Privacy Policy

1. General Provisions

This Privacy Policy (hereinafter — the "Policy") defines the procedure for collecting, storing, using, and protecting personal data processed by the Kendy platform (hereinafter — the "Platform", "we", "us").

This Policy has been developed in accordance with the Law of Ukraine "On Personal Data Protection" dated 01.06.2010 No. 2297-VI, and also takes into account the principles of Regulation (EU) 2016/679 (GDPR) as applicable to data subjects from the European Union.

By using the Platform, you confirm that you have read this Policy and consent to the processing of your personal data under the terms set forth herein.

2. Definitions

• Personal Data — information or a set of information about a natural person who is identified or can be specifically identified.
• Processing of Personal Data — any action or set of actions performed with personal data (collection, storage, use, dissemination, destruction, etc.).
• Client — a registered user of the Platform who uses Kendy services.
• Data Subject — a natural person whose personal data is being processed.
• B2B Data — information about business entities (legal entities, sole proprietors) that was voluntarily published by them in open sources.

3. What Data We Collect

3.1. Platform Client Data

Upon registration and use of the platform, we collect:

• Registration data — first name, last name, email, phone number (for account creation)
• Corporate data — company name, tax identification code, job title (for legal entity identification)
• Payment data — banking details (IBAN) for invoicing and payment processing
• Technical data — IP address, browser type, cookies (for platform functionality and security)
• Activity data — request history, API usage (for service improvement and billing)

3.2. B2B Data from Open Sources

To provide lead generation services, we collect publicly available information from Google Maps and business websites:

• Business name, address, category
• Contact details — general phone number, email (info@, office@) from Google Maps and the business website
• Public information — rating, reviews, business hours
• Online presence — website URL, social media profiles

We collect exclusively B2B data — information about business entities that they have voluntarily published for commercial purposes. We do not collect personal data of natural persons from the aforementioned sources. Businesses may submit a removal request to have their data deleted from our database.

4. Legal Basis for Processing

Kendy acts as a controller with respect to personal data of Platform clients, and as a processor with respect to B2B data collected on behalf of the client in the course of providing lead generation services.

• Client data — consent of the data subject (Articles 6, 11 of Law No. 2297-VI); performance of a contract
• B2B contact data — legitimate interest (Article 11 of Law No. 2297-VI) — enabling B2B communication using voluntarily published information
• Technical data — legitimate interest — ensuring the security and operability of the Platform

5. How We Use Data

Collected data is used for:

• Service delivery — fulfilling contractual obligations (lead generation, analytics, outreach)
• Communication — responding to inquiries, technical support, service notifications
• Billing — tracking service usage, invoicing
• Service improvement — usage analysis to enhance platform functionality
• Security — prevention of unauthorized access and abuse
• Legal compliance — adherence to the requirements of applicable Ukrainian law

6. Sharing Data with Third Parties

We do not sell client personal data. Data may be shared with:

• Hosting provider (Hetzner Online GmbH, Germany) — for data storage and processing
• Authentication providers (Clerk) — for account sign-in functionality
• Email automation platform — for executing outreach campaigns at the client's request
• Payment services (LiqPay, bank) — for payment processing
• Frontend hosting (Vercel) — for website operation
• Government authorities — upon legal request, where required by Ukrainian law

All third parties to whom data is transferred are required to maintain an adequate level of data protection.

7. International Data Transfers

To provide our services, we may transfer data outside Ukraine to the following categories of recipients:

• Hosting provider (Germany, EU) — an adequate level of protection is ensured pursuant to a European Commission adequacy decision
• Authentication and website hosting providers (USA) — transfer based on Standard Contractual Clauses and the EU-US Data Privacy Framework
• AI services — processing of anonymized data for analytics and lead scoring

In all cases, we ensure an adequate level of personal data protection in accordance with the requirements of Ukrainian law and the principles of GDPR.

8. Data Retention

• Account data — for the duration of the account + 12 months after deletion
• Payment information — 3 years from the last transaction (tax legislation requirements)
• B2B data (leads) — 12 months from the date of collection
• Technical logs — 6 months

Upon expiry of the retention period, data is deleted or anonymized.

9. Data Security

We take the following measures to protect personal data:

• Encryption — data transmission via HTTPS/TLS, password hashing
• Access control — access restricted by API keys and authentication
• Monitoring — detection of suspicious activity and unauthorized access attempts
• Backups — regular database backups
• Data minimization — we collect only the data necessary for service delivery

10. Your Rights

Under the Law "On Personal Data Protection", you have the right to:

• Know — obtain information about the processing of your personal data
• Access — receive a copy of the personal data being processed
• Rectification — request correction of inaccurate or incomplete data
• Erasure — request deletion of personal data (where no legal ground for retention exists)
• Restriction of processing — request a restriction on the processing of your data
• Objection — object to the processing of data on the basis of legitimate interest
• Withdrawal of consent — withdraw previously given consent to data processing

To exercise your rights, please contact us at: info@getkendy.com. We will review your request within 10 business days.

11. Opt-Out for Businesses

If information about your business was collected from open sources and you wish to have it removed from our database:

1. Complete the opt-out form or send a request to info@getkendy.com with the subject line "Data Removal".
2. Please provide the business name, address, and contact details to be removed.
3. We will delete your data within 5 business days and add you to an exclusion list (to prevent re-collection of the data).

12. Cookies

12.1. Cookies We Use

12.2. Managing Cookies

You can manage cookie settings via the banner on the website or through your browser settings. Analytics cookies are only set with your consent. Disabling necessary cookies may affect Platform functionality.

13. Changes to the Policy

We reserve the right to update this Policy. We notify users of material changes by posting an updated version on the Platform and by email notification to registered clients. The date of the last update is indicated at the beginning of this document. Continued use of the Platform after changes have been made constitutes acceptance of the updated Policy.

14. Contact

For questions regarding personal data processing, please contact us: