The controller responsible for data processing on this website is:
Rusi Kolev
Kolev Architektenküchen
Hauptstr. 39
61239 Ober-Mörlen
Phone: 06002 4213585
Contact: Via our contact form
Website: https://kolev-kuechen.de
We are not required to appoint a data protection officer, as fewer than 20 persons are regularly engaged in the automated processing of personal data (Section 38 para. 1 BDSG). For questions regarding data protection, you can reach us at any time via our contact form.
In this privacy policy, we address you informally, as you are accustomed to from our communication. This does not affect your statutory rights.
This privacy policy explains what personal data we collect on our website and in the course of our kitchen planning services, what we use it for, and what rights you have.
We process your data in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Telecommunications Digital Services Data Protection Act (TDDDG).
As we use AI tools for processing consultation conversations (speech recognition, summarization, analysis of design preferences), we have conducted a Data Protection Impact Assessment pursuant to Art. 35 GDPR. This is reviewed at least annually. Upon request, we are happy to inform you about the results.
This website does not set any cookies: neither tracking cookies, advertising cookies, nor technically non-essential cookies. Our analytics tool (Section 6) and our advertising measurement (Section 8) also operate entirely without cookies. We do not use localStorage, sessionStorage, or device fingerprinting.
A cookie consent banner is therefore not required pursuant to Section 25 para. 2 TDDDG, as no access to end users’ terminal equipment is made beyond what is technically necessary for the provision of the service.
For security reasons, this website uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that your browser’s address bar changes from “http://” to “https://” and displays a lock icon in the browser bar.
When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Provider: Netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany
Data center: Nuremberg, Germany
Our website and all associated services — video consultation, automation, and database — run on our own server in Germany.
Legal basis: Art. 6 para. (1) f GDPR (legitimate interest in the reliable provision of our website).
DPA: Data Processing Agreement pursuant to Art. 28 GDPR concluded with Netcup.
Each time our website is accessed, the following technical data is automatically collected:
This data is used exclusively to ensure uninterrupted operation and is automatically deleted after 14 days.
Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
EU branch: Cloudflare Germany GmbH
To ensure our website loads quickly and securely, we use Cloudflare as a Content Delivery Network and DNS service. Cloudflare processes technically necessary connection data (IP address, requested URL) in the process. The processing by Cloudflare is technically necessary for delivering the website and is therefore permissible without consent pursuant to § 25 para. 2 no. 2 TDDDG.
Should Cloudflare, in exceptional cases (e.g., during a DDoS protection check), set a technically necessary security cookie, this serves exclusively to protect the website and falls under § 25 para. 2 no. 2 TDDDG (strictly necessary access).
Legal basis: Art. 6 para. (1) f GDPR (legitimate interest in the secure and efficient delivery of our website).
Third-country transfer: Cloudflare is certified under the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR). Additionally, Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR have been agreed upon as a legal fallback.
DPA: A Data Processing Agreement has been concluded with Cloudflare.
Privacy policy: https://www.cloudflare.com/de-de/privacypolicy/
We use Umami, a privacy-friendly, self-hosted web analytics software.
Umami exclusively collects aggregated, anonymous usage statistics: page views, session duration, and country of origin.
Legal basis: Art. 6 para. (1) f GDPR (legitimate interest in the anonymous analysis of user behavior). Since no personal data is stored, no consent is required.
As explained in Section 2, our website is completely cookie-free. Umami supports this concept, as it operates without cookies and without personal data.
When you use our contact form, we collect the following data:
Purpose: Processing your inquiry.
Legal basis: Art. 6 para. (1) b GDPR (pre-contractual measures).
So that we can prepare your consultation as well as possible, we ask you in advance for some information in an online form (self-hosted with Gravity Forms):
Purpose: Preparing and carrying out the kitchen consultation.
Legal basis: Art. 6 para. (1) b GDPR (performance of contract and pre-contractual measures).
We use the self-hosted booking software Amelia for scheduling appointments. All booking data is stored exclusively on our own server in Germany.
To check availability, we synchronise appointment metadata (date, time, booking reference) with Google Calendar. Your name, email address, and phone number are not transmitted to Google. Synchronisation is handled via Google Ireland Limited. Google LLC (USA) is certified under the EU-US Data Privacy Framework (Art. 45 GDPR). Standard Contractual Clauses (SCCs) have additionally been agreed.
Legal basis: Art. 6 para. (1) b GDPR (performance of contract and pre-contractual measures).
We run ads on Facebook and Instagram. To measure whether these ads are effective, we use the Meta Conversions API (CAPI). This works exclusively server-side — no Meta Pixel (JavaScript) is used on our website, no cookie is set on your device, and no client-side tracking is carried out. All data transmission takes place via our own server.
Data processed:
Note on pseudonymisation: Before transmission, your contact data is hashed using the SHA-256 method (pseudonymised within the meaning of Art. 4 No. 5 GDPR). Meta can only match the hashed data with existing user profiles — the data nonetheless remains personal data.
Purpose: Measuring advertising effectiveness and optimising our ads.
Legal basis: Art. 6 para. (1) a GDPR (consent). Data is only transmitted to Meta if you have actively given your consent in the contact form (checkbox). Without your consent, no data will be transmitted to Meta.
Joint responsibility: We and Meta Platforms Ireland Limited are jointly responsible for this processing in accordance with Art. 26 GDPR. Under this agreement, Meta is responsible for providing the infrastructure and processing the received data. We are responsible for the lawful collection and transmission of data (including obtaining your consent). The agreement can be found at https://www.facebook.com/legal/controller_addendum. You can assert your rights against either of the two controllers.
You can withdraw your consent at any time — simply contact us via our contact form. Data already transmitted to Meta can be deleted there in accordance with Meta’s own privacy policy.
Third-country transfer: Meta Platforms, Inc. is certified under the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR). As an additional legal safeguard, Standard Contractual Clauses have been agreed upon pursuant to Art. 46 para. 2 lit. c GDPR.
Meta Privacy Policy: https://www.facebook.com/privacy/policy/
For our initial consultations, we use the video conferencing software Jitsi Meet. This runs entirely on our own server in Germany.
Data processed:
Recording: We record the consultation session in order to subsequently provide you with a high-quality summary and precise kitchen planning. For this reason, we ask for your consent at the time of booking (checkbox). Without your consent, no recording will take place.
You can withdraw your consent at any time — even during the session. In that case, we will stop the recording immediately and delete any data already recorded. The video consultation can also take place without a recording — your consent to recording is not a prerequisite for the consultation.
At the start of the recording, we will remind you of this once more.
Legal basis:
Retention period: The recording will be deleted 6 months after your project is completed. For non-clients, deletion occurs 3 months after the consultation.
The audio recording of your consultation session is automatically converted into text using AI-based speech recognition software (transcription). Prior to transmission, only the audio channel is extracted and converted into a compressed format. Video data is not transmitted to the speech recognition service.
Provider: OpenAI, Inc. (USA) — Service: Whisper API
Data processed: Audio content of the consultation session.
Purpose: Creation of a written session summary as the basis for your kitchen planning.
Legal basis: Art. 6 para. (1) a GDPR (consent). Your consent to the recording (Section 9) also covers the subsequent transcription, as this is a necessary step in project processing.
Note: The audio data is processed exclusively for transcription purposes. In accordance with OpenAI’s API usage terms, the transmitted audio data is not stored and is immediately deleted after processing (Zero Data Retention). OpenAI does not use your data to train its models.
DPA: Data processing agreement concluded with OpenAI.
Third-country transfer: OpenAI is certified under the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR). As an additional legal safeguard, Standard Contractual Clauses have been agreed upon pursuant to Art. 46 para. 2 lit. c GDPR.
After your consultation, your data goes through the following steps:
The written session transcript is processed using an AI language model in order to:
As part of the summary, the AI creates a structured profile of your consultation preferences (so-called profiling pursuant to Art. 4 No. 4 GDPR). This includes assessments of your design style, communication behaviour, and budget framework. This information is stored as an internal working aid and is used exclusively for personal consultation by Rusi. All decisions regarding offers, pricing, and project design are made personally by Rusi — no automated decision-making within the meaning of Art. 22 GDPR takes place that produces legal effects or similarly significantly affects you.
For continuous quality improvement, we store corrections to AI drafts exclusively in anonymised form. Personal details (names, addresses, specific project details) are removed in the process.
Provider: Amazon Web Services EMEA SARL (Luxembourg) — Service: Amazon Bedrock
Model: Claude (Anthropic) — operated in the AWS region Frankfurt (eu-central-1)
Data processed: Transcript text and questionnaire responses.
Data residency: All data is processed exclusively within the EU (Frankfurt am Main). No transfer to third countries takes place.
AWS is a US-based company. In addition to the contractual guarantees (AWS Data Processing Addendum with Standard Contractual Clauses), AWS has committed to reviewing governmental access requests under EU law and, where unfounded under EU law, to challenging them.
Legal basis: Art. 6 para. (1) f GDPR (legitimate interest in efficient and high-quality project processing). The balancing of our legitimate interest against your rights comes out in favour of processing, as only conversation content already recorded with your consent is processed, and the summary serves your immediate benefit.
Note: Amazon Bedrock guarantees that customer data will not be used to train AI models.
DPA: Covered by the AWS Data Processing Agreement (applies to all AWS services).
All AI-generated content — summaries, email drafts, offer texts, and design proposals — is personally reviewed and approved by Rusi before being passed on to you.
For sending project-related emails, we use Amazon Simple Email Service (SES). This includes consultation summaries, offers, and invoices.
Provider: Amazon Web Services EMEA SARL (Luxembourg)
Data processed: Email address and email content.
Legal basis: Art. 6 para. (1) b GDPR (performance of a contract).
DPA: Covered by the AWS Data Processing Agreement.
Emails are processed exclusively within the EU (EU region Ireland). No transfer to third countries takes place.
We send exclusively project-related emails via this service — no advertising and no newsletters.
For project tracking, we provide you with a personal client portal. This is operated on our own WordPress server in Germany — all data remains with us.
Data processed: Project progress, task status, and uploaded files (mood boards, drafts, renders).
Access: You receive a personalised link with a cryptographically secure access token. No user account is required. Access is logged (IP address, timestamp).
Legal basis: Art. 6 para. (1) b GDPR (performance of a contract).
For the creation of quotes, order confirmations, and invoices, we use LexOffice.
Provider: Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany
Data processed: Name, address, email address, and invoice data.
Purpose: Creation and management of business documents as well as accounting.
Payment: Payment is made exclusively by bank transfer. We do not use any external payment service providers (no PayPal, no Stripe).
Legal basis:
DPA: Data processing agreement concluded with Haufe-Lexware.
For creating material suggestions and design ideas (mood boards), we use the Google Gemini API for AI-assisted image generation.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data processed: We transmit to Google Gemini exclusively descriptions of the desired kitchen style and materials (e.g. “modern kitchen with oak wood and Dekton worktop”). Directly identifying data such as name, address, or contact details are not transferred.
Legal basis: Art. 6 para. (1) b GDPR (performance of a contract and pre-contractual measures).
Third-country transfer: Google LLC (USA) is certified under the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR). Processing within the EU is handled by Google Ireland Limited. As an additional legal safeguard, Standard Contractual Clauses have been agreed upon pursuant to Art. 46 para. 2 lit. c GDPR.
Since only factual style descriptions without any personal reference are transmitted, no processing of personal data within the meaning of the GDPR takes place.
For internal project coordination, we use the messaging service Telegram.
Provider: Telegram FZ-LLC, Dubai, United Arab Emirates
Data processed: In Telegram, we use exclusively highly reduced data:
Not processed via Telegram: Email addresses, phone numbers, postal codes, scoring data, and full names are never sent via Telegram.
Legal basis: Art. 6 para. (1) f GDPR (legitimate interest in efficient internal communication).
Third-country transfer: Telegram is headquartered in the United Arab Emirates. No adequacy decision from the EU Commission exists for the UAE. The transfer is based on Art. 49 para. 1 subpara. 2 GDPR (compelling legitimate interests). The transfer concerns a limited number of data subjects (exclusively active consultation clients) and is not carried out on a mass scale. We have assessed the necessity and determined that the interests of the data subjects are adequately protected through strict data minimisation. The following protective measures are in place:
For data backup purposes, we store encrypted backups on Google Drive.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data processed: Database backups (client data, project data) and files.
Legal basis: Art. 6 para. (1) f GDPR (legitimate interest in data security).
Third-country transfer: Google LLC (USA) is certified under the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR). As an additional legal safeguard, Standard Contractual Clauses have been agreed upon pursuant to Art. 46 para. 2 lit. c GDPR.
Storage: Backups follow a rolling retention policy. Deleted data may still be contained in backups until the next rotation.
DPA: Google Workspace Data Processing Agreement.
In the context of our services, personal data is transferred to recipients in third countries (outside the EU/EEA). The following table provides an overview:
| Service | Country | Legal basis |
|---|---|---|
| Cloudflare | USA | EU-US Data Privacy Framework (Art. 45 GDPR) + SCCs |
| Google (Drive, Gemini, Calendar) | USA (via Ireland) | EU-US Data Privacy Framework (Art. 45 GDPR) + SCCs |
| OpenAI (Whisper) | USA | EU-US Data Privacy Framework (Art. 45 GDPR) + SCCs |
| Meta (CAPI) | USA (via Ireland) | EU-US Data Privacy Framework (Art. 45 GDPR) + SCCs + consent |
| Telegram | UAE | Art. 49 para. 1 subpara. 2 GDPR + data minimisation |
The EU-US Data Privacy Framework (DPF) is the adequacy decision of the EU Commission dated 10 July 2023 pursuant to Art. 45 GDPR. All mentioned US providers are certified under the DPF, thus ensuring an adequate level of data protection. In addition, we have agreed Standard Contractual Clauses (SCCs) pursuant to Art. 46 para. 2 lit. c GDPR with all US providers — as an additional safeguard in the event that the adequacy decision should cease to apply.
Note: Although Amazon AWS (Bedrock, SES) is a US-based company, the data processing for our AI summaries and email sending takes place exclusively within the EU (Frankfurt and Ireland respectively). No transfer to third countries takes place for these services.
We store your personal data only for as long as is necessary for the respective purpose or as required by statutory retention periods.
| Data category | Retention period | Basis |
|---|---|---|
| Session recordings (clients) | 6 months after project completion | Consent |
| Session recordings (non-clients) | 3 months after the consultation | Consent |
| Transcripts and AI summaries | Project duration + 12 months | Consent |
| Non-converted enquiries | 6 months after last contact | Legitimate interest |
| Contact details (on business documents) | 10 years after last invoice | Statutory (§ 147 AO) |
| Invoices, order confirmations | 10 years | Statutory (§ 147 AO, § 257 HGB) |
| Quotes without order placement | 6 years | Statutory (§ 257 HGB) |
| Mood boards and design drafts | Project duration + 24 months | Legitimate interest |
| Client portal data | Project duration + 24 months | Legitimate interest |
| Telegram messages (internal) | Project duration + 12 months | Legitimate interest |
| AI quality data | Regularly anonymized | Legitimate interest |
| Meta conversion logs (local) | 30 days | Legitimate interest |
Project completion is defined as the point in time when the final invoice has been paid in full. If no contract is concluded, project completion is defined as 6 months after the last contact.
After the retention period expires, your data will be deleted unless statutory retention obligations prevent this. Deleted data may still be contained in encrypted backups until the next rotation.
You have the following rights with regard to your personal data:
Note on AI processing: No automated individual decision-making within the meaning of Art. 22 GDPR takes place at our company. All AI-generated content is personally reviewed by Rusi before being passed on to you. Should this change in the future, you have the right to human review, to present your point of view, and to contest the decision.
To exercise your rights, please use our contact form.
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
The Hessian Commissioner for Data Protection and Freedom of Information (HBDI)
Gustav-Stresemann-Ring 1
65189 Wiesbaden
https://datenschutz.hessen.de
We update this Privacy Policy as needed — for example, when the legal situation changes or we introduce new services.
Last updated: 27 March 2026