GDPR Compliance

1. Our Commitment

KiteCX ("we," "us," or "our") is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements and outlines the rights available to data subjects in the European Union and European Economic Area.

2. Roles and Responsibilities

Under the GDPR, KiteCX acts in the following capacities:

• Data Controller — for personal data of our platform users (account holders, team members), including account information, billing details, and usage data
• Data Processor — for personal data of our customers' end users that is processed through the platform, such as SMS messages, email content, and support ticket data

If you are a KiteCX customer, you act as the Data Controller for your end users' data, and we process that data on your behalf in accordance with your instructions and our Data Processing Agreement.

3. Lawful Basis for Processing

We process personal data based on the following lawful bases under Article 6 of the GDPR:

• Contract Performance — Processing necessary to provide the Service you have subscribed to, including account management, communication routing, and billing
• Legitimate Interest — Processing necessary for platform security, fraud prevention, service improvement, and analytics, where our interests do not override your rights
• Consent — Where applicable, for optional features such as marketing communications, which you may withdraw at any time
• Legal Obligation — Processing required to comply with applicable laws, including tax, telecommunications, and data retention regulations

4. Your Rights as a Data Subject

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Article 15) — You may request a copy of the personal data we hold about you, including the purposes of processing, categories of data, and recipients
• Right to Rectification (Article 16) — You may request that we correct any inaccurate or incomplete personal data
• Right to Erasure (Article 17) — You may request deletion of your personal data where there is no compelling reason for continued processing
• Right to Restrict Processing (Article 18) — You may request that we limit how we use your data while concerns are resolved
• Right to Data Portability (Article 20) — You may request your personal data in a structured, commonly used, and machine-readable format for transfer to another provider
• Right to Object (Article 21) — You may object to processing based on legitimate interests, including profiling and direct marketing
• Rights Related to Automated Decision-Making (Article 22) — You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects

5. How to Exercise Your Rights

To submit a GDPR request, you may:

• Email us at privacy@kitecx.io with the subject line "GDPR Request"
• Contact us through our in-platform support channels

We will acknowledge your request within 72 hours and respond within 30 days, as required by the GDPR. If the request is complex or we receive a large number of requests, we may extend this period by an additional 60 days, and we will notify you of any such extension.

To verify your identity, we may ask you to confirm details associated with your account. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive.

6. Data Processing and Transfers

We use third-party service providers to operate and improve the Service. When personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with all sub-processors
• Adequacy decisions where applicable

Our primary sub-processors include Google Firebase (infrastructure), Stripe (payments), Twilio (SMS), Resend (email), and OpenAI (AI features). A complete list of sub-processors is available upon request.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. When data is no longer required, it is securely deleted or anonymized. Account data is retained for the duration of the account relationship and for a reasonable period afterward to comply with legal obligations. You may request earlier deletion by exercising your right to erasure.

8. Data Security

We implement technical and organizational measures to protect personal data, including:

• Encryption of data in transit (TLS) and at rest
• Access controls and authentication mechanisms
• Regular security assessments and monitoring
• Incident response procedures for data breaches

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay.

10. Data Protection Contact

For any questions or concerns regarding our GDPR compliance, or to exercise your data protection rights, please contact us:

• Email: privacy@kitecx.io
• Subject: GDPR Inquiry

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

11. Changes to This Page

We may update this GDPR compliance page from time to time to reflect changes in our practices or applicable regulations. Material changes will be communicated through the platform or by updating the date below.