COOKIES POLICY
1. GENERAL INFORMATION ABOUT COOKIES
KINMU DIGITAL S.L., with its registered office at Calle Teide, 4, 28703 Madrid, Spain, CIF B24996803, operates cookie systems on the Kinmu platform (https://kinmu.app) and its mobile applications. A cookie is a small file, typically alphanumeric, that is stored on the hard drive of the user's device (personal computer, tablet, smartphone, or other Internet-connected device) when the user accesses the platform. Cookies are used to store user session information, browsing preferences, authentication data, technical device information, and information related to platform compatibility and operation. Cookies may be created directly by Kinmu or by third-party technical service providers contracted by Kinmu.
This Cookies Policy fully complies with Spanish cookie regulation, including Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications, Regulation (EU) 2016/679 on Data Protection (GDPR), and Organic Law 3/2018 on Personal Data Protection (LOPDGDD).
2. CONSENT FOR COOKIES
Kinmu distinguishes between cookies that are technically essential for the operation of the platform and non-essential cookies. In accordance with applicable legislation, essential cookies (classified as technically necessary for authentication, security, and basic operation) are installed automatically without prior user consent, with implicit consent proportional to the indispensable technical nature of such cookies.
For non-essential cookies (including those oriented to analytics, marketing, or user experience improvement), Kinmu implements a consent management system that appears on first access to the platform, allowing the user to: accept all cookies, reject all non-essential cookies, or customize which cookie categories are accepted. The user can change cookie preferences at any time by accessing preference settings in the platform, with changes effective immediately. Withdrawal of consent for non-essential cookies does not affect the legality of cookies used before the withdrawal.
3. AUTHENTICATION AND SESSION COOKIES
Kinmu uses the following technically essential cookies for authentication, session maintenance, and secure operation of the platform. These cookies are created and maintained automatically when the user accesses the platform and are indispensable for service provision:
Application Session: Session cookie created when the user logs into the platform and stored on the user’s device. This cookie contains a unique session identifier that links user requests to their user profile on Kinmu servers, allowing Kinmu to maintain an active session state. Without this cookie, the platform could not remember the user between consecutive requests and the user could not access protected functionalities. The cookie expires automatically thirty minutes after the user’s last activity or when the web browser is closed.
Access Token: Cookie that contains a JWT (JSON Web Token) cryptographic token providing user authorization to access platform functionalities. The token is cryptographically signed by Kinmu servers and cannot be forged without access to Kinmu’s private keys. The server validates the token signature before processing any request and rejects invalid tokens. The token expires automatically every six hours, and a new token is generated automatically without user intervention if the user remains active.
Anti-CSRF Token (XSRF-TOKEN): Security cookie that provides protection against Cross-Site Request Forgery (CSRF) attacks. This cookie contains a random unique token that must be included in the header of any data-modifying request (POST, PUT, DELETE) and is validated by the server before processing the request. Without this protection, an attacker on a different site could induce the user’s browser to perform unauthorized requests against the platform. The cookie expires upon logout.
Platform Preferences (kinmu_preferences): Cookie that stores user interface preferences, including interface language (Spanish or English), visual theme (light or dark), and layout of interface elements. This cookie allows the platform to remember user preferences between sessions so the user can maintain a consistent experience. The cookie expires ninety days after the last update.
4. TECHNICAL ANALYSIS COOKIES
On the public marketing website, Kinmu uses analytics cookies and similar technologies only after the user gives consent. These tools are PostHog, loaded directly for product and web analytics, and Google Analytics 4, loaded through Google Tag Manager. Google Tag Manager is not used to bypass consent: analytics tags are loaded under a Basic Consent Mode approach after consent has been granted.
These analytics tools may use identifiers such as ph_*, posthog, _ga, _ga_*, _gid or similar cookies/local storage keys to measure page views, traffic sources, CTA clicks, scroll depth and conversions in aggregated form.
Kinmu also performs technical analysis through server-side logging that does not require cookies. This analysis includes HTTP request logs, anonymized IP addresses and short retention for security and service availability.
5. MARKETING AND ADVERTISING COOKIES
On the public marketing website, Kinmu may use advertising and conversion measurement tags through Google Tag Manager after marketing consent has been granted. This includes Meta Pixel for Facebook/Instagram campaigns and may include TikTok Pixel in the future if a TikTok pixel identifier is configured.
Marketing cookies may include identifiers such as _fbp, _fbc, fr, ttclid, _ttp or ttwid, depending on the campaigns and platforms enabled. These tags are not loaded before marketing consent. Kinmu does not sell user data to advertising platforms.
6. THIRD-PARTY COOKIES AND EXTERNAL PROVIDERS
The current public website providers are Google Tag Manager and Google Analytics 4 (Google), PostHog, Meta Pixel and, if configured in the future, TikTok Pixel. The user can accept, reject or change these preferences at any time from the cookie settings.
Kinmu mobile applications (iOS and Android) do not use traditional cookies, but rather native device storage systems. For mobile applications, authentication and session data are stored in:
iOS: iOS Keychain, a secure storage service of the operating system that requires biometric authentication (Face ID or Touch ID) or the device password for access. Authentication tokens are stored encrypted according to Apple standards.
Android: Android Keystore, a secure private key repository that requires user authentication for access. Tokens are stored protected by device-based encryption.
Neither mobile implementation allows third-party applications to access authentication data without explicit user consent.
7. DURATION AND EXPIRATION OF COOKIES
Kinmu implements automatic cookie expiration in accordance with security and operational needs:
Authentication session cookies expire automatically thirty minutes after the user’s last activity or when the web browser is closed, requiring the user to log in again after expiration.
Access token cookies are automatically renewed every six hours while the user remains active, allowing the user to stay logged in for multiple days without manual action. When the browser is closed, all session cookies are automatically deleted.
User preference cookies persist for ninety days, allowing the user to maintain interface settings between sessions.
The user can manually delete all cookies associated with Kinmu at any time from the privacy settings of their web browser, which requires the user to log in again.
8. SECURITY ATTRIBUTES OF COOKIES
All cookies created by Kinmu implement security attributes required by data protection legislation and web security standards:
HttpOnly Attribute: All cookies containing sensitive information (session, authentication, tokens) are marked with the HttpOnly attribute, which prevents JavaScript code in the user’s browser from reading cookie content. This attribute removes attack vectors through malicious code injection (Cross-Site Scripting - XSS) that could otherwise extract user sessions.
Secure Attribute: All cookies are marked with the Secure attribute, forcing cookie transmission only over encrypted HTTPS connections. The browser will reject cookie transmission over unencrypted HTTP connections, protecting against communication interception attacks (Man-in-the-Middle).
SameSite Attribute: All cookies are marked with SameSite=Strict, which prevents automatic cookie sending when the user is redirected from an external site. This attribute protects against Cross-Site Request Forgery (CSRF) attacks intended to cause the user’s browser to perform unauthorized requests against Kinmu.
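The attributes listed in this section can be checked against the Set-Cookie headers a server returns. The following is an added example, not Kinmu's own code. The cookie names session and access_token, the sample headers, and the choice to leave XSRF-TOKEN out of the HttpOnly check (on the assumption that client script reads it to copy it into a request header) are assumptions.

```python
# Added example: audit Set-Cookie headers against the attributes in section 8.
# "session" and "access_token" are hypothetical names; the policy does not
# name those cookies. XSRF-TOKEN and kinmu_preferences come from section 3.

# Cookies treated as sensitive (HttpOnly required). Assumption: XSRF-TOKEN is
# excluded because client script must read it to echo it in a request header.
SENSITIVE = {"session", "access_token"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags get an empty value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit(headers, sensitive=SENSITIVE):
    """Return a sorted list of (cookie_name, finding) for every deviation."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if attrs.get("samesite", "").lower() != "strict":
            findings.append((name, "SameSite is not Strict"))
        if name in sensitive and "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
    return sorted(findings)


# Constructed sample headers (not captured from kinmu.app).
SAMPLE = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "access_token=eyJ.constructed.sig; Path=/; Secure; SameSite=Lax",
    "XSRF-TOKEN=r4nd0m; Path=/; Secure; SameSite=Strict",
    "kinmu_preferences=lang%3Des; Max-Age=7776000; SameSite=Strict",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```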
9. PRIVACY AND DATA PROTECTION IN COOKIES
Cookies created by Kinmu contain only technical information necessary for platform operation, and are processed in accordance with Kinmu’s Privacy Policy. Cookies do not contain identifiable personal data such as name, email address, identification number, phone number, or health information.
However, cookies contain a unique session identifier that allows Kinmu to associate consecutive requests with the same authenticated user. This identifier is linked to the user database on Kinmu servers, and it is the combination of cookie and database that allows Kinmu to identify the user and provide personalized functionality. The user may verify what personal data Kinmu maintains in its database by exercising the right of access under Article 15 of Regulation (EU) 2016/679, by contacting dpo@kinmu.app.
Kinmu takes measures to limit exposure of cookie data to accidental or malicious changes. Cookies are transmitted encrypted in transit (HTTPS), and it is not possible for a third party on the network to read cookie content without access to cryptographic keys. Cookies are protected against modification through cryptographic signing algorithms, and any cookie modification is detected automatically by the server during signature validation.
10. USER RIGHTS REGARDING COOKIES
In accordance with European privacy and cookies legislation, the user has the right to:
Reject or delete cookies: The user can reject installation of any cookie by accessing privacy settings in their web browser. Modern browsers (Chrome, Firefox, Safari, Edge) provide user interfaces to delete existing cookies and prevent future cookies. Users can access these settings typically in Settings > Privacy > History > Cookies.
Customize consent: When accessing Kinmu, the user is presented with a consent manager that allows the user to choose which cookie categories to accept. The user can customize consent at any time by accessing privacy options within the platform or contacting dpo@kinmu.app.
Withdraw consent: The user who previously consented to non-essential cookies may withdraw such consent at any time, with withdrawal effective immediately. Withdrawal of consent does not affect the legality of cookies used before withdrawal.
Use cookie blockers: The user may install browser extensions (cookie blockers, Privacy Badger, uBlock Origin) that automatically block third-party and tracking cookies. Such tools can partially affect the functionality of some websites, and the user is responsible for evaluating the trade-off between privacy and functionality.
Request information: The user can contact dpo@kinmu.app to request detailed information about which cookies are used, what information they contain, how long they persist, and what rights the user has.
11. COOKIES IN MOBILE APPLICATIONS
Kinmu mobile applications (available in the Apple App Store for iOS and Google Play Store for Android) use authentication tokens stored in secure operating system storage systems instead of traditional HTTP cookies. These tokens function similarly to cookies but with higher security levels provided by the operating system.
On iOS, tokens are stored in iOS Keychain, which is an encrypted storage service that requires biometric authentication or device password for access.
On Android, tokens are stored in Android Keystore, a repository of encrypted keys that requires device authentication.
Both implementations prevent third-party applications from accessing tokens without explicit user consent. The user can revoke the Kinmu app’s access to tokens in operating system settings (iOS Settings > Kinmu or Android Settings > Apps > Kinmu > Permissions).
Mobile applications do not implement third-party advertising or behavior tracking. The applications do not transmit user data to third parties without consent, and all communication with Kinmu servers is encrypted via HTTPS.
12. CONSENT BY TERRITORY
As Kinmu is an online service accessible from multiple territories, cookie consent is managed according to the legislation of the user’s territory:
Users in the European Union: Users located in the European Union receive a consent manager that requires explicit consent before installing non-essential cookies, in accordance with the ePrivacy Directive 2002/58/EC and the GDPR. Users are presented with options to accept all, reject all, or customize cookies.
Users outside the European Union: Users located in jurisdictions outside the European Union may receive an informational notice about cookies without a prior consent requirement if local legislation does not require it. However, Kinmu respects the user’s privacy preferences regardless of territory.
Kinmu does not modify cookie content or platform functionalities based on the user’s territory and applies European Union standards to all users by default.
13. CHANGES TO THIS POLICY
Kinmu may modify this Cookies Policy at any time to adapt to legislative changes, new security practices, or new functionalities. Substantial modifications will be notified by updating the timestamp at the header of this Policy and through a notice on the platform. The user should review this Policy periodically to stay informed of changes.
Continued use of the platform after changes to this Policy constitutes acceptance of such changes. If the user does not accept changes, the user may request deletion of their account and personal data by contacting dpo@kinmu.app.
14. CONTACT ABOUT COOKIES
For questions about the implementation of cookies in Kinmu, consent preferences, or to report technical issues related to cookies, the user may contact:
Data Protection Officer: dpo@kinmu.app
Technical Support Service: support@kinmu.app
Kinmu will endeavor to respond to inquiries within fifteen business days.
Kinmu Digital S.L.
Calle Teide, 4
28703 Madrid, Spain
CIF: B24996803
https://kinmu.app