Privacy Policy

We appreciate your interest in KMUPIM. Protecting your personal data is important to us. This privacy policy informs you pursuant to Art. 13, 14 GDPR about which personal data we process when you visit our website, register for our SaaS platform, or use our services.

KMUPIM is a Shopify-native software-as-a-service (PIM/Asset/Release tool) for small and medium-sized merchants in the DACH region. We process as little personal data as possible. We use no web tracking, no web analytics, no advertising cookies and no social media plugins. Fonts, scripts and images are delivered exclusively from our own server; in particular, no Google Fonts, no Google Analytics, no Google Tag Manager, no reCAPTCHA, no Meta/Facebook pixels and no LinkedIn/Microsoft tracking components are loaded.

I. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:

E-Mail: info@kmupim.com
Data Protection Contact: info@kmupim.com
Website: www.kmupim.com

Authorized Managing Director and further mandatory information: see Imprint.

II. Data Protection Officer

We are not obligated to appoint a data protection officer pursuant to Art. 37 GDPR in conjunction with § 38 BDSG. For all data protection concerns, you can reach us at info@kmupim.com.

III. Definitions

This privacy policy uses the terms of the GDPR. "Personal data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person (e.g. name, e-mail address, IP address). "Processing" (Art. 4 No. 2 GDPR) means any operation relating to personal data, such as collection, storage, use, transmission or erasure.

IV. General Principles of Processing

1. Legal Bases

Unless a specific legal basis is stated in this policy, the following applies:

• Consent (Art. 6 para. 1 lit. a GDPR) – if you have expressly permitted the processing.
• Contract performance and pre-contractual measures (Art. 6 para. 1 lit. b GDPR) – insofar as processing is necessary for the performance of the usage contract with you or your request.
• Legal obligation (Art. 6 para. 1 lit. c GDPR) – e.g. to fulfill tax and commercial law retention obligations.
• Legitimate interests (Art. 6 para. 1 lit. f GDPR) – to ensure technically error-free, secure and economically viable operation of our services.

2. Data Minimization and Storage Limitation

We process your data in accordance with the principles of data minimization (Art. 5 para. 1 lit. c GDPR) and storage limitation (Art. 5 para. 1 lit. e GDPR). Personal data is deleted as soon as the purpose of its processing has ceased and no legal retention obligations (in particular § 147 AO, § 257 HGB – typically 6 or 10 years) oppose deletion.

3. Transfer to Third Parties

A transfer of your personal data to third parties only takes place if

• this is necessary for contract performance,
• you have consented,
• we are legally obliged to do so, or
• we engage service providers as processors (Art. 28 GDPR) who we have contractually obligated to protect your data (see Section XIII).

V. Provision of the Website and Server Log Files

When merely visiting our websites www.kmupim.com (landing page), app.kmupim.com (application) and api.kmupim.com (API), we process the data that your browser technically transmits:

• IP address,
• date and time of access,
• URL accessed and HTTP method,
• HTTP status code and amount of data transferred,
• Referrer URL (if transmitted),
• User-Agent (browser type, version, operating system).

This data is exclusively recorded server-side in log files and automatically deleted or anonymized after a maximum of 14 days. No combination with other data sources takes place.

• Purpose: Delivery of content, ensuring operational readiness, detection and defense against attacks.
• Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in a secure, functional web offering).

1. Hosting

Our servers are operated in a data center within the Federal Republic of Germany (EU). The hosting provider is:

Contabo GmbH, Aschauer Straße 32a, 81549 Munich, Germany (contabo.com). A data processing agreement pursuant to Art. 28 GDPR exists with Contabo.

The database (PostgreSQL) and all application services run exclusively on these servers in Germany.

2. Content Delivery Network (CDN)

To accelerate the delivery of static resources and to defend against traffic spikes and DDoS attacks, we use the CDN of the following provider:

BunnyWay d.o.o. (Bunny.net), Cesta komandanta Staneta 4A, 4000 Kranj, Slovenia (bunny.net). Bunny.net is a company based in the EU; used edge locations in Europe are prioritized. A data processing agreement pursuant to Art. 28 GDPR exists with Bunny.net.

In the course of delivery, Bunny.net processes the same connection data as our origin server (IP address, timestamp, User-Agent, URL accessed). API responses are not cached at the edge.

• Purpose: Acceleration of delivery, protection against attacks.
• Legal basis: Art. 6 para. 1 lit. f GDPR.

3. File and Asset Storage

Media files uploaded by the user (e.g. product images, logos, avatars) are stored in an S3-compatible object storage:

Contabo GmbH – Object Storage, Region EU2 (Nuremberg, Germany). Data processing agreement is in place.

VI. Cookies and Comparable Technologies

We exclusively use technically necessary cookies and local storage objects. These are strictly required for the operation of our services and are stored without consent pursuant to § 25 para. 2 No. 2 TDDDG. Processing for analysis, tracking or advertising purposes does not take place; a consent banner for selecting optional cookies is therefore not required.

• Legal basis: § 25 para. 2 No. 2 TDDDG in conjunction with Art. 6 para. 1 lit. b and lit. f GDPR (technically necessary operation, secure authentication).

You can prevent the setting of cookies at any time via your browser settings. In this case, you will not be able to log in to the application.

VII. Contact via E-Mail

If you contact us by e-mail (e.g. at info@kmupim.com), we process the data you transmit (in particular name, e-mail address, content and time of the message) exclusively for handling your inquiry.

Our landing page contains no contact form; all contact options use mailto: links to your local e-mail application. No server-side recording of your message takes place via the website.

• Purpose: Handling of inquiries, communication.
• Legal basis: Art. 6 para. 1 lit. b GDPR, alternatively Art. 6 para. 1 lit. f GDPR.
• Storage duration: After final processing of your inquiry; statutory retention obligations remain unaffected.

VIII. Registration and Use of the KMUPIM Platform

Using our application at app.kmupim.com requires creating a user account.

1. Account and Master Data

We process:

• Name (first and last name),
• business e-mail address,
• password (in hashed form using Argon2id; the plain-text password never leaves your browser without TLS encryption and is not stored),
• selected language and UI preferences,
• company name and role within the account,
• optionally an avatar image uploaded by you.

Purpose: Identification, access management, provision of platform features, billing.
Legal basis: Art. 6 para. 1 lit. b GDPR.
Storage duration: For the duration of your active account. After contract termination, account and content data are deleted or anonymized unless statutory retention obligations oppose deletion (invoice data typically 10 years according to § 147 AO).

2. Authentication and Security Logs

To secure your account, we process:

• timestamp and IP address of successful and failed login attempts,
• User-Agent (browser/operating system) of the session,
• issued refresh tokens (for session management; revocable by you at any time in the account settings),
• e-mail confirmation and password reset tokens (valid for a limited time).

Purpose: Protection of your account against unauthorized access, detection of suspicious login attempts, rate limiting.
Legal basis: Art. 6 para. 1 lit. f GDPR, Art. 32 GDPR.
Storage duration: Login logs are automatically deleted after 90 days.

3. Two-Factor Authentication (optional)

You can additionally secure your account with TOTP-based two-factor authentication (authenticator app). We store your TOTP secret key AES-256-encrypted in our database as well as single-use backup codes (hashed).

Legal basis: Art. 6 para. 1 lit. a GDPR (consent through activation), Art. 32 GDPR.

4. Content Data (Products, Assets, Releases)

In the course of use, you create data in the platform (products, product texts, images, videos, release plans, notes, workflow steps). This content may contain personal data (e.g. names of contacts, employees, customers) and to that extent constitutes data that you have processed on your behalf.

For the processing of this content data, you as our customer are the controller within the meaning of the GDPR. We process this data exclusively on the basis of the Data Processing Agreement (DPA) concluded with you pursuant to Art. 28 GDPR. We make the DPA available to you before the conclusion of the contract.

IX. Shopify Integration

KMUPIM connects – insofar as you activate it – with your Shopify store to synchronize product, inventory and image data. We use the "Bring Your Own Credentials" model: you store the access credentials (Client ID, Client Secret or Access Token) of your own Shopify custom app in the platform.

• The stored access credentials are encrypted at the workspace level using libsodium / XSalsa20-Poly1305.
• Data flows occur exclusively between our backend and Shopify (*.myshopify.com).
• Transmitted data typically includes product information, inventory levels, variants and media. Personal data of end customers (buyers) of your store is not processed by default.

Legal basis: Art. 6 para. 1 lit. b GDPR. Insofar as data is transferred to Shopify (Shopify International Ltd., Ireland, or Shopify Inc., Canada), you as the owner of the Shopify store are independently the controller towards Shopify; Shopify's privacy policy applies (shopify.com/legal/privacy). Canada has an adequacy decision of the EU Commission pursuant to Art. 45 GDPR.

X. Payment Processing (Mollie)

For processing payments of our paid plans we use the payment service provider Mollie:

Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands (mollie.com).

For a paid subscription, we transmit to Mollie the data required for payment processing (name, e-mail, billing address, amount, reference object). Your payment method data (e.g. credit card numbers, SEPA IBAN) is entered exclusively directly with Mollie; we do not receive or store this data. We receive a payment ID, the status and, if applicable, the confirmations necessary for accounting from Mollie.

• Purpose: Contract processing, accounting.
• Legal basis: Art. 6 para. 1 lit. b GDPR; Art. 6 para. 1 lit. c GDPR.
• Storage duration: We retain invoices and payment receipts pursuant to § 147 AO for 10 years.
• Third-country transfer: Does not take place as a rule (Mollie processes in the EU).

Further information: mollie.com/en/privacy.

XI. E-Mail Dispatch (Transactional E-Mails)

For sending transactional e-mails (e.g. registration confirmation, password reset, security-related notifications, invoices) we use the following service provider:

Lettermint B.V., Netherlands (lettermint.co).

Only e-mail address, sender/recipient data and the content of the respective message are transmitted.

• Legal basis: Art. 6 para. 1 lit. b GDPR as well as Art. 6 para. 1 lit. f GDPR (secure and reliable communication).
• Data processing: A data processing agreement pursuant to Art. 28 GDPR exists with Lettermint.
• Third-country transfer: Lettermint is based in the Netherlands and processes exclusively within the European Union. A data transfer to third countries does not take place.

XII. AI-Powered Features (Optional, "Bring Your Own Key")

KMUPIM offers optional AI features (e.g. automatic translation, text generation, image generation, embedding vectors). These features are disabled by default and only become active if you as a customer voluntarily provide your own API key.

When you execute an AI feature, our application transmits the data necessary for the request directly to the provider you selected using your key. We do not store these requests and do not conduct any proprietary AI training with your content.

Since you provide the provider and key yourself, the processing at the respective AI provider is initiated by you as the controller; the data protection and contractual terms of your contractual relationship with the provider apply. For providers based in the USA, the transfer is based on the EU-US Data Privacy Framework (Art. 45 GDPR) or the Standard Contractual Clauses pursuant to Art. 46 GDPR, depending on the provider.

Legal basis (for executing your request through our platform): Art. 6 para. 1 lit. b GDPR.

XIII. Processors and Recipients

We exclusively use carefully selected service providers whom we have contractually obligated to data protection and data security (Art. 28 GDPR).

Further disclosure of your data to third parties does not take place – with the exception of the BYOK AI features you have activated yourself (Section XII) and any legally mandated disclosures to authorities.

XIV. Third-Country Transfer

A transfer of your personal data to countries outside the European Economic Area (EEA) does not take place in the context of standard platform use. Exception: if you yourself activate AI features with your own API key from a US provider (Section XII), a third-country transfer occurs to that extent on your behalf.

We base third-country transfers primarily on the adequacy decision of the EU Commission on the EU-US Data Privacy Framework (decision of 10.07.2023, Art. 45 GDPR; list of certified companies: dataprivacyframework.gov) and supplementarily on the Standard Contractual Clauses of the EU Commission (Art. 46 para. 2 lit. c GDPR) including supplementary technical and organizational measures in accordance with the EDPB Recommendations 01/2020.

XV. No Web Analytics, No Tracking, No Social Plugins

We use no web analytics or audience measurement (in particular no Google Analytics, Plausible, Matomo, Posthog, Mixpanel, Umami or similar), no advertising or conversion trackers (no Google Ads, Facebook/Meta pixel, LinkedIn Insight, Microsoft Advertising/UET, TikTok pixel or similar) and no social media plugins. No external fonts (e.g. Google Fonts) or external JavaScript libraries are loaded in real-time from third-party servers; all assets are delivered from our own servers or our EU CDN.

XVI. Storage Duration

Unless a specific storage duration is given for individual processing activities, the following principles apply:

• Data processed for contract performance is retained for the duration of the business relationship and thereafter until the expiry of statutory retention periods.
• Accounting, invoice and tax-relevant documents are retained for 10 years (§ 147 AO, § 257 HGB).
• Login and security logs are automatically deleted after 90 days.
• Server log files are automatically deleted or anonymized after 14 days.
• Account data is deleted after contract termination and expiry of any retention periods.

XVII. Rights of the Data Subject

You have the following data protection rights towards us, provided the legal requirements are met:

• Access to your processed personal data (Art. 15 GDPR);
• Rectification of inaccurate data (Art. 16 GDPR);
• Erasure of your data ("right to be forgotten", Art. 17 GDPR);
• Restriction of processing (Art. 18 GDPR);
• Data portability (Art. 20 GDPR);
• Objection to processing (Art. 21 GDPR) – in particular against processing based on Art. 6 para. 1 lit. f GDPR as well as at any time against direct marketing;
• Withdrawal of consent given with effect for the future (Art. 7 para. 3 GDPR).

To exercise your rights, an informal message to info@kmupim.com is sufficient. We endeavor to respond to your request within one month pursuant to Art. 12 para. 3 GDPR.

Right to Complain to the Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data (Art. 77 GDPR). The authority responsible for us is:

XVIII. Automated Decision-Making

Decisions based solely on automated processing – including profiling – within the meaning of Art. 22 GDPR that produce legal effects concerning you or similarly significantly affect you do not take place. The optional AI features (Section XII) serve exclusively to support your own editorial decisions; responsibility for adopting generated content lies with you.

XIX. Data Security

We secure your data through a graduated bundle of technical and organizational measures (Art. 32 GDPR). A detailed overview is provided to business customers as part of our DPA under the title "Technical and Organizational Measures (TOM)". Key points:

• Transport encryption: TLS 1.2 / 1.3 for all connections.
• Password hashing: Argon2id with current parameters.
• Encryption of sensitive data at rest: AES-256 (2FA secrets) or libsodium / XSalsa20-Poly1305 (account credentials such as Shopify tokens).
• Signed, short-lived URLs for accessing stored media files (HMAC, proprietary signing key).
• Rate limiting and IP-based throttling on authentication endpoints.
• Access restriction on a need-to-know basis; logged administrative access.
• Regular backups with encrypted storage in the EU.
• Monitoring and incident response process with notification channels pursuant to Art. 33, 34 GDPR.

XX. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy insofar as this becomes necessary due to new features, changed service providers or changed legal requirements. The current version is available at www.kmupim.com/privacy/. We will inform you of material changes in an appropriate manner (e.g. by e-mail or notice in the application).