Privacy Policy
Last Updated: 2 December 2025
1. About this privacy notice
This Privacy Notice provides detailed information about how Kiin AI Ltd ("Kiin AI", "we", "us", or "our"), registered in England and Wales with company number 15829728, collects and processes your personal data through your use of our KiinOS platform and related services.
This Privacy Notice is intended to meet our obligations under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. It explains in detail what data we collect, why we collect it, how we use it, who we share it with, how we protect it, and your rights regarding your data.
This Privacy Notice applies to both the KiinOS Community Edition and the KiinOS Commercial Edition. We have clearly indicated where our data processing activities differ between editions.
2. Who we are and our role as data controller
Kiin AI Ltd is the data controller for personal data collected through our website and the KiinOS platform. This means we determine the purposes and means of processing your personal data.
Full legal name: Kiin AI Limited
Registered address: 131 Finsbury Pavement, London, United Kingdom, EC2A 1NT
Company registration number: 15829728
ICO registration number: ZB867769
Our Data Protection Officer can be contacted at:
Email: legal@kiin.bio
Post: Data Protection Officer, Kiin AI Ltd, 131 Finsbury Pavement, London, United Kingdom, EC2A 1NT
3. Personal data we collect
We collect and process the following categories of personal data:
3.1. Identity and contact data
We collect your full name, email address, professional affiliation, job title/position, and optional profile picture directly from you during registration or profile creation. This data is processed on the basis of performance of a contract or legitimate interests and retained for the duration of your account plus 1 year.
3.2. Account data
We collect your user ID, encrypted password, account creation date, account status, and optional security questions/answers. This data is generated by our systems or provided directly by you during registration. It is processed on the basis of performance of a contract and retained for the duration of your account plus 1 year.
3.3. Technical and usage data
We automatically collect your IP address, device information, login timestamps, features accessed, clickstream data, time spent on features, resource usage metrics, and error logs when you access or use our services. This data is processed on the basis of legitimate interests and retained for up to 24 months (12 months for error logs).
3.4. User content data
We collect research inputs you upload for processing, research outputs generated by our platform, research project structures, saved settings, and notes and annotations. This data is processed on the basis of performance of a contract. It is retained for 12 months after last activity for the Community Edition and for the period specified in the service agreement for the Commercial Edition.
3.5. Communications data
We collect the content of support requests, feedback submissions, email communications, notifications, and survey responses. This data is processed on the basis of performance of a contract, legitimate interests, or consent. Retention periods range from 12 to 36 months depending on the type.
3.6. Payment data (commercial edition only)
We collect billing contact information, invoice records, payment records, and tax information. This data is processed on the basis of performance of a contract or legal obligation and retained for 7 years for tax purposes.
4. Purposes of processing
We process your personal data for the following purposes:
4.1. Service provision and account management
Creating and maintaining your user account; authenticating your identity when you log in; providing access to platform features and functionality; processing your inputs and generating outputs; customising your experience based on your preferences; storing your data and research projects; maintaining security of your account and our platform.
4.2. Customer support and communication
Responding to your inquiries and support requests; communicating important service updates and notices; sending you technical alerts and security notifications; providing guidance on how to use the platform; resolving technical issues you encounter.
4.3. Product development and improvement
Enhancing existing features based on usage patterns; developing new features and functionality; fixing bugs and technical issues; training and improving our AI models and algorithms; conducting research to enhance our technology; analysing usage patterns to optimise user experience.
4.4. Security and compliance
Detecting and preventing fraud and abuse; identifying and addressing security vulnerabilities; protecting against unauthorised access; maintaining audit trails for security purposes; complying with legal obligations and regulatory requirements; establishing, exercising, or defending legal claims.
4.5. Business operations (commercial edition only)
Processing payments and managing billing; administering contracts and service agreements; conducting account reviews and business analytics; managing customer relationships; planning resource allocation based on usage patterns.
5. Legal basis for processing
Under the UK GDPR, we must have a valid legal basis for processing your personal data. Our legal bases include:
5.1. Performance of a contract
We process much of your personal data because it is necessary to perform our contract with you (our Terms and Conditions and EULA) or to take steps at your request before entering into a contract.
5.2. Legitimate interests
We process certain personal data because it is necessary for our legitimate interests or the legitimate interests of a third party. When we rely on this basis, we consider whether you would reasonably expect us to use your data in this way, balance our interests against your rights and freedoms, and will not use your personal data if your interests override ours, unless we have your consent or are otherwise required or permitted by law.
Our legitimate interests include: improving and developing our services; ensuring the security of our platform; understanding how users interact with our services; promoting our business and services; running our business efficiently.
5.3. Legal obligation
We process certain personal data because it is necessary for compliance with a legal obligation to which we are subject.
5.4. Consent
In some cases, we process personal data based on your consent. Where we rely on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
6. Data sharing and recipients
We may share your personal data with the following categories of recipients:
6.1. Service providers
Cloud hosting providers (UK/EEA) to host our platform and store your data. Customer support software providers (UK/EEA, US) to manage support tickets and inquiries. Email service providers (UK/EEA) to send emails and notifications. Analytics providers (UK/EEA, US) to analyse usage patterns and improve our services. Authentication service providers (UK/EEA) to enable secure login. All service providers are bound by Data Processing Agreements, with Standard Contractual Clauses in place for US transfers.
6.2. Professional advisers
Legal advisers (UK) to receive legal advice and establish, exercise, or defend legal claims. Accountants and auditors (UK) for tax, accounting, and audit purposes. Insurers (UK/EEA) for insurance claims and coverage. All are bound by professional confidentiality obligations.
6.3. Authorities and required disclosures
Regulatory authorities (UK/EEA) to comply with regulatory requirements. Law enforcement (UK/EEA, potentially worldwide) to comply with valid legal requests. Courts (UK/EEA, potentially worldwide) to comply with court orders.
6.4. Business transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your personal data.
6.5. Your organisation (commercial edition only)
If you are using the KiinOS Commercial Edition through your organisation, we may share information about your account and usage with authorised administrators from your organisation.
7. International transfers
While we primarily store and process your personal data within the United Kingdom, we may transfer your personal data to recipients in other countries, including outside the UK and European Economic Area (EEA).
When we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place to provide adequate protection for your data, including: transferring to countries that have been deemed to provide an adequate level of protection by the UK or European Commission; implementing appropriate data transfer mechanisms, such as the UK or EU Standard Contractual Clauses; obtaining your explicit consent for the proposed transfer (in limited circumstances).
Cloud hosting providers are located in the UK and Ireland (UK adequacy decision for EU countries). Analytics providers are located in the US (UK International Data Transfer Agreement). Email service providers are located in the UK, Ireland, and US (UK adequacy decision for EU countries, UK IDTA for US transfers). Customer support software is located in the US (UK IDTA).
You can obtain a copy of the relevant transfer mechanism by contacting our Data Protection Officer at legal@kiin.bio.
8. Data security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
8.1. Technical measures
Encryption of data in transit using TLS/SSL protocols. Encryption of data at rest using AES-256 encryption. Multi-factor authentication for administrative access. Regular security scanning and penetration testing. Intrusion detection and prevention systems. Regular security patches and updates. Firewalls and network security controls. Regular backups with secure storage. Logging and monitoring of system activities.
8.2. Organisational measures
Staff training on data protection and security. Background checks for employees with access to sensitive data. Access controls based on role and need-to-know principles. Documented incident response procedures. Regular security audits and assessments. Data processing agreements with service providers. Confidentiality obligations for staff and contractors. Physical security measures for our facilities.
8.3. Breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach.
If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, unless: we have implemented appropriate technical and organisational protection measures to the affected data; we have taken subsequent measures to ensure the high risk is no longer likely to materialise; it would involve disproportionate effort, in which case we will make a public communication.
9. Data retention
We retain your personal data only for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
9.1. Retention criteria
To determine the appropriate retention period for personal data, we consider: the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure; the purposes for which we process the personal data; whether we can achieve those purposes through other means; the applicable legal, regulatory, tax, accounting, or other requirements.
9.2. Retention periods by data category
Detailed retention periods for specific data types are provided in Section 3 of this Privacy Notice.
9.3. Data deletion and anonymisation
After the applicable retention period expires, we will either securely delete your personal data, or anonymise your personal data so that it can no longer be associated with you.
10. Your legal rights
Under the UK GDPR, you have several rights in relation to your personal data. These include:
10.1. Right of access
You have the right to request a copy of the personal data we hold about you and to check that we are lawfully processing it. Submit a Subject Access Request to legal@kiin.bio. We may need to verify your identity and may ask for specific information to help us confirm your identity.
10.2. Right to rectification
You have the right to request that we correct any incomplete or inaccurate personal data we hold about you. You can update most of your account information directly through your account settings. For other data, contact legal@kiin.bio.
10.3. Right to erasure
You have the right to request that we delete or remove personal data where there is no good reason for us to continue processing it. This is not an absolute right and is subject to certain exceptions. Contact legal@kiin.bio with your erasure request. Please note that we may not always be able to comply with your request for specific legal reasons, which we will notify to you.
10.4. Right to restrict processing
You have the right to request that we suspend the processing of your personal data in certain scenarios. Contact legal@kiin.bio specifying which data you wish to restrict processing of and the reason for your request.
10.5. Right to data portability
You have the right to request that we transfer your personal data to you or to a third party in a structured, commonly used, machine-readable format. Contact legal@kiin.bio specifying which data you wish to receive or transfer and, where applicable, the third party to whom you wish us to transfer the data.
10.6. Right to object
You have the right to object to processing of your personal data where we are relying on a legitimate interest and there is something which makes you want to object to processing on this ground. You also have the right to object to direct marketing. Contact legal@kiin.bio specifying the processing you object to and the reasons for your objection.
10.7. Rights related to automated decision making
You have rights related to automated decision making, including profiling, which produces legal or similarly significant effects concerning you. Contact legal@kiin.bio if you believe you are subject to automated decision making that may require human intervention.
10.8. Time for response
We aim to respond to all legitimate requests within one month. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
10.9. No fee usually required
You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
11. Cookies and similar technologies
We use cookies and similar technologies to enhance your experience on our platform, analyse usage, and for security purposes.
11.1. What are cookies
Cookies are small text files that are placed on your device when you visit our platform. They allow us to recognise your device and store certain information about your preferences or past actions.
11.2. Types of cookies we use
Essential Cookies are required for the platform to function properly, including authentication, security, and basic functionality. Their lifetime ranges from the duration of your session to 1 year, and they cannot be opted out of.
Preference Cookies remember your settings and preferences to enhance your experience. They last 1 year and can be opted out of.
Analytics Cookies help us understand how users interact with our platform by collecting and reporting information anonymously. They last 2 years and can be opted out of.
Functionality Cookies allow the platform to remember choices you make and provide enhanced features. They last 1 year and can be opted out of.
11.3. Third-party cookies
Some cookies are placed by third parties on our behalf. These third parties may collect information about your online activities over time and across different websites. We do not have control over these third-party cookies. Google Analytics places _ga, _gid, and _gat cookies for analytics purposes.
11.4. Managing cookies
Most web browsers allow you to control cookies through their settings. You can usually find these settings in the "Options" or "Preferences" menu of your browser. You can also configure your browser to reject all cookies, but this may prevent you from using some functionalities of our platform.
For more information about cookies and how to manage them, visit www.allaboutcookies.org.
12. Children's privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at legal@kiin.bio. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information.
13. Changes to this privacy notice
We may update this Privacy Notice from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by displaying a prominent notice on our platform, sending you an email notification, and indicating at the top of the Privacy Notice when it was most recently updated.
We encourage you to review this Privacy Notice periodically to stay informed about how we are protecting your personal data.
14. How to complain
If you have a concern about our privacy practices, including the way we handle your personal data, you can contact us at legal@kiin.bio. We hope that we can resolve any query or concern you raise about our use of your information.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). However, we would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
15. Contact details
If you have any questions about this Privacy Notice or our data protection practices, please contact us:
Data Protection Officer
Kiin AI Ltd
131 Finsbury Pavement, London, United Kingdom, EC2A 1NT
Email: filippo@kiin.bio
Phone: 07565307680
By using our services, you acknowledge that you have read and understood this Privacy Notice.