This DPA governs how K.I.N.D processes personal data on behalf of clients under POPIA (South Africa), GDPR (EU/UK), CCPA/CPRA (California, USA), and applicable data protection laws.
Effective date: 31 May 2026
K.I.N.D processes personal data solely for the purpose of B2B lead generation and outreach services performed on behalf of the Client. The categories of personal data processed include:
K.I.N.D does not process special categories of personal data (as defined under POPIA and GDPR) and will not do so without explicit written consent from both the Client and the Data Subject.
Processing is carried out only on documented instructions from the Client, as set out in the Client's Ideal Customer Profile (ICP) configuration and campaign settings. K.I.N.D will inform the Client if it believes any instruction infringes applicable data protection law.
All personal data processed by K.I.N.D is stored in South Africa on Supabase's af-south-1 region (Cape Town). This includes lead records, campaign data, email logs, opt-out records, and client account data.
K.I.N.D does not transfer personal data outside of South Africa without:
Where sub-processors (see Section 5) are located outside South Africa, K.I.N.D has assessed the transfer basis and relies on appropriate safeguards including Standard Contractual Clauses (SCCs) and the sub-processor's own adequacy certifications.
K.I.N.D implements and maintains the following technical and organisational measures to protect personal data:
K.I.N.D will notify the Client without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach that is likely to result in a risk to the rights and freedoms of Data Subjects.
K.I.N.D engages the following sub-processors in the delivery of its services. Each sub-processor is subject to contractual obligations that provide equivalent data protection to this DPA.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database hosting, authentication, storage | Cape Town, South Africa (af-south-1) | In-country; SOC 2 Type II |
| Resend | Transactional email delivery | United States | SOC 2 Type II; SCCs applied |
| Apollo.io | B2B contact database and lead sourcing | United States | DPA in place; SCCs applied |
| Anthropic | AI language model for email generation | United States | No data retained per API terms; SCCs applied |
| Stripe | Payment processing | United States | PCI DSS Level 1; SCCs applied |
| Railway | Application hosting (Portal, API, Admin) | United States | SOC 2-audited infrastructure; SCCs applied |
K.I.N.D will notify Clients of any intended changes to this list (additions or replacements of sub-processors) with reasonable prior notice, giving the Client the opportunity to object to such changes.
K.I.N.D retains personal data only for as long as necessary to deliver the services and meet legal obligations:
Upon expiry of the applicable retention period, personal data is deleted or anonymised in a manner that renders re-identification impossible.
Clients may exercise the following rights in relation to personal data held by K.I.N.D on their behalf:
K.I.N.D will action deletion and export requests within 30 days of receipt. Where a request cannot be fulfilled in full (for example, where retention is required by law), K.I.N.D will explain the basis for retaining the data.
K.I.N.D has implemented the following mechanisms for Data Subjects (leads and prospects) to exercise their rights:
Where K.I.N.D receives a Data Subject request that relates to data processed on behalf of a specific Client, K.I.N.D will promptly forward the request to the relevant Client and assist in fulfilling it.
K.I.N.D's total aggregate liability under this DPA — whether in contract, delict, or otherwise — is limited to the total fees paid by the Client to K.I.N.D in the three calendar months immediately preceding the event giving rise to the claim.
K.I.N.D is not liable for any indirect, consequential, incidental, or punitive damages arising from or related to this DPA, even if advised of the possibility of such damages.
Nothing in this clause limits liability for death or personal injury, fraud, or any liability that cannot be limited by applicable law.
This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) is governed by and construed in accordance with the laws of England and Wales.
The parties submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute or claim arising out of or in connection with this DPA. For South African clients, K.I.N.D acknowledges the application of POPIA; for European clients, K.I.N.D acknowledges the primacy of applicable EU supervisory authority guidance in relation to GDPR obligations.
This DPA forms part of and is incorporated into K.I.N.D's Terms of Service. In the event of any conflict between this DPA and the Terms of Service on data protection matters, this DPA shall prevail.
For clients and data subjects located in California, USA, K.I.N.D complies with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). The following rights apply to California residents:
K.I.N.D does not have actual knowledge that it sells or shares personal information of consumers under 16 years of age.
For all California privacy requests, contact: privacy@get-kind.com
Our team is based in South Africa and is happy to answer any questions about how we process your data or your clients' data.
Email privacy@get-kind.com