Data Privacy
1. Introduction
This Privacy Policy explains how Cosuno Ventures GmbH (“Cosuno”, “we”, “us”, or “our”) collects, uses, and protects your personal data when you visit our website at www.cosuno.com or use our platform at app.cosuno.com (collectively, the “Services”).
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable German data protection laws.
2. Controller
The data controller responsible for processing your personal data is:
Cosuno Ventures GmbH
Boxhagener Str. 77-78
10245 Berlin
Germany
Email: info@cosuno.de
3. Data Protection Officer
Our external data protection officer can be reached at:
Kertos GmbH
Brienner Str. 41
80333 Munich
Germany
Phone: +49 171 771 0207
Website: www.kertos.io
Email: datenschutz@cosuno.de
4. Data We Collect
4.1 Account & Profile Data
Personal information you provide when creating and using your account, such as name, email address, phone number, job title, and login credentials (passwords are stored in hashed form only).
4.2 Company & Business Data
Information about your organization, including company name, address, registration and tax details, trade specializations, and company profile information. For subcontractors, this may also include compliance certificates and qualification documents.
4.3 Tender & Project Data
Data generated through use of the platform's core features, including project details, bid package information, bills of quantities, bid submissions and pricing, contract documents, and invoicing data.
4.4 Contact Data
Contact information for business partners that users store on the platform, such as name, email address, phone number, and job title. For such data, Cosuno acts as a data processor on behalf of the customer. The customer is responsible for ensuring they have the appropriate legal basis to store this data.
4.5 Communication Data
Messages sent through in-app communication features, support conversations via our chat widget, contact form submissions on our website, and email correspondence with our team.
4.6 Payment & Billing Data
Billing address, subscription plan details, and payment transaction records. Credit card numbers and payment credentials are processed directly by our payment provider (Chargebee) and are not stored on our servers.
4.7 Usage & Technical Data
Information collected automatically when you interact with our Services, such as IP address, browser type, operating system, pages visited, features used, and interaction patterns.
4.8 Cookies
We use cookies and similar technologies as described in Section 8 below.
4.9 Obligation to Provide Data
Providing your personal data is necessary to enter into and perform the contract with us. If you do not provide the required data, we may not be able to create your account or provide our Services.
5. Purposes and Legal Bases for Processing
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and maintaining the platform (account management, tender workflows, bid management) | Performance of contract — Art. 6(1)(b) |
| Processing payments and subscriptions | Performance of contract — Art. 6(1)(b) |
| Sending transactional emails (bid invitations, status updates, notifications) | Performance of contract — Art. 6(1)(b) |
| Customer support via chat and email | Performance of contract — Art. 6(1)(b) |
| Ensuring platform security and preventing fraud | Legitimate interest in protecting our Services and users — Art. 6(1)(f) |
| Monitoring platform performance and resolving errors | Legitimate interest in maintaining service quality and reliability — Art. 6(1)(f) |
| Analyzing usage patterns to improve our Services | Consent — Art. 6(1)(a) |
| Displaying your company profile on the Cosuno Marketplace | Performance of contract — Art. 6(1)(b) |
| Marketing communications and newsletters (see Section 9) | Legitimate interest — Art. 6(1)(f) GDPR |
| Compliance with legal obligations (e.g., tax records, accounting) | Legal obligation — Art. 6(1)(c) |
| Electronic contract signing | Performance of contract — Art. 6(1)(b) |
| Product announcements and feature updates | Legitimate interest in keeping users informed about the software they use — Art. 6(1)(f) |
6. Data Sharing and Recipients
We share your personal data with the following categories of recipients, solely to the extent necessary for the purposes described above:
6.1 Website Services
| Service | Provider | Purpose | Data Processing Location |
|---|---|---|---|
| Webflow | Webflow, Inc. | Website hosting and content management | USA |
| Google Analytics | Google LLC | Website analytics and traffic analysis | USA |
| Google Tag Manager | Google LLC | Tag management for website scripts | USA |
| ActiveCampaign | ActiveCampaign, LLC | Email marketing and automation | USA |
| Salesloft | Salesloft, Inc. | Sales engagement and outreach | USA |
| Intercom | Intercom, Inc. | Customer support chat and messaging | USA |
| Usercentrics | Usercentrics GmbH | Cookie consent management | Germany |
6.2 Platform Services
| Service | Provider | Purpose | Data Processing Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Amazon Web Services EMEA SARL | Platform hosting and infrastructure | Germany |
| DataDog | Datadog, Inc. | Application monitoring and performance logging | Germany |
| Sentry | Functional Software, Inc. | Error tracking and diagnostics | Germany |
| PostHog | PostHog, Inc. | Product analytics and usage tracking | Germany |
| LaunchDarkly | Catamorphic, Co. | Feature flag management | USA |
| Estuary | Estuary Technologies, Inc. | Data pipeline and analytics | Germany |
| dbt Cloud | dbt Labs, Inc. | Data transformation and analytics | USA |
| Looker | Google LLC | Business intelligence and reporting | USA |
| Intercom | Intercom, Inc. | In-app messaging and customer support | USA |
| Beamer | Joincube, Inc. | Product update notifications | Belgium (EU) |
| Mailjet | Sinch AB (Mailjet) | Transactional email delivery | Germany / Belgium (EU) |
| Docusign | Docusign, Inc. | Electronic contract signing | EU |
| Chargebee | Chargebee, Inc. | Subscription billing and payment processing | EU |
6.3 Other Recipients
We may also share personal data with:
- Legal and regulatory authorities, when required by law or to protect our legal rights
- Professional advisors (lawyers, auditors, accountants) as necessary
- Business partners only with your explicit consent
We do not sell your personal data to third parties.
7. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), particularly in the United States. For these transfers, we rely on the following safeguards to ensure an adequate level of data protection:
- EU-U.S. Data Privacy Framework (DPF): The following US-based providers are covered by the EU adequacy decision for the EU-U.S. Data Privacy Framework per Art. 45 GDPR: ActiveCampaign, Webflow, Google (Google Analytics, Google Tag Manager, Looker), Salesloft, dbt Labs, Intercom, and LaunchDarkly.
- EU data processing: The majority of our sub-processors process data exclusively within the EU/EEA, including AWS (Germany), DataDog (Germany), Sentry (Germany), PostHog (Germany), Estuary (Germany), Mailjet (Germany/Belgium), Beamer (Belgium), Docusign (EU), and Chargebee (EU).
- Standard Contractual Clauses (SCCs): For any transfers not covered by an adequacy decision, we have entered into EU-approved Standard Contractual Clauses with the respective providers.
- Data Processing Agreements (DPAs): All sub-processors have signed appropriate data processing agreements.
8. Cookies and Tracking Technologies
We use cookies and similar technologies on our Services. We distinguish between:
8.1 Essential Cookies
These cookies are required for the core functionality of our Services and cannot be disabled. They include session cookies, authentication cookies, and security cookies.
Legal basis: Legitimate interest per Art. 6(1)(f) GDPR / Section 25(2) TDDDG
8.2 Functional Cookies
These cookies enable us to analyze usage of our Services, measure performance, and provide enhanced functionality such as chat support and product notifications.
Tools: Google Analytics, PostHog, Intercom, Beamer
Legal basis: Consent per Art. 6(1)(a) GDPR / Section 25(1) TDDDG
8.3 Marketing Cookies
These cookies are used by advertisers to display ads that are relevant to your interests.
Tools: ActiveCampaign, Salesloft
Legal basis: Consent per Art. 6(1)(a) GDPR / Section 25(1) TDDDG
Managing Your Cookie Preferences
You can manage your cookie preferences at any time through our cookie consent tool provided by Usercentrics. You can access the settings at any time via the “Cookie Settings” link in the footer of our website.
9. Marketing Communications and Advertising
We send promotional and informational emails to different recipient groups on different legal bases.
9.1 Types of Promotional Communication
- Newsletters and other promotional communications about Cosuno products and services
- Notifications about relevant tenders and content on the Cosuno Marketplace
- Invitations to events, webinars, and product demos
- Promotional outreach to qualified business contacts in a B2B context
9.2 Legal Bases
Depending on the recipient group, processing is based on:
- Our legitimate interest in customer communication and direct marketing under Art. 6(1)(f) GDPR
- For existing customers, additionally supported by § 7(3) UWG (German Act Against Unfair Competition — direct marketing for similar products and services)
- Your explicit consent under Art. 6(1)(a) GDPR, where given
9.3 Objection and Opt-Out
You may object to the processing of your personal data for advertising purposes at any time. Every promotional email contains an unsubscribe link. Alternatively, you may contact us informally at info@cosuno.de. For more information about your rights, see Section 11.
10. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Account & profile data | Duration of the account + 30 days after deletion |
| Tender & project data | Duration of the account + 30 days after deletion |
| Contact data | Duration of the account + 30 days after deletion |
| Communication data | Duration of the account + 30 days after deletion |
| Billing & payment records | 10 years after end of contract (German tax law, Section 147 AO / Section 257 HGB) |
| Usage & analytics data | 14 months |
| Server logs | 90 days |
| Cookie data | Varies per cookie, maximum 12 months |
After the applicable retention period expires, personal data is securely deleted or anonymized. Where data is shared between multiple parties (e.g., bids submitted to a general contractor), personal data of the deleted account is anonymized while the business records are retained for the other party.
11. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access per Art. 15 GDPR: You may request confirmation of whether we process your personal data and obtain a copy of that data.
- Right to rectification per Art. 16 GDPR: You may request the correction of inaccurate personal data.
- Right to erasure per Art. 17 GDPR: You may request the deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing per Art. 18 GDPR: You may request that we restrict the processing of your data under certain circumstances.
- Right to data portability per Art. 20 GDPR: You may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object per Art. 21 GDPR: You may object to the processing of your personal data based on legitimate interest at any time. We will then cease processing unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent per Art. 7(3) GDPR: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent authority for Cosuno is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Germany
Website: www.datenschutz-berlin.de
To exercise your rights, please contact us at info@cosuno.de or reach out to our Data Protection Officer (see Section 3).
12. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you within the meaning of Art. 22 GDPR.
13. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and authentication mechanisms
- Regular security assessments and monitoring
- Employee training on data protection
- Incident response procedures
14. Children's Privacy
Our Services are designed for business use and are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. The “Last updated” date at the top of this policy indicates when the latest revision was made.
16. Contact Us
If you have any questions about this Privacy Policy or our data processing practices, please contact us at:
Cosuno Ventures GmbH
Boxhagener Str. 77-78
10245 Berlin
Germany
Email: info@cosuno.de
Or contact our Data Protection Officer (see Section 3).