Privacy Policy

How Sokomi GmbH processes personal data in accordance with the GDPR, the BDSG, the TDDDG and the NIS2 Directive. Your rights and how to exercise them.

Controller details, legal bases, retention logic, international transfers and your rights under GDPR and related German law.

Effective: January 2025 · Updated: April 2026


This Privacy Policy is provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, “TDDDG”) and the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity (“NIS2 Directive”) as transposed into German law.

1. Controller and Data Protection Officer

The controller responsible for the processing of your personal data is:

Sokomi GmbH
Wachsbleiche 10, 53111 Bonn, Germany
Telephone: +49 228 983 526 0
Email: team@sokomi.com
Commercial Register: Amtsgericht Bonn, HRB 28998

Data Protection Officer: Rishi Maudhub
Email: team@sokomi.com
Postal address: Sokomi GmbH, Attn: Data Protection Officer, Wachsbleiche 10, 53111 Bonn, Germany.

2. Categories of Personal Data We Process

Data you provide directly: Name, email address, telephone number and other contact details; company name and job title; billing and payment information; content submitted through contact forms, service enquiries, job applications or customer support requests.

Data collected automatically when you visit our website: IP address, browser type and version, operating system, device identifiers; date and time of access, pages visited, referring URL, time spent on pages; data collected via cookies and similar tracking technologies as described in our Cookie Policy.

Data received from third parties: We may receive information about you from analytics providers, marketing partners or publicly available sources where a lawful basis exists for such processing.

We process your personal data for the following purposes and on the following legal bases under Article 6(1) GDPR:

Performance of a contract (Art. 6(1)(b) GDPR): To provide and manage our services, including domain management, DNS engineering, brand protection and advisory services; to process payments and invoices; to communicate with you regarding your account and service delivery.

Compliance with legal obligations (Art. 6(1)(c) GDPR): To fulfil our obligations under German tax law, commercial law, the BDSG and NIS2 transposition requirements; to retain records as required by the German Fiscal Code (Abgabenordnung) and the German Commercial Code (Handelsgesetzbuch).

Legitimate interests (Art. 6(1)(f) GDPR): To improve our website, products and services through analytics; to protect our IT systems and infrastructure against cyber threats in accordance with NIS2 requirements; to communicate with you about our services where you are an existing client or contact; to exercise or defend legal claims. Our legitimate interest in each case is specified in detail in our internal Records of Processing Activities. You have the right to object to processing based on legitimate interests at any time (see Section 8).

Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, for example for marketing communications or for the use of non-essential cookies. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

Special categories of data: We do not intentionally collect special categories of personal data as defined in Article 9 GDPR.

4. Recipients and Data Sharing

We do not sell your personal data. We may share your data with the following categories of recipients where necessary and on a lawful basis:

Service providers (processors): Hosting providers, cloud infrastructure operators, payment processors and analytics services that process data on our behalf under data processing agreements compliant with Article 28 GDPR.

Professional advisors: Lawyers, accountants and auditors where necessary for the exercise or defence of legal claims or to comply with legal obligations.

Regulatory and supervisory authorities: Where we are required to disclose data by law, regulation or court order, including to the competent data protection supervisory authority and, where applicable under NIS2, to the German Federal Office for Information Security (Bundesamt für Informationssicherheit, “BSI”).

Business transfers: In connection with a merger, acquisition, restructuring or sale of assets, where your data may be transferred to the successor entity subject to appropriate safeguards.

5. International Data Transfers

Where we transfer personal data outside the European Economic Area (EEA), we ensure that an adequate level of protection is maintained through one or more of the following mechanisms:

  • An adequacy decision by the European Commission under Article 45 GDPR (for example, the EU–US Data Privacy Framework for transfers to certified US organisations).
  • Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) GDPR, supplemented where necessary by a Transfer Impact Assessment.
  • Binding Corporate Rules approved by the competent supervisory authority under Article 47 GDPR, where applicable.
  • Your explicit consent under Article 49(1)(a) GDPR, where no other safeguard is available and you have been informed of the risks.

You may request a copy of the safeguards in place by contacting our Data Protection Officer.

6. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

  • Client account and contract data: For the duration of the contractual relationship, plus 10 years from the end of the calendar year in which the contract ended, in accordance with the retention obligations under Section 147 of the German Fiscal Code (AO) and Section 257 of the German Commercial Code (HGB).
  • Billing and payment data: 10 years from the end of the calendar year in which the invoice was issued, as required by German tax law.
  • Contact form enquiries: 6 months from the date of your last communication, unless a contractual relationship is established.
  • Job application data: 6 months from the completion of the recruitment process, unless you consent to longer retention for consideration in future vacancies.
  • Website usage data and server logs: 90 days, unless a longer period is required for the detection or investigation of security incidents in accordance with NIS2 obligations.
  • Marketing consent records: For the duration of the consent, plus 3 years following withdrawal to demonstrate lawful processing.

After the applicable retention period expires, data is securely deleted or anonymised.

7. NIS2 and Cybersecurity Obligations

As a provider of DNS services and domain management solutions, Sokomi GmbH may be classified as an essential or important entity under the NIS2 Directive (EU) 2022/2555 and its German transposition. In this context, we process certain personal data (including IP addresses, access logs and system event data) as necessary to fulfil our cybersecurity risk-management obligations, including threat detection, incident response, vulnerability management and reporting to the BSI where required. The legal basis for this processing is compliance with a legal obligation (Art. 6(1)(c) GDPR) and, where applicable, our legitimate interest in protecting the security and integrity of our network and information systems (Art. 6(1)(f) GDPR).

8. Your Rights

Under the GDPR and the BDSG, you have the following rights in relation to your personal data:

Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and, if so, a copy of that data together with supplementary information about the processing.

Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate personal data or the completion of incomplete data.

Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where the processing is unlawful. This right is subject to statutory retention obligations.

Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data in certain circumstances, for example while the accuracy of the data is being verified.

Right to data portability (Art. 20 GDPR): You may request a copy of the personal data you provided to us in a structured, commonly used and machine-readable format, and may request that we transmit it to another controller where technically feasible.

Right to object (Art. 21 GDPR): You may object at any time to processing based on our legitimate interests (Art. 6(1)(f) GDPR), including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. Where personal data is processed for direct marketing purposes, you have an unconditional right to object at any time.

Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Right not to be subject to automated decision-making (Art. 22 GDPR): We do not use your personal data for solely automated decision-making that produces legal or similarly significant effects.

To exercise any of these rights, please contact our Data Protection Officer at team@sokomi.com. We will respond within one calendar month of receiving your request. This period may be extended by a further two months where the request is complex, in which case we will inform you within the initial month.

9. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR. The competent supervisory authority for Sokomi GmbH is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
Telephone: +49 211 38424 0
Website: www.ldi.nrw.de

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in accordance with Article 32 GDPR and our obligations under the NIS2 Directive. These measures include encryption of data in transit and at rest, access controls, regular security assessments, incident response procedures and staff training. Our technical standards are set out in detail on our Technology Principles page.

11. Cookies and Tracking Technologies

Our use of cookies and similar tracking technologies is governed by our Cookie Policy, which sets out the types of cookies we use, their purposes and how you can manage your preferences. The legal framework for the use of cookies in Germany is provided by Section 25 TDDDG, which requires consent for non-essential cookies in accordance with the GDPR.

12. Children’s Data

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete that data promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law or regulatory guidance. The revised policy will be published on this page with an updated “Last updated” date. Where changes are material, we will take reasonable steps to notify you, for example by email or by a prominent notice on our website. We encourage you to review this policy periodically.

14. Contact

If you have any questions about this Privacy Policy, our data processing activities, or if you wish to exercise any of your rights, please contact:

Sokomi GmbH, Wachsbleiche 10, 53111 Bonn, Germany
Data Protection Officer: Rishi Maudhub
Email: team@sokomi.com
Telephone: +49 228 983 526 0
