Kindly Legal

General terms

Once the agreement is signed, the Company will establish for the Customer an Organization Account in the Service with effect from the Subscription Commence Date. The Customer will then be able to grant users access to this Organization Account, limited to the number of users defined in this agreement. Customer shall ensure that each user of the Service (“User”) agrees to comply with applicable provisions of the Terms. Company may require Users to accept Company’s Acceptable Use Policy or similar.

The Service can only be used by Users for whom the Customer has a valid license through a paid contract price for the subscription, or at least a pending payment from the initial invoice. A User account must be connected to a valid email address. User accounts shall not be shared or used by more than one person.

The Customer shall not use the Service in a way that violates any laws, infringes on anyone’s rights, is offensive, or interferes with the Service or any features of the Service, and undertakes to ensure that all Users respect the Terms and this provision in particular. Customer is responsible for any and all activities that occur under User’s account. The Customer shall ensure that User identities, passwords, and equivalent obtained by the Customer in conjunction with registration are stored and used in a secure manner and cannot be accessed and used by third parties. Customer agrees to notify Company immediately of any unauthorized use of User’s account or any other breach of security.

The Customer is responsible for ensuring its use of the Service complies fully with all applicable laws and regulations. The Company does not provide legal advice regarding the use of the Service and is not liable for any legal consequences arising from the Customer’s use of the Service.

Company has no obligation to monitor the Service to assure compliance with the Terms. Company reserves the right at all times to edit, refuse to post or to remove and delete any information or materials, in whole or in part, if Company reasonably suspects it to be comprised by the prohibition above. The Customer guarantees that all information provided upon registration is correct.

Company shall not be liable for any losses that Customer may incur as a result of an unauthorized person using User’s password or account, either with or without User’s knowledge. However, Customer can be held liable for losses incurred by Company or a third party as a result of such unauthorized use. Users are not allowed to use anyone else’s account at any time.

Service level agreement

The Services are provided “as is” as a standardized service; the right to use is not conditional or tied to a specific version or functionality at a certain time, but allows access to and use of the Services as is at all times.

Company will use commercially reasonable efforts to make the Service available with a monthly uptime percentage of at least 99.5%, during any monthly calendar cycle, planned downtime not included. Company reserves the right to make improvements, add, modify or remove functionality, or correct any errors or defects in the Service at its sole discretion, without any obligation or liability resulting from such act or defects. Company will however not remove functionality which in Company’s reasonable opinion must be considered a core functionality for the Service.

Company and Customer agree that the Service will not always be completely free of errors and that the improvement of the Service is a continuous process. The Customer is also aware that successful use of the Services is dependent on equipment and factors (such as sufficient internet connection) that the Customer has the responsibility for. Company is not liable for the discontinuance or disruption of the operation of the Service caused by the internet or any third party service the Customer needs in order to access the Service, including operating systems etc. Company’s equipment and system requirements are stated in Clause 2 and is subject to updates as stated therein. Third party software and operating system updates etc. may influence the usability of the Service, and Company has no responsibility in this regard. Company will however always use best efforts to accommodate and develop the Service for updates etc. on supported operating systems.

Company is only responsible for the functioning of the Service itself, and undertakes the following obligations regarding error handling with regards to the Service:

The resolution time stated in the table above starts when the Customer has given Company notice of the error and sufficient information to assess and understand what the error consists of. Notice shall be given by email to the email address stated in this agreement.

If Company has not succeeded in curing a category A or B error within the resolution time stated, the Customer is entitled to a period of free extension of the Service, and must claim such free extensions within one hundred and eighty (180) days following the date of the error notification. The free extension for failing to meet the resolution time for category A errors shall be fourteen (14) days. For category B errors the free extension shall be four (4) days. For category C errors no free extension is given. Total free extension periods per year is limited to twenty-eight (28) days. The above described free extensions shall be the only remedy available to the Customer in case of failure to meet the resolution times stated above.

A category A error lasting more than ten (10) days is considered a material breach, which gives the Customer a right to terminate the agreement. The same applies for a category B error lasting more than twenty (20) days.

Planned downtime is not considered an error. Downtime may be necessary to perform updates or maintenance in hardware or software from time to time. Company may have planned downtime up to ten (10) times each calendar year. Planned downtime shall always be notified at least five (5) business days in advance and shall be done outside of normal business hours (0900-1700 CET),. For planned downtime of up to twenty-four (24) hours, notification shall be given at least ten (10) days in advance. Planned downtime pursuant to this clause is not considered a breach of contract.

Company shall provide backup of the Customer’s data, to restore it after a data loss event. For support purposes, The Company has internal administrators who can access Customers’ data. Company will never access the Customers’ data without prior approval from the Customer, however anonymized data may be used internally to further improve the machine learning algorithms. Logs are kept of any access by Company administrators.

Equipment and system requirements

The Service is available on the following browsers: Latest two versions of Safari, Chrome, Firefox and Edge.

Company does not offer compatibility between the Service and other browsers, equipment, software and operating systems.

The system requirements may be updated by the Company without notice. The updated system requirements will be made available upon request by contacting support at support@kindly.ai. The Company shall however notify the Customer at least thirty (30) days in advance if Company will stop supporting previously supported equipment or software as stated above (and later amended). Customer shall be responsible for obtaining and maintaining all hardware, software and other equipment needed for the access and use of the Services, and is responsible for all charges and expenses related thereto. Customer is also responsible for the integration between the Service and the Customer’s own systems.

The customer understands and accepts that the Service can be expected to evolve during the agreement period. The Company reserves the right to add, modify and phase out functionality and/or web services in the Service without prior notice. If the Customer will be affected by any such changes, the Company will inform the Customer in writing with 30 days notice. For description of how changes are introduced to the API's provided by the Company please see our API License & Disclaimer.

The Company reserves the right to perform scheduled upgrades and maintenance to the Service, which may cause the Service to become temporarily unavailable to the Customer and its respondents.

Intellectual property rights

Subject to the limited rights expressly granted in this agreement, the contractual relationship between Company and Customer does not constitute a transfer of any intellectual property rights from Company to Customer.

The Customer has no right to e.g. sell, lend, sub-licence, distribute in any way (free of charge or for consideration), create derivative works of, copy, frame, access or try to get access to the source code of, mirror or reverse engineer any part or feature of the Service, including all underlying intellectual property rights and/or know-how. The list is non-exhaustive. The Customer may not in any way modify, decompile, disassemble or reverse engineer the Service.

Rights to and ownership of the material supplied by Company to Customer, including all copyrights and ownership in relation thereto, shall at all times be exclusively owned by Company, and neither the direct customer nor any associated customer shall take any initiative that violates such rights and ownership. The Companys service logo and all other branding contained in the material supplied by the Company to the Customer and/or used in conjunction with the Service, are trademarks, trade names or other commercial symbols, and the rights of these will remain the exclusive property of the Company and/or its licensors.

The Customer may not under any circumstances try to modify, alter, translate or convey source code or other parts of this code in any software that the customer is given access to. In addition, the Customer may not resell or license any of the material obtained by Company to the Customer. Distribution lists, surveys and Email content, as the result of Customer use of the Service, remain the Customer's property. Collected data belongs to the Customer, and it can be retrieved by the Company and forwarded to the Customer free of charge within the contract period/period of notice. The Customer is solely responsible for the content that is created, processed and/or stored by the Service.

Customer may from time to time provide suggestions, comments for enhancements or functionality or other feedback (“Feedback”) to Company with respect to the Service or other Company IP, e.g. in connection with the customization of the Services for the Customer. Company shall have full discretion to determine whether or not to proceed with the development of the requested enhancements, new features or functionality. Customer hereby grants Company a royalty-free, fully paid up, worldwide, transferrable, sub-licensable, irrevocable and perpetual license to (a) copy, distribute, transmit, display, perform and create derivative works of the Feedback; and (b) to develop, manufacture, have manufactured, market, promote, sell, have sold, offer for sale, have imported, rent, provide and/or lease products or services which practice or embody, or are configured for use in practicing the Feedback and/or any subject matter of the Feedback.

Personal data

The Customer owns all data, information and material of any kind input or uploaded to the Service by the Customer or Users, including personal data (the “Customer Data”). The Customer is the Data Controller for all personal data Company processes as part of providing the Services as defined by Article 4(7) of the General Data Protection Regulation (GDPR). This means that the Customer is responsible for ensuring that there is a lawful basis for the processing of this data.

The Data Controller is responsible for configuring the Service to comply with their own privacy policy, the (GDPR), and other relevant data privacy regulations.  

If third-party systems or chat clients are used to consume the Company’s APIs, it is the Data Controller’s responsibility to ensure the processing is compliant with the provisions of GDPR and Data Subject rights.

Company acts as the Data Processor when processing personal data on behalf of the Data Controller as defined by Article 4(7) of the GDPR. Company will only process data, information and material in order to provide the Service to the Customer, including support, service and maintenance. Anonymized, disconnected data may be used to further improve machine learning algorithms. Data will not be processed for any other purposes unless there is a legal obligation for such processing.

Upon termination or expiration of the Agreement for any reason, Customer may request an export of the Customer Data in a pre-defined format within thirty (30) days of the effective date of such termination or expiration; provided that, such Customer Data shall remain subject to the Terms (including the restrictions with respect to its use and disclosure). Anonymized, disconnected data may be retained in order to further the quality of the Service.

Data Access, Portability and Switching

The Customer retains full ownership of all data, information and material uploaded to, generated through, or otherwise processed by the Service (“Customer Data”). The Company may process Customer Data only as necessary to provide, maintain, improve or secure the Service, or to comply with legal obligations. Nothing in these Terms transfers ownership of Customer Data to the Company.

The Customer may at any time export Customer Data through the Service in a structured, commonly used and machine-readable format (for example JSON, or CSV). The Company shall provide secure access and reasonable technical support to enable such retrieval and shall not impose contractual, technical or commercial barriers to the Customer switching to another provider or environment. The Company complies with Articles 23–25 of the EU Data Act regarding switching and interoperability.

After termination, the Customer shall have at least thirty (30) calendar days (“Retrieval Period”) to retrieve its Customer Data. After this period, or any later date agreed in writing, the Company will permanently and irreversibly delete all exportable Customer Data, except where retention is required by law.

Certain internal operational data strictly necessary for the functioning or security of the Service (such as system logs, telemetry or proprietary configuration data) are excluded from export where disclosure would compromise trade secrets, intellectual property or Service security. Such exclusions shall be applied narrowly and shall not be used to frustrate the Customer’s rights under the EU Data Act.

Standard data export and switching support are provided free of charge. If the Customer requests extensive migration assistance or custom transfer work that incurs measurable direct costs, the Company may charge a reasonable, cost-based fee, disclosed in advance and consistent with Article 25 of the EU Data Act.

Nothing in these Terms limits or excludes the Customer’s rights or the Company’s obligations arising under the EU Data Act, including rights relating to data access, portability and switching, or protections against unfair contractual terms under Article 41.

Kindly uses cookies and other technologies when you visit our website, mobile site or mobile applications (we’ll refer to these collectively as our services from now on). This policy explains what cookies are, why we use them and how you should treat them.

By using our services, you accept our use of cookies and other technologies in accordance with these guidelines and Kindly's privacy policy. In essence, you accept the use of cookies in essential, analytical, custom and functional applications as well as in marketing as described below.

If you don’t agree to the use of cookies, you can disable them by changing your browser settings so that cookies cannot be stored on your device. By disabling cookies, some parts or the entire website may stop working.

What are cookies?

Cookies are text files that contain a small amount of information that is automatically downloaded to your device when you visit a website. When you re-visit the website that initially provided you with the cookie, it will be returned. This will also occur if you visit other websites that recognize that cookie.

Cookies are convenient because they allow the site to recognize the user's device. They do a lot of different things, such as navigating between pages effectively, remembering your preferences and generally improving the website experience. They can also improve the ads you see on a webpage by shoing more relevant ads.

Cookies generally will not identify you as an individual, only the device you are using. For more information about cookies, visit allaboutcookies.org.

How does Kindly use cookies?

We use cookies and other technologies for different purposes – to remember your preferences, provide services (product and site functionality), analyze our performance, enhance and personalize your experience and provide marketing communications.

Currently Kindly uses the following cookies:

More information

If you have any questions about how Kindly handles cookies, you'll find more information in our privacy policy or contact Kindly's Data Protection Officer by sending an e-mail to dpo@kindly.ai.

GDPR

Is Kindly GDPR compliant?

General Data Protection Regulation (GDPR) is a European Union regulation  designed to protect the personal data and privacy of EU citizens

We're committed to GDPR compliance and have implemented robust measures to protect personal data. These include:

• Comprehensive data management: We ensure all necessary terms are in place for processing customer data and maintain rigorous security protocols (ISO 27001 certified).
• Privacy-focused platform: Our platform is designed with privacy in mind, featuring automatic anonymization, chat log deletion, and user control over their data.
• Data breach preparedness: We have established procedures to handle any potential data breaches and provide ongoing training to our staff.
• Dedication to data protection: Our Data Protection Officer oversees compliance and offers expert guidance

Do you have a Privacy Governance Framework?

We have implemented an Information Security Management System (ISMS) in line with the ISO/IEC 27001:2022 standard. Our ISMS encompasses a comprehensive Governance Framework that not only ensures the protection of information assets but also addresses privacy concerns, aligning with the GDPR requirements.

How do you prevent function creep in the chatbot?

Kindly prioritizes a user-centric approach to ensure new features align with user needs and the chatbot’s core purpose. We actively involve stakeholders like product managers, designers, and subject matter experts in the decision-making process to ensure that any proposed enhancements are carefully evaluated from various perspectives.

To gain valuable insights into user preferences, we collect and analyze customer feedback. This helps us identify areas where new features could be beneficial and ensures that they align with user expectations.

To prevent the addition of unnecessary features, we limit the scope of the chatbot to specific use cases. By maintaining a clear focus on defined objectives, we ensure that any proposed functionalities contribute meaningfully to the chatbot’s overall purpose.

This comprehensive approach helps us maintain a focused and valuable platform for users, preventing function creep and ensuring that Kindly remains aligned with its core mission.

How do you ensure compliance with the data minimization principle?

Kindly limits administrators registered in the platform to only adding relevant personal information to their profile.

Due to the nature of a chatbot, the end-user can message the service in free text. This opens up to the risk of end-users providing sensitive or other personal data to the chatbot unnecessarily. This can lead to breach of the data minimization principle.

To avoid it, Kindly enables the Data Controller to:

• configure a filter that will anonymize specific types of personal data.
• configure the chatbot to proactively inform the end-user of what data they should not input into the chatbot.

What measures do you have for ensuring data quality?

Kindly provides the Data Controller functionality which can be configured so end-users can update the information in the chat log by sending additional messages in the same session. This can be limited by the end-user ending the chat or from the session timing out. The duration before a session timeout is configured by the Customer.

How do you ensure accountability under the GDPR

Kindly has a designated Data Protection Officer (DPO) who is responsible for overseeing data protection and privacy matters in the organization.

We also implemented and communicated a Data Protection Policy which is accepted by all  employees.

Are you a Data Controller or Processor?

The GDPR recognizes different roles in data handling: controllers and processors. Controllers decide how and why data is used, while processors handle data on the controller's behalf, following their instructions (often outlined in a contract).

Kindly is the data controller for personal data related to our customers' employees during the sales/marketing cycle but not chat visitors or end customers.

For data shared on our platform, the customer is the data controller, and Kindly acts as the data processor. We process data according to the Data Processing Agreement (DPA) agreed upon with our customers

Does Kindly provide a Data Processing Agreement for its customers?

It's a requirement under the Art 28, of the GDPR to have a DPA in place which clearly defines everyone's role in relation to the personal data being handled. A DPA clarifies responsibilities, outlines data processing terms, and mitigates certain liabilities for data processors and controllers.

All of our customers are able to enter into a DPA with us.

Our DPA covers all of the main terms needed under the GDPR. It also describes our processes when it comes to informing customers aboutpotential breaches or subprocessor changes (for example if we want to update the product).  

Who has access to customer data at Kindly?

Our teams have access to customer data only when necessary for their jobs. We follow the principle of least privilege, granting access on a need-to-know basis.

As a data controller, we may share data with third-party providers to support our operations. For more information see our Privacy Policy page.

As a data processor, we use third-party sub-processors to deliver our services. See the full list here: https://www.kindly.ai/legal-policies/subprocessors

Where does Kindly store personal data?

Data is securely stored in Google Cloud data centers in Belgium. Google Cloud is certified to meet high security standards, including ISO 27001, PCI, and SOC compliance.

How long does Kindly store personal data?

Customer is able to configure how long the chat logs are stored.

Customer data is retained for as long as the account is in active status. When a user closes an account, all data linked to the account is anonymized. If the workspace the account is knit to is also deleted, no data is kept.

What types of personal data do you collect?

To allow our customers to log in to our platform and recover their password, and for administrators to provide customer support and account maintenance we collect the following data:

• Email and password
• First name and last name
• Profile picture (optional)

For end-users, a typical user is anonymous, so no personal identifiable information is stored. Chat logs and associated meta-data is stored, which typically includes:

- Message content

- Timestamps

Not explicitly stored by Kindly, provided by the cloud provider and accessible in aggregations:

- Location

In addition, some anonymized and filterable analytics data from  interactions are stored for statistical purposes.

Does the chatbot support anonymization of personal data?

Kindly Chatbot supports automatic anonymization of end-users and their personal data in the inquiries.

The chatbot identifies anonymous end-users using randomly generated identities, such as "Green Banana", so that the Customer can still keep track of end-users and their inquiries.

Personal data such as e-mail addresses, telephone numbers, credit card numbers, social security numbers, etc. can be detected automatically by the chatbot and immediately overwritten by asterisks.

If anonymization is turned on, the data gets anonymised in transit which means it's never stored on the platform and never sent to our subprocessors.

The Customer chooses which personal data is to be anonymized by the chatbot.

Does Kindly use subprocessors?

Yes, see the full list of these sub-processors (with further information).

Does Kindly transfer personal data abroad?

Kindly is located in the EEA and all customer account data is stored within the EU, however certain opt-in features like Kindly GPT might require processing personal data outside the EU. For details see subprocessor list: https://www.kindly.ai/legal-policies/subprocessors

If for processing purposes we have to transfer any data outside the EU, we always  rely on lawful transfer mechanisms allowed by the GDPR.

This includes for example the decision made by the European Commission deeming some countries or organizations as having adequate measures to protect any personal data coming from the EU, the Data Privacy Framework (DPF), and Standard Contractual Clauses (SCCs).  

Whenever engaging a third party vendor, we conduct careful due diligence to assess their GDPR compliance practices considering factors such as data security measures.

We also ensure that we have Data Processing Agreements with all vendors.  

Have you considered Schrems III?

Schrems III aims to undermine one of the mechanisms which currently permits the flow of data between the European Union and the United States -  Data Privacy Framework, but the outcome remains to be determined.

We continuously monitor changes in legislation and regulatory guidelines to stay ahead of any new requirements that might affect us. Our priority is to maintain the highest standards of service for our clients while safeguarding the privacy and security of their data.

Does Kindly have a Data Protection Officer?

Yes we do. Our DPO is Anna Wojcicka, who oversees the Privacy program at Kindly and can be contacted at dpo@kindly.ai

Questions specific to Kindly Plus

What sub processors from the list are relevant to Kindly Plus?

Entity Name: Google Cloud Services

Purpose: Hosting & infrastructure

Location: Belgium, EU

Applicable service: Bot platform

Subject matter: Platform users, chat messages

Duration: seconds

How does Kindly Plus use personal Data?

The Kindly Plus model analyzes the user input (which may contain personal data) to identify their intention and match it with a  predefined answer in the Kindly platform.  

Chat messages from the end-users are analyzed using our machine learning technology for the purpose of suggesting how to improve the chatbot.

We do not use Customer Data to improve our Product, train or fine-tune any AI/ML models.

Questions Specific to Kindly GPT

What sub processors are relevant to Kindly GPT?

Depending on client configuration it will be one of the below.

‍

Entity Name: OpenAI

Purpose: NLU functionality for KindlyGPT

Location: USA

Applicable service: Bot platform

Subject matter: Chat logs

Duration: 30 days

‍

Entity Name: Microsoft Azure

Purpose: NLU functionality for KindlyGPT

Location: France or UK

Applicable service: Bot platform

Subject matter: Chat logs

Duration: 30 days

What does Kindly GPT do with user Data?

Kindly GPT uses the customer's knowledge base and chat user's input to generate an answer. To do that, Kindly leverages generative AI models. Individual user messages are being processed without metadata or association to the chat log.

We do not use Customer Data to improve our Product, train or fine-tune any AI/ML models.

Is Kindly GPT GDPR compliant?

Yes. If for processing purposes we have to transfer any data outside of the EU, we rely on lawful transfer mechanisms allowed by the GDPR including:

- Adequacy decisions

- Standard Contractual Clauses

- Data Privacy Framework

- and conduct careful due diligence of the sub processors involved to ensure commitment to data protection and security.

Organizational Security Measures

Does Kindly have any security certifications?

Kindly is ISO/IEC 27001:2022 certified which means we maintain an ISMS which encompasses policies, processes, and procedures that ensure regular testing, assessment, and evaluation of both technical and organizational aspects of our services related to information security.

Do you undertake IT security audits, vulnerability assessments and/or testing?

Kindly undertakes all IT security audits, risk assessments, vulnerability assessments and testing necessary to ensure that it's ISMS in accordance with ISO/IEC 27001:2022. This includes yearly external and internal audits, yearly penetration tests performed by a third party and monthly vulnerability testing.

Furthermore, Kindly's security team is kept up to date on new and upcoming vulnerabilities through information security forums and newsletters to identify risks/threats.

What's your risk management process?

Kindly has implemented a risk management process, which consists of the following:

1. Risk identification

We proactively identify potential threats and vulnerabilities across our operations and products, which lays the foundation for effective risk management.

2. Risk assessment

Each risk undergoes a detailed assessment to understand its impact and probability, which enables the prioritization and management of risks based on their severity.

3. Risk management

We use tailored strategies to mitigate identified risks, including implementing controls, transferring risks, avoiding high-risk activities, or accepting risks when appropriate.

4. Continuous improvement

Our risk management practices are subject to regular reviews and updates, ensuring they remain effective against evolving threats and changes in our operational environment.

5. Documentation and reporting

All aspects of our risk management process are thoroughly documented, providing a clear and accountable record of our actions and outcomes

How does Kindly manage employee access to client solutions

Access Reviews

Access to all systems and services is reviewed and updated annually to ensure proper authorizations align with job functions. This process is regulated by role-based access control (RBAC) and adheres to the Principle of Least Privilege, ensuring that users are granted the minimum necessary access required for their job responsibilities.

Unique User Identification

Access to platform systems and applications is managed using unique User Login IDs and passwords for each individual user and developer. Password requirements enforce strong password controls, and all users are provided with unique, secure temporary authentication information that must be acknowledged upon receipt and changed upon first use.

Authentication and Authorization

Multi-Factor Authentication (MFA) is mandated for all administrative access accounts and enterprise assets, where supported. Internal access to the platform is secured with application keys that are rotated monthly. Developers use Bitwarden password manager for generating passwords, and two-factor authentication is required for logging into all production systems. All employee disks are encrypted with FileVault, BitLocker, and LUKS.

Monitoring of Access

System activities, including audit logs, access reports, and security incident tracking reports, are reviewed frequently, not exceeding a year. Internal access controls follow the principle of least privilege, ensuring that employees have only the necessary access to perform their required job functions.

Infrastructure Security

Kindly uses Identity and Access Management (IAM) to provide users and applications with the narrowest set of permissions necessary for accessing data. Permissions to access running production systems and databases are granted only to users with an explicit need. Internal accounts are managed using a Google Workspace domain with enforced two-factor authentication, and external services for internal use are authenticated using Single Sign-On (SSO) via SAML 2.0 to Google Workspace accounts.

Access Control for Employees

Access to systems and applications is formally managed and reviewed by the Compliance team. Annual access reviews ensure that proper authorizations are in place according to job functions. When an employee is offboarded, they lose access to all systems, which is logged in an offboarding checklist.

How do you handle Security Incidents or Personal Data Breaches?  

The procedures for handling security breaches involve several steps. When an information security breach is identified or discovered, employees must notify their immediate supervisor within 24 hours. The manager must immediately notify the on-call Information Security Manager (ISM) for an appropriate response. The notification must include a description of the incident, date, time, and location of the incident, the person who discovered the incident, how the incident was discovered, known evidence of the incident, and affected system(s).

Within 48 hours of the incident being reported, ISM conducts a preliminary investigation and risk assessment to review and confirm the details of the incident. If the incident is confirmed, ISM assesses the impact on the company and assigns a severity level, which determines the level of remedial work required.

If the incident is considered High or Medium, the ISM must work with the CEO and Product Manager to create and execute a communication plan that communicates the incident to users, the public and other stakeholders.

In the event of a personal data breach that poses a high risk to individuals' rights and freedoms, Kindly will immediately inform the relevant data controller. The notification will clearly and simply detail the nature of the breach, contact information for the data protection officer or other contact for further information, the potential consequences of the breach, and the measures taken or proposed by the controller to deal with the breach and mitigate any negative consequences.

Describe measures for event, error and security incident logging

Kindly uses the Google Cloud Platform Audit Logging tool, which provides a complete record of all activity that occurs in the platform. All user activity, system activity, and data access are stored in a central location with a retention period of 400 days. Access to the audit logs are restricted on a "least-privilege" basis using RBAC (IAM)

System errors and security incidents are logged internally and are exposed on status.kindly.ai. Here, both real-time events and previous events are available, as well as status for all components of the platform.

All security incidents are logged with the event date.

What are your practices for secure software development?

Secure coding principles

All developers are trained in secure coding principles based on OWASP, and these principles are implemented in software development.

Communication method

Whenever something is major and breaking, Kindly notifies all clients by email in advance and in status meetings. The notice will be sent 3 months in advance.

Otherwise, upgrades are communicated in the changelog.

Key activities and effort required from the Customer

The Kindly service lives in the cloud, meaning that the Customer will receive updates on the fly without the need to do anything.

Version control

It is possible to version control the chat service. Then the Customer would need to update the version number of the service that is being requested.

If the Customer wants to use a specific version, then you can follow our changelog or API changelog in order to know when you want to update to a given version. With major updates Kindly will notify the Customer by email in advance and in the status meetings, regardless if you use version control or subscribed to the latest changes.

Code implementation

Any change is reviewed by at least two developers, then auto-deployed to staging environment by CI/CD. This automatic process already runs pre-defined tests, however the staging environment is used for manual checks prior to triggering the deployment to production (we use Release tags for triggering this).

Code patches

Utilizing automated tools like Dependabot, we ensure the proactive generation of code patches in response to updates within open-source software frameworks. These patches, once generated, require formal approval through our code review process.

Additionally, Software Development Lifecycle Policy provides details on the process for secure development of software.

What are your physical access controls?

Access to Kindly's offices is restricted to authorized personnel only. All access requires an active access card, and the access card must be used at all doors. Authorized visitors to the offices are always accompanied by Kindly employees.

All computers with sensitive information are locked with passwords, and login to services with files and other sensitive information, such as Google Drive (archiving and sharing files), Slack (internal communication), Trello (task delegation), and login to the Kindly platform itself is secured with two-factor authentication, where unknown attempts to log in require approval from the employee via their mobile phone.

This policy regulates the chatbot platform Kindly – an automated chat service. The service is delivered by the Norwegian company Kindly AS.

What data do we collect?

To allow our users to log in and recover their password, and for administrators to provide customer support and account maintenance we collect the following data:

• Email and password
• First name and last name
• Profile picture (optional)
• User activity within the platform 

The personal data collected depends on which features are enabled and configured by platform users.

How is the data used?

Personal data is and will never be sold or brokered in any way to third parties, though we may on occasion share or provide your personal data when we are required to do so by law

The email address is solely used for the purpose of identifying the user and for opt-in communication. Names and profile pictures are used for the purpose of identifying the user when cooperating in the administrator interface and for support purposes.

User activity within the platform is collected to improve the user experience, and optimize platform performance.

Sharing of Data and International Transfers

We may share personal data with carefully selected third-party service providers, such as:

• Hosting and infrastructure partners
• Analytics providers
• Customer support and communication tools

These providers only process data on our behalf and in accordance with our instructions. We ensure that they implement appropriate technical and organizational measures to protect personal data.

Where service providers are located outside the European Economic Area (EEA), we use lawful transfer mechanisms to ensure adequate protection of your data. These mechanisms include reliance on:

• Adequacy decisions issued by the European Commission, or
• Standard Contractual Clauses (SCCs) approved by the European Commission.

Legal Basis for Processing Personal Data

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases for processing personal data:

• Performance of a contract: Processing necessary to provide our services to users, including authentication, support, and account maintenance.
• Legitimate interests: Processing based on our legitimate interest in improving our platform, ensuring security, and analyzing user activity.
• Consent: When required, we seek user consent for specific data processing. 
• Legal obligation: Processing necessary to comply with legal and regulatory requirements.

Your choices

Withdraw or modify consent. Where we rely on your consent you can withdraw it at any time by contacting us at dpo@kindly.ai. Withdrawal will not affect processing carried out before you withdrew consent.

Object to processing. Where we process your personal data based on legitimate interests, you may object by contacting dpo@kindly.ai. If you object, we will assess your request and stop the processing unless we have compelling legitimate grounds or the processing is required for legal claims.

Kindly as a Data Processor 

Our customers, who have incorporated the chatbot function to their websites, may process personal data in accordance with their own privacy policies. Kindly AS acts as a data processor on behalf of its customers regarding chatbot interactions.

1. Introduction

This Privacy Policy explains how Kindly AS ("Company," "we," "us," or "our") collects, uses, and protects your personal data when you visit and interact with our website, https://www.kindly.ai ("Website").

We are committed to safeguarding your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using the Website, you agree to the terms outlined in this Privacy Policy.

2. Who We Are and How to Contact Us

Kindly AS, located at Fred Olsens gate 1, 0152 Oslo, Norway, is the Data Controller for the personal data collected through this Website. This means we determine why and how your data is processed.

If you have any questions about this Privacy Policy or your data, please contact our Data Protection Officer:

• Email: dpo@kindly.ai
• Mail: Fred Olsens gate 1, 0152 Oslo, Norway

3. What Information We Collect

When you use our Website, we may collect the following types of personal data:

a. Information You Provide Directly

This includes information you actively submit to us:

• Name
• Email address
• Phone number
• Any other information you provide through contact forms or chatbots.

b. Information Collected Automatically (Usage Data)

This data is gathered as you interact with our Website:

• IP address (Internet Protocol address)
• Browser type and version
• Device type and operating system
• Referring pages and pages visited on our Website
• Time and date of your visits
• Cookie data and unique identifiers (for more details, see our Cookie Policy)

4. How We Use Your Information and Our Legal Basis (GDPR)

We use your personal data for the following purposes, always based on a valid legal reason as required by GDPR:

• To Operate and Maintain the Website: To ensure our Website functions correctly and securely.
  
  • Legal Basis: Our legitimate interests in providing a functional and secure online presence.
• To Respond to Your Inquiries or Support Requests: To communicate with you and address your questions or service needs.
  
  • Legal Basis: Performance of a contract (e.g., if your inquiry relates to a service agreement) or our legitimate interests in effective customer communication.
• To Analyze Website Usage and Improve Our Services: To understand how our Website is used and make improvements to its features and performance.
  
  • Legal Basis: Our legitimate interests in continuously enhancing our services and user experience.
• To Send Marketing Communications: To provide you with news, special offers, and information about our products and services that may interest you. You can opt out at any time.
  
  • Legal Basis: Your consent (for direct marketing where required) or our legitimate interests (for existing customers under "soft opt-in" rules).
• To Deliver Personalized Advertising: To tailor and display content and advertisements based on your interests and Website interactions.
  
  • Legal Basis: Our legitimate interests in promoting our services and, where required, your consent for certain types of advertising cookies.
• To Comply with Legal Obligations: To fulfill legal requirements, enforce our terms, or protect our legal rights.
  
  • Legal Basis: Legal obligations.

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (like web beacons, tags, and scripts) to enhance your user experience, analyze Website traffic, and serve targeted advertisements. These technologies help us:

• Provide essential Website functionalities.
• Remember your preferences (e.g., login details, language).
• Understand how you use our Website.
• Deliver relevant advertisements.

You can manage your cookie preferences via our Cookie Banner or through your browser settings.

For more detailed information on the types of cookies we use, their specific purposes, their providers, and how you can manage your preferences, please see our dedicated [Cookie Policy].

6. Who We Share Your Data With

We do not sell or rent your personal data to third parties. We may share your data in specific situations:

Service Providers
We share your personal information with trusted third-party companies who perform services on our behalf. These include:

• Analytics Providers: (e.g., Google Analytics, Hotjar, LinkedIn Insight) to monitor and analyze Website usage.
  
• CRM & Sales Tools: (e.g., HubSpot, Salesloft) for managing customer relationships, sales processes, and communications.
  
• Email Marketing Services: (e.g., HubSpot) for managing and sending emails.
  
• Account-Based Marketing & Targeting: (e.g., 6sense) for identifying and engaging potential business prospects.
  
• Other providers who assist in operating and improving our Service. These providers are considered Data Processors under GDPR and are contractually obligated to protect your data and only use it as instructed by us.

Business Partners: We may share your information with our business partners to offer you certain products, services, or promotions.

Affiliates and Group Companies: We may share your information with our parent company, subsidiaries, joint venture partners, or other companies under common control, ensuring they honor this Privacy Policy.

Authorities (Legal Compliance): We may disclose your data when required by law, court order, or governmental regulation, or if we believe it's necessary to protect our rights, property, or safety, or that of others.

Business Transfers: In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. Your personal data may be transferred as part of such a transaction.

With Your Consent: We may share your information for any other purpose if you give us your explicit consent.

7. International Data Transfers

Your information, including Personal Data, is processed at Kindly AS's operating offices in Norway and at other locations where our service providers may be located. This means your information may be transferred to—and maintained on—computers outside of your country, or other governmental jurisdiction, where data protection laws may differ.

When personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place to protect your data. This typically includes using Standard Contractual Clauses (SCCs) approved by the European Commission, or relying on other legally compliant transfer mechanisms that provide equivalent protection. By continuing to use our Service and providing your information, you agree to such transfers.

8. Data Retention

We retain your personal data only for as long as is necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. This means we keep your data for as long as you use our services or interact with us, and then for a period to comply with our legal, accounting, or reporting obligations, or to resolve disputes and enforce our legal agreements.

Usage data is generally kept for a shorter period unless it is used to strengthen the security or improve the functionality of our Service, or if we are legally obligated to retain this data for longer time periods.

9. Your Data Protection Rights (GDPR)

Under GDPR, you have important rights regarding your personal data. We are committed to respecting the confidentiality of your Personal Data and guaranteeing you can exercise these rights:

• Right to Access: You have the right to request a copy of the personal data we hold about you.
• Right to Rectification: You have the right to request that we correct any inaccurate or incomplete data we hold about you.
• Right to Object to Processing: You have the right to object to our processing of your personal data where we are relying on a legitimate interest as the legal basis, or for direct marketing purposes.
• Right to Erasure ("Right to be Forgotten"): You have the right to ask us to delete or remove your personal data when there is no good reason for us to continue processing it (e.g., if it's no longer necessary for the purposes for which it was collected).
• Right to Restriction of Processing: You have the right to ask us to limit the way we use your personal data in certain circumstances (e.g., if you contest the accuracy of the data).
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to have it transferred to another organization, where technically feasible. This right applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Right to Withdraw Consent: Where we rely on your consent to process your data, you have the right to withdraw that consent at any time. This won't affect any processing that occurred before you withdrew your consent.

To exercise any of these rights, please contact us at dpo@kindly.ai. We may ask you to verify your identity before responding to such requests. We will do our best to respond to your request as soon as possible.

You also have the right to lodge a complaint with your local data protection supervisory authority. For Norway, this is Datatilsynet (the Norwegian Data Protection Authority).

10. Security

The security of your Personal Data is important to us. We take appropriate technical and organizational measures to protect your data from unauthorized access, disclosure, alteration, and destruction. However, please remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

11. Children's Privacy

Our Website is not intended for anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 13 without verification of parental consent, we will take steps to remove that information from our servers.

12. Links to Other Websites

Our Website may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. We may also let you know via email and/or a prominent notice on our Service, prior to the change becoming effective. You are advised to review this Privacy Policy periodically for any changes.

14. Contact Us

If you have any questions or concerns about this Privacy Policy, please contact our Data Protection Officer:

• Email: dpo@kindly.ai
• Mail: Fred Olsens gate 1, 0152 Oslo, Norway

Note: We do not have a bug bounty rewards program, but we do appreciate your report.

Purpose

To allow for the reporting and disclosure of vulnerabilities discovered by external entities, and anonymous reporting of information security policy violations by internal entities.

Scope

Kindly’s Responsible Disclosure Policy covers applies to Kindly’s core platform and its information security infrastructure, and to internal and external employees or third parties.

Background

Kindly is committed to ensuring the safety and security of our customers and employees. We aim to foster an environment of trust, and an open partnership with the security community, and we recognize the importance of vulnerability disclosures and whistleblowers in continuing to ensure safety and security for all of our customers, employees and company. We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers that are providing us with their expertise and whistleblowers who add an extra layer of security to our infrastructure.

Roles and Responsibilities

The Data Protection Officer is responsible for updating, reviewing and maintaining this policy.

Legal Posture

Kindly will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We openly accept reports for the Kindly chatbot platform. We agree not to pursue legal action against individuals who:

• Engage in testing of systems/research without harming Kindly or its customers.
• Engage in vulnerability testing within the scope of our vulnerability disclosure program.
• Test on products without affecting customers, or receive permission/consent from      customers before engaging in vulnerability testing against their devices/software, etc.
• Adhere to the laws of their location and the location of Kindly. For example, violating laws that would only result in a claim by Kindly (and not a criminal claim) may be acceptable as Kindly is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
• Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Vulnerability Report/Disclosure

How to Submit a Vulnerability

To submit a vulnerability report to Kindly’s Product Security Team, please utilize the following email:

security@kindly.ai

Preference, Prioritization, and Acceptance Criteria

We will use the criteria from the next sections to prioritize and triage submissions.

What we would like to see from you:

• Well-written reports in English will have a higher probability of resolution.
• Reports that include proof-of-concept code equip us to better triage.
• Reports that include only crash dumps or other automated tool output may receive lower priority.
• Reports that include products not on the initial scope list may receive lower priority.
• Please include how you found the bug, the impact, and any potential remediation.
• Please include any plans or intentions for public disclosures.

What you can expect from Kindly:

• A timely response to your email within 5 business days.
• After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
• An open dialog to discuss issues.
• Notification when the vulnerability analysis has completed each stage of our review.
• Credit after the vulnerability has been validated and fixed.

If we are unable to resolve communication issues or other problems, Kindly may bring in a neutral third party to assist in determining how best to handle the vulnerability.

Whistle Blowing

How to Submit a Report

To anonymously report an information security program violation or a violation of related laws and regulations, please utilize our email address: security@kindly.ai

Preference, Prioritization, and Acceptance Criteria

We will use the criteria from the following sections to prioritize and review submissions.

What we expect from you:

• Detailed report made in good faith or based on a reasonable belief.
• Good Faith means the truthful reporting of a company-related violation of information security policies, procedures, or regulations, as opposed to a report made with reckless disregard or willful ignorance of facts.
• Reasonable Belief refers to the subjective belief in the truth of the disclosure AND that any reasonable person in a similar situation would objectively believe based on the facts.
• Details of the violation (i.e., what, how, why).
• Details of the reported event, with facts (i.e., who, where, when).
• You are NOT responsible for investigating the alleged violation, or for determining fault or corrective measures.

What you can expect from Kindly:

• Your report will be submitted to the Compliance team for review.
• Protection of your identity and confidentiality.
• CAVEAT: It may be necessary for your identity to be disclosed when a thorough investigation, compliance with the law, or due process of accused members is required.
• Protection against any form of retaliation and harassment, such as termination, compensation decreases, or poor work assignments and threats of physical harm.
• If you believe that you are being retaliated against, immediately contact the Compliance Manager.
• Any retaliation or harassment against you will result in disciplinary action.
• CAVEAT: Your right for protection against retaliation does not include immunity for any personal wrongdoing alleged in the report and investigated
• Due process for you and for the accused member(s).
• Corrective actions taken to resolve a verified violation and a review and enhancement of applicable policies and procedures, if necessary or appropriate.
• Continuous information security awareness training and understanding your rights as a whistleblower.

To support delivery of our Services, Kindly may engage and use third party data processors with access to certain Customer Data (each, a "Subprocessor").

This page details the identity, location and purpose of each Subprocessor.

Kindly may use the following Subprocessors to host or process Customer Data, or provide other infrastructure that helps with delivery of our Services:

The following subprocessors are tied to optional services affiliated with using the platform: