Privacy Policy of KV GmbH

1. Introduction

KV GmbH (“co.de”, “we”, “us”) is committed to processing your personal data responsibly and protecting your privacy. This privacy policy explains how we collect, process, store, and protect personal data in the context of our services, particularly in connection with the administration and registration of subdomains under co.de. The basis of our data processing is the European General Data Protection Regulation (GDPR), supplemented by the German Federal Data Protection Act (BDSG).

Although our company is based in Germany, our services are directed at customers worldwide. Therefore, we comply not only with European data protection standards but also consider international regulations when necessary, such as when working with partners and authorities outside the EU.

We take data protection very seriously and will inform you comprehensively below about the type of data collected, its processing, your rights, and the measures we take to ensure the security of your data.

2. Responsible body

The party responsible for data processing is:

KV GmbH

Martinistraße 3

49090 Osnabrück

Germany

Email: datenschutz@kv-gmbh.de

Managing director authorized to represent the company:

Martin Steinkamp

Responsible data protection supervisory authority:

Die Landesbeauftragte für den Datenschutz Niedersachsen

Prinzenstraße 5

30159 Hannover

Email: poststelle@lfd.niedersachsen.de

3. Categories of Processed Personal Data

As part of our services, we collect and process, among others, the following categories of personal data:

  • Name, address, phone number, email address
  • Company data (for legal entities)
  • User IDs and login credentials (e.g., logins, IP addresses, timestamps)
  • Technical contact details for domains (e.g., Admin-C, Tech-C, zone contacts)
  • Communication content (support inquiries, emails, call notes)
  • Identity documents and verification materials
  • Log data (e.g., access history, user agent, operating system)

4. Special Categories of Personal Data

In rare cases, we may process special categories of personal data under Article 9(1) GDPR, such as when copies of IDs are required in abuse handling, verification, or identity checks. Such data is collected only with explicit consent or under a legal obligation, is specially protected, and is promptly deleted once its purpose is fulfilled.

5. Purposes and Scope of Data Processing

Your data is processed for the following purposes:

  • Setup and management of subdomains
  • Management of customer and partner data
  • Technical operation, maintenance, and monitoring of our systems
  • Detection and prevention of cyberattacks, spam, and abuse
  • Communication with customers, partners, and authorities
  • Handling inquiries, particularly related to abuse cases
  • Documentation obligations under tax and commercial laws
  • Identity verification and legitimacy confirmation (e.g., for disputed domain ownership)

In cases of abuse, a postal confirmation may be sent to the address provided during registration. This serves to verify the identity of the domain holder.

6. Legal Basis of Data Processing

The processing of data is based on the following legal grounds:

  • Art. 6 para. 1 lit. a GDPR (consent)
  • Art. 6 para. 1 lit. b GDPR (fulfillment of a contract)
  • Art. 6 para. 1 lit. c GDPR (fulfillment of a legal obligation)
  • Art. 6 para. 1 lit. f GDPR (legitimate interest, e.g. IT security, network stability, prevention of misuse)

7. Recipients of Personal Data

Within our organization, only those departments that need access to your data to fulfill our contractual and legal obligations will have access. External recipients may include:

  • Technical service providers and hosting providers (e.g., email, server operations)
  • Operators of support and ticketing systems
  • Domain registrars
  • Authorities and courts as required by law
  • Third parties conducting legitimacy checks in abuse cases

Disclosure to coordinating abuse offices only occurs when legally required or necessary to avert threats.

The collection and publication of technical contact data via the WHOIS/RDAP service is governed by the applicable WHOIS/RDAP policy.

8. Data Processing Agreement (AVV)

We conclude legally compliant data processing agreements pursuant to Article 28 GDPR with all service providers who process personal data on our behalf. These providers are contractually obligated to process data solely in accordance with our instructions, implement appropriate security measures, and maintain confidentiality.

Examples of such processors include hosting companies, CRM providers, email providers, or services for automated abuse detection.

9. Transfer to third countries

Data transfers to countries outside the EU/European Economic Area (so-called third countries) only occur if an adequate level of data protection in accordance with Articles 44 ff. GDPR is ensured. This may be guaranteed through an EU Commission adequacy decision, standard contractual clauses, or binding corporate rules.

10. Storage duration

We retain personal data only as long as necessary to fulfill the intended purposes or comply with legal retention periods:

  • Contract and billing data: 10 years
  • Communication and support data: 12–24 months
  • Server and access data: up to 12 months

After these periods, data is deleted or anonymized.

11. Rights of Data Subjects

You have the right to:

  • Access your stored data (Art. 15 GDPR)
  • Rectify inaccurate data (Art. 16 GDPR)
  • Request deletion (“Right to be forgotten”, Art. 17 GDPR)
  • Restrict processing (Art. 18 GDPR)
  • Request data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)

To exercise your rights, please contact: datenschutz@kv-gmbh.de

You also have the right to lodge a complaint with a supervisory authority.

12. IT and Data Security

We implement a wide range of technical and organizational measures to protect your data, including:

  • Encryption of data traffic (TLS/SSL)
  • Multi-level access control systems (e.g., 2-factor authentication)
  • Intrusion detection systems and firewalls
  • Access logging and monitoring
  • Role and rights management based on the “need-to-know” principle

13. Hosting, Logs, and Technical Infrastructure

Our servers are located exclusively in data centers within the EU. When accessing our systems, the following data is automatically logged:

  • IP address
  • Date and time
  • Accessed URL and HTTP status
  • Browser type and version
  • Operating system

These data are used exclusively to ensure operation, troubleshoot issues, and detect abuse, and are not merged with other data sources.

14. Cookies and Similar Technologies

We only use technically necessary cookies that are required for the operation of our website and the provision of basic functions (e.g., session management, login functionality). There is no tracking, profiling, or analysis of user behavior. Consent is not required for these essential cookies pursuant to § 25(2) TTDSG.

15. Automated Decision-Making / Profiling

We do not carry out automated decision-making or profiling pursuant to Art. 22 GDPR. If such processing should occur in the future, we will inform you separately and obtain your consent if legally required.

16. Changes to this Privacy Policy

We reserve the right to amend this privacy policy in the event of legal, technical, or organizational changes. The current version is always available at www.co.de/datenschutz. In the case of fundamental changes, we will actively inform affected persons via email. Accredited registrars are obliged to ensure that domain holders receive the current version of this privacy policy or are appropriately informed about it when registering a subdomain under “co.de”.

Status: May 2025