Privacy Policy

Your privacy is important to us!

We take privacy very seriously, and believe that your data should be working for you. As Kokoro’s business grows and our Privacy Policy evolves, we will clearly notify you of any changes and ask for your feedback. If you have any questions, comments, concerns or complaints, or if you want to report any security violation to us, please contact us at:

Kokoro complies with the General Data Protection Regulation (Regulation (EU) 2016/679). Our commitment to such regulation may be found in our Data Processing Agreement (DPA).

Version 2.0

Effective Date: April 23, 2021

1. Introduction:

1.1. This Privacy Policy describes how Kokoro Beratungsgesellschaft (the “Company”, „Kokoro“,“we”, or “us”) collects, uses, processes, stores, shares and protects your personal information in connection with your use of our Site accessible through domain name (the “Site”) and the products and services we may offer through the Site, consisting in consulting, ‘Kokoro’ pulse surveys, workshops, coaching and other (online) services (indistinctly referred to as the “Services”).

2. Who are we and how to contact us:

2.1. We are the company responsible for the processing of your data in accordance with this policy. Here’s our information:

Kokoro Beratungsgesellschaft mbH
Wolfswerder 58
14532 Kleinmachnow
Company Number: HRB 31397 P
Email: info[at]

2.2. How to contact us and and who to contact.

Send a request either to the email above or directly to the our data protection officer (DPO)
Name: Imran Ur-Rehman
Email: imran[at]

3. Cookie Policy:

Click here for more details

3.a. Links to other websites:

On our website, in our emails and on our social-media profiles, we may have links to other companies, apps or websites (“other websites”) that aren’t ours. This policy doesn’t cover how those other websites process your data. We encourage you to read the privacy notices on the other websites you visit.

4. Scope of this Policy:

Here we describe the purposes for which we process your data. This covers the why, what and for how long we process your data as a Participant or as a Client of our services or site.

4.1. Purpose #1:
As a Participant, please note that we are not the entity responsible for the processing of data, but a mere provider rendering services to the person or company that sent you the Kokoro survey to complete.
If you have any questions or doubts, we suggest you approach the person or company who has sent you the Kokoro survey, as those are the ones governing the processing of your personal data (PD).

We process the following ordinary data about you as a Participant on behalf of this person and/or company:
As a Participant, Kokoro doesn’t process any sensitive data. The data we process will never reveal your identity and you will remain unidentifiable. No individual results, names, emails or telephone numbers of Participants can be accessed by Kokoro.
Note: All The Participants responses are aggregated into overall anonymous results.

We process your data as a Participant subject to this Privacy Policy in accordance with GDPR Article 6, Lawfulness of processing, more specifically 6.1.a, where you will be prompted to read and consent to it before your provide responses to any Kokoro survey you complete.

We will retain your data for processing for this purpose:

  • Up until the termination of use of Kokoro survey tool in your company as a Client.
  • Up until you leave this employment.
  • Up until you exercise your right to be erased.

We collect Participant data, i.e. results only from our Kokoro survey tool. It is both anonymous and encrypted.

4.2. Purpose #2:
As a Client of our services or site, your data is being processed to perform a contract, and we will be processing your data as long as the contractual relationship with you is in force and during the 2 years following the end of said relationship or as long as we need it for legal, business, or tax purposes. This results in us having to process your data for purposes of providing you both the Services, as well as to perform our obligations under the Services Terms and Conditions. As a Client, Kokoro processes your personal information as an entity incorporated in accordance with the laws of Germany and with the following details:

Kokoro Beratungsgesellschaft mbH
Wolfswerder 58,
14532 – Kleinmachnow,
Contact email: info[at]

4.3. We process the following ordinary data about you as a Client, subject to obtaining your consent, and as long as you do not withdraw any such consent, we may also process your data on behalf of this person and/or the company:

  • To send you electronic commercial communications (if you subscribe to a newsletter) or to answer the requests you may address us when contacting us.
  • To process information obtained through cookies, as described in more detail in the Cookie Policy, and subject to the terms set forth therein.
  • For user experience and analytics purposes based on how you browse the Site and use the Services, which pages you have visited, and to build audiences. Please note that we may profile users by means of cookies. In those cases, your acceptance of the installation and use of cookies results in a data processing for analytics purposes, as described in this paragraph.
  • We may enrich the data we have about you by obtaining information from a select third party for data enrichment purposes, provided that you have given us prior permission. Enriching data allows us to analyse a deeper subset of data from which we improve user experience and may present personalised content.

4.4. Finally, we may also process your data to protect our legitimate interests, as long as the said data is strictly necessary to fulfil the goals set forth below and is in accordance with the GDPR Article, 6.1.b (contract performance) and 6.1.f (legitimate interest). These legitimate interests are namely:

  • To review, monitor, investigate, and analyse how to improve the Services and/or the Site, as well as to keep our Services and the Site secure and operational and prevent abusive activity (e.g. fraud, spam, phishing activities, etc.). This may include doing interviews or surveys to assess any problems in the service or know how to improve your user experience. The interests at stake are ensuring a correct and safe environment for both Participants, you as our Client and us, taking those interests prevalence over your legitimate interests;
  • Any commercial electronic and non-electronic commercial communication sent when we have obtained your consent as mentioned above. We may also send you those kind of communications when you are our Client. In this last case, we will only send you information belonging to us and concerning services and/or products identical or similar to the ones you have contracted with us. In these cases, we have a legitimate interest in processing your contact information to keep you informed about any of our products and services, prevailing this interest over your right to your personal data given the non-sensitive nature of the data in question and the fact that the contractual relationship built with our Clients results in those Clients expecting these kinds of communications; and
  • Upon dissociating the data we have so as to be impossible to be associated to you as our Client or any other data subject, Kokoro might perform statistical and other analysis on information we collect (technical and metadata) to analyse and measure user behaviour and trends, to understand how people use our product and services, in order to improve and optimise our performance of both.

4.5. We retain and process your personal data for this purpose:

  • We need to process your personal data to perform the legal and contractual obligations mentioned in the section above. Otherwise, we are not able to provide you with the Product, Services and/or access our Site.
  • We retain you personal data up until termination of your employment and / or the Service Terms and Conditions.

4.6. We provide access to your personal information for this purpose:

  • We share your information with our service providers who help us to provide the Services to you, in which case those third parties are required to comply with our internal standards, policies, and technical and organisational measures that ensure that your data is protected and kept confidential at all times, and only in accordance with and to the extent authorised by this Privacy Policy.
  • When you authorise us to do so, we may also share your data with other companies so that they can process the data for other purposes, as explained more in detail when we request your prior consent.
  • In addition, if you provide consent for the installation of cookies, your data may be processed by third companies for the purposes and in the territories mentioned in the Cookie Policy on our webpage.
  • We may also share your information with competent courts and authorities, when we are legally required to do so (for instance, to allow such bodies to investigate, prevent, or take action against illegal activities), or we have to take action to protect our rights or any third party rights.

4.7. Additional information:

If you would like more information about our legal basis for processing your data, feel free to contact us. Some of the grounds for processing your data overlap, so there may be several reasons which justify us processing your data.

We do not sell or rent your data to marketers or third parties. We may use your data in other ways than described here but we’ll inform you about these purposes when we collect your data.

Please note that special circumstances or legal requirements may mean that such periods may be shorter or longer, depending on the purpose of complying with legal requirements for the erasure or keeping of information.

5. Keeping your data safe:

We use reasonable organisational, technical and administrative measures to protect your data within our company.

The Internet is not a 100% secure environment and that means we cannot guarantee the security of the data you transmit to us. Emails sent via the Internet might not be encrypted, so we advise you not to include any confidential or sensitive information in your emails to us. To learn more about our current practices and policies regarding security, contact out DPO:

Name: Imran Ur-Rehman
Email: imran[at]
Telephone number: +43 676 950 5819

6. Third parties and processors:

We use companies (third parties and processors) to help us deliver our services to you, e.g. payment processors, web analytics companies, data management services, help desk providers, IT consulting companies, Accountancy and Law services as well as SMS and email provider services.

When we use a processor we make sure that there is a legal agreement in place regarding how they will be handling data on our behalf.

We’ll also make sure that they have appropriate security measures in place and if they are located outside the EU, we’ll of course make sure that there is a legal agreement in place allowing us to give them access to the data (see section 7. below).

We share your data with:
– AWS (Frankfurt, DE)
– Appliscale (Krakow, Poland)

Here’s some of the suppliers we use:
– Appliscale (Krakow, Poland)
– Calendly, Legal Monster, Hotjar, Vonage, Mailchimp and Crisp

Read our cookie policy regarding the suppliers we use for those services. In the event that we are involved in a bankruptcy, merger, acquisition, reorganisation, your information may be transferred as part of that transaction.

This policy will continue to apply to your information also after the information has been transferred to the new entity.

7. How we collect data and process on your behalf in and outside of the EU/EEA:

7.1. In order to provide you with the Services, we may need to process on your behalf third parties’ PD. This is the case, for instance, when a person uploads information to set up a Kokoro Pulse Survey, the data is collected, stored, and processed on your behalf. PD that we collect from you may be stored, processed, and transferred between any of the countries in which we operate. Currently, all data processed is in Germany only.

7.2. Wherever we transfer, process or store your PD, we will take reasonable steps to protect it. We will use the information we collect from you in accordance with our privacy notice. By using our website, services, or products, you agree to the transfers of your PD described within this section.

7.3. We will ensure that all employees authorised to process PD have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.4. To provide you with the Services, we may need to use some service providers we already rely on, as well as hire new ones in the future. Those companies will only process the data to the extent necessary to render the Services, and we will enter into written agreements with them to make sure that said companies comply with the obligations included in this section 7 and implement all necessary security measures to ensure adequate protection of the data.

In the event that we want to change any of those service providers by another, or that we need to hire new companies, you will have the right to reasonably oppose to such changes or new appointments in the non-extendable term of 15 calendar days. ‘Reasonably oppose’ shall be interpreted as any challenge based on the failure to meet the legal requirements set forth by the European data protection laws by the new entity to be hired. In any event, we reserve the right to terminate the relationship with you should we not be able to hire a sub-processor which is essential or needed for providing the service.

The Company shall enter into written agreements with any sub-processors engaged in the provision of the Services including the safeguards and guarantees required by the General Data Protection Regulation (EU Regulation no. 679\2016, the GDPR), particularly in respect of implementing the security measures required in the GDPR. Where sub-processors are in countries, e.g. USA that do not have adequate level of protection of PD under Article 45 of the GDPR, you agree to comply with the requirements set forth in 7.5. below.

7.5. For the provision of the Services or because you want to process data from a given location or hand it to another company, data may be transferred outside the European Economic Area to a country which has not been declared to offer a level of protection equal to the one provided by European data protection regulations.

7.6. We will also provide, at your request and expense and subject to the nature of processing and information available to us, assistance in complying with obligations set forth in Articles 33 to 36 of the GDPR, if applicable.

7.7. With respect to data breaches, we will notify you without undue delay upon we confirm that a data breach affecting PD has taken place. We will provide you with sufficient information to allow you to meet any obligations to report or inform competent authorities or data subjects. We will reasonably cooperate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation, and remediation of each such data breach.

8. Your rights:

You have the following rights:

8.1. Your right of access and rectification: You have the right to ask us for copies of your PD or ask us to rectify information you think is inaccurate. There are some exemptions, which means you may not always receive all the information we process but as a main rule you can always contact us and ask for your information.

8.2. You have the right to withdraw your consent at any time: You also have the right to request access to, and rectification of, or erasure of your PD, or restriction of processing, or to object to processing, as well as the right to data portability. Please note that if you choose to cancel your data, your account will be deleted and all data in your account will be permanently deleted from our systems. You may lodge a complaint at any time with the German Federal Commissioner for Data Protection. We will allow you to exercise the above mentioned right by contacting us at Kokoro GmbH via

8.4. Your right to withdraw your consent: If processing of your data is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent. You may withdraw your consent by contacting us at Kokoro GmbH via info[at]

8.5. Your right to data portability: You have the right to receive your data in a structured, commonly used and machine-readable format.

8.6. Where your data is processed for direct marketing purposes, you have the right to object at any time to the processing of PD about you for such marketing. The law gives us one month to respond to you, but we will try to respond sooner. There may be conditions or limitations on these rights, i.e. it is related to the Services and Product, as these communications are necessary to perform the contractual relationship we have with you. It is therefore not certain e.g. you have the right of data portability in a specific case – this depends on the specific circumstances of the processing activity.

Assistance and additional information: 
You are always welcome to contact us and to take steps to exercise your rights by using the contact details above.

9. How to unsubscribe from email marketing material:

If you have subscribed to our newsletters or asked to receive marketing material from us, you can always unsubscribe. In all these emails we include an unsubscribe link and you can always click the link and easily unsubscribe. You can also unsubscribe by sending us an email to

10. Children and our Services:

Our services and website are not directed to children, and you may not use our services if you are under the age of 18. You must also be old enough to consent to the processing of your information in your country.

11. Changes to this Policy:

Sometimes we need to make changes to this policy to reflect our current practices. We will take reasonable steps to let you know about changes via our website or upon you logging on into your Kokoro account. If you are a registered user, we will notify you via email if significant changes
are being made to the policy using the email address you gave us when you signed up. If you continue to use our website or services after the notification, we will regard this as your acceptance of our privacy practices. If you do not agree to any non-substantial change to this Privacy Policy, you may terminate the Service Terms and Conditions.

12. Prevalence:

This policy might be drafted both in plain and legal versions. In case of any discrepancies, the legal version included herein shall prevail and take precedence with respect to the plain version.

If you have questions about the policy, feel free to contact us by using the contact details in this policy.