K.I.N.D is built GDPR & POPIA-compliant by default. Every campaign, every consent signal, every suppression request is logged and auditable — automatically.
Last updated: June 2026
South Africa’s POPIA sets strict requirements for how personal information is collected, processed, and stored. K.I.N.D is built to meet these requirements automatically — not through configuration, but through architecture.
Every outreach interaction is recorded with consent basis, timestamp, and channel. You hold a compliance record for every contact FIGSY touches.
Unsubscribe requests are honoured immediately and permanently. No contact is ever re-added to a campaign once suppressed.
Data subjects can request access to their information or deletion at any time.
FIGSY only stores data required to run your campaigns. No surplus collection, no profiling beyond campaign relevance.
If your outreach targets contacts in the EU or UK, GDPR applies. K.I.N.D’s consent and suppression architecture is aligned with GDPR requirements, giving you a defensible compliance posture for cross-border campaigns.
Outbound B2B email operates under legitimate interest. K.I.N.D logs the legitimate interest assessment for each campaign automatically.
K.I.N.D acts as a data processor on your behalf. A Data Processing Agreement (DPA) is available for all customers on request.
Security is not a compliance exercise. Every layer — data in transit, data at rest, access controls, API authentication — is hardened by default.
If your outreach touches US-based contacts, the CAN-SPAM Act applies. K.I.N.D’s email infrastructure is built to satisfy all FTC requirements automatically — no manual configuration required.
Every email sent through K.I.N.D identifies the true sender clearly. No misleading headers, no deceptive subject lines.
CAN-SPAM requires a valid physical postal address in every commercial email. K.I.N.D includes this in all outbound templates.
Every email includes a clear, working unsubscribe mechanism. Opt-out requests are processed within the FTC-mandated 10 business days.
Where required, K.I.N.D marks emails as commercial and ensures advertising content is clearly identified.
The California Consumer Privacy Act (and its 2023 update, CPRA) grants California residents rights over their personal information. K.I.N.D honours these rights without requiring manual workflows.
California residents can request details on what personal information K.I.N.D holds about them, where it came from, and how it is used.
Residents can request deletion of their personal information. K.I.N.D processes deletion requests and propagates suppression across all campaigns.
K.I.N.D does not sell, share, or rent personal information to third parties for monetary or other valuable consideration.
California residents can opt out of data processing and request corrections to inaccurate personal information at any time.
Compliant email requires more than legal wording — it requires infrastructure that major providers trust. K.I.N.D’s sending stack is built to land in the inbox, not the spam folder.
K.I.N.D sends via Resend with a dedicated custom domain. No shared IP pools that inherit other senders’ reputation problems.
Full email authentication stack in place. Major providers (Google, Microsoft, Yahoo) require these for bulk senders — K.I.N.D exceeds the minimum requirements.
New customer domains are warmed gradually. Sending volume increases over time to build provider trust before high-volume campaigns start.
FIGSY validates contact data before sending. Unverified or high-risk addresses are flagged or removed before a single email goes out.
For data subject access requests, DPA agreements, or any compliance question, contact our team directly.
Compliance is as much about what you refuse to do as what you do. These are hard limits — not guidelines, not suggestions.
We do not purchase, scrape, or accept contact lists from third-party brokers. Every contact FIGSY reaches must be sourced through verified, lawful means.
Suppressed contacts are permanently removed. We do not re-activate opted-out or bounced contacts under any circumstance, even under a new campaign or sender identity.
Your campaign data, contact records, and conversation history are yours. We do not sell, rent, or share personal information with any third party for commercial gain.
Data is not held indefinitely. Inactive contact records are flagged for review and deleted according to your retention settings and applicable legal requirements.
Our full sub-processor list is available on request. We do not introduce new sub-processors without notifying affected customers and updating our DPA.
Phone outreach is only enabled where a lawful basis exists under POPIA. We do not permit unsolicited cold calling to suppressed or non-consenting contacts.