Privacy Policy
Last updated: 2 July 2026
This policy explains what personal data we process when you visit kusta.io or join our waitlist, why, and what rights you have. kusta is built EU-first: our infrastructure and your data stay within the EU.
1. Who is responsible
The controller within the meaning of the GDPR is:
Lars Keggenhoff
c/o Bürogemeinschaft EG, Widdersdorfer Straße 127A, 50825 Köln, Germany
Email: [email protected]
Full provider details are in our imprint.
2. What we collect, and why
a) Waitlist sign-up
When you join the waitlist we process the email address you enter, plus the timestamp and confirmation of your opt-in. We use a double opt-in: you receive a confirmation email and are only added after you click the link.
- Purpose: to add you to the waitlist and send you a single notification when kusta launches (plus, if you consent, occasional product news).
- Legal basis: your consent (Art. 6(1)(a) GDPR). You can withdraw it at any time (see §5) — every email includes an unsubscribe link.
- Retention: until launch and your onboarding, or until you unsubscribe/withdraw consent, whichever comes first. Unconfirmed sign-ups are deleted after a short period.
b) Server logs
When you load the site, our servers automatically record technical data (IP address, date/time, requested resource, referrer, browser/OS) for a short time.
- Purpose: to deliver the site securely and detect/defend against abuse.
- Legal basis: our legitimate interest in a secure, functioning website (Art. 6(1)(f) GDPR).
- Retention: log data is kept for a short period (up to 14 days), then deleted or anonymised.
3. Cookies & tracking
This site sets no tracking or advertising cookies and uses no third-party analytics or trackers. Fonts are self-hosted — we do not load Google Fonts or other external CDNs — so no data leaves to third parties just from viewing the page. (If we add privacy-friendly, cookieless analytics later, we will update this policy first.)
4. Processors & recipients
We only share data with processors bound by a data processing agreement (Art. 28 GDPR):
- Brevo (Sendinblue GmbH / Brevo, EU) — stores the waitlist and sends the confirmation and launch emails. Data is processed on EU infrastructure.
- Hosting — the site runs on EU infrastructure (Hetzner Online GmbH, Germany). Server logs are processed there.
We do not sell your data and do not transfer personal data outside the EU/EEA. Should that ever change, we will rely on an appropriate transfer mechanism (e.g. EU Standard Contractual Clauses) and disclose it here.
5. Your rights
Under the GDPR you have the right to:
- access your data (Art. 15), and to rectification (Art. 16) or erasure (Art. 17);
- restriction of processing (Art. 18) and data portability (Art. 20);
- object to processing based on legitimate interests (Art. 21);
- withdraw consent at any time with effect for the future (Art. 7(3)) — this does not affect prior processing;
- lodge a complaint with a supervisory authority (Art. 77).
To exercise any of these, email us at [email protected].
6. Changes
We may update this policy as the product evolves (e.g. when we add features or a new processor). The current version always lives at this URL, with the date at the top.
7. Contact
Questions about your data? Email [email protected] or write to the address in §1.