Privacy Policy

Version 6.0 effective from 1st February 2024

Data Privacy is a very important issue for us and we hold the protection of your personal data in very high esteem. The purpose of this Privacy Policy is to provide you information on how and to which purposes  we’re collecting your personal data and how this will be processed.  Particularly this Privacy Policy provides you with information about how we process your personal data when you visit our website, when we communicate with you as partner or client, when you apply for open positions at Kiron, when you are a student on Kiron Campus and generally when you use the services offered through our website and through Kiron Campus. Your data will be processed in compliance with the applicable legal data protection regulations. Read this Privacy Policy carefully and contact us as  indicated below if you have any questions.

The sections of this Privacy Policy apply to the websites www.kiron.ngo (“Website”) and/or campus.kiron.ngo (“Campus”). If you visit another website, the data protection provisions of the respective website operator apply. If links to other websites are placed on our website or on Campus, we have no influence nor control on the content of such websites and the way they process personal data. We recommend that you read the respective privacy notices to obtain information on how your personal data is collected and processed.

This Privacy Policy is organized as follows:

A. General Information & Overview

The information provided in this section provides general information, which applies to all services and processes, unless specified otherwise within the specific sections. 

1. Contact

The information provided in this section provides general information, which applies to all services and processes, unless specified otherwise within the specific sections. 

a. Data Controller

Responsible for the collection and processing of your data in accordance with Art. 4 para 7 GDPR is: 

c/o Impact Hub Berlin
Rollbergstr. 28a
12053 Berlin, Germany
Email: privacy@kiron.ngo

Kiron Open Higher Education gGmbH

(“Kiron”, “we”, “us” or “our”)

b. Data Protection Officer

You can contact our Data Protection Officer as follows:

Leopoldstr. 21
80802 Munich, Germany
Email: datenschutzbeauftragter@datenschutzexperte.de

Web: www.datenschutzexperte.de

PROLIANCE Gmb

Our Privacy Policy aims to be simple and understandable for everyone. The terms used in this Privacy Policy, unless they are defined herein or in other sources we explicitly refer to, correspond to the official terms of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation,  “GDPR”). Such official terms are defined in Art. 4 GDPR. The full text of the GDPR can be found here.

2. Terms and Terminology

Our Privacy Policy aims to be simple and understandable for everyone. The terms used in this Privacy Policy, unless they are defined herein or in other sources we explicitly refer to, correspond to the official terms of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation,  “GDPR”). Such official terms are defined in Art. 4 GDPR. The full text of the GDPR can be found here.

3. Access to Data and Transferal

Depending on your use of our services different sets of data may be processed or stored, as is described in detail further below.

Our employees, volunteers and contractors have access to the data based on our access control policies and are contractually bound to keep the information confidential.

Kiron uses service providers in order to operate and maintain Kiron’s website and Kiron’s educational platform “Campus” and to be able to offer certain services related thereto, which may receive and process personal data of the users. Any service providers engaged by Kiron are obliged to comply with the applicable data protection regulations and will process data exclusively in accordance with the instructions of Kiron. Kiron and its service providers commit to take reasonable technical and organizational precautions in order to protect the data of the users.

Your data will not be transferred to any third parties unless

  • we have explicitly indicated this in the description of such data processing;
  • you have given express consent pursuant to Art. 6 para. 1 s. 1 lit. (a) GDPR;
  • disclosure in accordance with Art. 6 para. 1 s. 1 lit. (f) GDPR is required to assert, exercise or defend legal claims and there is no reason to assume that you have a predominantly legitimate interest in the non-disclosure of your data;
  • disclosure in accordance with Art. 6 para. 1 s. 1 lit. (c) GDPR is a legal obligation and
  • transfer to third parties is required by Art. 6 para. 1 s. 1 lit. (b) GDPR for the performance of the contractual relationships with you.

Any third party processor, which handles data on Kiron’s behalf is required to do so in accordance with contractual terms which require that the data is kept secure, is processed in accordance with applicable data protection laws, and used only as we have instructed and not for that Third Party Processor’s own purposes (unless you have explicitly consented to them doing so). 

If our use of a Third Party Processor involves the transfer of personal data to a location outside of the European Economic Area, we apply all necessary instruments to ensure that the personal data is adequately protected in that location, including particularly e.g. European Commission-approved standard contractual clauses.

4. Servers

The main Kiron servers and data storages are hosted at SysEleven GmbH. In order to ensure an adequate level of data protection in accordance with the provisions of the GDPR, we have concluded a data processing agreement in accordance with Art. 28 GDPR.

Contact: SysEleven GmbH, Boxhagener Str., 80, 10245, Berlin.

More information: syseleven.de/en/privacy-policy

a. SysEleven 

Although the majority of the data is stored on SysEleven  we also use Amazon Web Services (“AWS”). We have concluded a data processing agreement with AWS. Using AWS, personal data may be transferred to the U.S. For the U.S., there is an adequacy decision of the EU Commission pursuant to Art. 45 (1) GDPR regarding companies with certification under the EU-U.S. Data Privacy Framework. Amazon Web Services Inc. is certified under the EU-U.S. Data Privacy Framework and is therefore committed to compliance with adequate data protection standards, which can be verified here.

Contact: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855, Luxembourg

More information: aws.amazon.com/compliance/eu-data-protection

b. Amazon Web Services (AWS)

5. Cookies

In order to optimize our services, we use cookies on different pages of the Website and of the Campus platform. Cookies are small text files that are stored on your device. Some of the cookies will be deleted at the end of your browser session (so-called session cookies). Other cookies may remain on your device and allow us to identify your browser the next time you visit the Kiron platform (so-called persistent cookies).

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping basket function or language settings). Other cookies are used to evaluate user behavior or display advertising.

Technically necessary cookies are stored on the basis of Art. 6 para. 1 s. 1 lit. (f) GDPR. We have a legitimate interest in the storage of cookies for the technically error-free and optimised presentation of our services. Other cookies are only stored with your consent on the basis of Art. 6 para. 1 s. 1 lit. (a) GDPR. This consent can be withdrawn at any time for the future. The legal basis may also result from Art. 6 para. 1 s. 1 lit. (b) GDPR if the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.

On our Website and on Campus we give you the opportunity to select the type of cookies that will be used in addition to such cookies that are essential for the functionality of the Website (“Essential Cookies”). Provided you have given your consent, we also use cookies in order to statistically record the use of our website or of Campus and to evaluate it for the purpose of optimising our offer to the users. Insofar as cookies are used for analysis purposes, we will inform you of this separately within the framework of this privacy policy and obtain your consent. These cookies enable us to automatically recognize when you return to our site that you have already visited our website. These cookies are automatically deleted after a certain period (max. 14 months).

You can set your browser to

  • be informed about the setting of cookies,
  • only allow cookies in individual cases,
  • exclude the acceptance of cookies for certain cases or generally,
  • activate the automatic deletion of cookies when the browser is closed.

The cookie settings can be managed under the following links for each browser:

You can also manage cookies of many companies and functions used for advertising individually. To do this, use the appropriate user tools, available at www.aboutads.info/choices or www.youronlinechoices.com/uk/your-ad-choices.

Most browsers also offer a so-called "do-not-track function". When this feature is enabled, the browser tells ad networks, websites, and applications that you do not want to be "tracked" for behavioural advertising and the like.

For information and instructions on how to edit this feature, please refer to the links below, depending on your browser provider:

Additionally, you can prevent the loading of so-called scripts by default. "NoScript" allows the execution of JavaScripts, Java and other plug-ins only at trusted domains of your choice. Information and instructions on how to edit this function can be obtained from the provider of your browser (e.g. for Mozilla Firefox at: addons.mozilla.org/de/firefox/addon/noscript).

In case of non-acceptance of cookies, the functionality of the Kiron Website or of Campus may be limited.

6. Minor's Data

We recognize that some data protection laws vary based on the age of consent. Depending on the jurisdiction, the age of consent can be between 13 to 16 years old. We do not knowingly request to collect personal information from any data subject (as defined in the GDPR) under the age of consent as defined by the jurisdiction in which the data subject resides. If we are aware of or suspect that a data subject is under the age of consent, we will require the data subject to terminate their account or any usage of our services. We will also take steps to delete the information as soon as possible. Please notify us if you know of any individuals under the age of consent using any of our tolls or services.

More strict rules apply for the access to Kiron Campus (s. Sec F).

B. Visiting the website kiron.ngo

This section describes how Kiron handles your personal information when you visit the website www.kiron.ngo ( “Website” or “our website”).

1. Webflow

Our website www.kiron.ngo is hosted on Webflow, a platform and service provided by Webflow Inc. We have concluded a data processing agreement with Webflow Inc. Accessing our website, personal data may be transferred to the U.S. For the U.S., there is an adequacy decision of the EU Commission pursuant to Art. 45 (1) GDPR regarding companies with certification under the EU-U.S. Data Privacy Framework. Webflow, Inc. is certified under the EU-U.S. Data Privacy Framework and is therefore committed to compliance with adequate data protection standards, which can be verified via the following link: dataprivacyframework.gov/s/participant-search   

Contact: Webflow, Inc., 398 11th Street, Floor 2, San Francisco, CA 94103, USA

More information: webflow.com/legal/privacy  

2. Data collected and legal basis

When you visit our Website, the browser on your device automatically sends information to the server. This information is temporarily stored in a so-called log file. The following information is collected without your intervention and stored until it is automatically deleted: 

  • The domain you requested
  • Mobile Device ID (of your mobile device)
  • IP Address (the number that is automatically assigned to your computer when you use the Internet)
  • Installed Fonts and PlugIns
  • Browser type and -version
  • Browser language/locale settings
  • Operating System
  • Referrer URL (the page, from which this page was linked, including the search term, in case of a search engine)
  • Time and date of the request
  • The amount of data transferred.

The mentioned data will be processed for the purpose of ensuring a smooth and stable connection of the Website and a comfortable use of our Website for the users as well as to evaluate the system security and stability and for other administrative purposes. The legal basis for data processing is Article 6 para. 1 s. lit. (f) GDPR. Our legitimate interest follows from the purposes listed above for data collection. 

The saved logs will not be retained for any period longer than 12 months.

3. Tracking Measures and Analysis Tools

a. Google Analytics

Our website uses Google Analytics, an internet analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses so-called "cookies" and web beacons. 

Google will use this information on behalf of the operator of this website to evaluate your use of the website and to create reports on website activity. Google will also use this information to provide the website operator with further services related to the use of the website and the internet. The IP address sent by your browser in the context of Google Analytics is not combined with other data from Google. Processing is carried out in accordance with Art. 6 para. 1 lit. a GDPR on the legal basis of your given consent.

We use Google Analytics only with activated IP anonymisation. This means that your IP address will only be further processed by Google in abbreviated form.

We have concluded a Data Processing Agreement with the service provider in which we oblige him to protect the data of our customers and not to pass them on to third parties. 

Since a transfer of personal data by Google to affiliates and sub-processors to countries outside the EU and EEA is possible, further appropriate safeguards are required to ensure the level of data protection under the GDPR. For the U.S., there is an adequacy decision of the EU Commission pursuant to Art. 45 (1) GDPR regarding companies with certification under the EU-U.S. Data Privacy Framework. Google LLC is certified under the EU-U.S. Data Privacy Framework and is therefore committed to compliance with adequate data protection standards, which can be verified via the following link: dataprivacyframework.gov/s/participant-search 

For potential transfers to other countries outside the EU and the EEA, for which no adequacy decision of the EU Commission exists, we have concluded standard contractual clauses with the provider in accordance with Art. 46 (2) lit. c GDPR. These oblige the recipient of the data in the country outside the EU to process the data in accordance with the level of protection in Europe.

The terms of use of Google Analytics and information on data protection can be accessed via the following links: 
google.com/analytics/terms
policies.google.com/privacy

The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. User and event-level data associated with cookies, user IDs (e.g., User ID), and advertising IDs (e.g., DoubleClick cookies, Android Advertising ID, IDFA) will be deleted no later than 14 months after collection.

You can prevent cookies from being saved by adjusting the settings of your browser software accordingly. Please note, however, that if you do so you may not be able to use all the functions of this website without restriction. You can also prevent Google from collecting the data generated by the cookie and analysing your use of the website (including your IP address) and processing this data by Google by downloading and installing the browser plugin available at tools.google.com/dlpage/gaoptout.

b. Meta Pixel

Our Website also uses Meta Pixel, an analytical tool provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Meta Pixel helps us measure the effectiveness of our Facebook and Instagram advertising by tracking the behaviour of the Website visitors. To this purpose Meta Pixel uses cookies and similar technologies.

The tool tracks user behaviour on our website and links the information with the user data of our website visitors on Facebook. 

Since a transfer of personal data by Meta to affiliates and sub-processors to countries outside the EU and EEA is possible, further appropriate safeguards are required to ensure the level of data protection under the GDPR. For the U.S., there is an adequacy decision of the EU Commission pursuant to Art. 45 (1) GDPR regarding companies with certification under the EU-U.S. Data Privacy Framework. Meta Platforms, Inc. is certified under the EU-U.S. Data Privacy Framework and is therefore committed to compliance with adequate data protection standards, which can be verified via the following link: dataprivacyframework.gov/s/participant-search 

For potential transfers to other countries outside the EU and the EEA, for which no adequacy decision of the EU Commission exists, we have concluded standard contractual clauses with the provider in accordance with Art. 46 (2) lit. c GDPR. These oblige the recipient of the data in the country outside the EU to process the data in accordance with the level of protection in Europe.

The terms of use of Meta and information on data protection can be accessed via the following links: 
www.facebook.com/legal/terms  
www.facebook.com/privacy/policy

The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. User and event-level data associated with cookies, user IDs (e.g., User ID), and advertising IDs (e.g., DoubleClick cookies, Android Advertising ID, IDFA) will be deleted no later than 14 months after collection.

You can prevent cookies from being saved by adjusting the settings of your browser software accordingly. Please note, however, that if you do so you may not be able to use all the functions of this website without restriction. You can also manage how Meta collects the data generated by the cookie and analysing your use of the website (including your IP address) and processing this data by Meta as indicated at www.facebook.com/privacy/policies/cookies/ 

c. Linkedin Insight Tag

Our Website also uses Linkedin Insight Tag, an analytical tool provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Linkedin Insight Tag helps us measure the effectiveness of our advertising by tracking the behaviour of the Linkedin members visiting our Website. To this purpose Linkedin Insight Tag uses cookies and similar technologies and collects data,  including the URL, referrer, IP address, device and browser characteristics (User Agent), and timestamp.

The IP addresses are truncated or hashed, and members’ direct identifiers are removed within seven days in order to make the data pseudonymous. This remaining pseudonymized data is then deleted within 180 days.

Since a transfer of personal data by Linkedin to affiliates and sub-processors to countries outside the EU and EEA is possible, further appropriate safeguards are required to ensure the level of data protection under the GDPR. For the U.S., there is an adequacy decision of the EU Commission pursuant to Art. 45 (1) GDPR regarding companies with certification under the EU-U.S. Data Privacy Framework. Linkedin Corporation is certified under the EU-U.S. Data Privacy Framework and is therefore committed to compliance with adequate data protection standards, which can be verified via the following link: dataprivacyframework.gov/s/participant-search 

For potential transfers to other countries outside the EU and the EEA, for which no adequacy decision of the EU Commission exists, we have concluded standard contractual clauses with the provider in accordance with Art. 46 (2) lit. c GDPR. These oblige the recipient of the data in the country outside the EU to process the data in accordance with the level of protection in Europe.
The terms of use of Linkedin and information on data protection can be accessed via the following links: linkedin.com/legal/user-agreement   
linkedin.com/legal/privacy-policy

You can prevent cookies from being saved by adjusting the settings of your browser software accordingly. Please note, however, that if you do so you may not be able to use all the functions of this website without restriction. You can also manage how Linkedin collects the data generated by the cookie and analysing your use of the website (including your IP address) and processing this data by Linkedin as indicated at:
linkedin.com/psettings/guest-controls/retargeting-opt-out  

4. Donations via FundraisingBox 

We process the data you enter in the donation input mask on the website in order to process the payment of donations by you via the donation platform fundraisingbox.com, embedded in the website. The platform is operated by Wikando GmbH, Schießgrabenstr. 32, 86150 Augsburg,Germany. The information you enter in the donation input mask is transmitted to fundraisingbox.com by clicking on the "Donate Now!" button and is processed to complete your donation using the chosen payment method and to issue a donation receipt.

The legal basis for the above mentioned processing is Art. 6 para. 1 lit. b GDPR.Further information on the handling of personal data in connection with the fundraisingbox.com plugin can be found here: fundraisingbox.com/privacy

5. Contacting Kiron

If you have any questions or remarks, we offer you the opportunity to contact us by email or per post at the contacts indicated here.

a. Data collected and legal basis

When you contact us through the Website we may collect and process personal information from you, including but not limited to:

  • Name
  • Email adress
  • Any other information you voluntarily provide contacting us

We process your personal information you have transmitted on the basis of Article 6 para. 1 s. 1 lit. (f) GDPR. Our legitimate interest is to answer your questions and inquiries.

Your personal information will be stored in accordance with applicable laws and kept as long as needed to carry out the purposes described in this section, or as otherwise required by applicable law. Generally this means your personal information will be kept for the duration of the inquiry process plus a reasonable period of time on a case by case basis.

b. Access to Data and Transferal 

We will not transfer your personal data to any external third party, except for the purpose of managing our correspondence with you, where we may work with a specialised provider contracted by us (s. Sect. D, para b). 

C. Kiron Newsletter 

Via our website you can also register for our Newsletter. In this case, you will have to confirm your consent to receiving a newsletter with information about Kiron. 

a. Data collected and legal basis

We collect your name and email address so that we can deliver the requested periodical email newsletter from Kiron to you. No other data is collected for the purpose of sending the newsletter. We use the so-called double opt-in procedure for sending the newsletter. This means that we will not send you our newsletter by email until you have expressly confirmed that you agree to the dispatch of newsletters. In the first step, you will receive an email with a link to confirm that you, as the owner of the corresponding email address, would like to receive the newsletter in the future. With the confirmation you give us your consent according to Art. 6 para. 1 s.1 lit. (a) GDPR that we may use your personal data for the purpose of the desired newsletter dispatch.

When registering for the newsletter, in addition to the email address required for sending the newsletter, we store the IP address via which you have registered for the newsletter as well as the date and time of registration and confirmation so that we can trace any possible misuse at a later point in time.

b. Retention and Deletion

You can, of course, unsubscribe from the newsletter at any time via email privacy@kiron.ngo, or, better, by following the instructions provided at the bottom of each newsletter. After unsubscribing, your email address will be immediately removed from the system handling the newsletter.

c. Access to Data and Transferal 

Your name and email address will be stored on Kiron’s secured server (s. Section A, para. 4, subpara. a. and b). Within Kiron, only those departments will have access to your data that need it to carry out the mailing of the Newsletter.

Our email newsletters are sent via a technical service provider to whom we pass on the data you provide when you register for the newsletter. This forwarding is carried out in accordance with Art. 6 para. 1 s. 1 lit. (f) GDPR and serves our legitimate interest in the use of an effective, secure and user-friendly newsletter system. The data you enter to subscribe to the newsletter (e.g. email address) will be stored on servers located in the EU.

The service provider uses this information for the dispatch and statistical evaluation of the newsletter on our behalf. For evaluation purposes, the emails sent contain so-called web beacons or tracking pixels, which are one-pixel image files stored on our website. In this way it can be determined whether a newsletter message was opened and which links were clicked on, if applicable. Conversion tracking can also be used to analyse whether a predefined action (e.g. purchase of a product on our website) was carried out after clicking on the link in the newsletter. Technical information is also collected (e.g. time of access, IP address, browser type and operating system). The data is only collected pseudonymously and is not linked to your other personal data, a direct personal reference is excluded. This data is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients.

If you wish to object to the data analysis for statistical evaluation purposes, you must unsubscribe from the newsletter.

We have concluded an order processing contract with our email service provider in which we oblige him to protect our customers' data and not to pass it on to third parties.

Email service provider:Service provider: Mailjet by SinchAddress: Mailjet SAS,13-13 bis, rue de l’Aubrac, 75012 Paris, France www.mailjet.com

A transfer to other third parties may only take place with your consent (Art. 6 para. 1 s. 1 lit. (a) GDPR) or if we are legally obliged to do so in individual cases (Art. 6 para. 1 s. 1 lit. (c) GDPR). 

D.  Communication with Partners

a. Salesforce 

We use the services of Salesforce.com Germany GmbH for building and managing our relationship with external partners and potential partners and for communicating with them. Salesforce is a software company based in Germany, subsidiary of a holding based in the USA. We use this integrated software solution as a CRM and for communication purposes. With the Salesforce Sales email extension, we log emails sent from outside of Salesforce to the CRM automatically.

The legal basis for this processing is our legitimate interest in maintaining contacts made in the course of business transactions beyond the initial contact and in using them to establish business relationships and to remain in contact with the persons for this purpose according to Art. 6 para. 1 s. 1 lit. (f) GDPR.

We have concluded a Data Processing Agreement with the service provider in which we oblige it to protect the data of our customers and not to pass them on to third parties. 

Since a transfer of personal data by Salesforce to affiliates and sub-processors to countries outside the EU and EEA is possible, further appropriate safeguards are required to ensure the level of data protection under the GDPR. For the U.S., there is an adequacy decision of the EU Commission pursuant to Art. 45 (1) GDPR regarding companies with certification under the EU-U.S. Data Privacy Framework. Google LLC is certified under the EU-U.S. Data Privacy Framework and is therefore committed to compliance with adequate data protection standards, which can be verified via the following link: dataprivacyframework.gov/s/participant-search 

For potential transfers to other countries outside the EU and the EEA, for which no adequacy decision of the EU Commission exists, we have concluded standard contractual clauses with the provider in accordance with Art. 46 (2) lit. c GDPR. These oblige the recipient of the data in the country outside the EU to process the data in accordance with the level of protection in Europe.

The terms of use of Salesforce and information on data protection can be accessed via the following links: 

salesforce.com/company/legal/sfdc-website-terms-of-service 
salesforce.com/company/legal/agreements  
salesforce.com/de/company/privacy

b. Slack Connect

We use the services of Slack Connect for communicating with external partners, a product of Slack Technologies Inc. based in USA, which is a Salesforce Inc. company. 

The legal basis for this processing is our legitimate interest in maintaining contacts made in the course of business transactions beyond the initial contact and in using them to establish business relationships and to remain in contact with the persons for this purpose according to Art. 6 para. 1 s. 1 lit. (f) GDPR.

We have concluded a data processing agreement with Slack. Since a transfer of personal data by Slack to affiliates and sub-processors to countries outside the EU and EEA is possible, further appropriate safeguards are required to ensure the level of data protection under the GDPR. For the U.S., there is an adequacy decision of the EU Commission pursuant to Art. 45 (1) GDPR regarding companies with certification under the EU-U.S. Data Privacy Framework. Google LLC is certified under the EU-U.S. Data Privacy Framework and is therefore committed to compliance with adequate data protection standards, which can be verified via the following link: dataprivacyframework.gov/s/participant-search 

For potential transfers to other countries outside the EU and the EEA, for which no adequacy decision of the EU Commission exists, we have concluded standard contractual clauses with the provider in accordance with Art. 46 (2) lit. c GDPR. These oblige the recipient of the data in the country outside the EU to process the data in accordance with the level of protection in Europe.

The terms of use of Slack and information on data protection can be accessed via the following links: app.slack.com/trust/compliance/gdpr
slack.com/intl/en-gb/main-services-agreement
slack.com/intl/en-gb/trust/privacy/privacy-policy

E. Applying for a Position at Kiron

You can apply for one of the open positions at Kiron through our website by sending us an email as indicated here.

This section describes how Kiron handles your personal information when you apply for a job, an internship, a volunteer role or another position with us (“Position”) and the rights you have in connection with that information. The term “Candidates” is used in this section to refer to anyone who applies for any Position specified in our Career web page, or who otherwise seeks to work with or for us (whether on a permanent or non-permanent basis).

1. Data collected and legal basis

When you apply for a Position at Kiron, we may collect certain information automatically, from you personally, or from third party sources.

a. Information we may collect automatically

You can visit the Careers page of our website and navigate through the open positions without providing personal information. However, we do collect certain information automatically from your device when you visit our website. For further information, please see section B of this Privacy Policy.

b. Information we may collect from you

We only process such data that are related to your application. This can be general personal data (name, address, contact details, etc.), information on your professional qualifications and schooling, information on further professional training and, if applicable, other data that you provide us with in connection with your application.

As a general rule, during the recruitment process, we try not to collect or process any Special Categories of Personal Data (as defined in Art. 9 para. 1 GDPR) unless authorized by law or where necessary to comply with applicable laws. However, in some circumstances, we may need to collect, or request on a voluntary disclosure basis, some Special Categories of Personal Data for legitimate recruiting-related purposes. For example, information about your physical or mental condition may be collected in order to consider accommodations we need to make for the recruitment process and/or subsequent job role.

You may provide, on a voluntary basis, other information including Special Categories of Personal Data during the recruiting process.

c. Information we may collect from other sources

We may collect some or all of the following personal information from other sources (in each case where permissible and in accordance with applicable law) when you apply for a role with Kiron:

  • References provided by referees;
  • Other background information provided or confirmed by academic institutions and training or certification providers;
  • Information provided by background checking agencies and other external database holders (for example criminal records, credit reference, professional / other sanctions registries);
  • Information provided by recruiting or executive search agencies; and
  • Information collected from publicly available sources, including any social media platforms you use or other information available online.

We may also receive personal data from applicants via the platform Join, a service of Join GmbH, Klausenerstraße 10a, 39112 Magdeburg, Germany.

We process your personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), insofar as this is necessary for the decision on the establishment of an employment relationship with us. The legal basis is Art. 88 GDPR in conjunction with Art. 26 BDSG for the purposes of the employment relationship, if this is necessary for the decision on the establishment of an employment relationship.

Furthermore, we may process your personal data if this is necessary to fulfill legal obligations (Art. 6 para. 1 s. 1 lit. (c) GDPR) or to defend or assert legal claims. The legal basis for this is Art. 6 para. 1 s. 1 lit. (f) GDPR. The legitimate interest is, for example, a duty of proof in proceedings under the General Equal Treatment Act (AGG).

If you give us express consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent pursuant to Art. 6 para. 1 s. 1 lit. (a) GDPR. Any consent granted can be revoked at any time with effect for the future 

If an employment relationship arises between you and us, we may, in accordance with Art. 88 GDPR in conjunction with Art. 26 BDSG, further process the personal data already received from you for the purposes of the employment relationship, insofar as this is necessary for the implementation or termination of the employment relationship or for the exercise or fulfilment of the rights and obligations of employee representation arising from a law or a collective agreement, works or service agreement (collective agreement).

2. Retention and Deletion

In case you are selected for a position at Kiron, the information collected during the recruiting process will be processed in accordance with applicable law, including any privacy notice for employees, a copy of which will be provided when you are on-boarded as an employee, intern, or volunteer, as applicable, or through Kiron’s internal staff communications channels.

If you are not successful, we will keep your application for a maximum period of six months, after which your personal information will be deleted or anonymised. We might keep it for a longer period, in which case we will ask for your consent first.

3. Access to Data and Transferal 

Within Kiron, access to your personal information is reserved only to those departments and employees that need it to carry out their tasks and duties and that are directly involved in the selection process. If you apply for a position related to the activities carried out by our office in Jordan, we may share your personal information with the Jordan office, which will process your data exclusively in accordance with and for the purposes stated in this Privacy Policy.

If you have any questions about the processing of your data, you may address them to the person managing the recruiting process or contacting us as specified in Section 1. You can find an overview of your rights in Section G.

F. Kiron Campus

The purpose of Kiron is to offer courses through an online learning platform called Kiron Campus (“Campus” or “Platform”). In this section we provide information about how your data is handled and processed on Campus at different stages when you apply to become a student at Kiron (“Student” or “Kiron Student”), when you are a Student and when you stop being a Student. Also this section will describe how your data is processed through the different services that Kiron offers on or via the Platform to its Students.

1. Applying to become a Kiron student

Should you be interested in becoming a Student at Kiron, you can apply and register using the form you will find on Campus, using either your personal email address or third-party application (SSO) such as Google and DAAD/Mein DAAD. 

Google – If you opt to register with an existing Google account,you agree that we will obtain validation of the password from Google. In this case, Google will ask for your permission to share certain information from your Google account with Kiron. This includes your name, your Google email address, your language preference and your profile pictures. This information is collected by Google and made available to us under the terms of the Google Privacy Policy. You can control the information provided to us by Google via your Google activity controls.
DAAD – You can also log in to Kiron with your DAAD ID. In this case DAAD shares certain information from your DAAD account with Kiron. This includes your full name, your email address and DAAD ID. This information is collected by DAAD and made available to us under the terms of the Data Privacy Statement “Mein DAAD”.

When you fill in the form, you agree that the information you give us will be used for the purpose of giving you access to the courses offered by Kiron, helping you succeed with your online studies with Kiron and providing you with the services suiting your situation and needs. In this section we explain which personal information we collect in the application process, for what purpose and how such personal information is processed.

a. Our Policy concerning Minors

We recognize the privacy interests of children. Currently Kiron Campus is not intended to be used by individuals younger than 18 years of age. Individuals that are under the age of 18 may not set up an account as a Student. On Campus we do not collect knowingly data of individuals younger than 18. If we learn that an individual younger than under the age of 18 has set up an account, or that we’ve collected personal data from a minor under that age, we will take reasonable steps to delete the account and the data as quickly as possible.

If you have reason to believe that we may have collected personal data from an individual under that age, you can inform us and you can also submit a request that it be removed to privacy@kiron.ngo.

b. Data Collected and legal basis

The following information is collected by a form on the apply page as part of your application and will later be used to create your account as a Student at Kiron:

  • Personal details: name (first and last name), email address,nationality, country of residence as well as, if you wish to fill in also these details, city of residence, gender, age (birthday), phone number. 
  • Document proving your status as a “refugee”, internally displaced person or as a qualifying member of a host community in Jordan or Lebanon. If applicable , the project you participated into or the organization from which you found out about Kiron

The information gathered in the application process is used to prepare your registration and also to ensure that you are eligible for our free service, by providing some proof of your status as a “refugee”, as an internally displaced person or as a qualifying member of a host community in Jordan or Lebanon. 

We collect this data to provide you access to our online courses and to optimize our services and guidance for you. This may include e.g. information on specialized programs for female students (“gender”) and additional student services (for instance those indicated in the following paragraphs). If consent is given, the legal basis for data processing is Art. 6 para. 1 s. 1 lit. (a) GDPR or Art. 6 para. 1 s. 1 lit. (b) GDPR, insofar as the processing is necessary for the provision of the requested services.

Your Status

Kiron’s student services are targeted primarily at refugees. In addition, we accept internally displaced people and eligible members of host communities in Jordan and Lebanon. We must therefore assess your eligibility. The respective documents uploaded by you are safely stored separately from your account information. 

c. Retention and Deletion

Should an application not meet the minimum requirements to become a Kiron Student our support team will reach out to the applicant to clarify and evaluate if eligibility might still be possible (e.g. by providing additional documents). Until your application is deemed to meet all requirements, you may have access to Campus but possibly not to all courses and services.

Successful applicants will be notified by email and the information they have provided will be converted into a Kiron Student profile as the basis for the relationship between the Student and Kiron. In the event that an application is not accepted, all registration data will be deleted promptly.

d. Access to Data and Transferal

Within Kiron, until the applicant has been accepted, only the employees at Kiron in charge of reviewing applications will have access to the data provided with the application. All data is stored and processed on Kiron’ secure server infrastructure hosted by SysEleven. During the application process and until you have been accepted as a Student, we will not transfer your data to any external party. 

2. Being a Kiron Student: Your Student Profile 

When your application is successful, regardless whether you have enrolled with a Google gmail account or another email address, your profile will be set up on Campus as Kiron Student. 

Students that have enrolled on Campus before this Privacy Policy has been published might have been assigned an email account with an address ending in @students.kiron.ngo. This account will be maintained by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") and administered by Kiron as part of their Google-for-Nonprofits program. Effectively, the account entails a number of functions, which are part of Google Workplace. These email addresses are still active and the provisions hereunder apply to such email accounts as well.

a. Data Collected and legal basis 

The following information is collected when you log-in and use your student account:

  • login and usage logs
  • all personal information and data you may choose to upload to your student account or which is included in the material you may upload – including profile pictures, emails sent and received, files, videos, etc.

If consent is given, the legal basis for data processing is Art. 6 para. 1 s. 1 lit. (a) GDPR or Art. 6 para. 1 s. 1 lit. (b) GDPR, insofar as the processing is necessary for the provision of the requested services.The log files will be processed for the purpose of ensuring a smooth and stable connection of the Platform and a comfortable use of our Platform for the students as well as to evaluate the system security and stability and for other administrative purposes. The legal basis for data processing is Article 6 para. 1 s. 1 lit. (f) GDPR. Our legitimate interest follows from the purposes listed above for data collection. 

b. Retention and Deletion

The log files may be retained until their storage is required for the above-mentioned purposes. So, generally login logs are not deleted but are anonymised when the Student requests deletion of their account (s. para 9); HTTP request logs are deleted on a regular basis, at the latest upon the next deploy on Campus, at least every two weeks.

All personal information and data you may have uploaded to your profile will be removed either when you delete it from your account or at latest when you will cease being a Kiron Student. For the deletion process see para 9 below.

c. Access and Transferal 

Your student profile on Campus is administered by Kiron. Kiron may access your profile or review the information stored therein for the purposes of providing and improving the services on Campus. Furthermore, Kiron administrators have the ability to reset an account password upon explicit request by the Student. 

All your data is stored on secured servers (S. above Section A 4). Within Kiron, access to your personal information is granted only to those departments and employees that need it to carry out their tasks and duties related to the functions of the Platform and the provision of the services on the Platform. Certain employees from our Jordan office may have access to the data, in which case they will process your data exclusively in accordance with and for the purposes stated in this Privacy Policy.

Only for those Students that still have a @students.kiron.ngo account, the following applies:

Google Workplace employs automatic security mechanisms such as spam filters, login and usage logs and safety warning mechanisms. Kiron’s administrators have the possibility to view automatically collected logging information which are part of Google Workplace security and audit features. For more information about the security mechanism of Google Workplace please see workspace.google.com/faq

To use this service you will need to agree to Google’s terms of service (www.google.com/intl/en/policies/terms) and privacy policy (www.google.com/policies/privacy).

All information and data you chose to upload to your G Suite account – including profile pictures, emails sent and received, files, videos, etc. – is processed automatically by Google in one of their secure data centers. We have concluded a data processing agreement with Google G Suite. Through the use of G Suite, personal data may be transferred to the USA. In order to ensure an adequate level of data protection in accordance with the provisions of the GDPR, we have concluded standard contractual clauses with the provider in accordance with Art. 46 Para. 2 lit. c GDPR.

For further information see: apps.google.com/faq/security and cloud.google.com/security/whitepaper 

3. Being a Kiron Student: Studying on Campus

As a Kiron Student you have the possibility to study, following courses on different topics as well as language courses. Also, you are given access to a number of services and functionalities of the Platform, which may include:

  • providing an overview and specific recommendations for free online courses (Massively Open Online Courses “MOOC”), which may match your interests and your goals;
  • provide access and transfer to MOOC-platforms (such as Coursera etc.)
  • providing information about our products and recent developments at Kiron
  • inviting you to Student Events
  • providing you with mentoring services
  • providing you with tutorials and classes as live sessions
  • offering the possibility for exchange and communication between students

We will need to collect personal information for some or all of these purposes. This section will explain which data is collected and how it is processed for these purposes. The information contained in this section applies to all purposes unless it is specified otherwise or more in detail in one of the following sections.

a. Data Collected and legal basis 

Kiron may collect, process and use the content and other information Students provide when accessing the Platform and using the services provided thereon, including the data submitted for signing up for a service (s. Section F 1.a.), creating or sharing content, and messaging or communicating with others on the website. Such information may include:

  • name
  • nickname
  • email address
  • gender
  • country of residence
  • city
  • date of birth
  • nationality
  • phone number
  • status as refugee, internal displaced person or qualifying member of a host community in Jordan or Lebanon  and related documentation

Your data will be processed for the purpose of ensuring that Students access the Platform and to all services for the Students, to provide for an efficient, unhindered and comfortable use of the Platform, and to constantly improve the Platform and the services offered to the Students. If consent is given, the legal basis for data processing is Art. 6 para. 1 s. 1 lit. (a) GDPR or Art. 6 para. 1 s. 1 lit. (b) GDPR, insofar as the processing is necessary for the provision of the requested services.

Contacting Students

For contacting Students (i.e. information about campaigns, course reminders, etc.) Kiron uses a technical service provider to whom we pass on your email address you provide when you register for Kiron. This forwarding is carried out in accordance with Art. 6 para. 1 s. 1 lit. (f) GDPR and serves our legitimate interest in the use of an effective, secure and user-friendly communication. Your email address will be stored on servers located in the EU.

We have concluded an order processing contract with our email service provider in which we oblige him to protect our customers' data and not to pass it on to third parties.
Email service provider:
Service provider: Mailjet
Address: Mailjet SAS,13-13 bis, rue de l’Aubrac, 75012 Paris, France
Privacy policy: www.mailjet.com/privacy-policy

Student Events

Kiron periodically organizes events for its Students and may collect specific information to facilitate the organization of such events. The participation in such events is optional and the information provided by you is used only for the organization of the specific event. Kiron may keep a record of which Students participated at Student Events. The legal basis for data processing is Art. 6 para. 1 s. 1 lit. (b) GDPR, insofar as the processing is necessary for the provision of the requested services.

Certificate of Enrollment

Kiron may provide you with a non-legally binding document which says that you are enrolled at Kiron. We may ask you about the purpose of the request and will use this information for statistics, in which case we will ask for your consent and your data will be anonymised, and to help us identify students with the potential to transfer to a university. 

Community page

From time to time on the Community page on Campus we publish links to interesting opportunities to support you with your goals. The opportunities are provided by independent third parties and organizations. In these cases the data protection provisions of the respective website operator applies and we recommend that you obtain information on the respective website how your personal data is collected and processed.  

b. Retention and Deletion

Your data and personal information will be removed from the Platform when you will cease being a Kiron Student. For the deletion process see para 9 below.

c. Data Access and Transferal

All your data is stored on secured servers (S. above Section A, para 4). Within Kiron, access to your personal information is granted only to those departments and employees that need it to carry out their tasks and duties related to the functions of the Platform and the provision of the services on the Platform. Certain employees from our Jordan office may have access to the data, in which case they will process your data exclusively in accordance with and for the purposes stated in this Privacy Policy.

We may use the support of external services in order to provide certain services to you or to contact you:

i. Location Data

Kiron will provide specific offers based on the country or city you are currently located. Kiron needs to know in which country you are currently located in order to offer these services. Additionally, you may provide your current city in order to further allow for tailoring of services.

ii. Zendesk 

Our Student communications, Support Ticketing system, Support Portal, Live Chat and Knowledge Base, Feedback and suggestions section are using a software solution by Zendesk Inc., 989 Market Street #300, San Francisco, CA 94102, USA. We have concluded a data processing agreement with Zendesk. Through the use of Zendesk, personal data may be transferred to the USA. In order to ensure an adequate level of data protection in accordance with the provisions of the GDPR, Zendesk has Binding Corporate Rules according to Art. 47 GDPR.

The legal basis for the use of this service is our legitimate interest according to Art. 6 para. 1 s. 1 lit. (f) GDPR. Our legitimate interest in the use of this service is to be able to answer user enquiries quickly and efficiently.

Data including email contact information, IP-address logs as well as email content is stored on servers hosted within the European Union in compliance with European GDPR. More information: zendesk.com/company/customers-partners/privacy-and-data-protection

iii. Contact and additional Information via phone, email and other means

Kiron may keep in contact with you or send you updated information via email or other messaging services for which the respective contact details are used.

These services include:

  • WhatsApp Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland: For certain services we may also ask you to communicate through WhatsApp Messenger service. Therefore your name and telephone number will be required. You will be asked for your specific consent to communicate via WhatsApp.
    More information: whatsapp.com/legal/#privacy-policy 
  • Facebook Groups: May be used for recruiting purposes and for the organization of student events. 
    More information: facebook.com/policy.php
  • Telegram: May be used to create and coordinate Student groups and communicate with group members.
    More information: telegram.org/privacy
  • Mattermost: We use Mattermost as our chosen platform for communicating with students.
    More information: mattermost.com/privacy-policy

We may use the contact services indicated to send you messages that may include information about our products and recent developments or to create and coordinate Student groups about specific topics, interests and events. We may also contact you in case of questions in connection with the Kiron platform, as well as to inform you on changes with regard to this Privacy Policy or any other Terms of Services. 

iv. Other disclosures

Other than in the aforementioned cases Kiron will not transmit your personal data to any third parties, unless we are obliged to do so because of German legal regulations (e.g. disclosure to courts or law enforcement authorities), you have given us your explicit consent, or the disclosure is permitted by law. A disclosure may for example be permitted when such disclosure is required for us to be able to render our services to the user on the Kiron platform.

4. Being a Kiron Student: Data Analysis for Scientific Purposes

Kiron may analyze the data collected from its Students for scientific purposes in order to conduct academic surveys and research, such as evaluating key performance indicators, social impact and scientifically analyze the services offered on the Platform. 

a. Data Collected and legal basis

Such research will be conducted by Kiron or its research partners either in accordance with the respective legislation, using anonymized and pseudonymised data, whenever possible, or after you have explicitly consented to be part of such research. If consent is given, the legal basis for data processing is Art. 6 para. 1 s. 1 lit. (a) GDPR.

b. Retention and Deletion

The data and personal information collected for research purposes will be either anonymised or removed from the server where it is stored when you will cease being a Kiron Student. For the deletion process see Section 10 below.

c. Access and Transferal

The data selected for research purposes is copied and stored on a separate server environment, which is dedicated to research only, on Kiron’s secure data servers. Only certain Kiron’s selected employees are authorized to access this data. 

5. Being a Kiron Student: Cooperation with External Partners

As a Kiron Student you will be granted access to different free online courses on different topics, which are offered by external partners (“External Partners”; e.g. MOOC providers like Coursera, language courses providers like Inlingua). You can access these courses through Campus.

a. Exchange of Data with External Partners

In certain cases we will have to provide our External Partners with certain personal data in order to inform the partner that you are a Kiron Student and to identify you so that the External Partner will grant you access to its services. This is the case for instance of the MOOC provider Coursera.

In some cases you are redirected to the External Partner’s platform or website, where you should login with your Kiron Student account in order to come in favor of full functionality of these websites. Such websites and platforms are governed by their own separate privacy policies and terms of services, which you will have to accept in order to be able to use the services offered by the websites. Information about the data collected by such websites, how such data is processed, the purpose and legal basis of processing, your rights and other relevant data related information is specified in the respective privacy policies of the External Partners. 

Furthermore, Kiron may receive information about the users and their activities (e.g. participation and completion of courses and programs) on and off the service from the External Partners.

b. Data Collected and legal basis

Depending on the partner and of the services, we may share the data strictly necessary as requested by the External Partner to identify you and to offer you certain courses and services, such as:

  • name
  • email address
  • date of birth
  • country of origin
  • Spoken language(s)

If consent is given, the legal basis for data processing is Art. 6 para. 1 s. 1 lit. (a) GDPR or Art. 6 para. 1 s. 1 lit. (b) GDPR, insofar as the processing is necessary for the provision of the requested services.

External Partners (e.g. a MOOC-partner like Coursera) may share with us such information as

  • the choice of subject
  • study record
  • period of study
  • results of completion
  • your language test results, etc. 
  • attendance

The processing of this information is necessary for the purposes of the legitimate interests in accordance with art. 6 para. 1 s. 1 lit. (f) GDPR.

c. Retention and Deletion

The data and personal information collected for research purposes will be either anonymised or removed from the server where it is stored when you cease being a Kiron Student. For the deletion process see para 9 below.

d. Access and Transferal

The data selected for research purposes is copied and stored on a separate server environment, which is dedicated to research only, on Kiron’s secure data servers. Only certain Kiron’s selected employees are authorised to access this data. 

6. Being a Kiron Student: Communications Channels between Students on Campus

Currently, on Campus Students have the possibility to chat and communicate with other Students through a Community page. Also, if you registered as a Student in the past and received a students.kiron.ngo account, Kiron has offered to you the possibility to register for and participate in our internal discussion forum (“Forum”) based on the Discourse platform. The Forum remains only accessible via login with such email address granted by Kiron. 

Forum and the Community page (“Channels”) are meant to exchange your experience with other students or with members of the team at Kiron. Using the Channels is optional and if you opted to join, Kiron created an account for you. 

a. Data collected and legal basis

Kiron may collect, process and use the content and other personal information Students may provide when accessing and being active on the Channels. Such information may include:

  • login and usage logs
  • name
  • email address
  • profile image
  • all personal information and data you may share on the Channels.

If consent is given, the legal basis for data processing is Art. 6 para. 1 s. 1 lit. (a) GDPR or Art. 6 para. 1 s. 1 lit. (b) GDPR, insofar as the processing is necessary for the provision of the requested services.

The mentioned data will also be processed for the purpose of ensuring a comfortable use of our the Channels for Kiron Students as well as to evaluate the system security and stability and for the purpose of moderating the Channels and ensure that no inappropriate content is uploaded which violates the Channel or the Forum’s code of conduct. The legal basis for data processing is Art. 6 para. 1 s. 1 lit. (f) GDPR. Our legitimate interest follows from the purposes listed above for data collection. 

b. Retention and Deletion

Your data and personal information will be removed from the Channels either when you delete it from your account and correspondence or at latest when you will cease being a Kiron Student. For the deletion process see para 9 below.

c. Data Access and Transferal

At Kiron, only employees that are authorised to administer and / or moderate the Channels will have access to your data on the Channels . However you need to be aware that content you provide within the Channels may be accessed by a larger audience of other Students, who register on the Channels and join the groups or channels, on which you share information. 

The Channels are not accessible by any external search engines, such as Google or Bing, or by any other third parties other than those mentioned herein, if any. 

7. Being a Kiron Student: Mentoring

Kiron offers its Students the possibility to use an online counseling service, which is provided in partnership with Mentorink (www.mentorink.com). If you want to use this service you will create a separate user account on Mentorink’s website. The way your data is collected and processed by Mentorink is specified in Mentorink’s Policy on their website, for any information in this respect you can go to mentorink.com/privacy-policy.

a. Data collected and legal basis

When you show interest and when you attend the counseling service, we will collect the following data:

  • Name
  • Email address
  • Place of residence
  • Form of first contact (e.g. via mail, event)
  • Registration date
  • Dates of all mentoring sessions or no-show
  • Additional comments if needed (e.g. if a student has special preferences)
  • Any other information you may decide to share with us.

The mentioned data will be collected and processed for the purpose of facilitating your registration with Mentorink, to provide you the mentoring service and to support and assist you when you participate in this mentoring service. We will collect this data only subject to your explicit consent. The legal basis for data processing is Art. 6 para. 1 s 1 lit. (a) GDPR. Also, we may collect information about the attendance to the sessions for statistical purposes and to evaluate the usage and effectiveness of this service. In this case the legal basis for data processing is Article 6 para. 1 lit. (f) GDPR. Our legitimate interest follows from the purposes listed above for data collection. In no case we will receive any information about the content of the counseling sessions, which will remain fully confidential. 

b. Retention and Deletion

All the personal data related to the mentoring process is stored on Kiron’s space on the Mentorink’s platform, and / or in our Backend, in a separate section dedicated to this purpose. In case you contacted us through the email student-support@kiron.ngo, some data and information you may have provided may be stored on our customer relationship management system Zendesk. The data will be removed from Mentorink, from the Backend and from Zendesk when you cease being a Kiron student (S. para 9 below).

c. Data Access and Transferal

Only Kiron employees with authorization can access Kiron’s space on the Mentorink platform and the specific section of the Backend, where your personal information about the counseling service is held. Also Mentorink’s administrators may access the reserved space on Mentorink platform solely for the purpose to ensure the functionality of the platform. No data collected in the context of this purpose will be made available to third parties, other than to Mentorink.

8. Being a Kiron Student: Live Sessions Tutorials

Kiron offers its Students the possibility to attend tutorials on topics of their interest with Kiron’s volunteer staff. This service is offered to Students upon their request. In order to support you and to connect you as a Student with the suitable tutor, we may collect specific data and we may ask for your approval to communicate with tutors.

a. Data collected and legal basis

When you show interest and when you attend the live sessions tutorials, we will collect the following data:

  • Name
  • Email address
  • Telephone number (optional)
  • Your personal interests for the tutorials 

The mentioned data will be collected and processed for the purpose of organising and facilitating your attendance of tutorials and to support and assist you when you participate in this service. We will collect this data only subject to your explicit consent. The legal basis for data processing is Article 6 para. 1 lit. (a) GDPR. Also, we may collect information about the attendance to the tutorial sessions for statistical purposes and to evaluate the usage and effectiveness of this service. In this case the legal basis for data processing is Article 6 para. 1 lit. (f) GDPR. Our legitimate interest follows from the purposes listed above for data collection. In no case we will receive any information about the content of the tutorial sessions, which will remain fully confidential. 

b. Retention and Deletion

All the personal data related to the tutoring process is stored in our Backend in a separate section dedicated to this purpose. The data and information you have sent to the e-mail student-support@kiron.ngo, may be stored on our customer relationship system Zendesk. We may retain the data collected for the purposes of this service also on digital files which will be stored in a dedicated section of our Google Drive system.

The data will be removed from the Backend, from Zendesk and from Drive when you cease being a Kiron student (S. para 9 below).

9. Ceasing being a Kiron Student

You may terminate your membership with the Kiron Platform at any time. For this purpose please send an email to student-support@kiron.ngo. Further to your request of deletion: 

  • Your Student account will be removed from our platform and live systems within a maximum of 30 days.
  • Data related to your account may remain in our backup systems for a period of time but will be irreversibly deleted or anonymised after 12 months at the latest.
  • All your personal data and references to you will be completely anonymized with the exception of the data, for which a legal requirement to retain exists.
  • Your profile in our forum (forum.kiron.ngo) will be anonymized. Any content you contributed to the forum, however, will remain, unless specifically deleted by you, and will be deleted after a maximum period of 12 months.
  • Upon account deletion, if you have received a students.kiron.ngo account provided by Kiron, this will be closed including  the email box and the Drive cloud storage and all information will be deleted from Google’s and Kiron’s servers. The data cannot be recovered once it is deleted. 

G. Social Media Links 

1. Introduction and general information about data processing 

Data Privacy is a very important issue for us and we hold the protection of your personal data in very high esteem. In this chapter we inform you how your personal data, that is collected when you use our Social Media Channels on social networks and plattform, is processed. Your data is processed in accordance with the applicable laws and regulations. 

a. General information on the responsible body

The controller named at the beginning of this privacy policy (hereinafter referred to as "we/us") operates websites or "fan pages" on various social media platforms. We are jointly responsible for the processing of your personal data in connection with your visit to our presence or our "fan page" on the Facebook, Instagram and LinkedIn platforms with the operators of the respective platform named here under i), insofar as they provide us with aggregated information about visitors to our fan page or our presence ("Insights"). Detailed information on the scope of processing under joint responsibility in relation to the respective providers can be found in the second section of this privacy policy.

i. Joint Responsibility 

The platform operator for Facebook and Instagram is Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour Dublin 2, a subsidiary of Meta Platforms, Inc, 1601 Willow Rd Menlo Park, CA 94025-1452, USA. The operator of the LinkedIn platform is: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, a subsidiary of LinkedIn Corporation, 1000 W Maude Ave Sunnyvale, CA, 94085-2810 USA.

We have concluded an agreement with the operators in accordance with Art. 26 GDPR on joint responsibility for the processing of your personal data (Controller Addendum) with regard to Facebook. This agreement specifies which data processing operations we or the respective operator are responsible for when you visit our fan page or our presence on the platform of the respective operator. You can view this agreement at the following link:

Facebook: facebook.com/legal/terms/page_controller_addendum
LinkedIn: legal.linkedin.com/pages-joint-controller-addendum

ii. Own responsibility of the platform provider

If your personal data is processed by one of the providers of social media platforms listed below, this processing is the responsibility of the platform operator within the meaning of Art. 7 No. 4 GDPR. For the assertion of your rights as a data subject, we would like to point out that these can be asserted most effectively with the respective providers. Only they have access to the data collected from you. If you still need help, please feel free to contact us at any time.

  • Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland
  • Instagram, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour Dublin 2, Irland 
  • YouTube, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland 
  • TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Irland

b. Data transfer and recipients. Data transfer to third states 

If we pass on personal data to the providers of social media platforms, the latter are recipients of the data within the meaning of Art. 4 No. 9 GDPR. As personal data is transferred to countries outside the EU and the EEA (including the USA) when visiting and interacting with the social media platforms we use, further protective mechanisms are required to ensure the level of data protection under the GDPR.

  • Facebook: Meta Platforms, Inc. is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: dataprivacyframework.gov/s/participant-search. For potential transfers to other third countries outside the EU and the EEA for which there is no adequacy decision by the EU Commission, the provider states that it uses standard data protection clauses in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the third country to process the data in accordance with the level of protection in Europe, see here: de-de.facebook.com/privacy/policy/
  • LinkedIn: according to its privacy policy, it takes appropriate measures for third country transfers, including in particular standard data protection clauses, to ensure an adequate level of data protection in accordance with the requirements of the GDPR for data transfers to the USA or other third countries outside the EU: linkedin.com/help/linkedin/answer/a1343190?trk=microsites-frontend_legal_privacy-policy&lang=de

In cases where providers process your personal data under their own responsibility (para 1, sub-para a. ii.), we have no influence on the processing of this data by the provider and their handling of this data (at least after transmission of the data). For further information, please check the privacy policy of the respective provider and, if necessary, use the opt-out / personalization options with regard to data processing by the provider:

  • X (previously named Twitter) 
    - Privacy policy: twitter.com/de/privacy 
    - Opt-out: twitter.com/personalization 
    - According to the privacy policy, X uses standard data protection clauses to ensure an adequate level of data protection in accordance with the requirements of the GDPR for data transfers to the USA or other third countries outside the EU for which there is no adequacy decision by the EU Commission: twitter.com/de/privacy
  • Instagram 
    - Privacy policy/Opt-out: instagram.com/about/legal/privacy 
    - Instagram (Meta Platforms Inc.) is certified in accordance with the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: dataprivacyframework.gov/s/participant-search. For potential transfers to other third countries outside the EU and the EEA for which there is no adequacy decision by the EU Commission, the provider states that it uses standard data protection clauses in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the third country to process the data in accordance with the level of protection in Europe, see here instagram.com/about/legal/privacy
  • YouTube/Google 
    - Privacy policy: policies.google.com/privacy?hl=de&gl=de
    - Opt-out: adssettings.google.com/authenticated
    - Google (Google LLC) is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: dataprivacyframework.gov/s/participant-search. For potential transfers to other third countries outside the EU and the EEA for which there is no adequacy decision by the EU Commission, the provider states that it uses standard data protection clauses in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the third country to process the data in accordance with the level of protection in Europe, see here policies.google.com/privacy?hl=de&gl=de
  • TikTok
    - Privacy policy / Opt-Out: tiktok.com/legal/page/eea/privacy-policy/de-DE
    - Where available, TikTok relies on an adequacy decision of the EU Commission for the transfer of personal data. Otherwise, according to the privacy policy, standard data protection clauses are used to ensure an adequate level of data protection in accordance with the requirements of the GDPR for data transfers to the USA or other third countries outside the EU. tiktok.com/legal/page/eea/privacy-policy/de-DE (chapter „Unsere globalen Aktivitäten und Datenübertragungen“).

c. Accessing and storing information in terminal equipment (Cookies)

When you visit our Facebook fan page or our other social media sites, one or more cookies are placed on your device by the platform provider. Cookies are small text files that are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or they are automatically deleted by your web browser. 

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or language settings). Other cookies are used to evaluate user behavior or display advertising. 

By interacting with our Facebook fan page or our other social media presences, information (e.g. your IP address) may be accessed or information (e.g. cookies) may be stored in your end devices. This access or storage may involve further processing of personal data within the meaning of the GDPR.

The period of activity or validity of cookies can vary greatly, but you can delete them manually at any time using your web browser settings. If you have any technical questions, please contact the manufacturer of your web browser. Further information on the use of cookies and their legal basis can be found in the respective privacy policy of the provider. Links to the respective privacy policies can be found above under "Data transfer and recipients". If you have any further questions, please contact the provider of the respective social media platform directly.

d. Data processing for research and publicity purposes 

As a rule, personal data is processed on the company page for market research and advertising purposes of the provider of the social media platform. For this purpose, a cookie is set in your browser, which enables the respective provider to recognize you when you visit a website. The provider also carries out a comprehensive analysis of your interactions on the social media platform. The data collected can be used to create user profiles. These are used to place advertisements within and outside the platform that presumably correspond to your interests. Furthermore, data can also be stored in the usage profiles independently of the devices you use. This is regularly the case if you are a member of the respective platforms and are logged in to them. Further information on this can be found in the data protection information of the respective provider.

If you visit or interact with our social media presence, we may receive personal data from you, which we process on our own responsibility in addition to the provider, other than in the cases mentioned in section 2 of this privacy policy. This may be information that you actively provide (comments, likes and information that you make publicly available, such as your profile picture or name).

Collection of information about who has viewed our social media presence: Depending on the provider and your settings on the provider's platform, we may also be informed about who has accessed our presence or page within the platform. 

Our access to the aforementioned data results from the operation of our social media presence; no further processing of this data by us takes place except in the cases mentioned in this privacy policy. We have a legitimate interest in the operation of our social media presence and the associated processing of personal data that you actively publish or make available to us within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the advertising approach as well as in the provision of an effective communication and interaction option with our company.

e. Data processing when contacting us

We collect personal data ourselves when you contact us, for example via a contact form or a messenger service of the respective platform, such as Facebook Messenger. Which data is collected depends on the information you provide and the contact details you provide or share. This data is stored by us for the purpose of processing the request and in the event of follow-up questions. The legal basis for processing the data is our legitimate interest in responding to your request in accordance with Art. 6 para. 1 lit. f GDPR and, if applicable, Art. 6 para. 1 lit. b GDPR if your request is aimed at concluding a contract. Your data will be deleted after final processing of your request, provided that there are no legal storage obligations to the contrary. We assume that processing is complete if it can be inferred from the circumstances that the matter in question has been conclusively clarified.

f. Data Processing to execute a contract 

If your contact via a social network or other platform is aimed at concluding a contract for the delivery of goods or the provision of services with us, we process your data to fulfill the contract or to carry out pre-contractual measures or to provide the desired services. The legal basis for the processing of your data in this case is Art. 6 para. 1 lit. b GDPR. Your data will be deleted if it is no longer required for the performance of the contract or if it is clear that the pre-contractual measures will not lead to the conclusion of a contract corresponding to the purpose of the contact. Please note, however, that it may be necessary to store personal data of our contractual partners even after the conclusion of the contract in order to comply with contractual or legal obligations.

g. Data processing on the basis of consent

If you are asked by the respective providers of the platforms for consent to processing for a specific purpose, the legal basis for processing is Art. 6 para. 1 lit. a., Art. 7 GDPR. Any consent given can be revoked at any time with effect for the future.

2. Processing in joint responsibility with the provider of the Social Media - Plattform

a. Facebook-Fanpage (Insights-functionality)

i. Datenverarbeitung hinsichtlich „Seiten-Insights“ beim Besuch unserer Facebook-Fanpage

When you visit our Facebook fan page, your personal data is processed by Facebook as the operator of the platform and by us as the operator of the fan page. Insofar as this data processing takes place in connection with the Insights functionality of Facebook (Meta Platforms Ireland Ltd. or Meta Platforms Inc.), we are jointly responsible with Facebook (Art. 26 para. 1 GDPR).

Page Insights (facebook.com/business/a/page/page-insights) is a function provided by Facebook that allows the operator of a Facebook fan page (us) to receive summarized data about the interaction of visitors. 

Page Insights can be based on personal data that is collected in connection with a visit or interaction of people on or with our page and in connection with the content provided. Please note which personal data you share with us via Facebook. Your data may be processed for market research and advertising purposes, even if you are not logged in to Facebook or do not have a Facebook account. For example, user profiles can be created from user behavior and the resulting interests of users. The user profiles can in turn be used, for example, to place advertisements inside and outside the platforms that presumably correspond to the interests of the users. The user profiles can in turn be used, for example, to place advertisements inside and outside the platforms that presumably correspond to the interests of the users. This data collection takes place via cookies that are stored on your end device. Furthermore, data that is independent of the devices used by the users can also be stored in the user profiles, especially if the users are members of the respective platforms and are logged in to them.

We only receive summarized (aggregated) data from Facebook, which does not allow any conclusions to be drawn about individual persons.

We process your personal data for advertising and marketing purposes. (e.g. increasing the reach and awareness of our fan page by designing posts to suit the target group, evaluating the success of marketing campaigns).
The legal basis for the processing of your personal data in relation to the Insights functionality is your consent given to Facebook or Meta in accordance with Art. 6 para. 1 lit. a GDPR.

For information on the purposes that Facebook pursues with the processing of your personal data and the legal basis for this data processing, please refer to Facebook's privacy policy.

Please note that we have no influence on the data collection and further processing under Facebook's responsibility. As a result, we cannot provide any information about the extent to which, where and for how long the data is stored by Facebook. Furthermore, we cannot make any statements about the extent to which Facebook complies with existing deletion obligations, which evaluations and links are made with the data by Facebook and to whom the data is passed on by Facebook.

You can find information about the processing of your personal data, which Facebook processes for its own purposes, in the  privacy policy of Facebook: facebook.com/about/privacy

ii. Your rights as data subject

If you would like to exercise your rights as a visitor of the site or fanpage (information, correction, deletion, restriction, data portability, complaint to the supervisory authority, objection or revocation), you can contact both Facebook and us. You can adjust your advertising settings yourself in your user account. To do this, click on the following link and log in: facebook.com/settings?tab=ads or youronlinechoices.com

You can (also) restrict the visibility of your Facebook account to us via the Facebook settings.

For further details, please refer to Facebook's privacy policy: facebook.com/about/privacy/

iii. Data processing officer of Facebook

To contact Facebook's data protection officer, you can use the online contact form provided by Facebook at the following link facebook.com/help/contact/540977946302970 

b. LinkedIn Profile

i. Data processing concerning „Page Insights“ when visiting our  LinkedIn profile

When you visit our LinkedIn site, your personal data will be processed by LinkedIn as the operator of the platform and by us as the operator of our site within the platform. Insofar as this data processing takes place in connection with the Insights functionality of LinkedIn (LinkedIn Ireland Unlimited Company. or LinkedIn Corporation.), we are jointly responsible with LinkedIn (Art. 26 para. 1 GDPR).

LinkedIn Page Insights (legal.linkedin.com/pages-joint-controller-addendum) is a function provided by LinkedIn that allows the operator of a LinkedIn site (us) to receive summarized data about the interaction of visitors. 

As part of the Page Insights function, LinkedIn analyzes your interaction with our LinkedIn presence and also uses the personal information you provide (professional activity, industry, country, etc.). The evaluated data is made available to us by LinkedIn, but only in aggregated form (i.e. LinkedIn does not provide us with specific information about individual users as part of this function, but only summarized information). We use this aggregated data for the target group-oriented presentation of our LinkedIn presence and generally for its optimization with regard to the above-mentioned advertising purposes.

We have a legitimate interest in these advertising purposes; the processing of your data is based on Art. 6 para. 1 lit. f GDPR.

For information on the purposes that LinkedIn pursues with the processing of your personal data and on the legal basis of this data processing, please refer to LinkedIn's privacy policy. Please note that we have no influence on the data collection and further processing under LinkedIn's responsibility. As a result, we cannot provide any information about the extent to which, where and for how long the data is stored by LinkedIn. Furthermore, we cannot make any statements about the extent to which Instagram complies with existing deletion obligations, which evaluations and links are made with the data by LinkedIn and to whom the data is passed on by LinkedIn.

ii. Your rights as data subject

If you would like to exercise your rights as a visitor of the site (information, correction, deletion, restriction, data portability, complaint to the supervisory authority, objection or revocation), you can contact both LinkedIn and us. You can adjust the visibility of your LinkedIn account to us. 

For more information on data processing by LinkedIn, please refer to LinkedIn's privacy policy: linkedin.com/legal/privacy-policy 

iii. Data processing officer of  LinkedIn

To contact Linkedin’s data protection officer, you can use the online contact form provided by Linkedin at the following link linkedin.com/help/linkedin/ask/TSO-DPO verwenden.

H. Your rights. Right to information, questions, suggestions and comments

You have the right to be informed about your personal data stored in connection with the Kiron platform free of charge. Below you will find information on the rights the applicable data protection law grants you with regard to the processing of your personal data. 

a. The right to request information about your personal data processed by us pursuant to Art. 15 GDPR. In particular, you can request information on the purpose of processing, the category of personal data being processed, the categories of recipients to whom your data has been disclosed, the planned retention period, the right to rectification or erasure of personal data, or restriction of processing of your data, the right to lodge a complaint, what the source of the data is, if it wasn’t collected by us, and if any automated decision-making, including profiling exists and, where appropriate, meaningful information about their details.

b. The right, in accordance with Art. 16 GDPR, to demand the correction of incorrect or completion of incomplete personal data stored by us without delay.

c. The right to demand the deletion of your personal data stored with us, according to Art. 17 GDPR, as far as the processing is not required for the right of freedom of expression and information, the compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims.

d. The right to demand the restriction of the processing of your personal data, in accordance with Art. 18 GDPR, as far as the accuracy of the data is disputed by you, the processing is unlawful, but you oppose the erasure and we no longer need the data, but they are required by you for the establishment, exercise or defence of legal claims or you have lodged an objection against the processing pursuant to Art. 21 GDPR

e. The right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of the federal state of our above named seat or, if applicable, your usual place of residence or work place.

f. Right to withdraw granted consent pursuant to Art. 7 para. 3 GDPR: You have the right to withdraw the previously given consent in the processing of data at any time with effect for the future. In the case of withdrawal, we will delete the data concerned immediately, as far as further processing cannot be based on a legal basis where consent is not required for processing. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation;

If your personal data is processed by us on the basis of legitimate interests pursuant to Art. 6 para. 1 s. 1 lit. (f) GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, insofar as this is for reasons that arise from your particular situation. If you object to the processing of personal data for the purpose of direct marketing, you have a general right of objection without the requirement of specifying a particular situation.

If we process your personal data on the basis of your consent according to Article 6 para. 1 lit. (a) GDPR, you have the right according to Article 7 para. 3 GDPR to withdraw your consent to us at any time. As a result, we are no longer allowed to continue processing data based on this consent in the future.

You can assert your right via email at: datenschutzbeauftragter@datenschutzexperte.de or contact us at the contact details specified in section A.1. of this Privacy Policy.

I. Versions, Modification of this Privacy Policy

We reserve the right to change this Privacy Policy at any time in accordance with the law. In this way, we can adapt it to current legal requirements and take changes in our services into account, e.g. when introducing new services. The most current version applies to your visit.

This is version 6.0 of this policy, effective as of 01st February 2024.

Previous versions:

Version 5.0 (effective from August 8th, 2020 to January 31st, 2024) can be found here.
Version 4.0 (effective from May 25th, 2018 to August 8th, 2020) can be found here.
Version 3.0 (effective from January 18th to May 24th, 2018) can be found here.
Version 2.1 (effective from October 13th, 2016 to January 17th, 2018) can be found here.
Version 2.0 (effective from July 1st to October 12th, 2016) can be found here.
Version 1.2 (effective from May 11th to June 30th, 2016) can be found here.
Version 1.1 (effective from March 16th to May 10th, 2016) can be found here.
Version 1.0 (effective from October 15th, 2015 to March 15th, 2016) can be found here.