Kineto

Kineto Data Privacy Addendum (DPA)

Last Updated: 18 May 2026

This Data Privacy Addendum ("Addendum") forms part of the Kineto Subscription Terms of Service ("Terms") between Kineto Limited, a company incorporated and registered in England and Wales (Company No. 16807588) with its registered office at Tallis House, 2 Tallis Street, London, England, EC4Y 0AB ("Kineto", "Processor", "we", "us"), and the customer ("Customer", "Controller") that subscribes to or otherwise uses Kineto's no-code AI platform and related services (the "Service") as defined in the Terms.

This Addendum reflects the parties' understanding with respect to the processing of Personal Data under applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and where applicable, the EU GDPR.

This Addendum forms part of the Terms and takes effect on the same date as the Terms. It will continue for as long as the Terms remain in effect, or Kineto retains any Personal Data in its possession or control (whichever is the longer).

1. Definitions

Capitalized terms used but not defined in this Addendum have the meanings given in the underlying Terms. For purposes of this Addendum:

"Personal Data" means any information relating to an identified or identifiable natural person processed by Kineto in connection with the Service.

"Personnel" means in respect of Kineto, any of its employees, consultants, and subcontractors.

"Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings set out in the EU GDPR or UK GDPR, as applicable.

"Subprocessor" means any third party engaged by Kineto to process Personal Data on behalf of the Customer.

"Applicable Data Protection Law" means all laws and regulations relating to privacy, data protection, and data security, including the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU GDPR.

Capitalised terms used but not defined in this Addendum have the meanings given in the Terms.

2. Roles of the Parties

The Customer acts as Controller with respect to the Personal Data it provides or makes available to Kineto.

Kineto acts as Processor in processing such data solely for the purpose of delivering and improving the Service, as described in this Addendum.

3. Nature and Purpose of Processing

Kineto processes Personal Data to:

  • Provide, operate, and maintain the Service as described in the Terms;
  • Host and support customer projects, workflows, and datasets;
  • Provide technical and customer support;
  • Handle billing, payments, and account management;
  • Monitor, maintain, and secure the Service; and
  • Comply with legal or regulatory obligations.

The categories of Personal Data processed and Data Subjects affected are those described in the Kineto Privacy Notice, including account, contact, usage, and AI interaction data.

Kineto does not intentionally collect or process special categories of data.

4. Data Ownership and Customer Instructions

All Personal Data remains the property of the Customer.

Kineto will process Personal Data only in accordance with the Customer's documented instructions as set forth in the Terms and this Addendum (including in accordance with Annex 1).

Kineto will promptly notify the Customer if it believes that an instruction violates Applicable Data Protection Law.

5. Processor Personnel

Kineto agrees to take reasonable steps to ensure the reliability of all its Personnel who may have access to Personal Data, ensuring in each case that:

  • access is strictly limited to those individuals who need to know/access the relevant Personal Data, as strictly necessary for the purposes of the Terms; and
  • the relevant Personnel are subject to confidentiality undertakings or professional statutory obligations of confidentiality.

6. Subprocessors

Kineto engages certain third parties to support the delivery of its Service. All Subprocessors are subject to written agreements that impose data protection obligations consistent with this Addendum. The Customer authorises Kineto's engagement of the Subprocessors already engaged by Kineto at the date of this Addendum that are set out in Kineto's Subprocessor List available at https://kineto.dev/legal/subprocessors.

Where Kineto wishes to engage a new Subprocessor, Kineto agrees to provide written notice to the Customer of the details of the engagement of the Subprocessor at least 14 days prior to engaging the new Subprocessor (including details of the processing it will perform). The Customer may object in writing to Kineto's appointment of a new Subprocessor within 7 days of such notice, provided that such objection is based on reasonable grounds relating to data protection.

In such event, the Parties will discuss such concerns in good faith with a view to achieving resolution. If the Parties are not able to achieve resolution, Kineto may, at its election:

(a) not appoint the proposed Subprocessor;

(b) not disclose any Personal Data it processes on the Customer's behalf to the proposed Subprocessor; or

(c) inform the Customer that it may terminate the Terms (including this Addendum) for convenience in accordance with clause 12.3 of the Terms, in which case the Customer shall receive a prompt pro-rata refund of all sums paid in advance under the Terms which relate to the period after the date of termination.

The Customer agrees that the remedies described above in clauses 6.3 (a)-(c) are the only remedies available to the Customer if it objects to any proposed Subprocessor by Kineto.

Where Kineto engages a Subprocessor to process Personal Data, Kineto agrees to enter into a written agreement with the Subprocessor containing data protection obligations no less protective than those in this Addendum with respect to the Personal Data (including in relation to international data transfers), and to remain responsible to the Customer for the performance of such Subprocessor's data protection obligations under such terms.

7. International Data Transfers

Where Kineto transfers Personal Data outside the United Kingdom or European Economic Area, it will ensure that such transfers are protected by appropriate safeguards, such as:

  • Adequacy decisions; or
  • Standard Contractual Clauses (SCCs) with the UK Addendum or International Data Transfer Agreement (IDTA).

Copies of applicable transfer mechanisms are available upon request.

8. Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Kineto agrees to implement appropriate technical and organisational measures in relation to Personal Data to ensure a level of security appropriate to that risk in accordance with Applicable Data Protection Law, including:

  • Encryption in transit and at rest;
  • Role-based access controls;
  • Redundant and secure hosting infrastructure;
  • Regular vulnerability and security reviews; and
  • Employee confidentiality and data protection training.

In assessing the appropriate level of security, Kineto agrees to take into account the risks that are presented by Processing, in particular from a Personal Data Breach.

9. Data Subject Rights

Taking into account the nature of the Processing, Kineto agrees to assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Law.

Kineto agrees to:

(a) promptly notify the Customer if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of Personal Data; and

(b) ensure that it does not respond to that request except on the documented instructions of the Customer or as required by Applicable Data Protection Law to which Kineto is subject, in which case Kineto shall, to the extent permitted by Applicable Data Protection Law, inform the Customer of that legal requirement before Kineto responds to the request.

10. Data Breach Notification

Kineto agrees to notify the Customer without undue delay upon Kineto becoming aware of a Personal Data Breach affecting Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Data Protection Law.

The notification shall include, to the extent possible:

  • a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  • the name and contact details of Kineto's data protection officer or other contact point where more information can be obtained;
  • a description of the likely consequences of the Personal Data Breach; and
  • a description of the measures taken or proposed to be taken by Kineto to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Kineto agrees to co-operate with the Customer and take reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

If the Customer decides to notify a Supervisory Authority, Data Subjects or the public of a Personal Data Breach, the Customer agrees to provide Kineto with advance copies of the proposed notices and, subject to Applicable Data Protection Law (including any mandated deadlines under the UK GDPR), allow Kineto an opportunity to provide any clarifications or corrections to those notices.

11. Data Protection Impact Assessment and Prior Consultation

Kineto agrees to provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the UK GDPR or equivalent provisions of any other Applicable Data Protection Law (to the extent the Customer does not otherwise have access to the relevant information and such information is in Kineto's control).

12. Retention and Deletion

Subject to any document retention requirements at law, Kineto retains Personal Data only for as long as necessary to provide the Service or as required by law.

Upon termination or expiration of the Terms in accordance with clause 12 of the Terms, Kineto will promptly, and in any event, within ninety (90) days ("Cessation Date"), delete and procure the deletion of all copies of Personal Data, unless otherwise required by law.

Kineto agrees to provide written certification to the Customer that it has fully complied with this clause within 10 business days of the Cessation Date.

13. Audit Rights

Subject to this clause 13, where required by law, Kineto shall make available to the Customer on request all information reasonably necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of Personal Data by Kineto or any Subprocessor.

Where clause 13 applies, any audit (or inspection):

(a) must be conducted during Kineto's regular business hours, with reasonable advance notice (which shall not be less than 30 days);

(b) will be subject to Kineto's reasonable confidentiality procedures;

(c) must be limited in scope to matters specific to the Customer and agreed in advance with Kineto;

(d) must not require Kineto to disclose to the Customer any information that could cause Kineto to breach any of its obligations under Applicable Data Protection Law;

(e) to the extent Kineto needs to expend time to assist the Customer with the audit (or inspection), will be funded by the Customer, in accordance with pre-agreed rates; and

(f) may only be requested by the Customer a maximum of one time per year, except where required by a competent Supervisory Authority or where there has been a Personal Data Breach in relation to Personal Data, caused by Kineto.

Information and audit rights of the Customer only arise under clause 13 to the extent that the Terms do not otherwise give it information and audit rights meeting the relevant requirements of Applicable Data Protection Law.

14. Liability and Conflict

Despite anything to the contrary in the Terms or this Addendum, to the maximum extent permitted by law, the Liability of each Party and its affiliates under this Addendum is subject to the exclusions and limitations of Liability set out in the Terms.

In the event of a conflict between this Addendum and any other agreement between the parties, this Addendum shall prevail with respect to the subject matter of data protection.

15. Termination

Each Party agrees that a failure or inability to comply with the terms of this Addendum and/or the Applicable Data Protection Law constitutes a material breach of the Terms. In such event, the Customer may, without penalty:

(a) require Kineto to suspend processing of Personal Data until such compliance is restored; or

(b) terminate the Terms (including this Addendum) in accordance with clause 12.3 of the Terms.

In the case of such suspension or termination under this clause, Kineto shall provide a prompt pro-rata refund of all sums paid in advance under the Terms which relate to the period of suspension or the period after the date of termination (as applicable), in accordance with clause 12 of the Terms.

Notwithstanding the expiry or termination of this Addendum, this Addendum will remain in effect until, and will terminate automatically upon, deletion by Kineto of all Personal Data covered by this Addendum, in accordance with clause 12 of this Addendum.

16. Governing Law

This Addendum is governed by the laws of England and Wales, and disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

17. General

Amendment: Other than as expressly permitted under this Addendum and to the extent permitted by law, this Addendum may only be amended by written instrument executed by the Parties or in accordance with clause 16.2 of the Terms.

Assignment: A Party must not assign or deal with the whole or any part of its rights or obligations under this Addendum without the prior written consent of the other Party (such consent not to be unreasonably withheld).

Confidentiality: Each Party agrees to keep this Addendum and any information it receives about the other Party and its business in connection with this Addendum ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

(a) disclosure is required by law or by a Supervisory Authority; or

(b) the relevant information is already in the public domain through no fault of the receiving Party.

Contracts (Rights of Third Parties) Act 1999: Notwithstanding any other provision of this Addendum, nothing in this Addendum confers or is intended to confer any right to enforce any of its terms on any person who is not a party to it.

Entire Agreement: This Addendum, together with the Terms and the Annexes, constitutes the entire agreement between the Parties with respect to the subject matter of data protection and supersedes all prior or contemporaneous understandings, agreements, negotiations, representations and warranties, and communications, both written and oral, with respect to that subject matter.


Annex 1 — Description of Transfer

1. Categories of Personal Data

The personal data transferred may include:

a) Account Data

  • name
  • email address
  • authentication credentials
  • profile information

b) User Content

  • prompts and instructions submitted by users
  • uploaded files and data
  • generated outputs

c) Technical Data

  • IP address
  • device information
  • browser type
  • system logs
  • usage data

d) Payment Data

  • billing information
  • transaction data (processed via Stripe or equivalent providers)

2. Special Categories of Personal Data

The Company does not intentionally collect or process special categories of personal data (as defined under GDPR).

However: special categories of personal data may be included in user-submitted content (e.g. prompts, uploaded files) at the sole discretion of the user.

3. Data Subjects

The personal data transferred may concern:

  • Users of the Services
  • Customer representatives
  • Employees or contractors of the Customer
  • Any individual whose personal data is included in user-submitted content

4. Frequency of Transfer

Continuous — as part of the provision of the Services.

5. Nature of Processing

Processing operations include:

  • collection
  • storage
  • retrieval
  • transmission
  • analysis
  • generation of outputs

All processing is carried out strictly for the purpose of providing the Services.

6. Purpose of Processing

The processing is necessary for:

  • providing AI-powered functionality
  • generating outputs based on user inputs
  • maintaining and improving the Services
  • ensuring security and compliance

7. Duration of Processing

Personal data is processed:

  • for the duration of the Services
  • and retained for up to 90 days after termination (unless otherwise required by law or agreed)

8. Responsibility of the Customer

The Customer is solely responsible for the personal data submitted into the Services, including ensuring that it has the necessary legal basis for processing and transferring such data.

9. International Transfers

Where personal data is transferred outside the UK/EU, appropriate safeguards are implemented, including:

  • Standard Contractual Clauses (SCCs)
  • equivalent legal mechanisms
