Privacy Policy

Introduction

Welcome to Kitchain. This Privacy Policy explains how KITCHAIN LTD (“Kitchain”, “we”, “us” or “our”) collects, uses, discloses, and protects personal data when you use our website and platform. Kitchain is a business-to-business (B2B) software-as-a-service platform that matches food brand operators with third-party commercial kitchen partners, currently operating in Dubai and London. We are registered in the United Kingdom as KITCHAIN LTD (Company No. 16563531) with a business address at 71–75 Shelton Street, Covent Garden, London, UK. For the purposes of applicable data protection laws (including the UK General Data Protection Regulation (UK GDPR), EU GDPR, and relevant United Arab Emirates data protection frameworks), Kitchain acts as the “data controller” of your personal data described in this Policy, unless otherwise stated.

By using our website or platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please do not use our services. We may also act as a “data processor” on behalf of our brand or kitchen partners in certain cases (for example, when processing any personal data contained in the content they upload to our platform); in such cases, our partners remain the data controllers for that data, and we process it only according to their instructions.

Definitions: In this Policy, “Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”), such as a user’s name or contact details. The term “Services” refers to the Kitchain website, platform, and related services. “Brand User” refers to a representative of a food brand using Kitchain, and “Kitchen User” refers to a representative of a kitchen partner using Kitchain. “You” refers to any person who uses our Services, whether on behalf of a company (as a Brand or Kitchen user) or as a website visitor.

Information We Collect

We collect both personal and business information in order to provide and improve our Services. The types of data we may collect include:

  • Account and Contact Information: When you register or contact us, we collect information such as your name, email address, phone number, job title/role, company or business name, and login credentials. For example, representatives of food brands and kitchens provide personal contact details and work information so we can set up and manage their accounts.

  • Business Content and Documents: As part of our platform’s matching and operational services, users upload business data. Brand users may upload proprietary information including standard operating procedures (SOPs), recipes, menus, training videos, sales figures/reports (e.g. from delivery aggregators), and other documents related to their restaurant brand. Kitchen users may upload information about their facilities such as kitchen layouts and floor plans, equipment specifications, photos or videos of their kitchen, food safety certifications (e.g. Food Safety or HACCP certificates), and related documents. This content is typically business information and may not be personal data, but it is treated as confidential and is used solely for the purposes of our Services (such as evaluating compatibility between brands and kitchens, facilitating training, and maintaining quality standards).

  • Platform Usage Data: When you use the Kitchain platform, we collect data about your usage and activities. This includes records of communications and interactions on the platform (since all collaboration and communication between brands and kitchens is done through our centralized messaging system), activity logs of actions taken (for example, when a user uploads a file or completes a checklist), quality control and performance metrics (such as timing of order fulfillment, compliance with standards, and sales performance of brand offerings in each kitchen), and other analytics. We collect this information to monitor service quality, generate reports (like sales and performance analytics), and improve the platform’s functionality.

  • Financial and Transaction Data: We may collect information related to payments and transactions on the platform. For instance, we keep records of subscription payments, setup fees, and revenue-sharing calculations. The platform centrally tracks revenue generated through partnered kitchens (e.g. sales of a brand’s menu items in each kitchen) in order to calculate any applicable royalties or commissions and to provide financial reports to both brands and kitchens. If you make payments to us (such as subscription fees), we will process information like invoicing details and payment confirmations. Note: For online payments, we use reputable third-party payment processors (at this time, payment details like credit card numbers are not collected directly by us through the site). We do not store your sensitive financial information such as full credit card numbers on our systems; any payment transactions are encrypted and processed by our payment provider.

  • Site Visit Data and Cookies: If you visit our marketing website (outside of the logged-in platform), we automatically collect certain technical information through cookies and similar tracking technologies. This may include your device’s IP address, browser type, device identifiers, pages viewed, and the date/time of visits. We use cookies to enable site functionality (e.g., keeping you logged in on the platform), as well as optional analytics and advertising cookies (with your consent) to understand how our website is used and to market our services. Please see Cookies and Tracking Technologies below for more details.

  • Communication Records: When you communicate with us (for example, via a contact form, email, or through support chat on the platform), we will collect and retain those communications, including any information you choose to provide. This may include inquiries from potential partners or investors, support requests, or feedback. These communications help us address your questions and improve our services.

  • No Sensitive Personal Data: We do not intentionally collect any special categories of personal data (for example, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, or information concerning a person’s sex life or sexual orientation). Our platform is not intended for processing such sensitive data, and we ask that you do not upload or submit any such information.

We obtain most of this information directly from you or through your use of our platform. In the future, if you choose to integrate your Kitchain account with third-party services (for instance, linking a delivery aggregator platform to import sales data), we may receive information from those third parties as needed to provide the integration. We will inform you at the time of any such data integration about the nature of data collected and ensure any required consent is obtained.

We do not knowingly collect any personal data from children. Our platform and website are intended for use by adults in a business capacity. We do not target or offer services to individuals under the age of 18. If you are a minor, please do not provide personal information to us. If we discover that we have inadvertently collected personal data from someone under 18, we will delete it.

How We Use Your Information

We use the collected information for the following purposes:

  1. Providing and Improving the Service: We process data to operate the Kitchain platform and provide services to our users. This includes using Brand and Kitchen information to facilitate matches between food brands and suitable kitchens (using our AI-driven matching algorithm that analyzes recipes and kitchen capabilities), to onboard new partners, and to maintain and improve platform functionality. For example, we use the recipes and SOPs provided by a Brand and the equipment and certifications data from Kitchens to recommend optimal partnerships and ensure kitchens can meet the brand’s standards. We also use user account details to manage logins and authenticate authorized users, and to provide dashboards and tools (such as analytics, quality control checklists, and report exports in PDF/XLS format).

  2. Facilitating Communication and Collaboration: All communications between Brand users and Kitchen users are centralized on our platform. We process the content of messages, shared files, and feedback exchanged through our platform to ensure effective collaboration and to enforce platform rules. This centralized communication system allows us to monitor compliance with our terms (preventing off-platform circumvention, misuse, or sharing of unauthorized content) and to assist users if needed. Platform moderators or administrators may review communications on a limited, role-authorized basis for trust and safety purposes, such as investigating a complaint or ensuring quality assurance.

  3. Monitoring Quality and Performance: We analyze data related to kitchen performance and brand standards to maintain high quality across the platform. This includes tracking key performance indicators (KPIs) like food preparation times, order accuracy, customer feedback (if provided via integrated delivery platforms or review reports), and adherence to brand recipes and standards. We use this data to generate performance reports and ratings for kitchens, and to alert brands if standards are not met. These processes may involve automated analysis using AI, but no automated decision is made that would deny someone access without human review — for example, any decision to discontinue a partnership due to performance is reviewed by our team.

  4. Financial Operations: We process personal and business data as needed to handle billing, payments, and revenue sharing between parties. For instance, we use sales and transaction data from kitchens to calculate the royalty or commission owed to brand partners, and to produce financial statements or royalty reports. We also use your contact and company information to issue invoices, process subscription payments, and manage our accounting records. All revenue and payments in the network are controlled centrally through our system for transparency and auditability.

  5. Customer Support and Service Communication: We use contact information and communications to provide support, respond to inquiries, and send service-related notifications. For example, we may inform you about important updates or changes on the platform, such as updates to terms or this Privacy Policy, or send alerts related to your use of the service (maintenance notices, security alerts, password resets, etc.). These communications are part of our service and not promotional in nature.

  6. Analytics and Product Development: With your consent where required, we use cookies and analytics tools (such as Google Analytics) to understand how our website and platform are being used, so we can improve user experience and optimize our Services. Internally, we might also aggregate usage data (e.g., overall number of brands and kitchens in a city, popular types of equipment, performance trends) to improve our matching AI algorithms and add new features. These analytics are typically done on an aggregated or pseudonymized basis without identifying individual users. Any use of your data for improving our product is done under strict access controls and only to the extent permitted by law or under our legitimate interests.

  7. Legal and Compliance: We may process personal data to fulfill our legal obligations and regulatory requirements. This includes compliance with applicable food safety regulations, know-your-customer (KYC) and anti-money laundering (AML) laws when onboarding partners, tax and financial reporting obligations, and responding to lawful requests by public authorities. For example, before finalizing a partnership, we might need to verify a kitchen’s business license or a brand’s food license as required by law; any personal data involved in such compliance checks will be processed under the appropriate legal basis (such as compliance with a legal obligation or performance of the contract).

  8. Security and Fraud Prevention: We use data (such as account information and usage logs) to maintain the security of our Services, to detect or prevent fraud, unauthorized activities, and other harmful actions. We monitor login activity, employ technical measures to protect against bot attacks or hacking, and may suspend or terminate accounts that violate our terms or present security risks. These actions are taken to protect our users’ data and the integrity of our platform.

We will use your personal data only for the purposes above or for closely related purposes. If we need to process your data for a new purpose that is incompatible with the original purposes, we will notify you and, if required, obtain your consent.

Legal Bases for Processing

We process personal data only when we have a valid legal basis to do so under applicable data protection laws such as the GDPR (EU/UK) and the UAE Personal Data Protection Law (PDPL). Depending on the context, our legal bases include:

  • Performance of a Contract: Most of our processing is necessary to provide you with our Services under our Terms of Service (or another agreement with you). For example, when you sign up and use our platform, we must process your account data, uploaded content, and communications to deliver the matching service, dashboards, and reports as promised. This also covers steps taken at your request prior to entering into a contract (e.g., if you inquire about our service or begin the onboarding process).

  • Legitimate Interests: In some cases, we process personal data as necessary for our (or a third party’s) legitimate interests, provided those interests are not overridden by your data protection rights. Our legitimate interests include: maintaining and improving our platform (e.g., internal analytics on service usage, enhancing our AI matching algorithm using business data — not sensitive personal data), ensuring the security of our systems and preventing fraud, managing business relationships (e.g., keeping a CRM with partner contact details and interaction history), and communicating with you about our existing services. When relying on this basis, we will always consider your rights and interests and will provide an opt-out or objection right where applicable (for instance, you have the right to object to certain analytics or communications based on legitimate interest as described in Your Rights below).

  • Consent: We rely on consent in specific situations where we are required to do so. For example, we obtain your consent before placing non-essential cookies or using analytics and advertising tracking (see Cookies and Tracking Technologies), and if we ever send direct marketing communications (which we do not do without your permission). If we introduce any feature that processes personal data in a way that requires consent under law, we will obtain consent. You have the right to withdraw your consent at any time, as described in Your Rights.

  • Legal Obligation: When applicable, we process personal data to comply with our legal obligations. This includes obligations under financial laws, tax laws, and regulations in the jurisdictions where we operate (UK, EU, UAE). For instance, we may need to retain invoicing records for a certain number of years as required by tax law, or collect certain identification details to satisfy AML/KYC regulations mandated by law. We will only process the minimum amount of personal data necessary to meet these obligations.

  • Vital Interests or Public Interest: These bases are unlikely to apply to our B2B service, but if ever processing is necessary to protect someone’s life or for a task in the public interest formally assigned to us, we would rely on those legal bases as appropriate.

If you have questions about the specific legal basis for a particular processing activity, please contact us (see Contact Us below) and we will provide additional information.

Cookies and Tracking Technologies

Like most websites and online platforms, we use cookies and similar tracking technologies to collect data about your device and browsing actions on our site. Cookies are small text files that are placed on your computer or device when you visit a website. We use the following categories of cookies on our site:

  • Strictly Necessary Cookies: These cookies are essential for the operation of our website and platform. They enable core functionality such as user authentication, session management, and user preferences (for example, keeping you logged in as you navigate through the platform). Without these cookies, the Services you have asked for cannot be provided properly. These cookies do not require consent.

  • Analytics Cookies: We use analytics cookies to collect information about how visitors use our website, such as which pages are visited and any errors encountered. Specifically, we use Google Analytics (GA4) to help analyze site traffic and usage. These cookies gather technical and usage information (like IP address, device type, browser, and pages visited) that we use in aggregate form to improve our website and services. We anonymize or pseudonymize IP addresses where required. We will only deploy analytics cookies if you have given consent via our cookie banner or settings. You can withdraw your consent at any time by adjusting your cookie preferences or browser settings.

  • Advertising/Marketing Cookies: We may use marketing cookies or pixels (such as the Google Ads conversion tag) to help deliver and measure our advertisements. For example, if we run ads on Google or other platforms, these cookies help us understand if you visited our site through an ad and allow us to reach you again with relevant advertising (retargeting) or measure the effectiveness of our ad campaigns. These cookies will also only be used with your consent.

When you first visit our site, you will be presented with a cookie notice allowing you to accept or manage your cookie preferences. You can change your cookie settings at any later time through our website’s cookie settings tool or via your browser settings. Please note that disabling certain cookies (like necessary cookies) may impact your ability to use the platform effectively.

We currently do not respond to “Do Not Track” (DNT) signals or Global Privacy Control (GPC) headers, because there is no consistent industry standard for compliance. We honor your cookie consent choices made through our cookie banner.

For more details on our use of cookies (including a list of specific cookies and their retention periods), please see our Cookie Policy or contact us.

Data Sharing and Disclosure

We treat your personal and business information with care and confidentiality. We do not sell your personal data. However, we may share your information with selected third parties in the following situations:

  • Service Providers (Processors): We share data with trusted third-party service providers who perform services on our behalf, strictly under contractual instructions and for the purposes described in this Policy. These include:

    • Hosting and Infrastructure: We host our platform and database on secure cloud servers (for example, on Hetzner data centers in the EU). These providers store and process data (including your personal data and uploaded files) on our behalf to keep the service running.

    • Data Storage and Backup: We maintain data backups in secure facilities (with the same hosting provider) to ensure resilience and disaster recovery. Backup data is encrypted and stored with similar protections.

    • Analytics and Advertising Partners: As noted, we use Google Analytics for website analytics and Google Ads for marketing; these third-party tools will receive certain data via their cookies/pixel when you have consented. Google may process some of this data on servers in the United States or other countries. We have configured Google Analytics to anonymize IP addresses in the EU where applicable, and we rely on approved safeguards (such as Standard Contractual Clauses) for any international transfers (see International Data Transfers below).

    • Customer Relationship Management (CRM) and Communications: We use a CRM system (such as Bitrix24’s EU-based service) to organize our contacts with partner brands and kitchens, track onboarding progress, and log interactions. If you correspond with us or sign a contract, your name, business contact details, and communications may be stored in our CRM database. This data is hosted in the European Union (for example, Bitrix24’s EU servers in Germany).

    • Payment Processors: If and when we accept online payments, we use external payment gateways (such as Stripe or similar) to handle payment transactions securely. These processors receive your payment card details directly to process payments and will only share with us limited information (like a confirmation that payment was completed). They are themselves PCI-DSS compliant and responsible for the secure handling of payment information. (As of the latest update, our website does not directly collect card information; any payments are handled off-site by the payment provider.)

    • Other Vendors: From time to time, we might use other tools or services, such as email service providers (for sending notifications) or IT support services. We will ensure any such vendors are bound by confidentiality and data protection obligations.

  • Within our Corporate Group: If Kitchain forms any subsidiaries, affiliates, or if we have personnel in different locations (e.g., our operational staff in Dubai), your information may be shared within our organization on a need-to-know basis. All our staff are subject to confidentiality agreements and role-based access controls, meaning they can only access the data necessary for their role.

  • Business Transfers: If we undergo a business transaction such as a merger, acquisition, corporate investment, or sale of all or a portion of our assets, your personal data may be disclosed to the parties involved (e.g., to lawyers, auditors, and potential acquiring entities) as part of due diligence or transferred to the new owners as part of the transaction. In such cases, we will ensure that appropriate safeguards for your data are in place and that the receiving party agrees to respect your personal data in a manner consistent with this Policy.

  • Legal Compliance and Protection: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, law enforcement inquiry, or regulatory demand). We may also disclose data if we believe in good faith that such action is necessary to comply with a legal obligation, to protect and defend our rights or property, to prevent fraud or abuse of our platform, or to protect the safety of our users or the public. For example, if a government regulator in one of the jurisdictions where we operate requests information as part of an investigation, we may need to provide it as mandated by law.

  • With Your Consent: In situations where you have explicitly consented to data sharing, we will share your information accordingly. For instance, if in the future we offer an option to share certain data with a third-party integration or partner (such as an integration with a food delivery aggregator or a marketing partner for a joint promotion), we will only do so with your knowledge and consent, or at your direct request.

We require all third parties who process personal data on our behalf to respect the security of your data and to treat it in accordance with the law. We remain responsible for the handling of your personal data by any such third-party service providers.

International Data Transfers

Kitchain operates internationally, and your personal data may be transferred to or accessed from outside your country of residence in order to provide our services. In particular, our primary servers and data storage are currently located in the European Economic Area (EEA) (for example, in Germany where our hosting and CRM data reside). However, members of our team as well as certain service providers may be located in other countries, including countries outside the EEA such as the United Arab Emirates (UAE) or the United States.

Whenever we transfer personal data out of the UK/EEA, we take steps to ensure an adequate level of protection for the data, as required by applicable law. These measures include:

  • Standard Contractual Clauses: If your data is transferred from the EEA or UK to a country that the European Commission (or UK authorities) does not recognize as providing an adequate level of data protection (for example, to our staff or contractors in the UAE), we implement Standard Contractual Clauses (SCCs) approved by the European Commission and, where relevant, the UK International Data Transfer Addendum. These contractual obligations require the recipient to protect personal data to EU GDPR standards. We also apply internal policies and technical controls (such as encryption and access limitations) to protect data that is accessed remotely from outside the EU.

  • Data Residency Choices: We strive to keep the primary storage of personal data in jurisdictions with strong data protection laws (currently within the EU for our databases). Our CRM and platform data are stored on servers in Germany. We do not routinely transfer or store personal data in the United States or other third countries except through the controlled use of third-party services like Google Analytics/Ads as noted above, or through remote access by our authorized personnel.

  • Service Providers’ Compliance: Whenever we engage service providers that may process data in other jurisdictions, we ensure they participate in appropriate compliance frameworks or provide other safeguards. For example, our analytics and advertising partner (Google) has committed to legal transfer mechanisms (and as of the last update, large providers like Google may participate in the EU-U.S. Data Privacy Framework or rely on SCCs). Our agreements with such providers include data protection addendums to cover international transfer compliance.

By using our Services, you understand that your personal data may be transferred to our facilities and those third parties with whom we share it as described in this Policy. We will take all measures reasonably necessary to ensure that your data is treated securely and in accordance with this Policy wherever it is processed. If you would like more information about international data transfers or copies of the agreed safeguards, you can contact us using the details below.

Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

In practice, this means:

  • Account Data: If you are a registered user (Brand or Kitchen), we keep your personal account information for as long as your account is active or as needed to provide you with our Services. If you terminate your relationship with Kitchain (or your company’s contract ends), we will delete or anonymize your personal data upon request or after a reasonable period following the end of our relationship. Some basic information may be retained for a certain time after account deletion in backups or archives or as required for legal reasons (for example, to resolve disputes, enforce our agreements, or comply with legal obligations). By default, if you simply stop using the platform without an official termination, we may retain your data for a period of time in case you return or to keep records of our interactions, but we will not keep it longer than necessary.

  • Business Content: Content that you upload (recipes, documents, etc.) can be deleted by you at any time via the platform. If you delete content or your account, we will endeavor to remove the data from active use promptly. However, some content may persist in backup copies for a short duration (due to routine backup processes) before being fully erased, and in audit logs (to maintain integrity of our records of system use). We do not use your business content for any purpose other than providing the Services to you and will delete it upon your request or upon termination of the contract, subject to any retention required for legal compliance.

  • Communications and Support Records: If you contacted us or we provided support, we may retain those communications for a period of time to ensure we have a history of your support requests and our responses. Generally, routine inquiries are kept for a reasonable period (e.g. one to two years). Where required by law (for example, certain business correspondence must be retained for a set number of years under local regulations), we will retain communications for that period.

  • Analytics Data: Data collected via cookies and similar technologies is retained as long as necessary for the purposes. Analytics data is often kept in aggregate form; for instance, Google Analytics data may be retained for a default period (such as 14 months) or as configured in our settings. You can delete cookies from your own browser at any time, which will remove the data stored on your device. We will periodically review and purge or anonymize old analytics data.

  • Legal Retention: In some cases, we must retain personal data for a certain period by law. For example, in the UK, financial records are often kept for at least 6 years for tax audit purposes. If we collected any identity verification info for compliance, we would retain it as long as required under applicable KYC/AML regulations. During such retention, your data will be securely stored and isolated from routine use.

When we no longer have a lawful reason or business need to keep your personal data, we will securely erase it or irreversibly anonymize it so that you can no longer be identified from the data. If erasure is not immediately possible (for instance, because the data is stored in archives), we will ensure it is not actively processed until deletion is possible.

Importantly, you also have the right to request deletion of your data at any time (see Your Rights below), and we will honor such requests in accordance with legal requirements.

Data Security

We take the security of your personal and business information very seriously. We implement a variety of technical and organizational security measures to protect your data from unauthorized access, loss, misuse, or alteration. These measures include:

  • Encryption: We use encryption to protect data in transit and at rest. All communications between your browser and our platform are secured via industry-standard TLS (Transport Layer Security) encryption (HTTPS). Sensitive data stored in our databases is encrypted or hashed where appropriate. We also encrypt data backups.

  • Access Controls and Authentication: We maintain a strict role-based access control system. This means that both our users and our internal staff have access only to the information necessary for their role. Brand users and Kitchen users can only access their own organization’s data and any shared project data, not each other’s confidential information unless explicitly shared through the platform. Our administrators and support personnel have tiered access rights, and access to personal data is granted only to those team members who need it to perform their duties (for example, providing technical support or moderating content). We use secure authentication protocols for user logins (and encourage strong passwords and two-factor authentication where available), and our internal systems require strong authentication for any staff access.

  • Monitoring and Logging: We log user activities and administrative access within the platform. This audit trail of actions (e.g., uploads, edits, logins, and important configuration changes) helps us detect irregular activities and provides accountability. The logging system is designed to protect against unauthorized tampering and is only accessible to authorized personnel for security monitoring.

  • Network and Application Security: Our servers are protected by firewalls and network security controls to prevent unauthorized external access. We keep our software and infrastructure up to date with security patches. Regular vulnerability scans and security assessments are conducted on our systems. When feasible, we engage in penetration testing or third-party security audits to test the strength of our defenses.

  • Backup and Disaster Recovery: We perform regular backups of critical data to prevent data loss. Backup data is stored securely (and encrypted) at offsite locations. We have a disaster recovery plan in place that outlines procedures for responding to major incidents (such as data center outages or security breaches) to ensure we can restore availability and access to personal data in a timely manner. Our systems are built with redundancy to reduce single points of failure, and we regularly test our backup restoration process to verify its effectiveness.

  • Organizational Measures: Our team is trained on data protection best practices and confidentiality. We have internal policies governing how personal data must be handled and protected by our staff. Only employees who have a business need to access personal data (such as customer success or IT personnel) are permitted access, and they are bound by strict confidentiality obligations. We also utilize secure development practices to ensure that privacy and security are considered at each stage of our platform development.

While we strive to protect your data, no system can be guaranteed 100% secure. We continuously improve our security measures to cope with evolving threats. In the unfortunate event of a data breach that affects your personal data, we will promptly notify the affected individuals and relevant authorities as required by law. In particular, if we become aware of a personal data breach, we will evaluate the risk to your rights and freedoms; if there is a significant risk, we will notify the appropriate supervisory authority (such as the ICO in the UK or other EU authority) within 72 hours, and if the risk to you is high, we will also inform you without undue delay (via email or through the platform) about the nature of the breach and any steps you should take to protect yourself.

Your Rights

You have rights regarding your personal data that we process. We are committed to respecting these rights and have processes in place to enable you to exercise them. Your rights include:

  • Right to Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to request a copy of the personal data we hold about you, along with information about how we use and share it. This is commonly known as a “data subject access request.”

  • Right to Rectification: You have the right to request that we correct or update any inaccurate or incomplete personal data we hold about you. If you maintain an account, you can also log in and correct certain information directly in your profile.

  • Right to Erasure: You have the right to request that we delete your personal data, also known as the “right to be forgotten.” This right is not absolute – for example, we may need to retain certain information to comply with legal obligations or for legitimate business purposes. However, we will honor valid deletion requests and remove applicable data from active use. If you are a platform user, you may also have the ability to delete certain content you uploaded, and you can request full account deletion by contacting us.

  • Right to Restrict Processing: You can ask us to limit the processing of your personal data in certain circumstances – for instance, if you contest the accuracy of the data or object to our processing, we will consider requests to restrict usage while we resolve the issue.

  • Right to Data Portability: For data that you have provided to us and that we process by automated means on the basis of your consent or contract, you have the right to request a copy in a structured, commonly used, machine-readable format (and you have the right to have that data transmitted to another controller where technically feasible). In practice, this could include basic account information or content you uploaded. Our platform provides some export tools (e.g., exporting reports or data in PDF/XLS), and we can also assist in providing your data in a suitable format upon request.

  • Right to Object: You have the right to object to our processing of your personal data when we base our processing on legitimate interests (or perform a task in the public interest). If you object, we will evaluate whether our legitimate grounds for processing override your rights. You also have an absolute right to object to the use of your personal data for direct marketing purposes – as noted, we currently do not send marketing emails without consent, but if you were to receive any, you can opt out at any time.

  • Right to Withdraw Consent: If we rely on your consent for any processing (such as for analytics cookies or optional data collection), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing that was already carried out based on consent before its withdrawal. For example, you can adjust your cookie settings to withdraw consent for analytics, or unsubscribe from a newsletter if you had agreed to receive one.

  • Right Not to Be Subject to Automated Decisions: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects on you. As noted earlier, Kitchain does not make significant decisions about individuals without human involvement. Our AI matching suggestions and performance scoring are applied to business entities and are always subject to human review when it comes to any action affecting users.

  • Right to Complain to a Supervisory Authority: If you believe we have infringed your data protection rights or processed your personal data in a way that is not lawful, you have the right to lodge a complaint with a supervisory authority. If you are in the UK, this would be the Information Commissioner’s Office (ICO). If you are in the European Economic Area, you can contact your local Data Protection Authority. If you are in the UAE, you may contact the UAE Data Office or other relevant regulator (for instance, the Telecommunications and Digital Government Regulatory Authority (TDRA) or a free zone authority, as applicable under the PDPL). We would, however, appreciate the chance to address your concerns before you approach a regulator, so we encourage you to contact us first.

These rights may be subject to certain conditions and legal limitations. For example, we might not be able to delete your data if we are required by law to keep it, or we may deny a request for data portability if it adversely affects the rights of others.

Exercising Your Rights: You can exercise your rights by contacting us using the details provided in Contact Us below or by using any dedicated tools we provide (such as account settings or contact forms). For instance, if you wish to make a data access or deletion request, you can email us at our privacy contact. Please be as specific as possible about which right you want to exercise and what information your request pertains to. We will need to verify your identity before fulfilling certain requests, to ensure we do not disclose data to the wrong person or delete data in response to an improper request. We may ask you to provide information to confirm your identity (such as verifying your email address or other details we have on file).

We will respond to your request as soon as possible, generally within one month (30 days). If your request is complex or if we receive a high volume of requests, we may extend this period by an additional two months (we will inform you if an extension is needed). For requests under the UAE PDPL, the timeframe may be up to 45 days (with a possible similar extension). We will let you know if we need more time and the reasons why. In any case, we will communicate with you in a timely manner and do our best to address your concerns.

There is usually no fee for exercising your rights. However, if a request is manifestly unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on the request, as permitted by law. We will explain any such decision to you if it occurs.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us:

KITCHAIN LTD (Data Protection Team)
Address: 71–75 Shelton Street, Covent Garden, London, United Kingdom
Email: info@kitchain.co
Telephone: +44 7440 788779

We will be happy to assist you and will do our best to respond promptly to your inquiry.

As of the effective date of this Policy, we do not have a designated Data Protection Officer (DPO) since it is not required for our current scale of operations. We also currently operate out of the UK; if you are an EU/EEA resident, our UK establishment handles your data under UK GDPR, which is deemed essentially equivalent to EU GDPR. In the event that we target or significantly engage with individuals in the EU, we may appoint an EU representative as required by Article 27 of the EU GDPR and will update this Policy accordingly. Similarly, if we establish a legal entity or office in the UAE, we will update our company and contact information in this Policy to reflect compliance with the UAE PDPL.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our business practices, legal requirements, or for other operational reasons. When we make changes, we will post the updated Policy on our website and update the “Last Updated” date below. If the changes are significant, we may also notify registered users via email or through a notice on the platform prior to the change becoming effective, as required by applicable law.

We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of our website or Services after any updates become effective will constitute your acknowledgment of the revised Policy, to the extent permitted by law.

Last updated: August 11, 2025.