Skip to content
  • Trust center
  • Privacy and compliance

General data protection regulation (GDPR)

Kinde is compliant with the GDPR and here’s how we do this.

The list below are based on the key issues provided by GDPR-Info. They summarize the key issues facing companies in regard to data privacy protection. More information on the GDPR can also be found at GDPR.EU.

Please note that this document is for guidance purposes only and is only updated occasionally. For the most up to date representation of our privacy stance, please refer to our privacy policy.

If you require a Data Processing Agreement (DPA), please reach out to our team at support@kinde.com.

Kinde processes personal data as part of our authentication product. Specifically first name, last name, and email address. Note that there may be less information provided depending on the type of authentication integration being used by our customers. For example, some social providers only provide the email or only provide a custom identifier without revealing any personal details. The consent for this is part of the terms between data subjects and Kinde’s customers. Kinde’s customers are the data controller, where as Kinde is only a data processor on behalf of our customer.

With respect to marketing efforts, Kinde uses a legitimate interest assessment internally to determine broad scopes of marketing activities.

Data Protection Officer

Link to this section

Kinde has nominated a Data Protection Officer internally, whose core responsibilities include ensuring Kinde is aware of, and trained on, all relevant privacy obligations, conduct audits to ensure compliance, address potential issues proactively, and act as a liaison with the public on privacy matters. You can reach out Data Protection Officer by emailing privacy@kinde.com.

Email marketing

Link to this section

All marketing emails are sent with an opt-out link in the event that customers don’t want to receive products updates from us. Membership to the email marketing lists is collected when users voluntarily provide details to us, such as signing up for our product, registering for the newsletter, or signing up to blog post or product updates.

All customer data, including personal data, is encrypted at rest in Kinde’s production database using AES256. More information can be found on the Security at Kinde page. Access to Kinde customer data and the back-end infrastructure is strictly limited and controlled.

Privacy by Design

Link to this section

One of Kinde’s product principles is Privacy by Design. In this effort, we have made a commitment to never sell our customer data. In addition to this, we’ve included privacy related checks throughout our software lifecycle to ensure that Kinde only collects the bare minimum amount of personal data to successfully run the product.

Privacy impact assessment

Link to this section

Kinde has completed privacy impact assessments for our key processing activities, which internally we’ve called a Data Protection Impact Assessments (DPIA), based on a template provided by the UK’s Information Commissioners Office. They’re long and thorough, and have been extremely useful in mapping out the personal data being handled, but also influencing the business and technical strategies in protecting that data.

As Kinde is a business to business (B2B) company, we handle personal data on behalf of our customers, which makes us a data processor. Our customers are the data controllers. As a result, Kinde takes instruction from the customers about what to do with the personal data. With respect to the customer, Kinde is a sub-processor for them.

To review Kinde’s sub-processors, please see sub-processors.

Records of processing activities

Link to this section

One of the outputs from the DPIA mentioned earlier is a privacy data map, which includes records of processing activities (RoPA). Privacy surveys are conducted with each department to identify their own activities and what personal data is being handled. This captures information across user types such as customers, users, and employees. Once the surveys are done, the information is collated back into our RoPA and then updated as needed.

Right of access

Link to this section

Due to Kinde being a processor of data and not the controller, the right of access for a data subject should be directed at Kinde’s customers. These companies should handle the privacy request and forward onto Kinde if there’s anything that we can do to assist. For the most part, Kinde will allow customers to view, adjust, or remove personal data for their users, such as user’s names or emails.

Right to be forgotten

Link to this section

Refer to Right of access.

Right to be informed

Link to this section

Refer to Right of access.