Privacy Policy

1. Who we are

K.I.N.D Technologies Ltd ("K.I.N.D", "we", "us") operates the K.I.N.D AI Platform at get-kind.com and app.get-kind.com.

We are registered in England & Wales (Company No. 17260532). Under UK GDPR and the Data Protection Act 2018, K.I.N.D Technologies Ltd is the data controller for personal data collected through our website and platform.

Where we process personal data on behalf of our clients (e.g. lead data for FIGSY campaigns), we act as a data processor under the client's instructions, as governed by our Data Processing Agreement.

For South African data subjects, K.I.N.D is a responsible party under POPIA. For Californian residents, we comply with the CCPA.

2. Data we collect

Account data: name, email address, company name, country, and billing details. Collected when you sign up. Used to deliver the service and process payments.

Lead data: B2B prospect names, work email addresses, job titles, company names, LinkedIn URLs, and country — sourced via Apollo.io on clients' behalf. Processed only under client instruction and our DPA.

Usage data: platform activity (campaigns run, leads sourced, replies received), API call logs, feature usage patterns. Used to deliver and improve the service and for billing accuracy.

Communication data: email content sent through FIGSY campaigns, replies received, and opt-out requests. Stored for campaign performance tracking and POPIA audit trails.

Technical data: IP address, browser type, device type, referring URL. Collected automatically via server logs. Retained for 90 days.

3. How we use your data

• Deliver and operate the K.I.N.D platform and all agent services (FIGSY, Milla, Vida)
• Process payments via Stripe
• Send service communications — campaign alerts, usage reports, billing receipts. Not marketing without consent.
• Generate AI-powered features using Anthropic's Claude API. We do not send identifiable personal data in AI prompts.
• Comply with legal obligations under UK GDPR, POPIA, and applicable African data laws
• Detect and prevent fraud, abuse, and security incidents
• Improve the platform using anonymised, aggregated usage data

Lawful basis (UK GDPR): Contract performance (delivering the service you signed up for); Legitimate interests (security, fraud prevention, platform improvement); Legal obligation (compliance, tax records); Consent (marketing communications, if applicable).

4. Data hosting & transfers

Database: All client account data and lead data is stored on Supabase, hosted in the af-south-1 region (Cape Town, South Africa). This hosting is GDPR-, UK GDPR- and POPIA-compliant. US and international clients can request dedicated US data residency (see below).

US & international clients: All client data is currently hosted in Cape Town (af-south-1). The United States imposes no data-residency requirement on B2B SaaS, and this hosting is fully compliant with the CCPA. Enterprise clients who require their data to be physically stored within the United States can request US data residency — contact hello@get-kind.com and we will provision a dedicated US-region instance.

Application hosting: The K.I.N.D platform (Portal, API, Admin) runs on Railway, which operates on SOC 2-audited infrastructure. No personal data is stored in Railway environment variables — only configuration keys.

Email delivery: Outbound emails are sent via Resend, which processes recipient email addresses to deliver messages. Resend is GDPR-compliant.

Lead enrichment: Lead data is sourced via Apollo.io. Apollo maintains its own consent infrastructure for B2B contact data. We process Apollo data under lawful business purpose.

AI processing: Natural language generation for email sequences and analysis uses Anthropic's Claude API (US-based). We do not include personal data (names, emails) in AI prompts.

Payments: Payment card data is processed by Stripe (PCI DSS Level 1 certified). K.I.N.D never stores card numbers.

International transfers: Where data is transferred outside South Africa or the UK, we apply appropriate safeguards — Standard Contractual Clauses for GDPR transfers, and POPIA section 72 conditions for cross-border transfers from South Africa.

5. Data retention

• Account data: held for the duration of the contract + 24 months (legal obligations)
• Lead personal data: active campaign duration + 12 months, then hard-deleted on request or account close
• Email campaign content: 12 months, then automatically purged
• Billing records: 7 years (UK tax law requirement)
• Server logs: 90 days automatic rotation
• Opt-out records: permanently retained (to honour the opt-out)

You can request deletion of your account and all associated personal data at any time by emailing privacy@get-kind.com. We will action deletion within 30 days.

6. Your rights

Under UK GDPR (UK and EU residents):

• Right of access — request a copy of your personal data
• Right to rectification — correct inaccurate data
• Right to erasure — request deletion ("right to be forgotten")
• Right to portability — receive your data in a machine-readable format
• Right to restriction — limit how we process your data
• Right to object — object to processing based on legitimate interests
• Right to lodge a complaint with the ICO: ico.org.uk/make-a-complaint

Under POPIA (South African residents):

• Right to access, correct, and delete your personal information
• Right to object to processing
• Right to lodge a complaint with the Information Regulator: inforegulator.org.za

Under CCPA (California residents):

• Right to know what personal information is collected and how it is used
• Right to delete personal information
• Right to opt out of the sale of personal information — K.I.N.D does not sell personal information

To exercise any right, email privacy@get-kind.com. We respond within 30 days.

7. Lead data & opt-outs

Lead data used in FIGSY outreach campaigns is sourced via Apollo.io, which maintains its own consent infrastructure for B2B contact data. K.I.N.D processes this data on behalf of clients as a data processor under our DPA.

Every FIGSY campaign includes a clear unsubscribe mechanism. Any person who opts out is permanently added to a global suppression list and never re-contacted across any K.I.N.D client. Opt-out requests are honoured within 24 hours and the suppression is logged with a full audit trail for POPIA compliance.

If you have received an email via a K.I.N.D-powered campaign and wish to be removed from all future outreach, email privacy@get-kind.com with "Unsubscribe" in the subject line.

8. Third-party sub-processors

K.I.N.D uses the following sub-processors to deliver the service. Each has been assessed for GDPR/POPIA compliance and a Data Processing Agreement is in place where required.

• Supabase — database hosting (Cape Town, af-south-1) — SOC 2 Type II, GDPR compliant
• Railway — application hosting — SOC 2-audited infrastructure
• Stripe — payment processing — PCI DSS Level 1 certified
• Resend — email delivery — GDPR compliant
• Apollo.io — lead enrichment — GDPR compliant, US-based
• Anthropic — AI language model (no PII in prompts) — enterprise data agreements

The full sub-processor list is also documented in our Data Processing Agreement.

9. Cookies

The K.I.N.D website uses minimal cookies. We do not use advertising trackers or third-party analytics that share data with ad networks.

• Session cookies: Required for login and platform functionality. Expire when you close your browser or after 30 days of inactivity.
• Preference cookies: Remember your settings (e.g. theme). Expire after 12 months.

We do not use Google Analytics, Facebook Pixel, or any advertising cookies. You can disable cookies in your browser settings — this may affect platform functionality.

10. Children

The K.I.N.D platform is a B2B service intended for business use only. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has submitted data to us, contact privacy@get-kind.com and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy when our practices change, new services are added, or applicable law requires it. We will notify active clients of material changes by email at least 14 days before they take effect. The "last updated" date at the top of this page always reflects the current version.

12. Contact

For privacy requests, data subject rights, or any questions about this policy:

K.I.N.D Technologies Ltd
Company number 17260532
Registered office: 33 Townsend Road, Stratford-upon-Avon, CV37 7DE, United Kingdom
hello@get-kind.com

We aim to respond to all privacy requests within 5 business days and resolve them within 30 days as required by UK GDPR.