Privacy Policy

Kinset Limited

This Privacy Policy (the “Policy”) explains how Kinset Limited (“Kinset”, “we”, “us” or “our”) collects, uses, discloses and protects Personal Data where Kinset acts as a Controller. Kinset Limited is a private company limited by shares incorporated in Ireland under company number 745880, with registered office at 15 Sandymount Road, Dublin 4, D04 X9K4, Ireland.

Contact: privacy@kinset.com

This Policy applies to our website (kinset.com), to the Kinset platform (the connected product platform comprising digital link, digital product passport, life cycle assessment, impact reporting, supply chain traceability and supplier portal modules), to the digital product passport pages and connected label landing environments hosted on the platform, and to our communications with customers, business contacts and users.

Where Kinset processes Personal Data on behalf of business customers using the platform, Kinset acts as a Processor, and that processing is governed by the applicable customer agreement and the Kinset Data Processing Agreement available at kinset.com/legal/dpa. Section 11 explains how this distinction works on digital product passport and connected label landing pages, which is important if you have scanned a product.

1. Definitions

1. “Applicable Data Protection Law” means Regulation (EU) 2016/679 (the General Data Protection Regulation, or “GDPR”), the Irish Data Protection Act 2018, the UK GDPR and the UK Data Protection Act 2018, the ePrivacy Regulations 2011 (S.I. No. 336/2011) and any other data protection or privacy legislation in force in the European Economic Area (“EEA”) or the United Kingdom (“UK”) that applies to Kinset, in each case as amended or replaced from time to time.

2. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” and “Supervisory Authority” have the meanings given to them in the GDPR.

3. “Services” means Kinset’s connected product platform and related services, as further described on our website.

2. Role of Kinset — Controller and Processor

Kinset acts as a Controller when processing Personal Data in connection with:

(a) account creation, administration and authentication;

(b) subscription management, billing and customer relationship management;

(d) platform security, fraud prevention and incident response;

(e) marketing and business development communications; and

(f) compliance with legal, regulatory and contractual obligations.

1. Where business customers upload, manage or publish Personal Data within the Services, including via digital product passport content, supplier portals or traceability records, those customers act as Controllers and Kinset acts as a Processor on their behalf. In that role, Kinset processes Personal Data solely in accordance with the customer’s documented instructions and the applicable Data Processing Agreement.

2. This Policy describes Kinset’s processing as a Controller. It does not govern Personal Data that a business customer collects through the Services as its own Controller; that processing is governed by that customer’s own privacy notice. Section 11 explains how these two roles operate together on digital product passport and connected label landing pages.

3. Categories of Personal Data

As a Controller, Kinset may collect and process the following categories of Personal Data:

(a) Business contact information name, job title, employer, business email address, business telephone number and business postal address;

(b) Account and platform data login credentials (in hashed form), account identifiers, role and permission settings, subscription and billing information, and platform usage data;

(c) Technical and usage information IP address, device and browser information, log data, website interaction data, scan and click data on connected label landing environments, and analytics data;

(d) Communications correspondence, support queries, survey responses and marketing preferences; and

(e) Submitted information any Personal Data included in submissions made through digital product passport interfaces, forms or supplier portals hosted on the platform (noting that, where this is collected on behalf of a business customer, that customer is the Controller — see Section 11).

1. Kinset does not intentionally collect or process special categories of Personal Data within the meaning of Article 9 GDPR, or Personal Data relating to criminal convictions and offences within the meaning of Article 10 GDPR.

2. The Services are not directed at children, and Kinset does not knowingly collect Personal Data from children under the age of digital consent in the relevant jurisdiction.

4. Sources of Personal Data

Kinset may collect Personal Data:

(a) directly from you when you create an account, contact us, attend an event or interact with our website or Services;

(b) from your employer or organisation, where they provide your details in connection with use of the Services;

(c) automatically through use of the website or Services, including through cookies, tags and similar technologies (subject to consent where required);

(d) from publicly available sources or commercial business contact databases, for the purpose of maintaining accurate business records and lawful business development; and

(e) from third-party service providers (for example, payment, identity, analytics or CRM providers) acting on our behalf or providing data to us for legitimate business purposes.

5. Lawful Bases for Processing

Kinset relies on the following lawful bases under Article 6 GDPR:

(a) Performance of a contract to provide the Services, manage subscriptions and respond to requests made in connection with a contract;

(b) Compliance with legal obligations to meet our obligations under applicable law, including tax, accounting, regulatory and data protection law;

(c) Legitimate interests to operate, secure, improve and develop the Services, to prevent fraud, to manage business relationships, and to conduct lawful direct marketing to business contacts, in each case where such interests are not overridden by the rights and freedoms of Data Subjects; and

(d) Consent where required by law, including in relation to certain cookies and certain marketing communications. Where consent is the basis, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

6. Purposes of Processing

Personal Data is processed for the following purposes:

(a) providing, maintaining and securing the Services;

(b) managing subscriptions, billing and contractual relationships;

(d) providing customer support and responding to enquiries;

(e) analysing usage trends and improving service performance and reliability;

(f) sending service-related communications, including security updates, contractual notices and updates to legal terms;

(g) sending marketing communications where permitted by Applicable Data Protection Law;

(h) complying with legal, regulatory and contractual obligations; and

(i) establishing, exercising or defending legal claims.

7. Cookies and Analytics

1. Kinset uses cookies and similar technologies (such as pixels, tags and local storage) on its website and in connection with the Services to enable functionality, analyse usage and improve performance.

Kinset uses the following categories of cookies:

(a) Strictly necessary cookies required for the operation of the website and Services, including authentication, security, network management and accessibility. These cookies do not require consent and are used on the basis of Kinset’s legitimate interests in operating and securing the website and Services.

(b) Analytics cookies used to understand how users interact with the website and Services, including page views, navigation patterns and performance metrics, in order to improve functionality and user experience. We use Google Analytics for this purpose.

(c) Marketing and advertising cookies used to measure the effectiveness of our advertising and communications, to understand engagement with Kinset’s content, and to show relevant Kinset advertising to people who have visited our website as they browse other sites (remarketing). We use Google Ads for this purpose. See our Cookie Policy for details.

2. All non-essential cookies (including analytics and marketing cookies) are deployed only where the user has provided consent, in accordance with the ePrivacy Regulations 2011 and Applicable Data Protection Law. Users may withdraw or modify their consent at any time through the cookie consent mechanism available on the website.

3. Users can manage cookie preferences through the cookie consent banner presented on the website. Most web browsers also allow users to control cookies through browser settings, including blocking or deleting cookies, although disabling certain cookies may affect the functionality or performance of the website and Services.

4. Questions, queries or complaints about our use of cookies may be sent to privacy@kinset.com.

8. Disclosure of Personal Data

Kinset may disclose Personal Data to:

(a) cloud hosting and infrastructure providers;

(b) IT, security, monitoring and support service providers;

(c) analytics, CRM, communications, advertising and marketing providers (including Google, for Google Analytics and Google Ads);

(d) payment processors and accounting providers;

(e) professional advisers, including lawyers, auditors and insurers;

(f) regulators, supervisory authorities, courts and law enforcement, where required by applicable law; and

(g) an actual or prospective acquirer in connection with a merger, acquisition, financing or corporate reorganisation, subject to appropriate confidentiality safeguards.

Kinset does not sell Personal Data. A current list of subprocessors engaged by Kinset is available at kinset.com/legal/subprocessors.

9. International Transfers

1. Personal Data may be processed by Kinset and its service providers outside the EEA or the UK, including in the United States. For example, where you consent to analytics and advertising cookies, Google processes related data in the United States under the EU–US Data Privacy Framework and the Standard Contractual Clauses.

Where Personal Data is transferred to a country that has not been the subject of an adequacy decision, Kinset implements appropriate safeguards in accordance with Applicable Data Protection Law, including:

(a) the European Commission’s Standard Contractual Clauses, supplemented by the UK Addendum where applicable;

(b) Binding Corporate Rules, where applicable; or

2. Where required, Kinset performs and documents transfer impact assessments to evaluate whether the laws of the destination country provide an essentially equivalent level of protection. A copy of the safeguards relied upon may be requested at privacy@kinset.com (subject to redaction of commercially sensitive information).

10. Data Security

1. Kinset implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk associated with the processing of Personal Data.

2. Such measures include encryption of data in transit, role-based access controls, multi-factor authentication, logical separation of customer environments, security monitoring and logging, vulnerability management, secure software development practices, regular backups and secure cloud hosting infrastructure.

3. While Kinset takes reasonable steps to safeguard Personal Data, no system can guarantee absolute security.

11. Digital Product Passports and Connected Label Landing Pages

This section is important if you have scanned a QR code, NFC tag or other smart label on a product, or otherwise reached a digital product passport or landing page powered by Kinset. These pages involve two different organisations handling data in two different roles, and it matters which one you need to contact.

On a digital product passport or connected label landing page:

(a) The brand, manufacturer, retailer or supplier is the Controller of information you actively provide. If you submit information through a form, registration, survey, warranty sign-up, supplier portal or similar feature on the page, the organisation whose product you scanned (not Kinset) is the Controller of that information and decides how it is used. That processing is governed by that organisation’s own privacy notice, which should be presented to you on or alongside the page. Kinset handles that information only as a Processor, on that organisation’s instructions, under the Data Processing Agreement.

(a) Kinset is the Controller of limited technical and analytics data about the page itself. As the operator of the platform, Kinset separately collects, as its own Controller, limited technical and usage data when a page is accessed, such as scan and click events, IP address, device and browser information and log data. This data is logged when the page loads and is used to operate, secure, measure and improve the platform, on the basis of Kinset’s legitimate interests. Where Kinset provides scan and engagement reporting to a business customer about that customer’s own products, Kinset does so on that customer’s behalf and as the customer directs.

1. If you want to exercise your rights in respect of information you provided through a digital product passport, smart label or other Output published by a brand, manufacturer, retailer or supplier, you should contact that organisation directly, as they are the Controller of that information. Kinset will support that organisation in responding to your request as required by Applicable Data Protection Law. If you want to exercise your rights in respect of the technical and analytics data for which Kinset is the Controller, you can contact Kinset at privacy@kinset.com.

12. Data Retention

1. Personal Data is retained only for as long as necessary to fulfil the purposes for which it was collected, including to provide the Services, perform contractual obligations, comply with legal and regulatory requirements, resolve disputes and enforce agreements.

Typical retention periods include:

(a) account and customer relationship data for the duration of the customer relationship and up to seven (7) years thereafter for tax, accounting and contractual record-keeping;

(b) platform usage and log data typically up to twelve (12) months;

(c) marketing data until consent is withdrawn or the recipient otherwise objects, and in any event no longer than necessary for the purpose; and

(d) support and communications data typically up to thirty-six (36) months following the last interaction.

2. Personal Data processed on behalf of customers is retained and deleted in accordance with the contractual arrangements set out in the Data Processing Agreement.

13. Data Subject Rights

Subject to Applicable Data Protection Law, Data Subjects may have the following rights:

(a) to access their Personal Data;

(b) to rectify inaccurate or incomplete Personal Data;

(d) to restrict processing in certain circumstances;

(e) to receive their Personal Data in a portable format and have it transmitted to another controller, where applicable;

(f) to object to processing based on legitimate interests, and to object to direct marketing at any time;

(g) to withdraw consent at any time, where consent is the lawful basis;

(h) not to be subject to a decision based solely on automated processing that produces legal effects (Kinset does not engage in such automated decision-making in respect of its Controller activities); and

(i) to lodge a complaint with a Supervisory Authority.

In Ireland, the relevant Supervisory Authority is the Data Protection Commission (www.dataprotection.ie). In the UK, it is the Information Commissioner’s Office (ico.org.uk). EEA Data Subjects may also lodge complaints with the Supervisory Authority in the Member State of their habitual residence, place of work or place of the alleged infringement.

Requests may be submitted to privacy@kinset.com. Kinset will respond within the time period required by Applicable Data Protection Law (generally one month, extendable by a further two months for complex requests). Kinset may need to verify the identity of the person making the request before responding. Where a request concerns information for which a business customer is the Controller, see Section 11.

14. Third-Party Websites

Our website and Services may contain links to third-party websites, applications or services. Kinset is not responsible for the privacy practices of such third parties. You should review the privacy notices of any third-party site or service before providing Personal Data.

15. Changes to This Policy

Kinset may update this Policy from time to time. The most recent version will always be available on our website with an updated “Last Updated” date. Where changes are material, Kinset will provide additional notice as required by Applicable Data Protection Law.

16. Contact Us

Questions or requests relating to this Policy or to Kinset’s processing of Personal Data may be directed to: