GDPR Compliance & Privacy Policy

Effective Date: 01/01/2023

Introduction

At KMPUS, we are committed to protecting the privacy and personal data of our clients and users in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This policy explains how we collect, use, store, and delete personal data, and clarifies the responsibilities of both KMPUS and our clients.

1. Who We Are

KMPUS (“we”, “us”, or “our”) provides a software platform that may be used by clients to manage their own data and the data of their customers. As per GDPR definitions, KMPUS acts as a Data Processor, while our clients are the Data Controllers of the information they enter into our systems.

2. Lawful Basis for Processing

We process personal data under the following lawful bases:

  • Performance of a Contract – when processing is necessary to fulfill the services we provide to our clients.
  • Legal Obligation – when we are required to retain or disclose information under EU or Member State law.
  • Legitimate Interests – where processing is necessary for our legitimate business interests, provided these are not overridden by individual rights.

3. Data Collection and Use

We may collect and process the following types of data:

a) Data We Collect from Clients

  • Name, email, contact information
  • Billing and payment information
  • Usage data of our platform

b) Data Clients Enter into Our System

Clients may store personal data of their own users or customers on our platform. In such cases:

  • Clients are the sole Data Controllers and are responsible for ensuring GDPR compliance.
  • Clients must obtain appropriate consent or have a lawful basis to collect and process such data.

4. Responsibilities of Clients as Data Controllers

All clients using the KMPUS platform are responsible for:

  • The lawful collection, management, and deletion of any personal data entered into the system.
  • Ensuring compliance with GDPR obligations, including obtaining consent and responding to data subject requests.
  • Deleting personal data from the system when no longer necessary, or when required by law.

KMPUS provides tools to support these actions but does not assume responsibility for how clients manage third-party data.

5. Data Retention and Deletion Policy

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with legal obligations.

a) Upon Contract Cancellation:

  • When a client terminates their contract with KMPUS, all associated data is deleted from our systems.
  • Deletion is carried out within 30 days, unless a shorter retention period is agreed upon or required by law.
  • Clients may request earlier deletion in writing.

6. Data Subject Rights

Under GDPR, data subjects have the following rights:

  • Right to Access – Request access to personal data we hold.
  • Right to Rectification – Request correction of inaccurate or incomplete data.
  • Right to Erasure (“Right to be Forgotten”) – Request deletion of personal data.
  • Right to Restrict Processing – Request limited use of data.
  • Right to Data Portability – Receive data in a structured, commonly used, machine-readable format.
  • Right to Object – Object to processing based on legitimate interests or for direct marketing.

If you are a user of a KMPUS client, please contact the client directly regarding your data, as they are the Data Controller.

7. Data Transfers

We store data within the European Economic Area (EEA) and comply with GDPR requirements for any transfers outside the EEA by using appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Data Protection Agreements (DPAs) with our clients

8. Security Measures

We implement appropriate technical and organizational measures to ensure the security of personal data, including:

  • Encryption at rest and in transit
  • Access control and authentication mechanisms
  • Regular system audits and penetration testing
  • Data breach notification procedures

9. Sub-Processors

KMPUS may use trusted sub-processors (such as cloud hosting providers) to deliver our services. All sub-processors are contractually bound to comply with GDPR and are regularly assessed for compliance.

A list of current sub-processors is available upon request.

10. Cookies and Analytics

Our website and platform may use cookies for functionality and analytics. Please refer to our separate Cookie Policy for more details on how we use cookies and how users can control them.

11. Breach Notification

In the unlikely event of a data breach involving personal data, KMPUS will:

  • Notify the client without undue delay
  • Cooperate fully in investigating and mitigating the incident
  • Provide sufficient information to enable clients to fulfill their own breach notification obligations as Controllers

12. Contact Information

If you have any questions or requests regarding this GDPR policy or your personal data, please contact:

  • Email: support@kmpus.io
  • Address: 36 North Great George Street, Dublin, Dublin 1 D01 XK19, Ireland

13. Changes to This Policy

We reserve the right to update this GDPR Compliance Policy to reflect changes in legal requirements or our business practices. Any changes will be posted on this page with an updated “Last Updated” date.
