Privacy Policy

We are pleased that you are visiting our website “www.kodiak.eu” and thank you for your interest.

We, KODIAK GmbH, Brandsende 12, 20095 Hamburg (“KODIAK”, also “we”, “us”, “our”) process your personal data only in accordance with statutory regulations, in particular with Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR) and the German Federal Data Protection Act (BDSG).

This Privacy Policy informs you about the processing of your personal data and your rights as a data subject when:

You use our website kodiak.eu (Section 2-3);
You contact us via e-mail or contact form (Section 4);
You contact us for business purposes via other means (Section 5);
You conclude a contract with us (Section 6);
You use social media plugins or video content on our website (Section 7);
You visit our presences on social media (Section 8); or
You apply for a position in our company (Section 9).

Furthermore, you will find more detailed information below regarding the recipients of your personal data within the EEA and in third countries (see Section 10), the deletion of your personal data and retention periods (see Section 12), your rights as a data subject (see Section 13), and automated decision-making (Section 14).

1. Controller and Data Protection Officer

The controller responsible under data protection law for the data processing described in this Privacy Policy is:

KODIAK GmbH Brandsende 12 20095 Hamburg Phone: +49 (0) 40 739 298 67 E-mail: info@kodiak.eu

You can reach our Data Protection Officer at: KODIAK GmbH, Datenschutzbeauftragter, Brandsende 12, 20095 Hamburg, mail@planit.legal.

2. Data processing when using our website

When you use our website, we may process the following categories of data. These data may involve personal data.

2.1. Internet connection data

In the case of purely informational use of our website, i.e., if you do not register or otherwise transmit information to us, we only process such data that your browser automatically transmits to our server (so-called “server log files”).

When you visit our website, we collect the following data, which is technically necessary for us to display our website to you:

Name of the accessed website
Date and time at the time of access
Amount of data sent in bytes
Source/reference from which you came to the page
Browser (type) used
Operating system used
IP address used (if applicable: in anonymized form)

The processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. We store this data for this purpose for a period of up to six months.

2.2 Accesses and storage on your terminal device (“Cookies”)

In order to make the visit to our website attractive and to enable the use of certain functions, we use cookies on various pages. These are small text files that are stored on your terminal device. We also use similar technologies such as local storage, pixels, or tags, which we collectively refer to as “cookies” in the following.

These technologies make it possible to store information on your terminal device (e.g., in your browser) or to read it from there. A basic distinction is made between two types:

Transient cookies: Some of the cookies we use are deleted after the end of the browser session, i.e., after you close your browser, and are therefore not stored permanently.
Persistent cookies: Other cookies remain on your terminal device and enable us to recognize your browser on your next visit. Persistent cookies are automatically deleted after a specified duration, which may vary depending on the cookie.

In the following, we explain which types of cookies we use and how you can make and adjust your selection in this regard:

2.3 Technically necessary cookies

In certain cases, the storage of information on your terminal device or access to information already stored on your terminal device is absolutely necessary so that we can make our website available to you for use (“Technically necessary cookies” and/or “Essential cookies”).

For example, our website uses the technically necessary Borlabs Cookie to obtain your consent for the storage of certain cookies in your browser and to document this in compliance with data protection regulations.

Since these cookies are absolutely necessary, they do not require your consent. The legal basis for storing and reading this information on your terminal device is Section 25 (2) No. 2 of the German Telecommunications-Digital Services Data Protection Act (TDDDG).

Insofar as personal data is processed by these technically necessary cookies, this is done on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in ensuring the basic functionality, stability, and security of our website and fulfilling our documentation obligations under data protection law.

2.4 Optional cookies

We only use cookies and comparable storage technologies that are not technically necessary (“Optional cookies”) with your consent.

When you access our website for the first time, we display a so-called cookie banner (consent management tool). There we inform you about the optional cookies we use and give you the opportunity to decide which optional cookies you wish to agree to (there the category “External Media”).

A detailed list of the cookies and services used, the respective providers, and the storage periods can be found directly in the settings of our consent management tool.

When you visit our website for the first time, an information banner (“Cookie Banner”) will be displayed. There you have the choice:

“Accept all”: By clicking on this button, you consent to the use of all cookies used on our website (including the optional ones).
“Accept only essential cookies”: With this selection, you reject all optional cookies. In this case, only the technically necessary cookies described under 2.3 will be set.
“Individual settings”: Here you can select in detail which individual services you would like to consent to.

The legal basis for the storage and reading of information for these optional cookies is your consent in accordance with Section 25 (1) TDDDG. The legal basis for the subsequent processing of the personal data collected thereby is also your consent in accordance with Art. 6(1)(a) GDPR.

Some of our partners are located or process data in countries outside the EU and the EEA (so-called third countries), such as the USA. For the transfer of your data to our partners, particularly in the USA, we use the following secure mechanisms provided for by the GDPR:

Adequacy decision for the USA (Data Privacy Framework): A large part of our US service providers are certified under the EU-U.S. Data Privacy Framework (DPF). The European Commission has issued an adequacy decision for this agreement (pursuant to Art. 45 GDPR). This decision confirms that personal data transferred to DPF-certified companies in the USA enjoy a level of protection comparable to that in the EU.
Standard Contractual Clauses: If a partner is not certified under the Data Privacy Framework or is located in another country without an adequacy decision, we conclude the Standard Contractual Clauses issued by the EU Commission (pursuant to Art. 46 GDPR). These contractual obligations ensure that the protection of your data also complies with European standards outside the EU.

Your consent is voluntary. You can revoke your consent at any time with effect for the future without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation.

To do this, please click on “Settings” in the cookie banner or in the footer at the very bottom of our website on:

Via this link, you will reach your pre-configured cookie settings. There you have the option to revoke or re-grant your previously given consent. You can also select or deselect individual cookies or services there.

In addition to our cookie banner, you can limit your consent to the setting of cookies in whole or in part by configuring your browser settings accordingly and deactivating the setting of cookies in whole or in part. In addition, you can install a plugin in your browser to protect your privacy, which offers the possibility to prevent web analysis – e.g., AdBlock, Ghostery, or NoScript (please note the privacy notices of the respective plugin provider).

Furthermore, some web analysis providers are members of industry associations via whose websites you can centrally prevent usage-based online advertising and web analysis by the respective members. Below you will find the websites of these associations for convenient cross-provider prevention of web analyses. In this way, you can also prevent the creation of pseudonymous user profiles.

“European Interactive Digital Advertising Alliance” (EDAA): http://www.youronlinechoices.com/de/praferenzmanagement/
“Digital Advertising Alliance” (DAA): www.aboutads.info/choices/
“Network Advertising Initiative” (NAI): http://optout.networkadvertising.org/?c=1

If you do not declare your consent to the use of cookies or delete cookies from your terminal device, this may impair your ability to use the website or individual functionalities.

2.5 Use of the Consent Management Tool “Borlabs Cookie”

To meet the legal requirements for cookie consent management, we use the “Borlabs Cookie” tool on our website. The provider is Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany.

Borlabs Cookie provides the user interface (cookie banner) through which we can obtain your consent for the storage of technically unnecessary cookies and for the use of external services, manage these, and document them in compliance with data protection regulations.

When you visit our website, Borlabs Cookie stores a technically necessary cookie (borlabs-cookie) in your browser to save your settings. The consents you have given or revoked are documented in this cookie. The data collected in this context usually includes a randomly generated and anonymous user ID, the settings you have selected (e.g., which categories you have accepted), as well as the date and time of your consent. This data is not used to identify you personally or to analyze your surfing behavior.

The use of Borlabs Cookie and the storage of the borlabs-cookie are technically necessary to comply with our legal obligations. Without this tool, we cannot obtain and prove the required consents in a legally secure manner. The storage of the borlabs-cookie in your browser is therefore based on Section 25 (2) No. 2 TDDDG, as it is absolutely necessary to provide the service requested by you (the management of your privacy settings).

The subsequent processing of your consent data is based on Art. 6(1)(c) GDPR (fulfillment of a legal obligation), as we are legally obliged to be able to prove effective consent (obligation to provide proof pursuant to Art. 5(2) GDPR).

Your consent settings are stored in the borlabs-cookie in your browser for a period of up to one year. After this period has expired or if you manually delete the cookies in your browser, you will be asked for your consent again the next time you visit our website.

3. GTranslate

In the event of your consent, we use the GTranslate service of GTranslate Inc., 4394 NW 120th Ave, Coral Springs, FL 3065, USA (“GTranslate”) for the automatic translation of the contents of our website.

In the context of providing the translation function, GTranslate collects data regarding your use of our website. When you call up a page that is translated via GTranslate, your browser establishes a direct connection to the servers of GTranslate and, if applicable, to the servers of third-party providers of translation technologies (such as Google Translate). In doing so, your IP address as well as the URL of our website accessed by you are transmitted to these servers. This is technically necessary to display the translated contents to you in your browser. GTranslate may also collect technical information about your browser and operating system.

GTranslate provides us with this technology to make our website accessible in various languages and thus offer an international audience a better user experience. You can view the privacy policy of GTranslate here.

The data collected by means of GTranslate is stored on servers in the USA. We base the transfer of your personal data to the USA on appropriate guarantees in the form of Standard Contractual Clauses pursuant to Art. 46 GDPR, which were concluded with GTranslate Inc.

4. Contact via contact form

In the context of contacting us via the contact form, personal data is processed. In this case, we collect your first and last name, your e-mail address, and the content of your request.

We store and use this data exclusively to answer your request or to contact you and for the associated technical administration. Since our offers are aimed exclusively at business customers, the legal basis for this data processing is our legitimate interest pursuant to Art. 6(1)(f) GDPR. Our legitimate interest is to process your request efficiently and to initiate, implement, or maintain the business relationship with your company. We assume that your interests as a person acting in a professional capacity do not outweigh our interest in business communication.

5. Data processing for business contacts outside the website

We also process personal data outside our website when you or your company contact us. This happens, for example, by telephone, by post, by e-mail, or when you hand us your business card at trade fairs and events.

In these cases, we usually collect your business contact details (such as name, position in the company, e-mail address, telephone number) as well as the information relating to your specific request.

The processing of this data is carried out to process your inquiry, to maintain and expand our business relationship, or to initiate a contract with the company for which you work. Since our offers are aimed exclusively at business customers, we base this processing on our legitimate interest in the professional and efficient maintenance of our business contacts pursuant to Art. 6(1)(f) GDPR.

You can object to this data processing under the conditions of Art. 21(1) GDPR. Detailed information on your right to object according to Art. 21 GDPR can be found in Section 13 “Your rights as a data subject” of this Privacy Policy.

6. Data processing during contract initiation and implementation

Since our offers are aimed exclusively at business customers (B2B), we process personal data for the initiation, implementation, and execution of contracts with companies. In doing so, we process the data of the respective contact persons, representatives, or employees of our business partners (e.g., name, business contact details, position in the company, contract and communication data).

The processing of this data is essential for smooth business processing. The legal basis is our legitimate interest in the initiation, implementation, and maintenance of the contractual relationship with the company for which you work (pursuant to Art. 6(1)(f) GDPR).

Since this processing is based on our legitimate interest, you generally have a right to object. Detailed information on your right to object according to Art. 21 GDPR can be found in Section 13 “Your rights as a data subject” of this Privacy Policy.

7. Use of Social Media Plugins and Video Content (Two-Click Solution)

On our website, we offer you the opportunity to share content via social networks such as LinkedIn or to display external media content (e.g., videos) directly. For this purpose, we use privacy-friendly technologies that function according to the principle of the “two-click solution” (also known as the “Shariff” solution) to protect your privacy.

This means that when you merely access our website, basically no personal data is transmitted to the respective third-party providers. The corresponding elements are deactivated by default and do not establish a connection to the servers of the providers. Only when you click on one of the buttons or the preview image of a video and thereby activate it (first click), do you give your consent to the data transfer. A connection to the server of the respective provider is then established.

In the case of social media buttons, you can perform the desired action (e.g., share the content) with a second click; in the case of videos, the content is loaded and played after activation.

The legal basis for the data transfer to the third-party provider after your activation is your consent pursuant to Art. 6(1)(a) GDPR as well as Section 25 (1) TDDDG. You can revoke your consent at any time for the future by reloading the page.

After activation, we no longer have any influence on the scope of the data that the respective network collects and processes. Please refer to the privacy policies of the respective provider for the purpose and scope of data collection as well as your rights in this regard:

LinkedIn: Provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The data transfer to the parent company in the USA, LinkedIn Corporation, is based on its certification under the EU-U.S. Data Privacy Framework. Privacy Policy: https://www.linkedin.com/legal/privacy-policy/de-de
YouTube: We embed videos from the YouTube platform. Here we use the “extended data protection mode” (Domain: https://www.youtube-nocookie.com). According to YouTube, no cookies are set in this mode to analyze user behavior as long as you do not play the video. Nevertheless, data is stored in the local storage of your browser when accessing and playing to ensure technical functions (e.g., bandwidth settings or playback preferences). Provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The data transfer to the parent company in the USA, Google LLC, is based on its certification under the EU-U.S. Data Privacy Framework. Privacy Policy: https://policies.google.com/privacy?hl=de

8. Joint responsibility with operators of social networks

We maintain company pages on the social networks of LinkedIn. As the operator of these pages, we are jointly responsible with the respective operator of the social network

LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, D02 AD98, Ireland; Parent company: LinkedIn Corporation, 1000 West Maude Avenue Sunnyvale, California 94085 USA

for the collection (but not for the further processing) of the data of visitors to our company pages within the meaning of the GDPR.

The data collected includes:

Information on the types of content that visitors view or interact with, or the actions taken by them,
Information about the devices used by visitors (e.g., IP addresses, operating system, browser type, language settings, cookie data).

Social networks also collect and use information to provide analysis services, so-called “Page Insights”, for page operators so that they obtain insights into how people interact with their pages and with the content associated with them.

We have concluded a special agreement with the operator of the social network: https://de.linkedin.com/legal/l/dpa?

These agreements regulate in particular which security measures the operator must observe and in which the operator has agreed to fulfill the rights of the data subjects (i.e., users can, for example, direct requests for information or deletion directly to the operator of the social network).

The rights of visitors (in particular to access, deletion, objection, and complaint to the supervisory authority) are not restricted by the agreements with the respective operator. You can assert your rights (access, rectification, deletion, restriction of processing, data portability, objection, and complaint) both against us and against the respective operator of the social network.

Purposes of processing: Contact requests and communication, tracking (e.g., interest/behavior-based profiling, use of cookies), remarketing, reach measurement (e.g., access statistics, recognition of returning visitors).

Legal basis: The legal basis for data processing is our legitimate interest in the most comprehensive possible presence of our offer and our company on the Internet as well as the opportunity to communicate with you via social networks (Art. 6(1)(f) GDPR).

Data subjects: Website visitors, visitors to our company pages in social networks.

In the case of LinkedIn, it is possible that some of the collected information is also processed outside the EU and the EEA, e.g., in the USA. The EU Commission determined in its adequacy decision of July 10, 2023, that the level of data protection in the USA is comparable to that in the EU. LinkedIn Corp. is certified under the EU-U.S. Data Privacy Framework underlying the decision of the EU Commission.

9. Data processing in connection with an application process for a KODIAK position

You have the opportunity to apply for employment in our company via the online form integrated on our website.

In order to be included in the application procedure, applicants must provide us with certain personal data required for a well-founded and informed assessment and selection. This personal data includes general personal details (first and last name, address, telephone number, e-mail address) as well as performance-specific evidence of the qualifications required for a position (curriculum vitae data, e.g., school education, vocational training, professional experience, language skills, possibly profiles in social networks (e.g., XING, LinkedIn, Facebook) as well as documents in connection with applications (application photos, cover letters, certificates, references, work samples, etc.)).

The legal basis for this processing for the purposes of carrying out the application procedure and initiating an employment relationship is Art. 6(1)(b) GDPR. If consent pursuant to Art. 6(1)(a) GDPR is required for a specific processing activity, this will be obtained from you separately and transparently.

10. Recipients of your personal data and third country transfers

We use various technical service providers for the processing of your personal data, who take over the hosting of our website for us, provide us with IT services as well as cloud and SaaS services, take over IT support and maintenance for us, but who are also sales partners and with whom we work together to provide services.

Insofar as these service providers can have access to your personal data, they process your data within the framework of data processing agreements (Art. 28 GDPR) that we have concluded with these companies.

We may transfer your personal data in this context to processors or sub-processors in countries outside the European Union (“EU”) and the European Economic Area (“EEA”), in particular to the USA.

These data transfers generally take place on the basis of the adequacy decision of the EU Commission of July 10, 2023 (C(2023) 4745). Our service providers are generally certified under the EU-U.S. Data Privacy Framework. If this is not the case, we ensure appropriate guarantees within the meaning of Art. 46 GDPR. This may include the conclusion of the Standard Contractual Clauses of the EU Commission and, if applicable, additional necessary measures to ensure an appropriate level of data protection.

11. Security

For security reasons and to protect the transmission of your personal data and other confidential content (e.g., orders or inquiries to the controller), our website uses SSL or TLS encryption. You can recognize an encrypted connection by the character string https:// and the lock symbol in your browser line.

12. Deletion of your personal data

We delete your personal data as soon as its processing is no longer necessary for the purposes explained in this Privacy Policy. Specific information on the storage duration for individual processing operations can be found, if applicable, in the corresponding sections of this Privacy Policy.

If and as long as statutory retention obligations oppose deletion, we limit the processing of your data to this archiving purpose (so-called data blocking) and delete your data upon expiry of the retention period. Such retention obligations exist under German commercial and tax law, in particular for business letters for six years at the end of the year and for accounting-relevant documents for ten years. The periods begin in each case at the end of the calendar year in which the document in question was created or received.

13. Your rights as a data subject

As a data subject of the data processing of our company, you have the following rights under the respective statutory conditions:

The right to confirmation as to whether we process your personal data (Art. 15 GDPR);
The right to access your personal data processed by us and to a copy of the data (Art. 15 GDPR);
The right to rectification in the event that your personal data is incorrect (Art. 16 GDPR);
The right to erasure of your personal data (Art. 17 GDPR);
The right to restriction (blocking) of your personal data (Art. 18 GDPR);
And the right to data portability (Art. 20 GDPR).

In the case of processing of your personal data on the basis of Art. 6(1)(f) GDPR, you can also object to the processing in question under the conditions of Art. 21(1) GDPR.

If the processing is based on your consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, you can revoke your consent at any time with effect for the future (Art. 7(3) GDPR).

Please note that we will continue to keep your consent in the event of a revocation. This is because we must be able to prove the consent even after a revocation and the deletion of your personal data. The legal basis for the (also continued) retention of the consent is Art. 6(1)(c) in conjunction with Art. 5(1)(a), (2), Art. 7(1) GDPR and Art. 6(1)(f) GDPR.

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

14. No automated individual decision-making

Your personal data is not used for automated individual decision-making within the meaning of Art. 22(1) GDPR.

15. Changes to the Privacy Policy

New legal requirements, corporate decisions, or technical developments may require changes to this Privacy Policy. The Privacy Policy will then be adapted accordingly. You will always find the current version on our website.

Status: November 2025

GET THE KODIAK PROJECT POWER

Learn more about how we can support you with a customized solution across all project phases and their changing complexity.

Privacy Policy

GET THE KODIAK PROJECT POWER

KODIAK GmbH

HAMBURG OFFICE

BERLIN OFFICE

GRIMMEN OFFICE

Menu