1. Overview
Kanrix GmbH ("Kanrix", "we", "us", or "our") operates the strategy deployment and KPI management platform available at kanrix.com and associated subdomains (the "Service").
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have. It applies to visitors to our website and to customers and users of the Kanrix platform.
We are committed to processing personal data in accordance with the General Data Protection Regulation (GDPR), the UK GDPR, and all other applicable data protection laws.
2. Data We Collect
2.1 Data you provide directly
- Account information: name, work email address, company name, job title, and password when you register for or use the Service.
- Contact form submissions: name, work email, company, role, industry, and the content of your message when you use our contact or demo-booking forms.
- Payment information: billing address and payment card details. Card data is processed directly by our payment processor (Stripe) and is never stored on Kanrix servers.
- Communications: emails, support tickets, and other correspondence you send us.
- User-generated content: KPI data, strategy documents, project information, and other content you upload or create within the platform.
2.2 Data collected automatically
- Usage data: pages visited, features used, session duration, and in-app actions.
- Technical data: IP address, browser type and version, operating system, device type, and timezone.
- Cookies and similar technologies: see Section 8 for details.
2.3 Data from third parties
- If you connect an ERP system, database, or API to Kanrix, we process the operational data you authorise us to access. This data is used solely to provide the integration features you have configured.
- If you sign in via a third-party SSO provider (e.g. Google Workspace, Microsoft Azure AD), we receive your name and email address from that provider.
3. How We Use Your Data
We use the data we collect to:
- Provide, operate, and improve the Kanrix Service
- Create and manage your account
- Process payments and send billing-related communications
- Respond to enquiries, support requests, and feedback
- Send product updates, feature announcements, and administrative notices
- Send marketing communications where you have given consent or where we have a legitimate interest (you may opt out at any time)
- Analyse platform usage to improve performance and user experience
- Detect, investigate, and prevent fraud, abuse, and security incidents
- Comply with legal obligations
We do not sell your personal data to third parties. We do not use your operational data (KPIs, strategy content, project data) for any purpose other than operating the features you have configured.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions where a legal basis is required, we rely on the following:
| Purpose | Legal Basis |
|---|---|
| Providing the contracted Service | Performance of a contract (Art. 6(1)(b)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Responding to enquiries | Legitimate interests (Art. 6(1)(f)) |
| Product updates & administrative notices | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) or Legitimate interests |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
6. Data Retention
We retain personal data for as long as necessary to fulfil the purposes described in this policy, and no longer than:
- Account data: for the duration of your subscription plus 90 days after account closure (to allow for reactivation), then deleted or anonymised.
- Platform content (KPIs, projects, strategy data): deleted within 30 days of account closure unless a longer retention period is required by law.
- Billing records: up to 7 years in accordance with financial record-keeping requirements.
- Marketing communications: until you unsubscribe or object to processing.
- Support communications: up to 3 years from the date of the most recent interaction.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your data ("right to be forgotten"), subject to legal obligations.
- Restriction: request that we restrict processing of your data in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests, including direct marketing.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, email privacy@kanrix.com. We will respond within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with your local data protection authority.
9. Security
We implement industry-standard technical and organisational measures to protect your personal data, including:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access controls and principle of least privilege
- Regular security assessments and penetration testing
- Employee security training and background checks
- Incident response procedures and breach notification processes
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.
10. International Data Transfers
Kanrix is headquartered in the European Union. Where we transfer personal data to countries outside the EEA that do not have an adequacy decision from the European Commission, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-U.S. Data Privacy Framework where applicable
Copies of the safeguards we use are available on request at privacy@kanrix.com.
11. Children
The Kanrix Service is designed for business use and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@kanrix.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email (if you are a registered user) or by posting a notice on our website at least 14 days before the changes take effect. The updated policy will always be available at kanrix.com/privacy.
13. Contact Us
For any questions about this Privacy Policy or to exercise your data rights:
Data Controller: Kanrix GmbH
Privacy enquiries: privacy@kanrix.com
General enquiries: hello@kanrix.com