Privacy Policy

Last updated: March 30, 2026

1. Introduction

Kafonet ("we", "us", "our") is a colleague matchmaking service that connects employees for 1:1 meetings. This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and what rights you have regarding your data.

By using Kafonet, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is the Kafonet project team, operated independently from Belgrade, Serbia. Kafonet is not affiliated with or operated by Microsoft Corporation.

For all privacy-related inquiries, you may contact us at hello@kafonet.com.

3. Data We Collect

We collect the following categories of personal data:

a) Data from authentication providers

When you sign in via LinkedIn or Microsoft Entra ID, we receive the following from the identity provider:

  • Full name
  • Email address
  • Profile photo (if available)
  • Provider-specific user identifier (used for account linking across sign-in methods)

b) Data you provide

During onboarding and while using the Service, you may provide:

  • Job title and team
  • Short biography
  • Office days (e.g., Monday–Thursday)
  • Preferred meeting types (coffee, lunch, walk, online call)
  • Matching frequency preference
  • Interests and spoken languages

c) Data generated through use

  • Match history (pairings and dates)
  • Account status (active or paused)
  • Account timestamps (creation date, last update)

d) Data we do not collect

We do not collect your location, device information, browsing history, IP addresses for tracking purposes, or any data from your calendar, contacts, or files.

4. Legal Basis for Processing

We process your personal data on the following legal grounds:

  • Consent: By creating an account and completing onboarding, you consent to the processing of your data for the purposes described in this policy. You may withdraw consent at any time by pausing or deleting your account.
  • Legitimate interest: We have a legitimate interest in operating and improving the Service, including aggregated analytics on matching effectiveness.
  • Performance of a service: Processing is necessary to provide the matching and notification features you signed up for.

5. How We Use Your Data

  • Matching: Your preferences, office days, team, and interests are used by our automated matching algorithm to pair you with compatible colleagues. The algorithm prioritizes cross-team connections and considers factors such as overlapping office days, shared meeting type preferences, common interests, and past pairings.
  • Notifications: When you are matched, we send an email to both you and your match containing names, job titles, teams, profile photos, and a suggested meeting date.
  • Profile display: Your name, photo, job title, and team are visible to colleagues you are matched with, both in the notification email and within the dashboard.
  • Service improvement: We may use aggregated, anonymized usage data to improve the matching algorithm and overall user experience. Individual users are not identifiable from this data.

6. Automated Decision-Making

Kafonet uses an automated matching algorithm to pair users. This algorithm scores potential pairings based on your preferences and profile data (team, office days, meeting types, interests) and selects the best matches. No human reviews individual pairings before they are made.

The outcome of automated matching is a suggested 1:1 meeting — it does not produce legal effects or similarly significant consequences. If you have concerns about a specific match, you may contact us, and you always have the option to decline or not attend a suggested meeting.

7. Data Sharing

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

  • With your match: When you are paired with a colleague, they receive your name, profile photo, job title, team, and a suggested meeting date. This is the core function of the Service.
  • Infrastructure providers: We use Microsoft Azure for application hosting and database services. These providers act as data processors and process data on our behalf under standard data processing agreements.
  • Email delivery: Match notification emails are sent via a third-party SMTP provider. Emails contain the minimum data necessary (names, job titles, meeting details).
  • Legal obligations: We may disclose data if required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, safety, or property of our users.

8. Data Storage & Security

We implement appropriate technical and organizational measures to protect your data:

  • Data is stored in a PostgreSQL database hosted on Microsoft Azure in the West Europe region.
  • All data in transit is encrypted via HTTPS/TLS.
  • The database is encrypted at rest using Azure-managed encryption.
  • Authentication sessions use cryptographically signed JSON Web Tokens (JWTs) stored in HTTP-only, secure, same-site cookies.
  • OAuth access tokens from identity providers (LinkedIn, Microsoft) are used only during the sign-in process to retrieve your profile information and are not stored persistently.
  • Administrative access to the database and infrastructure is restricted and protected by multi-factor authentication.

9. International Data Transfers

Your data is stored and processed within the European Economic Area (Azure West Europe). If data is transferred outside the EEA in the future (for example, due to infrastructure changes), we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses.

10. Data Retention

  • Active accounts: Data is retained for as long as your account remains active.
  • Paused accounts: Data is retained while your account is paused. If your account remains paused for more than 12 months, we may contact you to confirm whether you wish to keep or delete your account.
  • Deleted accounts: Upon your request, we will delete your personal data within 30 days. Match history may be retained in a fully anonymized form (with no link to your identity) for service analytics purposes.
  • Authentication tokens: Email magic link tokens expire after 24 hours and are marked as used upon verification.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Update or correct inaccurate personal data (you can do this directly from your Settings page).
  • Right to erasure: Request deletion of your personal data and account.
  • Right to restrict processing: Pause your account to temporarily stop your data from being used in matching.
  • Right to data portability: Request a copy of your data in a structured, machine-readable format.
  • Right to object: Object to processing of your data based on legitimate interests.
  • Right to withdraw consent: You may withdraw your consent at any time by deleting your account, without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at hello@kafonet.com. We will respond to your request within 30 days.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (www.poverenik.rs) or with the supervisory authority in your jurisdiction.

12. Cookies

Kafonet uses a single, strictly necessary cookie (kafonet_session) to maintain your authenticated session. This cookie is:

  • HTTP-only (not accessible to JavaScript)
  • Secure (transmitted only over HTTPS in production)
  • Same-site (not sent with cross-site requests)
  • Valid for 30 days

We do not use analytics cookies, advertising cookies, or any third-party tracking technologies. No cookie consent banner is required because we use only strictly necessary cookies.

13. Children's Privacy

Kafonet is a workplace service intended exclusively for corporate employees. The Service is not directed at, and we do not knowingly collect personal data from, anyone under the age of 18. If we learn that we have inadvertently collected data from a minor, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes that affect how your personal data is processed, we will notify active users via email before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

15. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at hello@kafonet.com.