
PRIVACY POLICY


1. DATA CONTROLLER

KINMU DIGITAL S.L., a company incorporated under Spanish law, with its registered office at Calle Teide, 4, 28703 Madrid, Spain, and Tax Identification Code B24996803, acts as the controller of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights. To exercise rights related to data protection, you may contact Kinmu's Data Protection Officer at dpo@kinmu.app.


2. NATURE OF PROCESSING AND DATA CATEGORIES

Kinmu processes personal data derived from the access and use of the Kinmu platform (https://kinmu.app) and its associated mobile applications. The processing is carried out for the specific purpose of: (i) providing time tracking and attendance recording functionalities; (ii) managing requests for absence, leave, and rest; (iii) maintaining team, department, and organizational structure information; (iv) generating reports on attendance and schedules; (v) providing assistance through artificial intelligence chat; (vi) complying with legal obligations for recording working hours in accordance with Spanish labor legislation; (vii) detecting and preventing fraud, data falsification, or fraudulent conduct in attendance control; (viii) ensuring the security and technical availability of the platform; (ix) communicating with users about their account, policy changes, service updates, or technical support issues; (x) analyzing usage trends and technical operation only in anonymized form.

The personal data processed includes: full name, email address, employee number assigned by the client company, entry and exit records (date, time, device from which it was performed), history of absences and their type (illness, leave, vacation, etc.), weekly rest days, contractual schedule, department and assignment team, profile picture if provided by the user, contact information (optional telephone), and technical session data (anonymized IP address, browser, device, access timestamp).

If the user chooses to use specific functionalities, the following are also processed: content of conversations with the artificial intelligence chat, validation data through QR code or biometrics (facial recognition) if such functionality is implemented, and location data only if the user explicitly authorizes the geolocated check-in function.

Kinmu does not collect, request, or process: exact GPS coordinates of the device location unless the client company explicitly activates the geolocated attendance control function; browsing history outside the platform; communication history or third-party data without consent; biometric data such as fingerprints or iris recognition unless the optional facial recognition functionality is implemented; health data, genetic data, or data revealing ethnic origin, political opinions, religious beliefs, union affiliation, or user's sex life.


3. LEGAL BASIS FOR PROCESSING

The processing of personal data carried out by Kinmu is based on the following legal bases in accordance with articles 6 and 9 of Regulation (EU) 2016/679:

Article 6.1.a) - Consent: Kinmu processes entry and exit recording data, absence history, and department data based on explicit consent provided by the user when creating their account and accepting these Terms and Privacy Policy. The user may revoke this consent at any time by contacting dpo@kinmu.app, the revocation being effective from that request without affecting the legality of the previous processing.

Article 6.1.c) - Compliance with a legal obligation: Kinmu processes data to comply with obligations derived from the Workers' Statute (in particular the working-hours register required by Article 34.9, introduced by Royal Decree-Law 8/2019), Social Security regulations, and other working-time recording obligations binding on Spanish companies. This processing is mandatory by law and cannot be revoked without placing the client company in breach of its legal obligations.

Article 6.1.f) - Legitimate interest: Kinmu processes data for fraud detection in attendance control, detection of falsified schedule records, investigation of potentially fraudulent conduct, protection of the platform against cyberattacks, improvement of platform availability and operation (in anonymized form), and the defense of Kinmu's legal rights in administrative or judicial proceedings. This processing rests on Kinmu's overriding legitimate interest, weighed against the user's rights; the user is informed of it here and has the right to object (see Section 8).

Article 9 - Special data: In the exceptional case that the user provides health data (for example, to justify a medical absence), Kinmu processes it only with separate explicit consent and exclusively for the purposes of absence management of the client company, not being used for other purposes.


4. SUB-PROCESSORS AND INTERNATIONAL TRANSFERS

4.1 General authorization for the use of sub-processors

The user expressly authorizes Kinmu to appoint sub-processors for the provision of specific services, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

Kinmu declares to have performed due diligence in the selection of the sub-processors listed below, verifying that they offer sufficient guarantees to apply appropriate technical and organizational measures so that the processing is in accordance with the requirements of the GDPR.

The user acknowledges and accepts that:

  • The use of sub-processors is necessary for the provision of the service.
  • Kinmu has signed or adhered to the corresponding Data Processing Agreements (DPA) with each sub-processor.
  • Sub-processors are responsible for compliance with their own data protection obligations.

4.2 Current list of sub-processors

Sub-processor                  Function                              Server location            International transfers
DigitalOcean, LLC              Hosting and cloud infrastructure      Frankfurt, Germany (EU)    Not applicable
Mistral AI                     Conversational assistant (AI chat)    Paris, France (EU)         Not applicable
Anthropic PBC                  Company policy generation with AI     United States              SCCs + DPF
Resend, Inc.                   Transactional email delivery          European Union             Not applicable
Stripe Payments Europe, Ltd.   Payment processing                    Ireland (EU)               Not applicable
PostHog, Inc.                  Product usage analysis                Frankfurt, Germany (EU)    Not applicable

4.3 Sub-processor details

DigitalOcean, LLC

Mistral AI

  • Company name: Mistral AI
  • Address: 15 rue des Halles, 75001 Paris, France
  • Function: Provider of the artificial intelligence model for the Kinmu conversational assistant. Processes chat conversations to generate contextual responses about schedules, absences, and user queries.
  • Server: Paris, France (EU)
  • Processed data: Content of conversations with the AI assistant.
  • Guarantees: DPA in accordance with the GDPR. Mistral AI is contractually committed not to use user data for training its models. Data remains in the European Union and is not transferred to third countries.
  • Privacy Policy: https://mistral.ai/terms/

Anthropic PBC

  • Company name: Anthropic PBC
  • Address: 548 Market St, San Francisco, CA 94104, United States
  • Function: Provider of the Claude artificial intelligence model, used exclusively for the company policy configuration functionality through natural language. Processes administrator instructions to generate labor policy configurations.
  • Server: United States
  • Processed data: Policy configuration instructions provided by administrators. User personal data is not processed through this service.
  • Guarantees: Standard Contractual Clauses (SCCs) of the European Commission; certification under the EU-U.S. Data Privacy Framework (DPF). Anthropic is contractually committed not to use data for model training.
  • Privacy Policy: https://www.anthropic.com/privacy

Resend, Inc.

  • Company name: Resend, Inc.
  • Address: 2261 Market Street #4324, San Francisco, CA 94114, United States
  • Function: Transactional email delivery including registration confirmation, password recovery, change notifications, and administrative notices.
  • Server: European Union
  • Processed data: Email address and recipient name.
  • Guarantees: DPA in accordance with the GDPR; infrastructure hosted in the EU.
  • Privacy Policy: https://resend.com/legal/privacy-policy

Stripe Payments Europe, Ltd.

  • Company name: Stripe Payments Europe, Limited
  • Address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
  • Function: Secure card payment processing and subscription management.
  • Server: Ireland (EU)
  • Processed data: Billing data and payment method.
  • Guarantees: DPA in accordance with the GDPR; PCI DSS Level 1 service provider; SOC 2 Type II. Kinmu does not store, process, or have access to full card data; Stripe processes card data under its own responsibility as controller.
  • Privacy Policy: https://stripe.com/es/privacy
  • Sub-processor list: https://stripe.com/es/legal/service-providers

PostHog, Inc.

  • Company name: PostHog, Inc.
  • Address: 2261 Market Street #4008, San Francisco, CA 94114, United States
  • Function: Product usage analysis to improve user experience.
  • Server: Frankfurt, Germany (EU)
  • Processed data: Anonymized browsing data, platform usage events. PostHog is configured not to collect identifiable personal data.
  • Guarantees: DPA in accordance with the GDPR; EU Cloud infrastructure hosted in Germany; SOC 2 Type II.
  • Privacy Policy: https://posthog.com/privacy

Public website measurement providers

The public marketing website may also use, subject to cookie consent, Google Tag Manager and Google Analytics 4 (Google), Meta Pixel and, if configured in the future, TikTok Pixel. These providers are used only to measure traffic sources, page views, CTA clicks and advertising conversions on the public website. They are not used to process authenticated time tracking records inside the Kinmu application.

4.4 Security guarantees of sub-processors

Kinmu contractually requires all its sub-processors to comply with appropriate security measures, including:

  • Data encryption in transit using TLS 1.2 or higher.
  • Data encryption at rest using AES-256 or equivalent.
  • Role-based access controls and the principle of least privilege.
  • Periodic security audits and recognized certifications (SOC 2, ISO 27001).
  • Documented procedures for incident response.
  • Commitments to notify security breaches within GDPR-compatible timeframes.

4.5 International data transfers

User data primarily resides within the European Union. For services that involve transfers to the United States, Kinmu ensures an adequate level of protection through:

  • Standard Contractual Clauses (SCCs): Modules approved by Commission Implementing Decision (EU) 2021/914.
  • Data Privacy Framework (DPF): For providers certified under the EU-U.S. Data Privacy Framework.
  • Transfer Impact Assessments (TIAs): Kinmu has conducted the necessary assessments to verify that offered safeguards are effective in practice.

Kinmu does not carry out international transfers of data outside the scope of the sub-processors indicated in this policy.

4.6 Modification of sub-processors

Kinmu reserves the right to add, replace, or remove sub-processors when necessary for service provision, provided that:

  • The new sub-processor offers guarantees equivalent to or higher than those of the replaced sub-processor.
  • Users are notified at least thirty (30) days in advance through an update to this Privacy Policy and, where applicable, by email.
  • The corresponding Data Processing Agreement is executed with the new sub-processor.

The user who does not agree with the incorporation of a new sub-processor may exercise the right to object by contacting dpo@kinmu.app within fifteen (15) days from notification. If the objection is well-founded and the service cannot be provided without such sub-processor, the user may terminate the contract without penalty.

4.7 Responsibility regarding sub-processors

Kinmu will be responsible to the user for compliance with the data protection obligations of its sub-processors as provided in Article 28.4 of the GDPR. However, Kinmu will not be responsible for:

  • Non-compliance by sub-processors that exceeds Kinmu’s documented instructions.
  • Autonomous decisions by sub-processors that contravene the signed DPA.
  • Security breaches in sub-processor systems that were not reported to Kinmu in due time.

In any case, Kinmu’s liability will be limited as set forth in the Terms and Conditions of the service.

4.8 Disclaimer regarding artificial intelligence services

The user expressly acknowledges and agrees that:

  • Responses generated by artificial intelligence services (Mistral AI, Anthropic) are indicative and do not constitute legal, labor, or professional advice.
  • Kinmu does not guarantee the accuracy, completeness, or suitability of AI-generated responses for any specific purpose.
  • The user is solely responsible for verifying and validating any policy configuration or information provided by the AI assistant before applying it.
  • AI providers process data exclusively to generate real-time responses and are contractually committed not to use such data for training their models.

5. DATA RETENTION PERIOD

Kinmu retains personal data for specific periods determined by legal obligation, operational necessity, or fulfillment of contractual obligations. Once the retention period ends, data is securely deleted, either by cryptographic erasure (destruction of the keys under which the data was encrypted) or by physical deletion of the media.

Attendance control and working-time records are retained for four years from their creation, the period required by Article 34.9 of the Workers' Statute, during which the Labour Inspectorate and Social Security authorities may audit them.

Absence, leave and rest request data are retained for four years from the date of conclusion of the absence, as required to justify the legality of working time records before labor authorities.

Organizational structure, team, department and hierarchy data are retained while the client company is an active user of the platform, and are deleted thirty days after subscription cancellation.

Artificial intelligence chat conversation data is retained for six months from the conversation and is automatically deleted without user intervention. The user may request immediate deletion of conversations by contacting dpo@kinmu.app.

Technical session data (anonymized IP address, browser, timestamp) is retained for thirty days for security analysis and attack pattern detection.

After a user's data is deleted, aggregate statistics derived from it are retained in anonymized form for two years for analysis of platform usage, in a manner that does not allow direct or indirect identification of the person.

Data related to administrative procedures, lawsuits or fraud investigations is retained for the duration of the procedure plus six years, in accordance with limitation periods.


6. SECURITY MEASURES

Kinmu implements technical, organizational and legal measures to protect personal data against unauthorized access, accidental or intentional disclosure, alteration, destruction or damage. Security measures include:

  • Encryption in transit using TLS (Transport Layer Security) version 1.3 or higher for all communications between clients and Kinmu servers.
  • Encryption at rest using AES-256 for all records stored in databases.
  • Password storage as salted, one-way bcrypt hashes, so that Kinmu never holds the original password and recovering it from the stored hash is computationally infeasible.
  • Network segmentation through firewalls, with database access restricted to authorized systems.
  • Optional multi-factor authentication for users, allowing activation of a second factor via an authenticator app.
  • Role-based access control (RBAC) limiting data access to authorized Kinmu personnel only.
  • Access auditing through detailed logging of all operations on sensitive data, recording the timestamp, the responsible user and the action performed.
  • Incident response with a real-time escalation protocol to the security officer.

Session cookies and authentication tokens are issued with the following security attributes: the HttpOnly flag, which prevents the cookie from being read by JavaScript and so keeps a cross-site scripting (XSS) flaw from disclosing the session token; the Secure flag, which limits transmission to encrypted HTTPS connections; and the SameSite attribute, which stops the browser from sending the cookie on cross-site requests and so mitigates cross-site request forgery (CSRF). Sessions expire automatically after thirty minutes of inactivity, and JWT tokens are renewed automatically every six hours.
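The following is an added illustration of the cookie attributes and session timing described above; it is example code written for this page, not Kinmu's own implementation. The 30-minute inactivity limit and 6-hour renewal interval are taken from the text; the cookie name `kinmu_session`, the choice of `SameSite=Strict` (the policy does not say which mode is used) and the sample header values are assumptions. The audit function is the check a reviewer would run against a real `Set-Cookie` header: it also treats `SameSite=None` as missing, since that mode gives no CSRF protection.

```python
from datetime import datetime, timedelta, timezone

# Values stated in the policy text.
INACTIVITY_LIMIT = timedelta(minutes=30)   # session expires after 30 min idle
RENEWAL_INTERVAL = timedelta(hours=6)      # JWT renewed every 6 h

# Cookie name and SameSite mode are assumptions for this example.
COOKIE_NAME = "kinmu_session"


def session_cookie(token: str, name: str = COOKIE_NAME) -> str:
    """Build the Set-Cookie header value for a session token.

    Max-Age matches the inactivity limit so the browser drops the cookie
    at the same moment the server would stop accepting it.
    """
    max_age = int(INACTIVITY_LIMIT.total_seconds())
    return (f"{name}={token}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Strict")


def missing_cookie_flags(set_cookie: str) -> list[str]:
    """Return the security attributes a Set-Cookie header lacks.

    HttpOnly and Secure are boolean flags. SameSite counts as missing when
    it is absent or set to None, because SameSite=None does not restrict
    cross-site sending and therefore provides no CSRF mitigation.
    """
    attrs: dict[str, str] = {}
    for part in set_cookie.split(";")[1:]:          # skip the name=value pair
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip().lower()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite", "none") == "none":
        missing.append("SameSite")
    return missing


def session_state(issued_at: datetime, last_seen: datetime, now: datetime) -> str:
    """Classify a session as 'expired', 'renew' (reissue the JWT) or 'valid'.

    Inactivity is checked first: an idle session is dropped even when its
    JWT is not yet due for renewal.
    """
    if now - last_seen > INACTIVITY_LIMIT:
        return "expired"
    if now - issued_at >= RENEWAL_INTERVAL:
        return "renew"
    return "valid"


if __name__ == "__main__":
    # Constructed headers: the first is what the policy describes, the
    # second a weak configuration that an audit should flag.
    good = session_cookie("tok-0123")
    weak = "kinmu_session=abc123; Path=/; Secure; SameSite=None"
    print(good)
    print("missing on good:", missing_cookie_flags(good))
    print("missing on weak:", missing_cookie_flags(weak))

    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    print(session_state(t0, t0 + timedelta(minutes=10), t0 + timedelta(minutes=20)))
    print(session_state(t0, t0 + timedelta(minutes=10), t0 + timedelta(minutes=45)))
    print(session_state(t0, t0 + timedelta(hours=5, minutes=50),
                        t0 + timedelta(hours=6, minutes=5)))
```

Running the block prints the well-formed header, an empty list of missing flags for it, `['HttpOnly', 'SameSite']` for the weak header, and the states `valid`, `expired` and `renew` for the three timing scenarios.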

Administrative access to infrastructure is protected by two-factor authentication, so that a single compromised credential is not sufficient to gain access; database servers are reachable only through intermediate bastion hosts; storing credentials in source code or application configuration is strictly prohibited; and all administrative access is audited.


7. SECURITY BREACH NOTIFICATION

If Kinmu detects a Security Breach compromising user personal data, including unauthorized access, accidental disclosure, alteration or destruction of data, Kinmu will proceed in accordance with Article 33 of Regulation (EU) 2016/679. Kinmu will notify the Data Protection Supervisory Authority (Spanish Data Protection Agency - AEPD) within seventy-two (72) hours from detection of the breach. Kinmu will provide the AEPD with: description of the nature of the breach, estimate of the number of persons affected, description of compromised data, likely consequences of the breach, measures adopted to contain the breach, and measures proposed to mitigate impact.

If the security breach poses a high risk to user rights and freedoms (including risk of discrimination, financial harm, identity theft, or public disclosure of sensitive data), Kinmu will notify the affected user without undue delay by email to the registered address, in clear and understandable language. Notification will include: description of the nature of the breach, type of data compromised, technical measures adopted for containment, measures recommended to the user for self-protection, and a contact reference at Kinmu for further inquiries (dpo@kinmu.app).

Kinmu will keep a documented record of all security breaches, even if they do not require notification due to low risk, with the record available for AEPD review in case of investigation.


8. USER RIGHTS

In accordance with Articles 15 to 22 of Regulation (EU) 2016/679, the user has recognized the following rights over their personal data:

Right of access (Article 15): The user has the right to obtain confirmation of whether Kinmu is processing their personal data and, if so, to receive a copy of such data in a structured, commonly used, and machine-readable format. The user may exercise this right once per calendar month free of charge. To exercise the right of access, the user should contact dpo@kinmu.app stating “Access Request under Article 15 GDPR,” and Kinmu will provide a complete copy of data within a maximum of thirty days.

Right of rectification (Article 16): The user has the right to request correction of inaccurate or incomplete data. The user may update profile information directly on the platform (name, email address, photograph) with changes effective immediately. Attendance record data cannot be rectified by the user themselves, but by the client company administrator or by request to Kinmu support.

Right to erasure (Article 17): The user has the right to request deletion of their personal data in specific circumstances, including where data is no longer necessary for the purposes for which it was collected, the user withdraws consent on which processing is based, or processing is unlawful. However, Kinmu may retain data if there is a legal obligation to retain it (compliance with labor law) or if there is an overriding legitimate interest (defense of legal rights in litigation). A user who wishes to exercise the right to erasure should contact dpo@kinmu.app, and Kinmu will evaluate the request and respond within thirty days.

Right to restriction (Article 18): The user has the right to request restriction of processing of their data, with data stored but not processed for specific purposes. This request is useful when the user disputes the accuracy of data (restriction during investigation), when the user considers processing unlawful but opposes deletion, or when the user exercises the right to object. Restricted data will only be processed for the defense of Kinmu’s legal rights, compliance with legal obligation, or with the user’s explicit consent.

Right to data portability (Article 20): The user has the right to receive their personal data in a structured format (typically JSON or CSV) and to transmit it to another controller. This right allows the user to change platforms while retaining their historical data. The user should contact dpo@kinmu.app stating “Portability Request under Article 20 GDPR,” and Kinmu will provide the data in a structured electronic format within a maximum of thirty days. Exported data includes: user profile, attendance history, absence requests, team/department configuration, and AI chat conversations.

Right to object (Article 21): The user has the right to object to processing of their data based on Kinmu’s legitimate interest. Specific objections include: objection to processing for fraud detection (with the risk that fraudulent conduct may not be detected), objection to analysis of usage patterns for technical improvement of the platform, objection to commercial or marketing communications from Kinmu. However, the user cannot object to processing that is mandatory by law.

Right not to be subject to automated decision-making (Article 22): The user has the right not to be subject to decisions that produce legal effects or significantly affect them when such decisions are based solely on automated processing (including profiling). However, Kinmu does not currently implement automated decisions that affect the user beyond technical recommendations; all labor decisions (absence approval, discipline, contract changes) are the responsibility of a natural person representing the client company.

To exercise any right, the user should contact dpo@kinmu.app providing clear identification of the request, the affected personal data, and the grounds for the right exercised. Kinmu will respond within a maximum of thirty days. If a request is particularly complex or requires additional identity verification, Kinmu may extend the period up to sixty days with justified communication.


9. MINORS’ DATA

The Kinmu platform is not designed for or directed to persons under eighteen (18) years of age, and Kinmu does not knowingly collect personal data from them. In the exceptional case that a minor accesses the platform, Kinmu requires consent from a parent or legal guardian for any data processing. If Kinmu discovers that personal data has been collected from a minor without the required consent, it will delete such data without undue delay.


10. COMMUNICATIONS AND MARKETING

Kinmu will use the user’s email data to send transactional communications essential to the operation of the service, including: account registration confirmation, password recovery, notifications of policy or terms changes, security alerts, account suspension or cancellation notices, and responses to technical support inquiries.

Kinmu does not use user personal data for marketing, advertising, or proactive commercial communications directed individually to the user. Kinmu does not sell, transfer, or trade user personal data to third parties for marketing or advertising purposes. If in the future Kinmu implements marketing communications (newsletters, product updates, promotions), Kinmu will require explicit and separate consent before sending them, and the user may unsubscribe at any time via the link included in each communication or by contacting dpo@kinmu.app.


11. CONSENT FOR ARTIFICIAL INTELLIGENCE CHAT

Use of the artificial intelligence chat functionality is optional and requires explicit and separate user consent, distinct from general consent to use the platform. The user will be explicitly informed before activating AI chat that: (i) conversations will be processed by a specialized third party (Mistral AI) under a Data Processing Agreement; (ii) Mistral AI does not use conversation data to train its models; (iii) conversations are private and not accessible to a manager or company administrator; (iv) chat responses are indicative and do not constitute a guarantee of legal or labor accuracy; (v) the user may withdraw consent by disabling the functionality at any time without penalty.

Conversation data is retained for six months and then automatically deleted. The user may request immediate deletion by contacting dpo@kinmu.app.


12. CHANGES TO THIS POLICY

Kinmu reserves the right to modify this Privacy Policy at any time to adapt to legislative changes, new security practices, implementation of new functionalities, or changes in technical architecture. Substantial modifications will be communicated by email at least thirty (30) days in advance, and the user may cancel their subscription during the notice period without penalty if they do not accept the changes.

The current version will always be accessible at https://kinmu.app/privacy. Continued use of the platform after the effective date of modifications constitutes acceptance of the modifications.


13. JURISDICTION AND SUPERVISORY AUTHORITIES

This Privacy Policy is governed by Spanish and European data protection law, with the competent supervisory authority being the Spanish Data Protection Agency (AEPD). The user has the right to file a complaint with the AEPD if they consider that Kinmu’s processing of their data violates applicable law; complaints can be submitted at: www.aepd.es or by mail to: C/ Jorge Juan, 6, 28001 Madrid.


Kinmu Digital S.L.
Calle Teide, 4
28703 Madrid, Spain
CIF: B24996803
https://kinmu.app