Privacy Policy
Effective Date: April 10, 2025
Kimia Pty Ltd (“Kimia”, “we”, “us” or “our”) is an Australian AI Software-as-a-Service (SaaS) company committed to protecting the privacy of our corporate and individual users. This Privacy Policy outlines how we collect, use, disclose, and safeguard personal data when you use Kimia’s websites, applications, and services (collectively, the “Services”).
We comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth) (see OAIC website), the EU and UK General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as amended by the CPRA. By using our Services, you agree to this Policy.
Australian Privacy Compliance
- We remain accountable for how personal data is handled when transferred offshore under APP 8.
- We ensure overseas service providers, like AWS in the United States, uphold privacy protections consistent with Australian law.
- Complaints can be directed to the Office of the Australian Information Commissioner (OAIC).
GDPR and CCPA Marketing Practices
- EU users: We seek active opt-in for marketing communications and analytics cookies.
- Australian users: You can opt out of marketing communications via unsubscribe links in emails.
Cookies and Consent
- We provide a cookie banner with granular controls for users to enable or disable non-essential cookies, especially for analytics.
By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services. We may provide additional privacy disclosures or notices to supplement this policy for certain regions or services; those should be read together with this Privacy Policy.
Personal Data We Collect
We collect and process different types of personal data from users of our Services. The types of information we may collect include:
- Identification and Contact Information: When you create an account or register for our Services, we collect basic personal details such as your first name, last name, email address, and any other contact information you provide. If you represent a business, we may also collect your company/organization name, job title, and business contact details. These details are used for account creation, authentication, and communication purposes.
- Account Credentials: If an account is required, we collect the credentials you use to sign up (such as username and password). Passwords are never stored in plaintext; we store them only in a protected (one-way hashed or encrypted) form and do not disclose them to anyone.
- User Communications: If you contact us (for example, by email or through support channels) or provide feedback, we collect the information in those messages (such as your name, email, and the content of your inquiry) to address your request and keep records of correspondence.
- Usage Data and Technical Information: When you interact with our Services, we automatically collect certain information about your device and usage of the Services. This may include your IP address, browser type, device type, operating system, unique device identifiers, pages or features accessed, the date/time of your visits, and other log data. We collect this information to understand how our Services are used, to monitor and prevent fraud or misuse, and to improve performance and user experience.
- Cookies and Tracking Technologies: Like most online services, we use cookies, pixels, and similar tracking technologies on our website and platform. Cookies are small text files placed on your device to remember your preferences and enhance your experience. We (and authorized third parties acting on our behalf) use cookies to:
- Authenticate your login and maintain your session;
- Remember preferences and settings;
- Analyze site usage and performance via analytics tools (e.g. Google Analytics, Mixpanel) to understand user interactions.
- Advertising and Marketing (if applicable): Currently, Kimia does not display third-party ads on our platform, and we do not use personal data for targeted advertising. We may use cookies to inform you of our own services or features, but we do not share your personal data with third-party advertisers.
You have control over cookies. You can set your browser to refuse or delete cookies, and our site will still function, though some features (like staying logged in or remembering preferences) may be limited. For more details, please see our Cookie Notice (if available) and the “Your Rights and Choices” section below.
- Other Information You Provide to Us: You may provide additional data when using our Services. For example, if our AI Services allow you to input text, files, or other content, any personal data included in such content is provided at your discretion. Kimia does not require or intentionally collect sensitive personal information (such as government IDs, financial information, or health data) through user inputs. Importantly, Kimia does not use personal data from your inputs to train our AI models; user-provided content is processed only to deliver the requested AI service or answer and then handled in accordance with this Privacy Policy (e.g., retained for a limited time for quality assurance or deleted, as described below).
We limit our collection of personal data to what is relevant for the purposes described in this Policy. If we obtain personal data from third-party sources (for example, if your employer provides your contact details to set up an enterprise account, or if we use a marketing lead database), we will treat that information in accordance with this Privacy Policy and any additional restrictions imposed by the source.
How We Use Personal Data
Kimia uses your personal data for the following purposes, and we ensure that each use is supported by a valid legal basis (see “Legal Bases for Processing” below for additional detail for users in the EU/UK):
- Providing and Improving the Services: We use the collected information to operate, maintain, and provide you with our Services’ functionality. For example, we use your name and email to register your account, authenticate you when you log in, and deliver core features of our AI SaaS platform. We also analyze usage data and feedback to understand performance and improve our Services, develop new features, and enhance user experience.
- Communications: We use contact information (name, email) to send you service-related communications. This includes confirmations, invoices or billing information (if applicable), updates about new features or changes to our Services, and important security or support messages. We may also send you promotional communications about our products or events if you have opted in to receive such communications. You can opt out of marketing emails at any time by using the unsubscribe link in those emails or contacting us as described below.
- Customer Support: If you reach out with questions, feedback, or support requests, we will use your provided information to respond to and resolve your inquiries, troubleshoot issues, and improve our support processes.
- Analytics and Service Enhancement: We process usage data (including via cookies and third-party analytics tools) to gain insights into user behavior and preferences. This helps us identify trends, debug and improve the functionality and security of our platform, and inform our business strategy. Any analytics processing is done on de-identified or aggregated data where possible. For instance, we use Google Analytics and Mixpanel to understand which features are most popular or how users navigate our site, which informs us on how to improve the Service. These analytics providers may set their own cookies as controllers of usage data; however, we do not allow them to use personally identifying information from our users for their own purposes.
- Security and Fraud Prevention: We use personal data (especially usage and technical data, and sometimes account data) to monitor for and prevent fraudulent, abusive, or unlawful activities. For example, we may use IP address and account activity to detect multiple failed login attempts or suspicious behavior to protect against unauthorized access. We also use it to enforce our Terms of Service and other policies.
- Legal Compliance: We may process personal data as required to comply with applicable laws and regulations, or to respond to lawful requests or court orders. For example, we may retain certain transaction records for tax or accounting regulations, or disclose information to law enforcement where legally compelled.
- No Selling or Sharing for Third-Party Use: Kimia does not sell your personal data to third parties. We do not rent or trade your information, and we do not share personal information with third parties for their own marketing or advertising purposes. Any data sharing we do is solely as described in the next section (with service providers or for legal reasons), and always under protective measures.
- No Personal Data in AI Model Training: As noted above, we do not use personal data to train our AI models. Any content you input into our Services is used only to generate results for you and to maintain or improve the quality of the service in a non-identifying manner. We do not incorporate your personal details (such as your name, contact info, or any identifiable content from your prompts) into our AI training datasets.
If we need to use your personal data for a purpose materially different from the purposes listed in this Policy, we will provide you with additional notice and, if required by law, seek your consent.
Legal Bases for Processing (GDPR Compliance)
For individuals located in the European Economic Area (EEA), the United Kingdom, or other regions with similar laws, we must have a valid legal basis to process your personal data. We rely on the following legal bases:
- Contractual Necessity: In most cases, we process personal data because it is necessary to perform our contract with you or to take pre-contractual steps at your request. For example, when you register an account and use our Services, we must process your name, email, and other information to provide the Service, maintain your account, and fulfill our obligations to you.
- Legitimate Interests: We process certain data as needed for our legitimate interests, and only after confirming that your rights and interests do not override these interests. Our legitimate interests include: improving and securing our Services, understanding how our Services are used, communicating important updates to customers, preventing fraud, and pursuing business transactions (e.g., corporate reorganization or merger – see “Disclosure of Personal Data” below). When we rely on this basis, we limit our processing to what is necessary and proportionate, and we consider potential impacts on your privacy. For example, using your usage data for analytics and improvement, or using your email to send service announcements, may be considered under legitimate interests.
- Consent: In certain cases, we rely on your consent. For instance, we will obtain your consent to send you marketing emails if you are not already our customer, or to place non-essential cookies (such as analytics cookies) on your device where required by law. If we ever process any sensitive personal data (which we generally do not seek to collect), we would do so based on your explicit consent or as otherwise permitted by law. You have the right to withdraw your consent at any time, as described in the “Your Rights and Choices” section, but this will not affect the lawfulness of any processing already performed.
- Legal Obligation: Where processing is necessary for us to comply with a legal obligation, we will process personal data on that basis. For example, we may have to retain records for tax law or respond to government requests under laws that apply to us.
We will normally identify the legal basis for processing at the point of collection or in this Privacy Policy. If you have any questions about the legal bases or need more information, please contact us using the details provided in the “Contact Us” section.
Disclosure of Personal Data
Kimia treats your personal data with care and confidentiality. We do not disclose or share personal data except in the following circumstances and only to the extent necessary:
- Service Providers and Subprocessors: We may share personal data with third-party companies that provide services to us and act on our instructions (“data processors” or “subprocessors”). These include:
- Cloud Hosting and Storage: We use Amazon Web Services (AWS) (with servers located in the United States, specifically the us-east-1 region) to host our application and store data. All personal data you provide is thus transferred to and stored on AWS servers in the USA. AWS acts as our data processor, and we rely on AWS’s robust security measures to protect your data.
- Analytics Providers: As noted, we use tools like Google Analytics and Mixpanel to collect usage analytics. These providers process usage data on our behalf for analytics purposes. IP addresses and usage info may be shared with these providers, but we do not allow them to use this data for their own marketing. We have agreements in place (including data protection addenda) to safeguard data shared with analytics providers.
- Email and Communication Tools: We may use third-party email services (for example, services like SendGrid or Mailchimp) to send transactional or marketing emails. These processors will have access to your email address and name only to send communications on our behalf.
- Payment Processors: If our Services involve paid subscriptions or transactions, we use compliant payment processing companies who will handle payment information (such as credit card numbers or billing details). We do not store your full payment card details on our systems; that is handled by the payment processor. Such processors are PCI-DSS compliant and authorized to process your transactions.
- Customer Support Tools: We may use third-party platforms to manage support tickets, chat, or other customer service interactions. They will process any data you provide in a support request (e.g., helpdesk software that organizes emails).
These service providers are bound by contractual obligations to only process personal data for the purposes we specify, to maintain confidentiality, and to implement appropriate security measures. We carefully vet our subprocessors and ensure they meet high data protection standards. A list of key subprocessors can be provided upon request.
- Affiliates: If Kimia Pty Ltd is part of a group of companies, we may share personal data with our parent company, subsidiaries, or other affiliates for purposes consistent with this Privacy Policy. Any such entity will be required to follow this Privacy Policy and protect your personal data to the same extent that we do.
- Business Transfers: If Kimia engages in or is subject to a corporate transaction such as a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal data may be disclosed to counterparties (e.g., to attorneys, auditors, and potential acquiring entities) as part of the transaction and transferred to the successor or purchaser entity as one of the transferred assets. We will ensure any such third party is bound to respect your personal data as per this Policy or we will notify you and give you an opportunity to opt-out of the transfer when required by law.
- Legal Obligations and Safety: We may disclose personal data to government authorities, law enforcement, regulators, courts, or other third parties when we believe in good faith that such disclosure is required or permitted by law. This includes:
- To comply with a legal obligation, subpoena, court order, or legal process served on us;
- To respond to a verified request relating to a criminal investigation or alleged illegal activity;
- To protect the rights, property, and safety of Kimia, our users, or the public. For example, we may disclose information if we believe it is necessary to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual illegal activity.
- With Your Consent: Apart from the cases listed above, we will share your personal data with third parties only with your consent. For instance, if you opt-in to an integration or request that we share data with a third-party application, or if you participate in a co-sponsored event where you consent to us sharing your information with the co-sponsor, we will do so as instructed by you. You have the right to withdraw your consent at any time (which will not affect sharing that has already occurred).
No Sale of Personal Data: Kimia does not sell personal data to data brokers or third parties for monetary or other valuable consideration. In the context of the CCPA, we also do not “share” personal information for cross-context behavioral advertising. In the past 12 months, we have not sold or shared personal information of our users, and we have no intention of doing so. If this ever changes, we will update this Policy and provide required notices and opt-out mechanisms.
Cookies and Tracking Technologies
(Note: This section provides more details on our use of cookies and similar technologies, some of which was outlined in “Personal Data We Collect” above.)
We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your use of our website and Services. This helps us personalize your experience, understand user interactions, and improve our offerings. Here is a summary of how we use these technologies:
- Types of Cookies: We use both session cookies (which expire when you close your browser) and persistent cookies (which stay on your device for a set period or until you delete them). Cookies may be first-party (placed by us) or third-party (placed by our service providers).
- Essential Cookies: These are necessary for our site and Services to function properly. For example, they enable you to log in, stay logged in as you navigate through secure areas, and keep track of your preferences or inputs. You cannot opt out of essential cookies because our Service cannot function without them.
- Analytics Cookies: We use these to collect information about how users access and use the site (e.g., which pages are visited, in what order, and any errors encountered). This helps us improve site performance and user experience. For instance, Google Analytics may place cookies to track page view counts and user interactions. These cookies gather information in an aggregated form and do not directly identify individuals. We treat analytics data as personal data if it can be linked to an identifiable person, and we process it according to this Policy.
- Functionality Cookies: These remember your settings and preferences, such as language or region, and provide enhanced features to improve your experience. For example, if our application has a setting for theme or a feature toggle, a cookie might remember your choice.
- Advertising Cookies: Kimia currently does not host advertising on our platform. We do not allow third-party advertising networks to track you on our site. Thus, you should not receive third-party advertising cookies through our site. If in the future we engage in any advertising or retargeting, we will update this policy and, if required, obtain your consent.
- Other Tracking Technologies: Emails we send you might include a pixel or web beacon that lets us know if you received or opened the email, which helps us gauge effective communication and improve our outreach. We also may use local storage or similar technologies for certain features.
- Your Choices for Cookies: When you first visit our website, you may be presented with a cookie banner or preferences manager that allows you to accept or reject certain cookies (except strictly necessary ones). Even after consenting, you can always manage your browser settings to delete or block cookies. Please note that disabling cookies may affect the functionality of our Services – for example, you might not be able to log in or some preferences may not be saved. For information on how to manage cookies in your browser, refer to your browser’s help documentation. Additionally, Google provides an opt-out mechanism for Google Analytics (a browser add-on), and you can learn more on Google’s site if you wish to disable Analytics tracking.
- “Do Not Track” Signals: Web browsers can send “Do Not Track” (DNT) signals to indicate you do not wish to be tracked. There is currently no industry standard for recognizing or honoring DNT signals. As such, our website does not respond to Do Not Track signals. We will update our practices if a uniform standard is established in the future.
For more detailed information, please see our separate Cookie Policy/Notice (if we maintain a standalone one). By using our Services, you consent to the use of strictly necessary cookies as described above; non-essential cookies and tracking technologies are used only in accordance with the choices you make through the cookie banner or preferences manager and your browser settings.
International Data Transfers
Kimia is based in Australia, but we use infrastructure located in the United States (AWS us-east-1 region) to provide our Services. This means that your personal data will likely be transferred to, stored, or processed in the United States, and possibly in other countries outside of your home country. In particular, users in Australia, the EEA/UK, or other regions are advised that your data will be transferred to and hosted on servers in the United States. It may also be accessed by Kimia’s personnel in Australia or in other jurisdictions where we or our service providers operate.
Different countries have different data protection laws. The United States, in particular, may not be deemed by some jurisdictions (such as the EU) to provide an “adequate” level of data protection. We take steps to ensure that your personal data is treated securely and lawfully wherever it is processed, including as follows:
- Australian Users: When we transfer personal information from Australia to overseas service providers (like our U.S. servers on AWS or other tools located abroad), we do so in compliance with Australian Privacy Principle 8. This means we take reasonable steps to ensure the overseas recipient (e.g., AWS) does not breach the APPs in relation to your information. By providing us with your information or using our Services, you consent to your personal information being transferred and stored overseas. We remain responsible for protecting your personal data even when it is abroad, and we will seek your consent for international transfers in circumstances where Australian law requires us to do so.
- EU/EEA, UK, and Switzerland Users: For personal data subject to European data protection law, when we transfer such data out of the EEA/UK (for example, to Australia or the U.S.), we rely on appropriate safeguards under GDPR Article 46. Typically, this involves using European Commission-approved Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum, as applicable) in our contracts with recipients of the data. These clauses contractually obligate the recipient to protect the personal data to European standards. In some cases, we may rely on another legal basis for transfer, such as the fact that the transfer is necessary for the performance of a contract (e.g., when you, an EU user, sign up to use a service hosted in the U.S.), or your explicit consent when offered and obtained. You may contact us for more information on the safeguards we have in place for international transfers.
- Other Regions: For transfers from other jurisdictions (for example, Canada, Mexico, Japan, South Korea – see Additional Jurisdiction-Specific Disclosures below), we similarly ensure that appropriate legal mechanisms are in place to lawfully transfer data internationally. In many cases, your consent to this Privacy Policy and use of our Services serves as your consent to the cross-border transfer of your information. We will also comply with any local requirements such as obtaining separate consent for overseas transfers if required by local law.
Regardless of where your personal data is processed, we apply the protections described in this Privacy Policy. Kimia implements uniform high standards of privacy and security across all our operations globally. We also require that our third-party service providers and partners protect personal data in accordance with applicable laws and contractual obligations. If you have questions about international data transfers, you can contact us as outlined in the “Contact Us” section.
Data Security
We take the security of your personal data seriously. Kimia has implemented a variety of technical, administrative, and organizational security measures to protect your personal data from unauthorized access, use, alteration, and destruction. These measures include, but are not limited to:
- Encryption: We use encryption protocols (e.g., HTTPS/TLS) to protect data in transit between your device and our servers. For data at rest, we rely on AWS’s secure storage solutions, which include encryption at rest for databases and backups where appropriate.
- Access Controls: We limit access to personal data to authorized Kimia personnel and contractors who have a legitimate need to know in order to perform their job duties (principle of least privilege). All such persons are bound by confidentiality obligations. Access to our production databases, for example, is restricted and logged. We also employ multi-factor authentication and strong password policies for our internal systems.
- Monitoring and Testing: Our systems are monitored for security vulnerabilities and potential intrusions. We regularly update and patch software to address security issues. Kimia may conduct periodic security audits, risk assessments, and penetration testing, and we utilize intrusion detection and prevention systems provided by our hosting environment.
- Organizational Policies: We have internal policies and training for our staff regarding data protection, security best practices, and incident response procedures. We ensure our employees understand the importance of protecting personal data.
- Data Minimization: We strive to collect only the personal data that we need. We retain data only for as long as necessary (see “Data Retention” below) and securely dispose of or anonymize data that we no longer require.
While we employ robust safeguards, it’s important to note that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee absolute security of your information. In the event of a data breach that affects your personal data, we will notify you and relevant authorities as required by law. You also play a role in protecting your information by keeping your account credentials secure and by notifying us immediately if you suspect any unauthorized access to your account.
Data Retention
We retain personal data for only as long as necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy, and as required or permitted by law. The criteria we use to determine retention periods include:
- Duration of the Relationship: We keep your account information while your account is active or as needed to provide you with Services. For example, your profile information and credentials will be retained until you deactivate your account or request deletion, and then for a limited period thereafter in case you decide to reactivate or if needed for legal purposes.
- Purpose Fulfillment: We retain personal data as long as it is necessary to achieve the purposes described in this Policy. For instance, if you have communicated with us for support, we may retain those communications until your issue is resolved and for a short period after for quality assurance and training.
- Legal Obligations: We may need to retain certain records to comply with our legal and financial obligations. For example, records of transactions or payments might be kept for accounting/tax purposes for a statutory period (such as 5-7 years, depending on jurisdiction). Similarly, if required by applicable law to keep certain data (e.g., under Australian corporate law or applicable data retention laws), we will retain the data for the mandated period.
- Disputes and Enforcement: If we are resolving a dispute or enforcing our agreements or this Privacy Policy, we may retain relevant information until the issue is resolved and for a period necessary to demonstrate compliance (for example, the statute of limitations for a legal claim).
When personal data is no longer needed for the above purposes, we will either delete it securely, anonymize it, or if deletion is not feasible (for example, if the data is stored in backups), we will isolate it from further processing until deletion is possible.
User Requests: If you request deletion of your personal data (see “Your Rights and Choices” below), we will honor that request to the extent we are legally permitted to do so and will erase your data from our active systems. Some minimal information may be retained (i) to comply with legal obligations, (ii) in backup archives (which are securely stored and restricted in use) until those backups expire, or (iii) to the extent needed for our internal purposes such as detecting fraud, safety, and enforcing our rights (in which case it will be retained only as long as necessary for such purpose).
Your Rights and Choices
Depending on your location and applicable privacy laws, you have certain rights regarding your personal data. Kimia is committed to honoring your rights and providing you with appropriate control over your information. Below, we outline general rights and how to exercise them, followed by specific rights under GDPR and CCPA for users in those jurisdictions.
- Access and Correction: You have the right to request access to the personal data we hold about you and to request correction of any inaccuracies. Many of your basic account details can be reviewed and updated directly by logging into your account settings (if applicable). For anything you cannot change yourself, you may contact us to make a request.
- Deletion: You can request that we delete personal data we hold about you. Provided we do not have a legal obligation or other valid reason to retain it, we will delete (or de-identify) the information as requested. Note that if you simply delete your account or stop using our Services, we may retain certain data as outlined in the Data Retention section above.
- Objection and Restriction: You may object to our processing of your personal data, or ask us to restrict processing. This is particularly relevant if you believe we are processing data on a legitimate interest basis and you object, or if you contest the accuracy of the data or the lawfulness of processing. We will review such requests and comply when required by applicable law.
- Portability: Where applicable (e.g., under GDPR), you have the right to obtain a copy of certain personal data in a structured, commonly used, and machine-readable format, and to request that we transfer that data to another controller where technically feasible. This typically applies to data you provided to us and that we process by automated means based on your consent or a contract with you.
- Withdraw Consent: If we rely on your consent for any processing (for example, for marketing emails or certain types of cookies), you have the right to withdraw that consent at any time. You can unsubscribe from marketing communications by clicking the “unsubscribe” link in any email or by contacting us. For cookies, you can adjust your preferences as described in the Cookies section. Withdrawing consent will not affect the lawfulness of processing that occurred before your withdrawal.
- Choices in Communications: As noted, you can opt out of marketing emails at any time. Please note that you will still receive transactional or service-related messages from us (such as account notifications, security alerts, and administrative messages) even if you opt out of marketing, as those are necessary for the operation of the Service.
- No Automated Decision-Making: Kimia does not make decisions about you that have legal or similar significant effects solely by automated means (without human involvement). If this changes in the future, and if required by law, we will inform you and provide you with any rights you may have in relation to such processing.
To exercise any of your rights or choices, please contact us at the contact information provided in the “Contact Us” section below. We may need to verify your identity before fulfilling certain requests (for example, by confirming that the email address requesting data deletion is indeed associated with the account in question). Verification is to protect your security and prevent unauthorized access to your data.
We will respond to your request within a reasonable timeframe and in accordance with the applicable law. If we cannot fulfill your request, we will provide an explanation, subject to any legal or regulatory restrictions.
Rights Under GDPR (EEA, UK, and Equivalent Jurisdictions)
If you are located in the European Economic Area, United Kingdom, Switzerland, or a jurisdiction that affords the below rights by law, you have the following specific data subject rights under the GDPR (or equivalent legislation):
- Right to Access: You have the right to obtain confirmation as to whether or not we are processing personal data about you, and if so, to request a copy of the data along with information on what data we have, how we use it, who we share it with, how long we keep it, and the safeguards for transfer if it’s sent outside your jurisdiction. (Much of that information is provided in this Privacy Policy.)
- Right to Rectification: You have the right to request correction of inaccurate personal data and to have incomplete data completed. If any of your information we hold is outdated or incorrect, please let us know and we will update it.
- Right to Erasure: You have the right to request deletion of your personal data in certain circumstances (also known as the “right to be forgotten”). For example, you can request erasure if the data is no longer necessary for the purpose it was collected, if you have withdrawn consent and no other legal basis exists, or if you believe the data was processed unlawfully. We will honor valid erasure requests and also instruct any relevant service providers to delete your data, unless exceptions apply (such as if retention is required by law or if the data is needed for legal claims).
- Right to Restrict Processing: You have the right to request that we limit the processing of your personal data in certain situations. This could apply if you contest the accuracy of your data (for a period enabling us to verify it), if the processing is unlawful but you prefer restriction over deletion, or if you need us to retain data longer than our retention period for the establishment, exercise, or defense of legal claims.
- Right to Object: You have the right to object to our processing of your personal data when such processing is based on our legitimate interests, including any profiling based on legitimate interests. If you lodge an objection, we will cease the processing in question unless we have compelling legitimate grounds to continue that override your interests, or if needed for legal claims. You also have an unconditional right to object to the processing of your personal data for direct marketing purposes at any time. If you object to marketing, we will stop sending you marketing communications.
- Right to Data Portability: You have the right to receive personal data that you have provided to us in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller, where technically feasible, if the processing is based on your consent or a contract and is carried out by automated means. This right, however, does not apply to data we create (like analytics) nor to data in non-digital form.
- Right Not to Be Subject to Automated Decisions: As noted, Kimia does not use automated decision-making (including profiling) that produces legal effects or similarly significant effects on individuals. If we did, you would have the right to not be subject to such decisions without human intervention.
- Right to Withdraw Consent: If we rely on consent to process any of your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have infringed your privacy rights or data protection laws. For example, in the EU you can contact the supervisory authority in your country of residence or where the issue occurred; in the UK, you can contact the Information Commissioner’s Office (ICO). We encourage you to first reach out to us so we can try to address your concern directly.
To exercise your GDPR rights, please use the contact details in the “Contact Us” section. We will respond to your request in accordance with applicable law, typically within one month. If we require additional time (due to complexity or number of requests), we will inform you of the extension period and the reason.
Rights Under CCPA/CPRA (California Residents)
If you are a resident of California, you are protected by specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The following disclosures and rights apply only to California residents:
Categories of Personal Information Collected: In the preceding 12 months, we have collected the following categories of personal information (as defined by CCPA) from California consumers: identifiers (such as name, email address, IP address, and other similar identifiers), internet or other electronic network activity information (such as usage data, browsing history on our site, interaction with our application), and professional or employment-related information (if you provided a company name or job title). We collect these categories of information from the sources and for the purposes described in the “Personal Data We Collect” and “How We Use Personal Data” sections of this Policy. We do not collect sensitive personal information of California residents (as defined under CPRA) except possibly account login credentials (which are handled securely) and any contents of communications you choose to send us.
Categories of Personal Information Disclosed for a Business Purpose: We may disclose the above categories of personal information for our operational business purposes. For example, identifiers and usage data may be shared with our service providers (analytics providers, cloud hosts, etc.) in order to perform services on our behalf, as described in “Disclosure of Personal Data.” We do not disclose sensitive personal information except as necessary to provide the Services or as permitted by law.
Sale or Sharing of Personal Information: Kimia does not sell personal information, and we have not sold personal information in the past 12 months. We also do not “share” personal information for cross-context behavioral advertising. Therefore, we do not provide a “Do Not Sell or Share My Personal Information” link, because it is not applicable. We do not have actual knowledge that we collect or maintain personal information of consumers under 16 years of age, and we do not sell or share the personal information of minors under 16.
California Privacy Rights: As a California resident, you have the following rights with respect to your personal information:
- Right to Know: You have the right to request that we disclose to you the specific pieces of personal information we have collected about you in the 12-month period preceding your request, as well as additional details including the categories of information we collected, the categories of sources of that information, the business or commercial purpose for collecting (or selling/sharing, if applicable) the information, and the categories of third parties with whom we disclosed the information. (Much of this information is provided in this Privacy Policy.) We are obligated to provide this information to you free of charge, up to two times in a 12-month period, upon a verifiable request.
- Right to Delete: You have the right to request deletion of personal information that we have collected from you and retained, subject to certain exceptions. Upon receiving a verified deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. For example, we may retain information needed to complete a transaction you requested, detect security incidents, comply with legal obligations, or other purposes permitted by CCPA.
- Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you. Upon verifying the validity of a correction request, we will use commercially reasonable efforts to correct the information as you direct.
- Right to Opt-Out of Sale/Sharing: As noted, we do not sell or share your personal information as defined by CCPA. If in the future we consider selling or sharing personal data, we will provide notice and the opportunity to opt-out. Since we do not sell or share, you do not need to submit opt-out requests to us at this time.
- Right to Limit Use of Sensitive Personal Information: This right applies if a business uses or discloses sensitive personal information for reasons other than those allowed by law. We do not use or disclose sensitive personal information of California residents except for providing our Services or other permissible purposes, so this right is not applicable to Kimia’s practices. If that changes, we will update this Policy and honor any exercise of this right.
- Right of No Retaliation/Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means, for example, we will not deny you our Services, charge you a different price, or provide a lesser quality of service just because you exercised your rights under CCPA. However, if you request deletion of data that is necessary to provide the Service, we may not be able to continue providing you the full Service (for instance, if you delete your account information entirely, you would no longer be able to log in).
Submitting CCPA Requests: To exercise your California privacy rights, you (or your authorized agent) may contact us using the information in the “Contact Us” section below, with a description of your request. Please indicate that you are a California resident making a “CCPA request.” We will need to verify your identity to process requests (for example, by verifying your email address or requesting additional information if needed to ensure the request is valid). For a request to know or delete, we will attempt to match information you provide with our records. If we cannot verify your identity, we may be unable to fulfill the request with respect to certain information (we will inform you if that is the case).
If you designate an authorized agent to make a request on your behalf, we may require the agent to provide proof of your written permission or a power of attorney, and may also verify your identity directly with you, unless the agent has appropriate legal documentation (such as a power of attorney).
For any questions about your California privacy rights or this Privacy Policy, you can also contact us at the information below.
Children’s Privacy
Our Services are not intended for children under the age of 16, and we do not knowingly collect personal data from anyone under 16. Kimia does not target or offer Services to minors. If you are under 16, please do not use our Services or provide any personal information to us. If we become aware that we have inadvertently collected personal data from a child under 16 (or a higher minimum age in certain jurisdictions, such as under 13 in the United States), we will take steps to delete such information as soon as possible.
Parents or guardians who believe that Kimia might have collected unauthorized information about their child should contact us immediately so that we can investigate and delete it. In the event our Services are used in an educational context or by minors above 16, it should be done with appropriate consent and supervision by a parent or guardian or as otherwise permitted by law (for example, GDPR allows member states to set a lower age for valid consent, but in no case under 13). In all cases, we treat anyone under 18 as a minor who should only use the Services with the involvement of a parent or guardian.
Updates to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the “Effective Date” at the top of this Policy to indicate when the revisions became effective. If the changes are significant, we may also provide a more prominent notice, such as by email notification to registered users or by a notice on our website’s homepage or dashboard.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Services after any update to this Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you should stop using the Services and may request deletion of your data as described above.
In some cases, we may seek your explicit consent to materially new uses or disclosures of personal data, if required by applicable law. For example, if in the future Kimia intends to use personal data for a purpose significantly different from those disclosed at the time of collection, we will inform you and obtain consent if required.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us using the details below. We will do our best to address your inquiry promptly and professionally.
Contact Information for Privacy Inquiries:
- Email: [email protected]
- Attn: Legal Department
Kimia will review and respond to legitimate privacy inquiries within a reasonable time frame, in accordance with applicable laws. When you contact us to exercise your rights, we may ask you to verify your identity (to our satisfaction) before we disclose or correct any personal data, for security purposes.
If you have an unresolved privacy concern, you may also contact your local data protection authority. For example:
- In Australia, if you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) (www.oaic.gov.au) to file a complaint or seek further guidance.
- In the EU/EEA, you can contact your national Data Protection Authority; in the UK, the Information Commissioner’s Office (ICO).
- In California, if you have concerns about the results of a CCPA request, you can contact the California Attorney General’s Office.
We welcome your questions and feedback about privacy and will use them to improve our practices.
Additional Jurisdiction-Specific Disclosures
Because privacy laws and expectations differ around the world, we provide the following additional information for individuals in certain jurisdictions. These provisions apply to you only if you are a resident of or otherwise subject to the privacy laws in the region specified and supplement the information in the main Privacy Policy. In case of conflict between this section and the rest of the Privacy Policy, the provision that is more protective of personal data shall govern.
Canada
If you are in Canada, your personal information is protected under laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA) or substantially similar provincial laws (e.g., in Quebec, Alberta, or British Columbia). In addition to the rights outlined above, the following applies:
- Consent: By providing us with personal information and using our Services, you consent to the collection, use, and disclosure of your personal information as described in this Policy. We will seek additional consent from you where required by Canadian law (for example, for certain secondary uses of your information if not obvious from context). You have the right to withdraw your consent at any time, as described above, provided there are no legal or contractual restrictions preventing you from doing so.
- International Transfer: Your personal information may be transferred to and processed in countries outside of Canada, including the United States and Australia. Such information may be accessible to law enforcement and national security authorities of those jurisdictions. By using our Services or providing information to us, you consent to this transfer and acknowledge that the privacy laws in those countries may differ from Canada’s. However, as noted, we take measures to ensure that your privacy is protected to a comparable standard as provided under Canadian law while your data is in our custody or control.
- Access and Correction: Canadian individuals have the right to request access to the personal information we hold about them and to request corrections for any inaccuracies. We will respond to access requests within a reasonable time and as required by law (generally within 30 days). In certain rare situations, we may not be able to provide access (for example, if it would reveal personal information about another individual, or if it is subject to legal privilege or security concerns), but we will explain any denial of access. To make an access or correction request, please contact us at the information provided above.
- Challenging Compliance: If you have inquiries or complaints about our privacy practices, you may contact our Privacy Officer at the contact information above. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of personal information. If you are not satisfied with our response, you have the right to contact the Office of the Privacy Commissioner of Canada (OPC) (for PIPEDA-related complaints) or your provincial Privacy Commissioner (if applicable) to file a complaint.
We do not require you to provide social insurance numbers (SIN) or other government identifiers to use our Service. We generally advise you not to include sensitive personal information in your interactions with us unless it is necessary for the Service.
Mexico
If you are located in Mexico, the following additional provisions apply in accordance with the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) and its regulations:
- Data Controller: Kimia Pty Ltd, as identified at the start of this Policy, is responsible for the processing of your personal data. Our contact information is provided in the “Contact Us” section above. By using our Services, you acknowledge that you have been informed of the processing of your data and you consent to the terms of this Privacy Policy.
- Primary and Secondary Purposes: We collect and use your personal data for the primary purposes of providing you with the Services, maintaining and supporting your accounts, improving our offerings, and communicating with you, as described in this Policy. We may also use your data for secondary purposes such as marketing our services to you or conducting analytics, but only in accordance with Mexican law. In most cases, secondary purposes (like marketing) will require your consent (e.g., by opting in to a newsletter), and you have the right to object or opt-out at any time.
- ARCO Rights: Under Mexican law, you have the following rights with respect to your personal data:
  - Access: The right to know what personal data we have collected about you, and to obtain information regarding the processing of your data.
  - Rectification: The right to request correction of your personal data if it is inaccurate or incomplete.
  - Cancellation: The right to request deletion or removal of your data when you believe it is not being processed in accordance with applicable law or when you withdraw your consent, provided it is not a situation where we have a legal obligation to continue processing (cancellation is analogous to the right of erasure).
  - Opposition (Oposición): The right to object to the processing of your personal data for specific purposes, especially when processing is based on your consent or a legitimate interest. For example, you can oppose processing for marketing or profiling.
To exercise any of these ARCO rights, please send us a request at our contact email with the subject “ARCO Rights Request – Mexico” and clearly describe your request. In accordance with the law, we may ask you for certain information to verify your identity (such as your name, account information, and a copy of an identification document) before processing your request. We will respond within the timeframe established by law (generally within 20 business days to inform you of our decision and, where the request is granted, within 15 business days after that to carry it out). If for some reason we cannot fulfill your request, we will provide a justification (e.g., if an exception applies, such as needing to retain data to comply with a legal obligation).
- Consent and Data Transfers: We will not transfer your personal data to third parties without your consent, except for transfers allowed by law. Under Mexican law, a “transfer” means sharing data with third parties other than Kimia and its service providers. The common exceptions where consent is not required include: transfers within our company and affiliates; transfers necessary by virtue of a contract with you (for instance, using payment processors to fulfill a transaction); transfers to service providers who process data on our behalf (which we do under confidentiality agreements; under Mexican law these are considered transmissions rather than “transfers” requiring consent); or when the transfer is legally required for safeguarding the public interest, for law enforcement, or for the recognition, exercise, or defense of a right in judicial proceedings. In all other cases, if we ever needed to transfer your data to an unrelated third party in Mexico or internationally (for example, if we partner with another company for a joint service), we would obtain your prior consent as required. For international transfers (e.g., to our servers in the U.S.), by using our Service and providing your data, you expressly consent to the transfer of your data outside Mexico, with the understanding that the receiving parties (our processors) will treat your data in accordance with this Privacy Policy and the agreements in place consistent with Mexican privacy law.
- Revocation of Consent: Where we rely on your consent to process personal data, you have the right to revoke that consent at any time. This includes withdrawing consent for us to use your data for marketing or secondary purposes. You may submit a request to revoke consent by contacting us. Please note that revoking consent will not have retroactive effect; it will not affect data processing that has already occurred, but it will prevent future processing for the purposes you withdraw consent from. Additionally, if the consent is necessary to provide you services (for example, consent to process your data for account creation), revoking consent may require that we terminate those services for you.
If you have any questions or concerns about how we handle personal data under Mexican law, or if you need assistance with exercising your rights, please contact us. We can provide our privacy notice and communications in Spanish upon request.
Japan
If you are a resident of Japan or if the Act on the Protection of Personal Information of Japan (“APPI”) applies to our processing of your information, the following additional terms apply:
- Data Controller: Kimia Pty Ltd is the entity responsible for the management of your personal data. Our contact details are listed in the “Contact Us” section above. We do not have a physical presence in Japan, but we provide Services to Japanese users from Australia/US. By using our Services, you are providing personal data to an overseas business operator (Kimia in Australia).
- Purpose of Use: In compliance with APPI, we inform you that we handle personal data for the purposes stated in this Privacy Policy (see “How We Use Personal Data”). We will not use your personal data for any purpose other than those stated, except with your consent or as permitted by law. If we intend to use your personal data for a new purpose not originally stated, we will notify you and obtain consent if required.
- Third-Party Provision: We will not provide your personal data to third parties (as defined under APPI) without your prior consent, except in cases permitted by APPI (such as when required by law or for protection of life, body, or property and it’s difficult to obtain consent). Note that sharing with our service providers (e.g., AWS, analytics providers) for processing on our behalf is not considered a “third-party provision” under APPI as they are handling data under our direction (similar to a “trustee”). We ensure these service providers are bound by contracts that require them to protect personal data.
- Transfer to Foreign Countries: Your personal data will be transferred to countries outside Japan (notably the United States and Australia). These countries may not have the same level of data protection as Japan. Under APPI, we are required to ensure that overseas recipients either (a) are in jurisdictions with data protection standards equivalent to those in Japan, or (b) have systems in place to protect personal data to a standard equivalent to APPI, or (c) that we obtain your consent to the foreign transfer. In this case, the United States and Australia are not currently designated by Japan as having equivalent data protection laws. We rely on safeguards such as contractual agreements that require the recipient to handle personal data in accordance with APPI’s principles. By agreeing to this Privacy Policy and using our Services, you consent to the transfer of your personal data to our facilities and service providers in the United States, Australia, and other jurisdictions as necessary. We will handle your personal data in these jurisdictions in compliance with this Policy and take appropriate measures to protect it. You have the right to refuse or withdraw consent to international transfer, but please be aware that we may not be able to provide our Services without such transfer (since our infrastructure is based outside Japan).
- Anonymously Processed Information: Kimia does not presently create or handle “anonymously processed information” or “pseudonymously processed information” as defined under APPI separately from our standard practices of de-identifying data for analytics. If we ever engage in those practices, we will ensure compliance with APPI’s requirements and update our policy accordingly.
- Your Rights (Japan): In addition to the rights described elsewhere, under Japanese law you have the right to request disclosure of the personal data we hold about you, the right to request correction, addition, or deletion of your personal data if it is inaccurate or has changed, and the right to request cessation of use or erasure of your personal data or cessation of its provision to third parties if you find that the data is being handled in violation of APPI or was collected in a fraudulent manner. You also have the right to request us to notify you of the purpose of use for the personal data we have, if it’s not clear. To exercise any of these rights, please contact us with your request. We may ask for verification of your identity and specifics of your request. We will respond in accordance with APPI, typically within 2 weeks to one month. Please note, there are some cases where we may not be able to comply with your request (for example, if complying would violate other laws or if we no longer retain the data), and we will explain any such situation to you.
These provisions are meant to comply with Japan’s privacy requirements and ensure Japanese users are fully informed. We may provide a Japanese translation of this Privacy Policy upon request for convenience, but the English version will remain the official text for legal purposes.
Republic of Korea (South Korea)
If you are in the Republic of Korea (“South Korea”), the following additional terms apply in accordance with the Personal Information Protection Act (“PIPA”) and other applicable Korean laws:
- Consent for Collection and Use: By using our Services and providing your personal information, you agree that we may collect, use, and process your personal information as described in this Privacy Policy. In certain cases, we may seek your separate consent for specific uses or disclosures as required by Korean law (for example, if we were to collect unique identifiers or sensitive information, we would obtain explicit consent, though we do not generally do so). You have the right to withdraw your consent at any time, and we will notify you of this right whenever we obtain consent from you.
- Items of Personal Information Collected: For clarity under Korean law, the personal information we collect includes:
  - Required items: name, email address, and any other information that is necessary to create and maintain your account or provide the Services (as detailed in “Personal Data We Collect” above).
  - Optional items: any information you choose to provide through using the Services or contacting us (such as additional profile information, feedback, etc.). We will clearly indicate if any particular information is optional and can be omitted without consequence to service provision.
We do not collect any “resident registration numbers” or government-issued identification numbers from individuals in Korea, nor do we collect biometric identifiers or information about criminal convictions, as those would require special handling under Korean law.
- Purpose of Collection and Use: We collect and use personal information for the purposes stated in this Policy (see “How We Use Personal Data”), such as providing Services, improving them, and complying with legal obligations. We will not use the information for any purpose other than those stated, except with your consent or as permitted by law.
- Retention Period: We will retain your personal information for as long as necessary to fulfill the purposes of collection and use, or as required by applicable law. If Korean law requires a certain retention period for specific data (e.g., records of consumer complaints or dispute resolution for 3 years, records of payment and transactions for 5 years, records of web log history and visited sites for 3 months, etc.), we will retain the data for at least that period. Once the retention period expires and the purpose of collection has been achieved, we will promptly destroy the personal information in a secure manner, unless retention is required to comply with other laws. We will also honor any request from you for deletion of your personal information as described below, unless retention is required by law.
- Provision to Third Parties: We do not provide your personal information to third parties except with your consent or as authorized by law. Sharing information with our contractors or subprocessors (such as AWS or analytics providers) for service provision does not constitute a “provision to third parties” under PIPA, as they are processing the information on our behalf. Nonetheless, we ensure that all such parties are bound by confidentiality and data protection obligations. If we ever need to provide your information to an unrelated third party in Korea or overseas (for example, in response to a legal requirement or a business transfer as described above), we will do so in compliance with PIPA, and if required, we will obtain your consent.
- Cross-Border Transfer and Consent: Your personal information will be transferred outside Korea to our servers and processors in the United States, Australia, and possibly other countries as necessary for the Services. Under Korean law, we inform you of the following regarding overseas transfer:
- The personal information to be transferred includes all data listed in “Personal Data We Collect” that pertains to you.
- Destination countries: United States (primary server location), Australia (company headquarters), and any other country where our service providers may operate (for example, if we use an email service with servers in the EU or a support center in another country; currently, key service providers are based in the U.S.).
- Date and Method of Transfer: Transfers occur automatically and continuously as you use the Service (e.g., when you input data, it is transmitted to our servers in real time via a secure internet connection). We use secure networks for data transfer.
- Name of Recipient Company and Contact: For example, Amazon Web Services, Inc. (AWS) is a recipient for storage/hosting (410 Terry Avenue North, Seattle, WA 98109, USA), and Google LLC is a recipient for Google Analytics (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). [Note: These are examples; the actual list of key recipients (subprocessors) can be provided upon request.] You may contact our Privacy Officer for details on other recipients.
- Purpose of Use by Recipient: Recipients will handle the data for the purposes of providing services to Kimia (e.g., AWS for storage/hosting, Google for analytics) and not for independent purposes.
- Retention Period by Recipient: The data is retained by the recipients only as long as needed to provide their service to us or to comply with their legal obligations. For instance, AWS will store the data until we delete it from their servers per our retention policies.
By using our Services, you agree to the overseas transfer of your personal information as described above. We undertake to ensure that your information is safely managed in accordance with this Privacy Policy and Korean legal requirements. If you do not agree to such transfer, we may be unable to provide the Services to you (since core functionality depends on overseas processing).
- Your Rights (Korea): As a data subject in Korea, you (or your legal representative, such as a parent for minors under 14) have the right to request access to, correction of, deletion of, or suspension of processing of your personal information that we hold. You also have the right to withdraw your consent to processing. To exercise these rights, please contact us at our listed contact information. We may ask for verification of identity (or authority, if through a legal representative) and specific details of your request. We will respond in accordance with Korean law, usually within 10 days for access/correction requests. Please note:
- For access requests, we will provide you with the personal information we hold about you, and details on how it has been used or disclosed.
- For correction or deletion, if you demonstrate that any personal information we hold about you is incorrect or out of date, we will correct it. If you request deletion, we will delete the information unless retention is required by law.
- For suspension of processing, we will cease processing your personal information (other than storing it securely) if required by law or if you withdraw consent (to the extent consent was the basis for processing).
- If we reject your request (for example, due to a legal exception), we will provide you with the reason and how you can challenge our decision.
- Data Protection Officer: Under Korean law, we designate a person in charge of handling personal information inquiries and complaints (a Privacy Officer/DPO). For Kimia, please contact [email protected], Attn: Privacy Officer. This person is responsible for overseeing our compliance with PIPA and dealing with any inquiries from individuals. (If no specific name is provided, it will be handled by our Privacy Compliance team.)
- Remedies: If you feel your personal information rights have been infringed under Korean law, and our response to your inquiry or request is not satisfactory, you can seek resolution through organizations such as the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency (KISA) Personal Information Infringement Report Center, or other dispute resolution bodies in Korea. You also have the right to file a complaint with the Personal Information Protection Commission (PIPC) or seek other legal remedies.
By providing these jurisdiction-specific terms, Kimia aims to ensure full compliance with local laws and provide transparency to our users around the world. If you are reading a translated version of this Privacy Policy and it differs from the English version, please note that (unless otherwise indicated by us) the English version prevails for legal purposes, but we will strive to resolve any discrepancies in favor of protecting individual rights.