preventing fraud, and maintaining business operations. Users voluntarily engage in paid services expecting secure payment processing. The processing protects both users (fraud prevention) and our business (financial integrity). Our interests do not override user rights as payment processing is fundamental to the service relationship.

Further information: https://stripe.com/privacy

Retention Period: 10 years (statutory retention under German law)

5. Purposes of Processing - Overview

Purpose Legal Basis Retention Period
Platform functionality, registration Art. 6(1)(b) GDPR Until account deletion + 1 month
Booking and consultation execution Art. 6(1)(b) GDPR 6 months after session
Consultation feedback Art. 6(1)(f) GDPR Up to 3 years
Payment & invoicing Art. 6(1)(b), (c) GDPR 10 years
Consultant verification Art. 6(1)(b), (f) GDPR 3 years after account deletion
User profile management Art. 6(1)(b) GDPR Until account deletion + 1 month
Platform improvement (analytics) Art. 6(1)(f) GDPR Until withdrawal
Direct marketing Art. 6(1)(a) GDPR Until withdrawal
Legal archiving Art. 6(1)(c) GDPR Statutory periods
Contact inquiries Art. 6(1)(f) GDPR 3 years from last contact

6. Marketing Communications

Legal Basis: Art. 6(1)(a) GDPR - Consent

Data Processed: Email address, name, communication preferences, engagement metrics

Purpose: Sending newsletters, service updates, and promotional materials

Retention Period: Until consent is withdrawn

Withdrawal: You can withdraw consent at any time by clicking the unsubscribe link in our emails or contacting legal@iknowly.com.

7. Cookies and Tracking Technologies

We use cookies and tracking tools to improve usability and optimize our services. Details can be found in our Cookie Policy.

Legal Bases:

  • Art. 6(1)(a) GDPR (consent via cookie banner)
  • Art. 6(1)(f) GDPR (legitimate interests for essential cookies)
  • § 25 TTDSG (device information)

Essential Cookies: Processed under Art. 6(1)(f) GDPR based on our legitimate interest in website functionality.

Analytics and Marketing Cookies: Processed under Art. 6(1)(a) GDPR based on your consent collected via our Consent Management Platform (Usercentrics).

Google Services: We implement Google Consent Mode v2 to ensure Google services only load after obtaining your consent for non-essential purposes.

You can withdraw your consent at any time via our consent management tool (Usercentrics).

Cookie Overview

Cookie Name Purpose Category Duration Consent Required
__stripe_mid Stripe security Essential 1 year No
__stripe_sid Stripe session Essential 30 minutes No
_cf_bm Bot protection (Cloudflare) Essential 30 minutes No
CONSENT Google consent tracking Functional 2 years Yes
test_cookie Cookie test (Google) Functional 15 minutes Yes
_ga Google Analytics Analytics 2 years Yes
_ga_XXXXXXXXXX GA property cookie Analytics 2 years Yes
_gid Session user tracking Analytics 24 hours Yes
_gat_gtag_UA_XXXXXXXX_X Throttle request rate Analytics 1 minute Yes
li_gc LinkedIn consent Functional 6 months Yes
bcookie LinkedIn browser ID Advertising 1 year Yes
bscookie LinkedIn secure login Advertising 1 year Yes
lidc LinkedIn load balancing Advertising 1 day Yes
lang LinkedIn language setting Functional Session Yes
_fbp Facebook ad personalization Advertising 3 months Yes
fr Facebook tracking Advertising 3 months Yes

8. Data Sharing with Third Parties

Your data will only be shared with third parties if:

  • You have given explicit consent (Art. 6(1)(a) GDPR)
  • It is necessary for contract performance (Art. 6(1)(b) GDPR)
  • There is a legal obligation (Art. 6(1)(c) GDPR)
  • It is based on our legitimate interest (Art. 6(1)(f) GDPR)

We have concluded Data Processing Agreements (DPAs) with all processors handling personal data on our behalf.

8.1 Payment Processing

Processor: Stripe Payments Europe Limited
Address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland
Purpose: Payment processing, fraud prevention, financial compliance
Legal Basis: Art. 6(1)(b) GDPR - Contract Performance, Art. 6(1)(c) GDPR - Legal Obligation, and Art. 6(1)(f) GDPR - Legitimate Interests
Data Processed: Payment information, billing data, transaction records
Legitimate Interest: Fraud prevention, secure payment processing, business continuity, and financial record accuracy
Safeguards: EU-based entity, GDPR-compliant, DPA concluded
Data Location: EU/EEA with potential transfers to Stripe, Inc. (USA) under Standard Contractual Clauses and Data Privacy Framework
Privacy Policy: https://stripe.com/privacy

8.2 Video Communication

Processor: ZEGOCLOUD Pte. Ltd.
Address: 80 Robinson Road, #02-00, Singapore 068898
Purpose: Video consultation platform, real-time communication
Legal Basis: Art. 6(1)(b) GDPR - Contract Performance and Art. 6(1)(f) GDPR - Legitimate Interests
Data Processed: Video/audio data during consultations, user identifiers, session metadata
Legitimate Interest: Ensuring reliable video consultation services, platform functionality, and user experience optimization
Safeguards: Standard Contractual Clauses, DPA concluded, encryption in transit and at rest
Data Location: Singapore and EU data centers
Third Country Transfer: Singapore (no adequacy decision) - processing based on Standard Contractual Clauses with additional safeguards
Privacy Policy: https://www.zegocloud.com/privacy-policy

8.3 Cloud Hosting

Processor: Amazon Web Services EMEA SARL
Address: 38 Avenue John F. Kennedy, L-1855 Luxembourg
Purpose: Cloud hosting, data storage, content delivery
Legal Basis: Art. 6(1)(b) GDPR - Contract Performance and Art. 6(1)(f) GDPR - Legitimate Interests
Data Processed: All platform data stored on our servers
Legitimate Interest: Platform availability, data security, performance optimization, and business continuity
Safeguards: EU-based entity, GDPR-compliant, DPA concluded
Data Location: EU ( Ireland, Germany) data centers exclusively
Privacy Policy: https://aws.amazon.com/privacy/

8.4 Analytics and Marketing (with Consent)

Google Ireland Limited
Address: Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Website analytics, advertising
Legal Basis: Art. 6(1)(a) GDPR - Consent and Art. 6(1)(f) GDPR - Legitimate Interests
Legitimate Interest: Website optimization, user experience improvement, and business development (applies to essential analytics only)
Safeguards: EU-based entity, consent-based processing for marketing, DPA concluded
Third Country Transfer: Potential transfers to Google LLC (USA) under Standard Contractual Clauses and Data Privacy Framework
Privacy Policy: https://policies.google.com/privacy

Meta Platforms Ireland Limited
Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Purpose: Social media marketing, advertising analytics
Legal Basis: Art. 6(1)(a) GDPR - Consent and Art. 6(1)(f) GDPR - Legitimate Interests
Legitimate Interest: Business promotion and user acquisition (limited to essential business promotion activities)
Safeguards: EU-based entity, consent-based processing, DPA concluded
Third Country Transfer: Potential transfers to Meta Platforms, Inc. (USA) under Standard Contractual Clauses and Data Privacy Framework
Privacy Policy: https://www.facebook.com/privacy/policy/

LinkedIn Ireland Unlimited Company
Address: Wilton Plaza, Wilton Place, Dublin 2, Ireland
Purpose: Professional network marketing, B2B advertising
Legal Basis: Art. 6(1)(a) GDPR - Consent and Art. 6(1)(f) GDPR - Legitimate Interests
Legitimate Interest: Professional networking and B2B business development
Safeguards: EU-based entity, consent-based processing, DPA concluded
Third Country Transfer: Potential transfers to LinkedIn Corporation (USA) under Standard Contractual Clauses and Data Privacy Framework
Privacy Policy: https://www.linkedin.com/legal/privacy-policy

8.5 Consent Management

Processor: Usercentrics GmbH
Address: Sendlinger Straße 7, 80331 Munich, Germany
Purpose: Cookie consent management, compliance documentation
Legal Basis: Art. 6(1)(c) GDPR - Legal Obligation and Art. 6(1)(f) GDPR - Legitimate Interests
Data Processed: Consent records, cookie preferences, IP addresses (anonymized)
Legitimate Interest: GDPR compliance, consent documentation, and legal protection
Safeguards: EU-based entity, GDPR-compliant, DPA concluded
Data Location: Germany
Privacy Policy: https://usercentrics.com/privacy-policy/

8.6 IP Geolocation

Processor: ipapi.co (Viblast Ltd.) Address: 16192 Coastal Highway, Lewes, DE 19958, United States Purpose: IP-based geolocation lookup to determine users’ country for tax and localization purposes Legal Basis: Art. 6(1)(c) GDPR – Legal Obligation (e.g., determining tax/VAT applicability) and Art. 6(1)(f) GDPR – Legitimate Interests Data Processed: IP address (with optional geolocation data), timestamp Legitimate Interest: Ensuring proper tax compliance, enhancing user experience by offering localized services Safeguards: Data is transferred to the United States; protected by Standard Contractual Clauses (SCCs) Data Location: United States Privacy Policy: https://ipapi.co/privacy/

Overview of Data Recipients

Recipient Purpose Location Safeguards
Stripe Inc. Payment processing USA/Ireland SCC, DPA, DPF
ZEGOCLOUD Video calls Singapore/EU SCC
Amazon Web Services (AWS) Hosting and Managing EU ( Ireland) DPA
Google Ireland Limited Analytics, Auth USA/Ireland SCC, DPF, consent
Google Analytics Analytics USA SCC, consent required
Meta (Facebook) Pixel Marketing USA SCC, consent required
LinkedIn Insight Tag Marketing USA SCC, consent required
Usercentrics GmbH Cookie consent management EU GDPR-compliant
ipapi.co (Viblast Ltd.) IP-based geolocation USA SCC, DPA (ifavailable)

9. International Transfers

9.1 Transfers to Third Countries

When we transfer personal data to countries outside the EU/EEA, we ensure adequate protection through:

Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (Decision 2021/914) with all processors in third countries.

Additional Safeguards: We implement supplementary measures including:

  • Encryption in transit and at rest
  • Access controls and logging
  • Regular security assessments
  • Contractual obligations for data protection

9.2 Data Privacy Framework (DPF)

The EU-U.S. Data Privacy Framework is an adequacy mechanism that enables certain US companies to receive personal data from the EU in compliance with GDPR requirements. Companies certified under the DPF commit to specific privacy principles and enforcement mechanisms.

DPF-Certified Processors:

  • Google LLC (DPF Certification)
  • Meta Platforms, Inc. (DPF Certification)
  • LinkedIn Corporation (DPF Certification)
  • Stripe, Inc. (DPF Certification)

When transferring data to DPF-certified companies, we rely on both their DPF certification and Standard Contractual Clauses as complementary safeguards. You can verify current DPF certifications at: https://www.dataprivacyframework.gov/s/

Benefits of DPF:

  • Additional oversight by U.S. Department of Commerce
  • Binding commitments to EU-equivalent privacy standards
  • Independent dispute resolution mechanisms
  • Enhanced enforcement through U.S. authorities

9.3 Third Country Transfer Risks

Transfers to the United States: Data transferred to US-based companies (Google, Meta, LinkedIn) may be subject to access by US government authorities under laws such as the FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333. These laws may allow US authorities to access your data under certain circumstances, potentially without your knowledge or consent.

Risk Mitigation: We minimize data transfers, use encrypted connections, and rely on Standard Contractual Clauses with additional safeguards. You may withdraw consent for marketing services at any time to limit such transfers.

Transfers to Singapore (ZEGOCLOUD): Singapore does not have an adequacy decision from the European Commission. We rely on Standard Contractual Clauses and additional technical and organizational measures to ensure adequate protection.

10. Retention Periods

We store personal data only as long as necessary for the respective purposes or as required by law:

Data Type Retention Period Legal Basis
User account data 1 month after account deletion Art. 6(1)(b) GDPR
Consultation records 6 months after session Art. 6(1)(b) GDPR
Consultation feedback Up to 3 years Art. 6(1)(f) GDPR
Consultant documents 3 years after account deletion Art. 6(1)(f) GDPR
Invoices & payment data 10 years Art. 6(1)(c) GDPR (HGB/AO)
Video metadata 90 days Technical necessity
Server logs 90 days Art. 6(1)(f) GDPR
Contact inquiries 3 years from last contact Art. 6(1)(f) GDPR
Marketing consent records Until consent withdrawn + 3 years Art. 6(1)(c) GDPR

11. Your Rights Under GDPR

You have the following rights at any time:

11.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether personal data concerning you is being processed, and access to such data including:

  • Purposes of processing
  • Categories of data
  • Recipients or categories of recipients
  • Retention periods
  • Information about your rights
  • Source of data (if not collected from you)
  • Existence of automated decision-making

11.2 Right to Rectification (Art. 16 GDPR)

You have the right to obtain rectification of inaccurate personal data and to have incomplete data completed.

11.3 Right to Erasure (Art. 17 GDPR)

You have the right to obtain erasure of personal data ("right to be forgotten") when:

  • Data is no longer necessary for the original purposes
  • You withdraw consent (where processing is based on consent)
  • You object to processing based on legitimate interests
  • Data has been unlawfully processed
  • Erasure is required for compliance with legal obligations

Note: This right does not apply when legal retention obligations exist.

11.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to obtain restriction of processing when:

  • You contest the accuracy of data (during verification)
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You object to processing (pending verification of legitimate grounds)

11.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format and to transmit that data to another controller when:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

11.6 Right to Object (Art. 21 GDPR)

General Right to Object: You have the right to object, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR (legitimate interests). We will no longer process your personal data unless we demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

Direct Marketing: You have the absolute right to object to processing for direct marketing purposes at any time. If you object, we will no longer process your personal data for such purposes.

Automated Decision-Making You have the right not to be subject to automated decision-making, including profiling, which produces legal effects or similarly significantly affects you. We do not currently engage in such automated decision-making.

11.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

11.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to file a complaint with a supervisory authority.

11.9 Exercising Your Rights

Contact to exercise your rights:

  • Email: legal@iknowly.com
  • Subject Line: "Data Protection Request - [Type of Request]"
  • Include: Your full name, registered email address, and specific details about your request

We will respond to your request within one month. In complex cases, we may extend this period by two additional months, and we will inform you of any such extension.

12. Children's Privacy

Our platform is not intended for children under 16. We do not knowingly collect personal data from children under 16. If we become aware of such data, we will delete it immediately. If you believe we may have collected information from a child under 16, please contact us at legal@iknowly.com.

13. Security Measures

We implement appropriate technical and organizational measures to protect your data against loss, misuse, or unauthorized access:

Technical Measures:

  • SSL/TLS encryption for all data transfers
  • AES-256 encryption for data at rest
  • Hashed passwords (no plaintext storage)
  • Regular security updates
  • Penetration testing and vulnerability assessments
  • Backup systems and disaster recovery plans
  • Access logging and monitoring
  • Network security and firewall protection
  • Server location: AWS Ireland (EU)

Organizational Measures:

  • Access control mechanisms and permission concepts
  • Role-based access control
  • Regular employee training on data protection
  • Data protection impact assessments
  • Incident response procedures
  • Vendor security assessments
  • Regular review of security measures

These measures are regularly reviewed and updated to reflect technological advancements.

14. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any algorithmic processing (such as consultant matching) is used only to improve user experience and does not result in automated decisions with legal or significant effects.

15. External Links

Our website may contain links to external sites. We are not responsible for their content or privacy practices. Please review the privacy policies of linked websites.

16. Supervisory Authority

For privacy-related questions or complaints, you may contact the relevant supervisory authority:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Königstraße 10a
70173 Stuttgart
Germany

Email: poststelle@lfdi.bwl.de
Website: www.baden-wuerttemberg.datenschutz.de

17. Changes to This Privacy Policy

We reserve the right to update this policy to reflect legal changes or service modifications. We will notify you of material changes by:

  • Email notification to your registered email address
  • Prominent notice on our website
  • In-app notification (where applicable)

The current version is always available at www.iknowly.com/privacy-policy.

Continued use of our services after receiving notice of changes constitutes acceptance of the updated policy.

18. Contact Information

Data Protection Officer/Contact Email: legal@iknowly.com Phone: +49 157 85083140 Address: iknowly UG, Nobelstraße 10, 70569 Stuttgart, Germany

For data protection inquiries, please use the subject line "Data Protection Inquiry" to ensure prompt handling.

As of: June 19, 2025
Last Updated: June 19, 2025