Privacy Policy

Effective Date: November 23, 2025

Global Compliance: EU, UK, US, Canada, Brazil, Japan, Singapore, Australia, India

1. INTRODUCTION

Kinetix ("we", "us") respects your privacy globally. This policy explains how we collect, use, and share data in compliance with:

  • EU & UK: General Data Protection Regulation (GDPR)
  • USA: California Consumer Privacy Act (CCPA), Virginia CDPA
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Brazil: Lei Geral de Proteção de Dados (LGPD)
  • Japan: Act on Protection of Personal Information (APPI)
  • Singapore: Personal Data Protection Act (PDPA)
  • Australia: Privacy Act 1988
  • India: Digital Personal Data Protection Act (DPDPA)

For GDPR/UK GDPR purposes, the Data Controller is Kinetix Development Team, based in Romania.

2. DATA WE COLLECT

  • Personal Data: Email, name, billing history (via Stripe).
  • Usage Data: Prompts, generated videos, IP address, device info, browser fingerprint.
  • Cookies & Tracking: Session cookies, analytics (Google Analytics, optional), functional cookies.
  • Sensitive Data: We do NOT collect race, religion, health data, or biometric information.

3. LEGAL BASIS FOR PROCESSING

We process data based on the following legal grounds:

Contractual Necessity (GDPR Art. 6(1)(b)): To provide the Service and process payments.

Legitimate Interest (GDPR Art. 6(1)(f)): To analyze usage patterns, prevent fraud, train/improve AI algorithms, and ensure platform security.

Consent (GDPR Art. 6(1)(a)): For marketing emails, optional analytics, and non-essential cookies (you can withdraw consent anytime).

Legal Obligation: Tax compliance, anti-money laundering (AML), and law enforcement requests.

4. SHARING DATA WITH THIRD PARTIES (Sub-Processors)

We do not sell your personal data. We share data only with necessary sub-processors under Standard Contractual Clauses (SCCs) or adequacy decisions:

Service             Purpose               Location
Supabase            Database & Auth       USA (SCCs)
Stripe              Payment Processing    USA (SCCs)
Replicate/Fal.ai    AI Generation         USA
Moonshot AI         Script Generation     China
Cloudflare          CDN & Security        Global

5. INTERNATIONAL DATA TRANSFERS

5.1. Transfer Mechanisms: When transferring data outside your country, we use:

  • EU Standard Contractual Clauses (SCCs) for EU→USA transfers
  • UK International Data Transfer Agreement (IDTA) for UK→USA transfers
  • APEC Cross-Border Privacy Rules (CBPR) for APAC regions
  • Binding Corporate Rules (BCRs) where applicable

5.2. Data Residency Options: Enterprise customers can request data to be stored in specific regions (EU, USA, or APAC). Contact us for details.

5.3. Business Transfer: In the event of a merger, acquisition, or sale (e.g., transfer to UAE/Dubai), your data will be transferred as a business asset under the same or equivalent privacy protections.

6. YOUR RIGHTS (Global Privacy Laws)

Depending on your location, you have the following rights:

🌍 Universal Rights (All Users)

  • Access: Request a copy of your data
  • Rectification: Correct inaccurate data
  • Deletion: Request erasure of your account ("Right to be Forgotten")
  • Portability: Receive data in a structured format (JSON/CSV)
  • Opt-Out: Unsubscribe from marketing emails

🇪🇺 Additional Rights (EU/UK GDPR)

  • Object to Processing: Object to data use for legitimate interests or direct marketing
  • Restrict Processing: Limit how we use your data temporarily
  • Withdraw Consent: Revoke consent for processing at any time
  • Lodge Complaint: File a complaint with your Data Protection Authority (DPA)

🇺🇸 Additional Rights (California CCPA/CPRA)

  • Do Not Sell: We don't sell data, but you can opt out via your account settings
  • Shine the Light: Request a list of third parties we share data with (annually)
  • Non-Discrimination: We won't discriminate against you for exercising your rights

To exercise your rights: Email privacy@kinetix.app with subject "Data Rights Request - [Your Country]". We respond within 30 days (EU/UK) or 45 days (USA/other).

7. DATA RETENTION

We retain account data for as long as your account is active, plus:

  • Video Content: 30 days after generation (download before deletion)
  • Billing Records: 7 years (tax compliance)
  • Logs: 90 days (security & debugging)
  • Deleted Accounts: 30-day grace period, then permanent deletion

8. AGE RESTRICTIONS & CHILDREN'S PRIVACY

Minimum Age Requirements (by jurisdiction):

  • EU/UK: 16 years (or age of digital consent in your country)
  • USA: 13 years (COPPA compliance)
  • Australia/Canada: 13 years
  • South Korea: 14 years

We do NOT knowingly collect data from children below these ages. If you believe a child has registered, contact us immediately for account deletion.

9. SECURITY MEASURES

We implement industry-standard security:

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • Regular security audits & penetration testing
  • Multi-factor authentication (MFA) for admin accounts
  • Breach notification within 72 hours (GDPR requirement)

10. CONTACT & DATA PROTECTION OFFICER

General Privacy Inquiries: privacy@kinetix.app

Data Protection Officer (DPO): dpo@kinetix.app

Legal/Compliance: legal@kinetix.app

EU Representative: [To be appointed if processing >EU citizens data]

UK Representative: [To be appointed if processing >UK citizens data]

11. SUPERVISORY AUTHORITIES

You have the right to lodge a complaint with your local data protection authority:

12. UPDATES TO THIS POLICY

We may update this policy to reflect legal changes or new features. Material changes will be notified via email or prominent site notice 30 days before taking effect.