PRIVACY POLICY

Version: April 2024

1 General Information

1.1 Objective and Responsibility

1. This privacy policy informs you about the nature, scope and purpose of the processing of personal data in relation to our online offer and the associated websites, functions and content (hereinafter collectively referred to as "online offer" or "website"). Details on these processing activities can be found in section 2.

2. Details of data processing for the purpose of carrying out our business processes are described in section 3.

3. KONU LLC (28 Elmwood St #2, Somerville, Massachusetts, 02144, United States) - hereinafter referred to as "Provider", "we" or "us" - is the provider of the online offer and responsible for data protection.

4. Our online offer is provided by Squarespace Ireland Limited (Le Pole House, Ship Street Great, Dublin 8, Ireland).

5. The term ‘user’ encompasses all customers, interested people, employees and visitors of our online service.

1.2 Legal Bases

We collect and process personal data based on the following legal grounds:

1. Consent in accordance with article 6 paragraph 1 lit. a General Data Protection Regulation (GDPR). Consent meaning any freely given, specific, informed and unambiguous indication of agreement, which could be in the form of a statement or any other unambiguous confirmatory act, given by the data’s subject consenting to the processing of personal data relating to him or her.

2. Necessity for the performance of a contract or in order to take steps prior to entering into a contract according to article 6 paragraph 1 lit. b GDPR, meaning the data is required in order for us to fulfil our contractual obligations towards you or to prepare the conclusion of a contract with you.

3. Processing to fulfil a legal obligation in accordance with article 6 paragraph 1 lit. c GDPR, meaning that e.g. the processing of data is required by law or other provisions.

4. Processing in order to protect legitimate interests in accordance with article 6 paragraph 1 lit. f GDPR, meaning that the processing is necessary to protect legitimate interests pursued by us or by a third party, unless such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data.

1.3 Data Subject Rights

You have the following rights with regards to the processing of your data through us:

1. The right to lodge a complaint with a supervisory authority in accordance with article 13 paragraph 2 lit. d GDPR and article 14 paragraph 2 lit. e GDPR.

2. Right of access in accordance with article 15 GDPR

3. Right to rectification in accordance with article 16 GDPR

4. Right to erasure (‘right to be forgotten’) in accordance with article 17 GDPR

5. Right to restriction of processing in accordance with article 18 GDPR

6. Right to data portability in accordance with article 20 GDPR

7. Right to objection in accordance with article 21 GDPR

Notice: Users may object to the processing of their personal data in accordance with legal allowances at any time with effect for the future. The objection may in particular be made against processing for the purposes of direct marketing.

Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

1.4 Data Erasure and Duration of Storage

The personal data of the data subject will be erased or blocked as soon as the purpose of the storage is inapplicable. Storage of data beyond that may occur if such storage is required by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. Blocking or erasure of data also takes place when a retention period mandated by the standards mentioned expires, unless the continued storage of data is required for the conclusion of a contract or the fulfilment of contractual obligations.

1.5 Security of Processing

1. We have implemented appropriate and state-of-the-art technical and organisational security measures (TOMs). Thus, the data that is processed by us is protected against accidental or intentional manipulation, loss, destruction and unauthorized access.

2. These security measures include in particular the encrypted transfer of data between your browser and our server.

1.6 Transfer of Data to Third Parties, Subcontractors and Third Party Providers

1. A transfer of personal data to third parties only occurs within the framework of legal requirements. We only disclose personal data of users to third parties, if this is required e.g. for billing purposes or other purposes, if the disclosure is necessary to ensure the fulfilment of contractual obligations towards the users.

2. If we engage subcontractors for our online service, we have made appropriate contractual arrangements as well as adequate technical and organizational measures with these companies.

3. If we use content, tools or other means from other companies (hereinafter collectively referred to as ‘third party providers’) whose registered offices are located in a third country, it is assumed that a transfer of data to the home countries of these third party providers occurs. The transfer of personal data to third countries takes place exclusively only, if an adequate level of data protection, the user’s consent or another legal permission is present.

2 Concrete Data Processing

2.1 Collection of information for the use of the online offer

1. When using the online offer, information is automatically transmitted to us by the user's browser; this includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

2. The processing of this information is based on legitimate interests pursuant to Article 6 (1) (f) GDPR (e.g. optimization of the online offer) and to ensure the security of the processing pursuant to Article 5 (1) (f) GDPR (e.g. for the defense and reconnaissance of cyberattacks).

3. The information is automatically deleted at latest 30 days after the end of the connection - i.e. use of the online offer - unless otherwise required by retention periods.

4. The collection of data and the storage of data in log files is absolutely necessary for the provision of the online offer. Therefore, there is no deletion, objection or correction option on the part of the user.

2.2 Consent Management by UserCentrics

1. We use the Usercentrics Consent Management Platform as a consent management tool as part of the analytics activities on our website. The Usercentrics Consent Management Platform collects log file and consent data using JavaScript. This JavaScript enables us to inform users about their consent to certain tags on our website and to obtain, manage and document this consent.

2. Therefore we process the following data:

· Consent data or data of consent (anonymized log data (Consent ID, Processor ID, Controller ID), Consent Status, Timestamp).

· Device data (e.g. shortened IP addresses (IP v4, IP v6), device information, timestamp)

· User data (e.g. eMail, ID, browser information, SettingIDs, Changelog)

The ConsentID (contains the above data), the Consent status incl. timestamp are stored in the local memory of your browser and simultaneously on the cloud servers used. Further processing will only take place if you submit a request for information or revoke your consent. In this case, the relevant information is provided to us in a compact data format in an easily readable text form for the purpose of data exchange (JSON file).

3. No user information is stored for the statistics of the use of the granted or not granted consent. Only the frequency and locations of clicks are stored.

4. The personal data is stored on a Google Cloud server located in the EU (Brussels, Frankfurt am Main).

5. The purpose of the data processing is the analysis and management of the consents granted, in order to comply with our obligation of a GDPR compliant consent management. The use of Usercentrics serves the purpose of proving granted and non-granted consents as well as their management.

6. The legal basis for the management of your consents for the processing of your personal data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the legally secure documentation and verifiability of consents, the control of marketing measures on the basis of the consent granted as well as the optimization of consent rates.

7. The data is deleted as soon as it is no longer required. The associated cookie has a term of 60 days. The revocation document of a previously granted consent is kept for a period of three years. The retention is based on the one hand on our accountability pursuant to Art. 5 (2) GDPR.

2.3 Squarespace

1. Data Processing

We host our website at Squarespace Ireland Ltd, Le Pole House, Shipstreet Great, Dublin 8, Ireland (hereinafter: Squarespace). Squarespace a tool for creating and hosting websites. When you visit our website, your data is processed on Squarespace's servers. In this process, personal data may also be transmitted to Squarespace's parent company, Squarespace Inc, 8 Clarkson St, New York, NY 10014, USA. Squarespace also stores cookies that are necessary for the presentation of the site and to ensure security (necessary cookies).

2. Legal Basis and Legitimate Interest

The use of Squarespace is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the most reliable presentation of our website. Insofar as a corresponding consent was requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

3. Data transfer to the U.S. is based on the standard contractual clauses of the EU Commission. Details can be found here:

https://support.squarespace.com/hc/en-us/articles/360000851908-GDPR-and-Squarespace

2.4 Adobe Typekit Web Fonts

1. Data Processing

Our website uses so-called “web fonts“ to correctly display font styles. The web font “Futura PT” and “Adobe Garamond Pro” are provided by Adobe Typekit. To correctly display text and fonts, your browser loads the required web fonts into your browser cache. To execute this function, the browser you are using must connect to the Adobe Typekit servers. Through this connection, Adobe Typekit learns that our website has been accessed through the IP address assigned to you.

2. Legal Basis and Legitimate Interest

Please note that the use of Adobe Typekit Web Fonts is in the interest of a consistent and attractive presentation of our online services. If your browser does not support web fonts, then your device will use a standard font. The above purpose constitutes a legitimate interest in accordance with Art. 6 (1) (f) GDPR.

3. Further Information

For further information on Adobe Typekit Web fonts, please visit https://typekit.com/ as well as the data protection policy of Adobe Typekit, which can be found at https://www.adobe.com/de/privacy/policies/adobe-fonts.html

2.5 Online Marketing

2.5.1 Google AdWords and AdWords conversion tracking

1. We use the online advertising programme "Google AdWords" on our website and, in this context, conversion tracking (= visitor action analysis). Google Conversion Tracking is an analysis service of Google Inc (Google Building, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland).

2. When you click on an advert placed by Google, a cookie for conversion tracking is stored on your computer. These cookies have a limited validity, do not contain any personal data and are therefore not used for personal identification. If you visit certain pages of our website while the cookie is valid, Google and we can recognise that you have clicked on the ad and have been redirected to this page. Each Google AdWords customer receives a different cookie. It is therefore not possible for cookies to be tracked via the websites of AdWords customers.

3. The information obtained with the help of the conversion cookie is used to create conversion statistics. This tells us the total number of users who clicked on one of our adverts and were redirected to a page with a conversion tracking tag. However, we do not receive any information with which users can be personally identified. The processing takes place on the basis of Art. 6 para. 1 lit. GDPR from our legitimate interest in targeted advertising. The information collected with the help of the conversion cookie is used to create conversion statistics. This tells us the total number of users who clicked on one of our adverts and were redirected to a page with a conversion tracking tag. However, we do not receive any information with which users can be personally identified. The processing is carried out on the basis of Art. 6 para. 1 lit. GDPR from our legitimate interest in targeted advertising and in analysing the impact and efficiency of this advertising.

4. You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you on the basis of Article 6(1)(f) GDPR. To do so, you can prevent the storage of cookies by selecting the appropriate technical settings in your browser software. You will then not be included in the conversion tracking statistics. You can also deactivate personalised advertising for you in Google's advertising settings.

2.5.2 LinkedIn Ads

1. We use "LinkedIn Ads", a service provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn Ads processes and stores information about the behaviour of our users. Among other things, cookies are used for this purpose, small text files that are stored locally in the cache of your web browser on your end device and that enable us to analyse the use of our website by our users.

2. We use LinkedIn Ads for marketing and optimisation purposes, in particular to analyse the use of freelancermap and to continuously improve individual functions and the user experience. By statistically evaluating user behaviour, we can improve our offering and make it more interesting for our users. This also constitutes our legitimate interest in the processing of the aforementioned data by the third-party provider. The legal basis is Art. 6 (1) (f) GDPR. In order to comply with the requirements of the GDPR, corresponding standard contractual clauses have been agreed with LinkedIn.

3. You can prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your web browser. We would like to point out that in this case you will not be able to use all the functions of our website to their full extent. You can also prevent the collection of the aforementioned information, in particular by LinkedIn, by clicking on the following link and setting an opt-out cookie: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Please note that this setting will be deleted if you delete your cookies.

4. Further information on data protection at LinkedIn can be found here: https://www.linkedin.com/legal/privacy-policy

2.6 Hubspot CMS

1. Data Processing

We use Hubspot, Inc. as our customer relationship management (CRM) tool at KONU. On our website, Hubspot uses tracking cookies to track site visits and page views on our website. We process the following data: user ID, IP country, IP time zone, referring sites, number of site views, number of visits, timestamps.

2. Legal Basis and Legitimate Interest

These cookies are used to improve your website experience and provide more personalized services to you, both on our website and through other media. The above purpose constitutes a legitimate interest in accordance with Art. 6 (1) (f) GDPR. You may revoke consent for cookies using our Usercentrics Cookie Banner.

3. Further information

The data privacy policy of Hubspot can be found here: https://legal.hubspot.com/privacy-policy

4. Data transfer to the U.S. is based on the standard contractual clauses of the EU Commission. Hubspot is certified under the EU-U.S. Data Privacy Framework. Further information can be found here: https://legal.hubspot.com/eu-us-dpf

2.7 Hubspot Forms

1. Data Processing

We use Hubspot forms to collect information from users through a number of forms on our website (contact us form, post-workshop forms, and open enrollment registration forms). The data collected is the data provided by users filling out the forms (form conversions):

· Contact us form: first and last name, email address, company name, location, role, “how can we help”, “may we add you to our mailing list”, “agree to receive communication from KONU”

· Post-workshop form: first and last name, email address, company name, location, role, “what resonated from the workshop today”, ”are you interested in a 1:1 consultation”, “may we add you to our mailing list”, “agree to receive communication from KONU”

· Workshop registration forms: first and last name, email address, company name, location, role, “discount code”, ”would you like to learn more about our services”, “how did you hear about us”, “agree to receive communication from KONU”

2. Legal Basis and Legitimate Interest

The purpose of data processing is to provide the user with further information on the services they have requested, such as marketing information in order to stay in touch with KONU and/or information on the workshop they have registered for. The legal basis for data processing is freely given consent in accordance with Art. 6 (1) (f) GDPR. You may revoke consent for data processing at any time.

3. Further information

The data privacy policy of Hubspot can be found here: https://legal.hubspot.com/privacy-policy

4. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Hubspot is certified under the EU-U.S. Data Privacy Framework. Further information can be found here: https://legal.hubspot.com/eu-us-dpf

5. Hubspot uses the CloudFlare service to secure the forms. CloudFlare is processing cookies on the basis of the weighing of interests in accordance with Art. 6 (1) (f) GDPR.

2.8 Youtube

1. Data Processing

We have integrated YouTube videos into our website, which are stored on the YouTube platform and can be played directly from our website. YouTube is a service of Google LLC, D / B / A YouTube. 901 Cherry Ave, San Bruno, CA 94066, USA (hereinafter referred to as "Google"). Data about you as a user will only be transferred to Google if you explicitly consent to the use of the video function via our Consent Management System (see paragraph 2.2).

We have no influence on this data transmission. The data transfer takes place regardless of whether Google provides a user account through which you are logged in or whether there is no user account. If you are logged in to Google, your data will be directly assigned to your account.

2. Purposes and Legal Basis

We use YouTube videos on our website to present them in a simple way.

The legal basis for the processing of your personal data is your consent according to Art. 6 para. 1 sentence 1 lit. a) GDPR.

3. During the data transfer to Google, your personal data will be transferred to Google servers, which may also be located in the USA. The USA is a country without a level of data protection adequate to that of the EU. This means, in particular, that the US authorities can access personal data in a simplified manner and that there are limited rights to such measures. When you enable the YouTube video feature, you expressly consent to the transfer of data to Google and to the transfer of your personal data to servers in the United States.

4. If you have given your consent, you have the right to withdraw it at any time without affecting the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

5. Further Information

Further information on data processing, in particular the legal basis and the storage period of Google, can be found in the privacy policy of the provider (https://policies.google.com/privacy) and in the privacy banner on the YouTube platform. There you will also find further information on your rights and setting options to protect your privacy.

Google reloads further services, these include in particular

a. Google Photos

b. Google Fonts

c. DoubleClick

In doing so, Google may also process your data in the USA, a third country without sufficient data protection.

2.9 Google Analytics

1. We use Google Analytics, a web analytics service provided by Google Ireland Limited (Gordon House Barclays Dublin Ireland - hereinafter "Google"), on the basis of your consent for the analysis, optimization and economic operation of our online offer pursuant to Article 6 (1) (a) GDPR. Google uses cookies and other technologies. The information generated by the service about the use of the online offer by users is transmitted to a Google server in the USA and processed there.

2. Google acts on our behalf within the framework of order processing pursuant to Article 28 GDPR. We have concluded a data protection agreement with Google that contains the EU standard data protection clauses.

3. We use Google Analytics with IP anonymization enabled.

4. Google Analytics stores cookies in your web browser for a period of two years since your last visit. These cookies contain a randomly generated user ID that can be used to recognize you on future visits to the website. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offer to Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/¬dlpage/gaoptout?hl=en.

5. The collected data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 14 months. Other data remains stored in aggregated form indefinitely.

6. Further information on data use by Google, settings and revocation options can be found on Google's websites:

https://policies.google.com/technologies/partner-sites?hl=de ("Data use by Google when you use our partners' websites or apps").

https://policies.google.com/technologies/ads ("Data use for advertising purposes").

https://adssettings.google.com/¬authenticated ("Managing information Google uses to serve ads to you").

2.10 Links to other websites

1. While using some of our services, you will be automatically redirected to other websites.

2. Please note that this privacy policy does not apply there. The privacy policy of the linked website may differ considerably from this one.

3 Processing for the purpose of carrying out our business processes

3.1 Inquiry by e-mail, telephone or fax

1. If you contact us by e-mail, telephone or fax, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent, unless it is necessary to pass it on to third parties in order to process your request.

2. The processing of this data is based on Art. 6 (1) lit. b GDPR, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests sent to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if this has been requested.

3. The data you send to us via contact requests remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

3.2 Existing customer advertising

1. Insofar as you have already made use of services from us against payment, we may inform you from time to time by e-mail or letter about similar services from us (in particular new offers), unless you have objected to this.

2. The legal basis for the data processing is Art. 6 (1) (f) GDPR. Our legitimate interest lies in direct advertising (recital 47 GDPR). You can object to the use of your e-mail address and postal address for advertising purposes at any time without additional costs with effect for the future.

4 Processing for the purpose of carrying out our business processes

4.1 Personnel application

For reasons of better readability, the simultaneous use of masculine and feminine and various forms of language is dispensed with - within the framework of the following explanations. All references to persons apply to all genders: m/f/d.

4.1.1 Direct applications

1. We offer you the opportunity to apply to us (e.g. by e-mail or post). In the following, we inform you about the scope, purpose and use of your personal data collected during the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other legal provisions and that your data will be treated in strict confidence.

2. Scope and purpose of data collection

If you send us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes taken during interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is Art. 6 para. 1 lit. b GDPR (general contract initiation) and - if you have given your consent - Art. 6 para. 1 lit. a GDPR. The consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

3. If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Art. 6 para. 1 lit. b GDPR for the purpose of implementing the employment relationship.

4. Storage period of the data

5. If we are unable to make you a job offer, if you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted for up to 6 months from the end of the application process (rejection or withdrawal of the application) on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR). The data will then be deleted and the physical application documents destroyed. This storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for further storage no longer applies.

Longer storage may also take place if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if legal storage obligations prevent deletion.

4.1.2 Inclusion in the applicant pool

1. If we do not make you a job offer, we may be able to include you in our applicant pool. In the event of inclusion, all documents and details from the application will be transferred to the applicant pool in order to contact you in the event of suitable vacancies.

2. The inclusion in the applicant pool is based exclusively on your express consent (Art. 6 para. 1 lit. a GDPR). The provision of consent is voluntary and is not related to the current application process. The person concerned can revoke his/her consent at any time. In this case, the data from the applicant pool will be irrevocably deleted, unless there are legal reasons for retention.

3. The data from the applicant pool will be irrevocably deleted no later than two years after consent has been given.

5 Cookies

5.1 General Information

1. Cookies are information transmitted by our web server or third-party web servers to the users' devices where they are stored for later retrieval. Cookies can be in the form of small files or any other types of information storage.

2. In the case that users do not want that cookies are stored on their device, they will be asked to disable the corresponding option in their browser's system settings. Saved cookies may be deleted in the system settings of the browser. The exclusion of cookies can lead to functional impairments of this online service.

5.2 Cookie overview, objection

1. You can find an up-to-date overview of the cookies used on this website in the consent management platform "Usercentics" (see paragraph 2.2.).

2. You can also manage your individual consents or preferences there.

6 Changes to the Data Privacy Policy

1. We reserve the right to change this Data Privacy Policy with regards to the data processing, in order to adapt it to changed legal situations, to changes of the online service or of the data processing.

2. If users' consents are required or if elements of the Data Privacy Policy contain provisions in regards to the contractual relationship with the users, the changes will only be made with the consent of the users.

3. Users are requested to keep themselves informed about the content of this Data Privacy Policy on a regular basis.