Privacy Policy

In the following, we provide information about the collection of personal data when using our website and within the scope of our services and

1. Controller and Data Protection Officer

The controller is


Gotzinger Str. 8, 81371 Munich, Germany

[email protected]

To ask questions or make comments about this policy and our privacy practices, including information regarding your privacy rights, contact us as follows:

By post: KAYA GmbH, Weiglstraße 19, Munich 80636

Attn: Data Protection Officer

By e-mail: [email protected]

2. Collection of personal data when visiting our website

2.1 Data

We generally only process data that we receive directly from you. In the case of mere informational use of the website, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (legal basis is Art. 6 (1)(f) General Data Protection Regulation (“GDPR”)):

·       IP address

·       Date and time of the request

·       Time zone difference from Greenwich Mean Time (GMT)

·       Content of the request (specific page)

·       Access status/HTTP status code

·       Amount of data transferred in each case

·       Website from which the request comes

·       Browser

·       Operating system and its interface

·       Language and version of the browser software.

2.2 Share buttons (Facebook, LinkedIn, Twitter)

Furthermore, we use so-called share functions for the networks of Facebook, LinkedIn and Twitter. So-called “share buttons” are technologies that enable you as a user to make certain content known to members of social networks via a direct connection. To integrate the share button, we use a technical solution that prevents data (e.g. IP address) from being transmitted to social networks such as Facebook as soon as you open our website. This means that the buttons are deactivated by default. They are only activated the first time you click on the buttons. We have no influence on the scope of the data that Facebook, LinkedIn and Twitter collect using the plug-ins. However, we would still like to inform you about this as far as we are able to.

By activating the share function, providers receive the information that a user has called up the relevant page of the offer. If the user is logged in, the visit can be assigned to the user account. When users interact with the buttons, for example by pressing the Like button or posting a comment, the corresponding information is transmitted directly from your browser to Facebook, LinkedIn or Twitter and stored there. If a user is not a member of Facebook, LinkedIn or Twitter, there is still the possibility that the provider will find out his IP address and store it. Further information on data processing by the provider of the social media platform can be found in the provider’s privacy policy:

·       Facebook:

·       LinkedIn:

·       Twitter:

If a user is a member of the providers and does not want Facebook, LinkedIn and Twitter to collect data about him or her through this offer and link it to his or her membership data, he or she must log out before visiting the website and before activating the share function. The legal basis for this processing is Art. 6 (1) (f) GDPR.

2.3 Akismet Anti-Spam

We use the Akismet plugin from Automattic Inc, 60 29th Street #343, San Francisco, CA 94110-4929, US. With the help of this plugin, comments from real people are distinguished from spam comments. For this purpose, all comment details are sent to a server in the US, where they are analyzed and stored for four days for comparison purposes. If a comment has been classified as spam, the data is stored beyond this time. This information includes the name entered, the email address, the IP address, the comment content, the referrer, information about the browser used as well as the computer system and the time of the entry. You are welcome to use pseudonyms. You can completely prevent the transfer of data by not using our commenting system. That would be a pity, but unfortunately we do not see any other alternatives that work just as effectively. You can object to the use of your data for the future at [email protected], subject “Deletion of Data stored by Akismet” under specification/description of the stored data.

3. Collection of personal data via further functions and offers of our website

In addition to the purely informational use of our website, we offer various services that you can use if you are interested. For this purpose, you usually have to provide further personal data, which we use to provide the respective service and for which the aforementioned data processing principles apply.

3.1 Newsletter

You can subscribe to our newsletter with which we inform you about our current interesting offers. If you wish to subscribe to our newsletter, you must provide your e-mail address at which you wish to receive the newsletter. The newsletter will only be sent with your explicit consent. After entering your e-mail, you will receive a confirmation e-mail to the e-mail address provided. The newsletter will only be sent after an explicit confirmation by clicking on a link in the confirmation e-mail (so-called double opt-in). The provision of further, separately marked data is voluntary and will be used to address you personally. After your confirmation, we store your e-mail address for the purpose of sending the newsletter. The legal basis is Art. 6 (1) (a) GDPR.

You can revoke your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. You can do so by clicking on the link provided in each newsletter email or by sending a message to the contact details provided above.

3.2 When you contact us

When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, name and telephone number, if applicable) will be stored by us in order to answer your questions. We delete the data accruing in this context after the storage is no longer necessary or restrict the processing if there are legal retention obligations. The legal basis is Art. 6 (1) (b), (f) GDPR.

3.3 Data processing of applicants

You also have the option of applying for open positions with us via our website ( We process your personal data to the extent that it is required to carry out the application process. This includes the following categories of data:

  • Applicant master data (first name, last name, address, job position)
  • Qualification data (cover letter, CV, previous activities, professional qualification)
  • (Job) references and certificates (performance data, assessment data, etc.)
  • Voluntary information, such as an application photo, details of severely disabled status or other information that you provide to us voluntarily in your application.

In general, we only process the personal data that we receive from you as part of the application process. We process your personal data in particular in compliance with the GDPR and the Federal Data Protection Act (“BDSG”) as well as all other applicable laws.

Data processing for the purpose of the application relationship (Section 26 (1) BDSG)

Personal data of applicants may be processed for the purpose of the application procedure if this is necessary for the decision on the establishment of an employment relationship with us. The necessity and scope of the data collection will be assessed, among other things, according to the position to be filled. If the position you are applying for involves particularly confidential tasks or increased personnel and/or financial responsibility, a more extensive collection of data may be necessary. For example, we ask our applicants to provide us with their police clearance certificate. In order to comply with data privacy law, such data processing will take place only after the selection of applicants has been completed, immediately before you are hired, or only after you have been hired. After completion of the application process, your application documents will be stored for a maximum of six months

Processing based on your consent (Art. 6 (1) (a) GDPR, Section 26 (2) BDSG)

If you have given us your voluntary consent to the collection, processing or transmission of certain personal data, then this consent forms the legal basis for the processing of this data. We process your personal data on the basis of consent given by you if you would like to be included in our applicant pool. In that case, we store the application documents beyond the current application procedure for consideration in subsequent application procedures. 

Based on our legitimate interest (Art. 6 (1) (f) GDPR)

In certain cases, we process your data to protect a legitimate interest of ours or of a third party, namely to defend legal claims in proceedings under the General Equal Treatment Act (“AGG”). In the event of a legal dispute, we have a legitimate interest in processing the data for the purpose of evidence.

Is there an obligation to provide your personal data?

The provision of personal data is neither legally nor contractually required, nor are you obliged to provide the personal data. However, the provision of personal data is necessary for the completion of the application process. This means that if you do not provide us with personal data when applying, we will not be able to carry out the application process.

4. Recipients of personal data

We only process your data for the purposes communicated in this privacy policy and we only pass it on to service partners if they are acting on our behalf. Processing of your personal data by commissioned service providers is carried out within the framework of the legal requirements (pursuant to Art. 28 GDPR). The service providers we use are only given access to such personal data that is necessary for the performance of the respective activity. These service providers are prohibited from disclosing your personal data or using it for other purposes, in particular for their own promotional purposes. Insofar as external service providers come into contact with your personal data, we have taken legal, technical and organizational measures, as well as regular checks, to ensure that they also comply with the applicable data protection regulations.

We only pass on data to third parties if we have a legal basis for doing so. We do not pass on your personal data commercially to other companies.

In addition to the cases already listed, we use external service providers from the following areas:

·       IT service providers (e.g. maintenance service providers, hosting service providers)

·       Service providers for file and data destruction

·       Printing services

·       Advice and consulting

·       Service providers for marketing or sales

·       Logistics service providers

In addition, we may be obliged to transfer your personal data to further recipients, such as authorities for the fulfillment of legal notification obligations. These are usually tax authorities on the basis of tax law requirements.

5. Transfer of personal data outside of the European Union

Countries outside the European Union (and the European Economic Area “EEA”) handle the protection of personal data differently than countries within the EU. Data processing outside the EU is only permitted if the level of protection of your data guaranteed by the GDPR is also maintained outside the EU. We have therefore taken special measures to ensure that your personal data is processed in third countries as securely as within the European Union. Insofar as we process data in a third country – i.e. outside the EU or EEA – or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this is only done in accordance with the legal requirements. We therefore only transfer your data to third countries if we either have your express consent to do so, or if this is contractually or legally required. With service providers in third countries, we conclude the Standard Contractual Clauses provided by the Commission of the European Union. These clauses provide appropriate safeguards for the protection of your data with third country service providers. It is true that the European Court of Justice (ECJ) declared the EU-U.S. Privacy Shield agreement invalid in its ruling of July 16, 2020 (Case C-311/18; so-called Schrems II). At the same time, however, the ECJ also ruled that the Commission Decision on Standard Contractual Clauses (2010/87/EU) remains valid in principle, so that standard contractual clauses for a transfer of personal data to third countries can in principle continue to be used.

6. Security measures

All appropriate measures are taken to preserve data security and confidentiality and, in particular, to prevent damage or unauthorized access by third parties. Accordingly, technical and organizational measures are implemented by us to ensure an adequate level of security appropriate to the risks.

7. Your personal data rights

Users have the following personal data rights:

·       right of access;

·       right to rectification;

·       right to erasure – this right can be exercised as long as it does not affect the performance of the contract or compliance with our legal and regulatory obligations;

·       right to restriction of processing;

·       right to modify and/or withdraw consents (to be exercised at any time) with respect to the processing of personal data based on your consent;

·       right to object to processing of personal data;

·       right to data portability.

All users also have the right to give general and/or specific instructions about what happens to their personal data and how they would like their rights to be exercised after their death. Users also have the right to lodge a complaint with the competent authority.

8. Changes to this privacy policy

This policy is designed to be dynamic and is therefore liable to change. In the case of minor changes, the new policy will be published on the website under the relevant section. In the case of substantial changes, such as changes to the purposes of processing or to the procedures for exercising your rights, you will be duly notified of those changes.