Privacy | Kyon Energy

(As of October 2025)

Kyon Energy Solutions GmbH (hereinafter "we" or "us") is pleased that you are visiting our website https://en.kyon-energy.de(hereinafter "Website") visit. Data protection and data security when using our website are very important to us. Therefore, we would like to inform you at this point about which of your personal data we collect when you visit our website and for what purposes they are used.

§ 1 Controller
Responsible within the meaning of the EU General Data Protection Regulation (hereinafter "GDPR") for the processing of personal data on our website is:

Kyon Energy Solutions GmbH
Dachauer Strasse 15b
80335 Munich
Germany
Email: info@kyon-energy.com
Website: https://en.kyon-energy.de

§ 2 Data Protection Officer
The data protection officer of Kyon Energy Solutions GmbH is:

Kertos GmbH
Brienner Str. 41
80333 Munich
Germany
Email: dsb@kertos.io

§ 3 What is personal data?
Personal data are all information relating to an identified or identifiable natural person. This includes, for example, information such as your name, age, address, phone number, date of birth, email address, or IP address. Information for which we cannot establish a reference to your person (or only with disproportionate effort), e.g., through anonymization of the information, is not personal data. The processing of personal data (e.g., collection, querying, use, storage, or transmission) always requires a legal basis or your consent.

§ 4 Data Processing on Our Website
1) Provision and Use of the Website
‍
a) Scope and Purpose of Data Processing
We collect and use personal data of our users only insofar as this is necessary to provide a functional website as well as our content and service or information offerings. When calling up and using our website, we collect the personal data that your browser automatically transmits to our server. This information is temporarily stored in a so-called logfile. The following information is collected without your intervention and stored until automated deletion:
• IP address of the requesting computer,
• Date and time of access,
• Name and URL of the retrieved file,
• Website from which the access is made (referrer URL),
• Used browser and possibly the operating system of your computer as well as the name of your access provider.

The mentioned data are processed by us for the following purposes:
• Ensuring a smooth connection setup of the website
• Ensuring secure and comfortable use of our website

b) Legal Basis
For the data processing mentioned under a), Art. 6 para. 1 lit. f GDPR serves as the legal basis, if it is technically necessary. The processing of the mentioned data is necessary for the provision of a website and the enabling of secure and comfortable use and thus serves to protect a legitimate interest of our company. Furthermore, there are no overriding interests of the website user, so the interest of the website operator prevails.

For non-technically necessary data, the legal basis is your consent under Art. 6 para. 1 lit. a GDPR.

c) Storage Duration and Data Deletion
As soon as the mentioned data are no longer required for displaying the website, they are deleted. The collection of data for providing the website and storing the data in logfiles is essential for the operation of the website. Consequently, there is no possibility for the user to object. Further storage will occur in individual cases if legally required.

2) Contact via Email
‍
a) Type and Scope of Data Processing
On our website, we offer you the opportunity to contact us via Email. When you contact us, the personal data provided by you (such as salutation, name, content of the email) as well as your email address are processed. These data are processed by us for the purpose of properly handling your inquiry. No disclosure of your personal data to third parties occurs when contacting us via email.

b) Legal Basis
The aforementioned data processing for the purpose of contacting us is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interests to be able to process your inquiries. Should the contact lead to a contract conclusion, we rely on Art. 6 para. 1 lit. b GDPR based on contract initiation.

c) Storage Duration
Once the inquiry you submitted has been processed and the relevant matter has been conclusively clarified, the personal data you provided via the contact form will be deleted. Further storage may occur in individual cases if legally required or if necessary for contract fulfillment.

3) Application Form
‍
a) Type and Scope of Data Processing
On our website, we offer you the opportunity to apply for open positions via an application form. If you contact us through this form, the following personal data will be processed:
- Name
- Email Address
- Phone Number
- Start Date
- Desired Salary
- LinkedIn (Optional)
- CV- Certificates
- Cover Letter

This data is processed by us for the purpose of properly handling your application.
No dissemination of your personal data to third parties occurs when using the form.

Legal Basis
The data processing described above for the purpose of
b) application processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR in conjunction with § 26 (1) 1 BDSG on the basis of contract initiation.

Storage Duration
If the application leads to an employment relationship, the processed data will be stored until the end of the employment relationship. If no employment relationship is established, we store your data for 6 months due to the General Equal Treatment Act and then delete it.
‍
4) Online Forms for Construction Site Personnel (Cognito Forms)
‍
a) Type and Scope of Data Processing
To provide location-specific information (e.g. safety instructions, shift schedules) and to collect information regarding persons deployed on our construction sites as well as visitors in a structured manner, we use the online form tool Cognito Forms of Cognito LLC, 929 Gervais St, Columbia SC 29201, USA. Through these web-based forms, the following categories of personal data may be entered, among others:
- Name, company affiliation/job title
- Email address and/or telephone number
- Access card/ID or security¬certificate numbers
- (Optional) uploaded proofs/certificates (PDF, image files)
The data is stored in the Microsoft Azure Cloud.

b) Legal Basis
- Art. 6 (1) (c) GDPR (compliance with obligations under occupational health and safety law and construction site regulations)
- Art. 6 (1) (f) GDPR (legitimate interest in efficient and verifiable construction site management).

c) Retention Period
The form data is deleted no later than twelve months after completion of the respective construction project; Cognito Forms retains deleted entries in encrypted backups for a maximum of 30 days.

d) Recipients
Cognito LLC processes the data exclusively as a processor pursuant to Art. 28 GDPR. A data processing addendum with standard contractual clauses has been concluded. Internal recipients are only those departments responsible for occupational safety, HR, and project management. The Cognito Forms servers are located in geo-redundant data centers in the USA. Cognito Forms is certified under the EU-U.S. Data Privacy Framework (DPF) and thus provides an adequacy mechanism pursuant to Art. 45 GDPR; the standard contractual clauses also apply.

§ 5 Use of Cookies
‍
a) Type and Scope of Data Processing
We use cookies on our website.

Cookies are small text files that are stored on your computer when you visit our website and enable your browser to be recognized again. Cookies store information such as your language settings, the duration of your visit to our website, or your entries made there.

There are different types of cookies. Session cookies are temporary cookies that are stored in the user's internet browser until the browser window is closed and the session cookies are thus deleted. Persistent cookies are used for repeated visits and are stored in the user's browser for a predefined period. First-party cookies are set by the website the user visits. Only this website may read information from these cookies. Third-party cookies are set by organizations that are not the operator of the website the user visits.

Furthermore, a distinction can be made between technically necessary, functional, and advertising cookies. The former are necessary to ensure basic functions of the website (storage of language settings). Functional cookies collect information about user behavior and whether they receive any error messages. Advertising cookies, on the other hand, serve to offer the user individually tailored advertising.
‍
b) Legal Basis
Due to the described purposes of use (cf. § 5a) the legal basis for the processing of personal data usingtechnically necessarycookies is Art. 6 para. 1 lit. f GDPR, as we have an interest in the user-friendly presentation of our website. If you have given us your consent to usefunctional and advertisingcookies based on a notice provided by us on the website (“cookie banner”), the legality of the use is additionally governed by Art. 6 para. 1 sentence 1 lit. a GDPR.Storage
‍
c) Duration
Once the data transmitted to us via cookies is no longer required to achieve the purposes described above, this information will be deleted. Further storage will occur on an individual basis if legally required.
‍
d) Configuration of Browser Settings
Most browsers are preset to accept cookies by default. However, you can configure your respective browser to accept only certain cookies or no cookies at all. We point out, however, that you may not be able to use all functions of our website if cookies are disabled by your browser settings on our website. Through your browser settings, you can also delete cookies already stored in your browser or display the storage duration. Furthermore, it is possible to set your browser to notify you before cookies are stored. Since the various browsers can differ in their respective functionalities, we ask you to use the respective help menu of your browser for configuration options.

§ 6 Tracking and Analysis Tools
We use tracking and analysis tools to ensure continuous optimization and needs-based design of our website. With the help of tracking measures, we can also statistically record the use of our website by visitors and further develop our online offering for you based on the insights gained. Based on these interests, the use of the tracking and analysis tools described below is justified according to Art. 6 para. 1 sentence 1 lit. f GDPR. If you have given us your consent to use cookies based on a notice provided by us on the website (“cookie banner”), the legality of the use is additionally governed by Art. 6 para. 1 sentence 1 lit. a GDPR. The subsequent description of the tracking and analysis tools also provides information on the respective processing purposes and the processed data.

a) Google Analytics
Google Analytics, a web analytics service provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”), is used on this website. Google Analytics uses so-called “cookies”, text files that are stored on your computer and that enable an analysis of your use of the website.

The information generated by these cookies, such as the time, location, and frequency of your use of this website, is generally transmitted to a Google server in the USA and stored there. When using Google Analytics, it cannot be ruled out that the cookies set by Google Analytics may collect additional personal data in addition to the IP address. We point out that Google may transfer this information to third parties if legally required or if third parties process this data on behalf of Google.

Google will use the information generated by cookies on behalf of the operator of this website to evaluate your use of the website, compile reports on website activities, and provide other services related to website and internet usage to the website operator. According to Google's own statements, the IP address transmitted by your browser within the framework of Google Analytics will not be merged with other data from Google.

You can generally prevent the storage of cookies by setting your browser software accordingly. We point out, however, that you may not be able to use all functions of this website to their full extent in this case.

§ 7 Social Plugins
‍
a) Type and extent of data processing
Our presence on social networks and platforms is designed for better, active communication with our customers and interested parties. Therefore, social plugins of the social networks “LinkedIn” (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland), “X” (X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA), and “Instagram” (Meta Ireland Limited, Merrion Road, Dublin 4, Ireland) are integrated into our website.Based on the data transmitted through the social plugin to the respective service, the service may associate it with your account.

The social plugins are integrated in such a way that data is not directly transmitted to the social networks. Only by clicking on the respective button is data transferred, and you leave our website, establishing a direct connection between your browser and the servers of the social networks. Information on the data subsequently collected by the respective social network can be found here:
https://de.linkedin.com/legal/privacy-policy
https://twitter.com/de/privacy
https://help.instagram.com/155833707900388

b) Legal Basis
The legal basis for the processing of your personal data is our legitimate interest in communicating with our interested parties and customers, as well as analyzing and further developing services and products, and improving business processes in accordance with Art 6 para. 1 lit. f GDPR.

§ 8 Grievance Process

a) Type and extent of data processing
We offer affected individuals (e.g., residents near our facilities) the opportunity to submit complaints or inquiries centrally and in a structured manner via an online form. Access to this form is available on our website and through posters at our construction sites and facilities.
The following personal data is processed when using the form:
• First and last name
• Email address
• Telephone number (optional)
• Content of the complaint or inquiry

The collected data is solely used for processing the respective complaint or inquiry, as well as for tracking and documenting the process.

b) Legal Basis
The processing of personal data occurs in accordance with Art. 6 para. 1 lit. f GDPR based on our legitimate interest in a structured handling of complaints, ensuring communication with the complainants, and legal documentation.
‍
c) Storage Duration
The personal data is stored for a period of 3 years to consider potential inquiries or legal claims. After this period, the data will be deleted unless longer storage is required due to legal obligations.
‍
d) Recipients of personal data
The personal data collected within the grievance process is only shared with internal departments responsible for handling the complaint. Additionally, processing occurs in the tool Monday.com from the service provider monday.com Ltd, which is used for structured processing of complaints. Transmission to further third parties only occurs if necessary for processing the complaint or legally required.

§ 9 Recipients of Personal Data
Within our company, only those individuals who need access to your personal data for the respective purposes have access to it. We only disclose your personal data to external recipients if there is a legal permission or if we have your consent. Below is an overview of the relevant recipients:
- Processors: Group companies or external service providers, for example in the areas of technical infrastructure and processing, maintenance, and payment processing, which are carefully selected and monitored. Processors may only use the data according to our instructions.
- Public authorities: Authorities and state institutions, such as tax authorities, public prosecutors, or courts, to whom we must transmit personal data, for example, to fulfill legal obligations or safeguard legitimate interests.

§ 10 International Data Transfer
We primarily process your data within the European Union (EU) and the European Economic Area (EEA).For certain of our service providers it may still be the case that their headquarters are outside the EEA in so-called "third countries". The General Data Protection Regulation (GDPR) imposes strict requirements on the transfer of personal data to third countries. All our data recipients must meet these requirements. Before we transfer your data to a service provider in a third country, each service provider is first checked for its data protection level. It is only selected if it can demonstrate an adequate level of data protection even outside the EEA. Regardless of whether our service providers are located within the EEA or in third countries, each service provider must sign a data processing agreement with us. Service providers outside the EEA must meet additional requirements. According to Art. 44 et seq. GDPR, personal data may be transferred to service providers who meet at least one of the following conditions:
- The European Commission has decided that the third country ensures an adequate level of protection (e.g. Israel and Canada).
- Standard contractual clauses have been included in our agreement with the data recipient (including any additional measures, if necessary).
- Other appropriate safeguards according to Art. 46 GDPR provided (e.g. Binding Corporate Rules).
- In special exceptional cases according to Art. 49 GDPR

§ 11 Data Security and Protection Measures
We are committed to treating your personal data confidentially. To prevent manipulation, loss, or misuse of your data stored with us, we take extensive technical and organizational security precautions, which are regularly reviewed and adapted to technological progress. However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned protection measures are not observed by other persons or institutions outside our responsibility. In particular, unencrypted data disclosed - for example, if this is done by e-mail - can be read by third parties. We have no technical influence on this. It is your responsibility as a user to protect the data you provide against misuse by encryption or in other ways.

§ 12 Rights of Data Subjects
You have the following legal rights regarding your personal data:
‍
Right of Access
You have the right to request confirmation as to whether we process personal data concerning you. If this is the case, you have the right to access this personal data as well as further information, e.g. the processing purposes, the recipients, and the planned duration of storage or the criteria for determining the duration.

Right to Rectification and Completion
You have the right to demand the immediate correction of incorrect data. Taking into account the purposes of processing, you have the right to demand the completion of incomplete data.

Right to Erasure (“Right to be Forgotten”)
You have the right to erasure, provided the processing is not necessary. This is the case, for example, if your data is no longer needed for the original purposes, you have revoked your data protection consent, or the data has been processed unlawfully.

Right to Restriction of Processing
You have the right to restrict processing, for example, if you believe the personal data is incorrect.

Right to Data Portability
You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format.

Right to Object
You have the right to object at any time on grounds relating to your particular situation to the processing of certain personal data concerning you. In the case of direct marketing, you as the data subject have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling, insofar as it is related to such direct marketing.

Right to Withdraw Your Data Protection Consent
You can withdraw your consent to the processing of your personal data at any time with effect for the future. The lawfulness of the processing carried out until the withdrawal is not affected by this.