Kineto Data Privacy Addendum (DPA)

Last Updated: November 24, 2025

This Data Privacy Addendum (“Addendum”) forms part of the agreement between Kineto Limited, a company incorporated and registered in England and Wales (Company No. 16807588) with its registered office at Alpha House, 100 Borough High Street, London, SE1 1LB (“Kineto”, “Processor”, “we”, “us”), and the customer (“Customer”, “Controller”) that subscribes to or otherwise uses Kineto’s no-code AI platform and related services (the “Service”).

This Addendum reflects the parties’ understanding with respect to the processing of Personal Data under applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and where applicable, the EU GDPR.

1. Definitions

Capitalized terms used but not defined in this Addendum have the meanings given in the underlying Agreement. For purposes of this Addendum:

  • “Personal Data” means any information relating to an identified or identifiable natural person processed by Kineto in connection with the Service.
  • “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings set out in the UK GDPR.
  • “Subprocessor” means any third party engaged by Kineto to process Personal Data on behalf of the Customer.
  • “Applicable Data Protection Law” means all laws and regulations relating to privacy, data protection, and data security, including the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU GDPR.

2. Roles of the Parties

  • The Customer acts as Controller with respect to the Personal Data it provides or makes available to Kineto.
  • Kineto acts as Processor in processing such data solely for the purpose of delivering and improving the Service, as described in this Addendum.

3. Nature and Purpose of Processing

Kineto processes Personal Data to:

  • Provide, operate, and maintain the Service;
  • Host and support customer projects, workflows, and datasets;
  • Provide technical and customer support;
  • Handle billing, payments, and account management;
  • Monitor, maintain, and secure the Service; and
  • Comply with legal or regulatory obligations.

The categories of Personal Data processed and Data Subjects affected are those described in the Kineto Privacy Notice, including account, contact, usage, and AI interaction data.

Kineto does not intentionally collect or process special categories of data.

4. Data Ownership and Customer Instructions

  • All Personal Data remains the property of the Customer.
  • Kineto will process Personal Data only in accordance with the Customer’s documented instructions as set forth in the Agreement and this Addendum.
  • Kineto will promptly notify the Customer if it believes that an instruction violates Applicable Data Protection Law.

5. Subprocessors

Kineto engages certain third parties to support the delivery of its Service. All Subprocessors are subject to written agreements that impose data protection obligations consistent with this Addendum. A current list of Subprocessors is available in Kineto’s Subprocessor List, which is updated regularly. Kineto will notify the Customer of any intended changes to Subprocessors, giving the Customer an opportunity to terminate the agreement if necessary.

6. International Data Transfers

Where Kineto transfers Personal Data outside the United Kingdom or European Economic Area, it will ensure that such transfers are protected by appropriate safeguards, such as:

  • Adequacy decisions; or
  • Standard Contractual Clauses (SCCs) with the UK Addendum or International Data Transfer Agreement (IDTA).

Copies of applicable transfer mechanisms are available upon request.

7. Security Measures

Kineto maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit and at rest;
  • Role-based access controls;
  • Redundant and secure hosting infrastructure;
  • Regular vulnerability and security reviews; and
  • Employee confidentiality and data protection training.

8. Data Subject Rights

Kineto will, to the extent legally permitted, assist the Customer in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection, or consent withdrawal). If Kineto receives a request directly from a Data Subject related to Customer data, it will forward the request to the Customer unless prohibited by law.

9. Data Breach Notification

In the event of a confirmed Personal Data Breach, Kineto shall:

  • Notify the Customer without undue delay;
  • Provide sufficient information to enable the Customer to comply with its obligations under Applicable Data Protection Law; and
  • Cooperate with the Customer in managing notifications to Supervisory Authorities or affected individuals, if required.

10. Retention and Deletion

Kineto retains Personal Data only for as long as necessary to provide the Service or as required by law. Upon termination of the Agreement, Kineto will delete or anonymize Personal Data within ninety (90) days, unless otherwise required by law.

11. Audit Rights

Upon reasonable written notice and subject to confidentiality obligations, Kineto shall make available documentation demonstrating compliance with this Addendum.

12. Liability and Conflict

Each party’s liability arising under this Addendum is subject to the limitations of liability in the underlying Agreement. In the event of a conflict between this Addendum and any other agreement between the parties, this Addendum shall prevail with respect to the subject matter of data protection.

13. Governing Law

This Addendum is governed by the laws of England and Wales, and disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.