KiteFishAI logoKiteFishAI
KiteFishAI logoKiteFishAI
Contact Us
Legal

GDPR Data Processing Addendum

Supplementary terms for users and customers in the EEA, UK, and Switzerland.

Effective June 14, 2026/Kitefish Technology Pvt Ltd
01

Scope and Relationship to Privacy Policy

This GDPR Data Processing Addendum ("Addendum") supplements the KiteFishAI Privacy Policy and Terms of Service. It applies where Kitefish Technology Pvt Ltd processes personal data of individuals located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland. In the event of a conflict between this Addendum and the Privacy Policy, this Addendum prevails for EEA/UK/Switzerland-related processing.

02

Definitions

Terms in this Addendum carry the meanings given by the EU General Data Protection Regulation (2016/679) ("GDPR") and, where applicable, the UK GDPR and Swiss Federal Act on Data Protection ("FADP"):

  • Controller — the entity that determines the purposes and means of processing personal data.
  • Processor — the entity that processes personal data on behalf of the Controller.
  • Data Subject — the identified or identifiable natural person whose personal data is processed.
  • Personal Data — any information relating to a Data Subject.
  • Standard Contractual Clauses (SCCs) — clauses approved by the European Commission under Decision 2021/914/EU for international data transfers.
03

Roles of the Parties

Where KiteFishAI is the Processor

When you (the enterprise customer) use the KiteFishAI APIs or platform to process personal data of your own users or employees, you act as the Controller and Kitefish Technology Pvt Ltd acts as the Processor. We process such data solely on your documented instructions.

Where KiteFishAI is the Controller

When we collect personal data directly from you (e.g., account registration, billing data, support communications), we act as the Controller and are independently responsible for that processing under our Privacy Policy.

On-Premises Deployments

Where model packages are deployed on your own infrastructure, Kitefish Technology Pvt Ltd does not process your inference data at all. You are the sole Controller and Processor of any personal data within your deployment environment.

04

Lawful Basis for Processing

We rely on the following lawful bases under Article 6 GDPR:

  • Contractual necessity (Art. 6(1)(b)): processing required to perform our contract with you, including providing the Services, managing your account, and billing.
  • Legitimate interests (Art. 6(1)(f)): security monitoring, abuse detection, and fraud prevention, including the 30-day retention of interaction logs. We have conducted a legitimate interests assessment confirming these interests are not overridden by Data Subjects' rights.
  • Legal obligation (Art. 6(1)(c)): where processing is required by applicable EU, UK, or Indian law.
  • Consent (Art. 6(1)(a)): where you have explicitly opted in to model training use of your data. Consent is freely given, specific, informed, and may be withdrawn at any time without detriment.
05

Data Processing Obligations (Processor Role)

Where we act as Processor, we commit to:

  • Process Personal Data only on your documented instructions, unless required otherwise by law
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement the technical and organisational measures described in Section 7
  • Assist you in fulfilling obligations to respond to Data Subject requests under Chapter III of the GDPR
  • Assist with security obligations (Art. 32), breach notifications (Arts. 33–34), DPIAs (Art. 35), and prior consultations (Art. 36)
  • Delete or return all Personal Data after the end of the Services, and delete existing copies unless law requires further storage
  • Make available all information necessary to demonstrate compliance with Art. 28 GDPR and support audits
06

Sub-Processors

We currently engage the following categories of sub-processors:

  • Cloud infrastructure providers (e.g., Microsoft Azure — for compute in non-on-premises deployments)
  • Payment processors (for billing and subscription management)
  • Security and monitoring tools (for platform integrity and abuse prevention)

A current list of sub-processors is available on request at legal@kitefishai.com. We will give you at least 30 days' prior written notice before adding or replacing a sub-processor. If you object on reasonable grounds, you may terminate the affected Services without penalty within 30 days of receiving notice.

We impose data protection obligations on all sub-processors equivalent to those in this Addendum.

07

International Data Transfers

Our primary infrastructure is located in India, which is not currently designated as adequate under EU GDPR. Where we transfer EEA/UK Personal Data to India or other third countries, we rely on:

  • Standard Contractual Clauses (SCCs) — EU Commission Decision 2021/914/EU (Module 2: Controller-to-Processor or Module 1: Controller-to-Controller as applicable). SCCs are incorporated by reference and available on request.
  • UK International Data Transfer Agreement (IDTA) — for transfers from the UK, issued by the UK Information Commissioner's Office.
  • Swiss standard data protection clauses — for transfers from Switzerland under the revised FADP.

For on-premises deployments where data does not leave your infrastructure, no cross-border transfer by KiteFishAI occurs.

08

Technical and Organisational Security Measures

Confidentiality

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest using AES-256 or equivalent
  • Role-based access controls limiting access to authorised personnel only
  • Confidentiality obligations for all personnel with access to production systems

Integrity and Availability

  • Redundant infrastructure with automated failover
  • Regular automated backups with tested restoration procedures
  • Network segmentation and firewall controls
  • DDoS protection and rate limiting

Accountability

  • Audit logging of access to Personal Data
  • Periodic internal security assessments
  • Designated personnel responsible for data protection compliance
  • Documented incident response and breach notification procedures
09

Data Subject Rights

Where we act as Controller, we will respond to Data Subject rights requests within the timeframes required by GDPR (typically one month):

  • Right of access (Art. 15): obtain a copy of your Personal Data we hold.
  • Right to rectification (Art. 16): correct inaccurate Personal Data.
  • Right to erasure (Art. 17): request deletion, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18): limit how we use your Personal Data.
  • Right to data portability (Art. 20): receive your Personal Data in a machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests.
  • Rights related to automated decision-making (Art. 22): not be subject to solely automated decisions with significant effects without human review.

To exercise these rights, contact legal@kitefishai.com. We will not charge a fee unless requests are manifestly unfounded or excessive.

Where we act as Processor, please direct Data Subject requests to the Controller (our enterprise customer). We will assist the Controller in responding.

10

Personal Data Breach Notification

  • Where we are the Controller: we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to Data Subjects' rights, and notify affected individuals without undue delay where the risk is high.
  • Where we are the Processor: we will notify you without undue delay (and in any event within 48 hours) upon becoming aware of a breach affecting your Personal Data, with sufficient information to allow you to fulfil your own notification obligations.
11

Data Protection Impact Assessments

Where you determine that processing using the Services is likely to result in a high risk to Data Subjects (e.g., large-scale processing of special category data), we will provide reasonable assistance with any required DPIA under Art. 35 GDPR upon written request.

12

Special Category Data

Our Services are general-purpose AI infrastructure and are not specifically designed for processing special categories of Personal Data (Art. 9 GDPR). If you intend to process health, biometric, racial/ethnic, or political data using our Services, you must:

  • Notify us in advance at legal@kitefishai.com
  • Ensure an appropriate legal basis under Art. 9(2) GDPR is in place
  • Execute any additional technical or contractual safeguards we may reasonably require

Enterprise customers in regulated healthcare sectors (e.g., using KF-ClinicalAssist) have sector-specific data processing terms in their enterprise agreements.

13

Supervisory Authority and Complaints

If you are located in the EEA, you have the right to lodge a complaint with your local Data Protection Authority. A list of EEA DPAs is available at edpb.europa.eu. UK users may contact the Information Commissioner's Office (ico.org.uk).

We encourage you to contact us first at legal@kitefishai.com so we can address your concerns directly.

14

Governing Law

To the extent required by EU GDPR, disputes relating specifically to this Addendum shall be subject to the courts of the EU member state in which the Controller is established, without prejudice to the governing law provisions of the main Terms of Service for all other matters.

15

EU/UK Representative

We are evaluating the appointment of an EU/UK representative under Art. 27 GDPR. Enterprise customers who require a named representative for regulatory purposes should contact legal@kitefishai.com to discuss contractual arrangements.

Questions?

Kitefish Technology Pvt Ltd

legal@kitefishai.com

kitefishai.com