EU General Data Protection Regulation (GDPR)
Personal Data Protection Policy
KohaSupport
Last updated: May 12, 2026
Introduction
We at KohaSupport are committed to processing personal data securely and respecting the privacy of all individuals whose data we process.
This policy explains how we collect, use, and protect personal data in compliance with the EU General Data Protection Regulation (GDPR).
Data Controller
KohaSupport
Email: [email protected]
Website: https://kohasupport.com
Personal Data We Collect
KohaSupport may process personal data such as:
- contact information you provide,
- billing and service-related records,
- technical data needed to operate the website or services,
- support communications,
- library service data processed on behalf of clients where KohaSupport acts as a processor.
The exact categories depend on how you use the website or services.
Legal Basis for Processing
We process personal data under the following legal bases:
- Contract Performance: To provide services you’ve requested
- Legitimate Interests: To improve our services and communicate with you
- Consent: Where you’ve given explicit consent
- Legal Obligation: To comply with legal requirements
How We Use Personal Data
We use personal data for:
- Providing and managing our services
- Customer support and communication
- Service improvement and development
- Billing and account management
- Marketing (with consent)
- Legal compliance
Data Sharing
KohaSupport may share personal data with service providers reasonably necessary to operate the business and provide services, such as:
- cloud infrastructure providers,
- billing and payment providers,
- email or communications providers,
- analytics or website tools.
KohaSupport does not sell personal data.
International Data Transfers
Where personal data is processed outside your country, KohaSupport will use appropriate safeguards where required by applicable law.
Data Retention
KohaSupport keeps personal data only for as long as reasonably necessary for the purposes described in this policy, including service delivery, legal compliance, recordkeeping, and legitimate business needs.
Your Rights Under GDPR
You have the right to:
1. Access
Request a copy of your personal data
2. Rectification
Correct inaccurate or incomplete data
3. Erasure (“Right to be Forgotten”)
Request deletion of your personal data
4. Restriction
Limit how we use your data
5. Data Portability
Receive your data in a structured, commonly used format
6. Object
Object to processing based on legitimate interests
7. Withdraw Consent
Withdraw consent at any time (where processing is based on consent)
8. Lodge a Complaint
File a complaint with your local data protection authority
How to Exercise Your Rights
To exercise any of these rights, please contact us:
- Email: [email protected]
- Subject: GDPR Data Rights Request
KohaSupport will respond in line with applicable legal timeframes.
Data Security
KohaSupport uses reasonable technical and organizational measures designed to protect personal data, taking into account the nature of the data and the risks involved.
Data Breach Notification
If a personal data breach occurs, KohaSupport will respond in accordance with applicable law and the circumstances of the incident. Where required, relevant parties will be notified without undue delay.
Children’s Privacy
Our services are not directed at children under 16. We do not knowingly collect personal data from children.
Changes to This Policy
KohaSupport may update this policy from time to time by posting the revised version on this page.
Data Processing Agreement
For clients using our services to process library patron data, we provide a separate Data Processing Agreement (DPA) that defines:
- Roles and responsibilities
- Data processing instructions
- Security measures
- Sub-processor arrangements
MARCReady — Data Processing Details
When using MARCReady (marcready.kohasupport.com):
| Data type | Purpose | Retention | Lawful basis |
|---|---|---|---|
| Account email address | Authentication (Amazon Cognito) | Until account deletion | Contract performance |
| Uploaded MARC/catalogue file (raw) | AI-assisted record repair | 2 days — deleted after processing is complete | Contract performance |
| Processed record output (preview JSON, exported MARC21/MARCXML) | Review and export download | 90 days, with automatic transition to S3 Intelligent-Tiering | Contract performance |
| File SHA-256 hash | Deterministic preview selection; stored with job record | Same as processed output (90 days) | Legitimate interest |
| Bibliographic field structure (LCCN/ISBN-keyed cache) | Avoid redundant AI processing for the same bibliographic item | 90 days with TTL | Legitimate interest |
| Anonymised MARC training pairs (source record + corrected output; fields 001, 003, and 040 cataloguing agency codes stripped before storage) | Fine-tuning a KohaSupport-hosted MARC specialist model to improve repair quality for all users | Indefinite — accumulated in a private training bucket; never shared externally | Legitimate interest |
| Payment card details | Billing | Handled by Stripe; not stored by KohaSupport | Contract performance |
Sub-processors used by MARCReady:
- Amazon Web Services (AWS Lambda, S3, DynamoDB, Cognito, API Gateway) — infrastructure; AWS region us-east-1
- Amazon Bedrock — AI model inference for MARC field mapping. By AWS contract, Bedrock does not use customer inputs or outputs to train any Amazon foundation model. Your catalogue data is not used to improve Amazon’s AI models. See AWS Bedrock data privacy FAQ. Separately, KohaSupport may use anonymised bibliographic training pairs (see table above) to fine-tune a private MARC specialist model hosted within KohaSupport’s own AWS Bedrock account. This model is used solely to improve MARCReady repair quality and is never shared with third parties.
- Stripe — payment processing
- Google — optional Google OAuth sign-in (user-initiated; only email, name, and profile picture are transferred)
- Microsoft — optional Microsoft OAuth sign-in, if selected by the user
Patron data: MARCReady is designed to process bibliographic catalogue records only. Users must not upload files containing library patron data, borrower records, circulation history, payment records, or staff account exports. If patron data is inadvertently included, please contact [email protected] immediately for secure deletion.
Contact Us
If you have privacy-related questions, please contact:
KohaSupport
Email: [email protected]
Website: https://kohasupport.com/contact/
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. In the EU, you can find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en
KohaSupport
Committed to GDPR Compliance