[ legal ]
Kikimora Privacy Notice
Last updated:
We at Kikimora respect your privacy and are strongly committed to keeping secure any personal information we obtain. This Privacy Notice describes our practices with respect to Personal Data we collect from or about you when you use our website, applications, and services (collectively, “Services”).
1. Data Controller
1.1 Controller Information
Kikimora io AD, UIC: 207472703, a corporation incorporated under the laws of Republic of Bulgaria, having its registered address at Bulgaria, Sofia 1612, Hipodruma Building 107A, Ap.1, is the controller and is responsible for the processing of your Personal Data as described in this Privacy Notice (“Kikimora” or the “Controller”).
2. Personal Data
2.1 Data Collection Categories
We collect personal data relating to you (“Personal Data”) as described below:
a) Personal Data You Provide
We collect the following Personal Data when you create an account or communicate with us:
- Account Information: When you create a Platform account, we collect information associated with your account, including your name, contact information, account credentials, and transaction history.
- User Content: When you use our Services, we collect Personal Data that is included in the input, file uploads, or feedback that you provide to our Services.
- Communication Information: If you communicate with us, we collect your name, contact information, and the contents of any messages you send.
- Social Media Information: We have pages on social media sites like Instagram, Facebook, YouTube and LinkedIn. When you interact with our social media pages, we collect Personal Data that you choose to provide to us, such as your contact details. In addition, the companies that host our social media pages may provide us with aggregate information and analytics about our social media activity.
- Other Information You Provide: We collect other information that you may provide to us, such as when you participate in our events or surveys.
b) Personal Data We Receive Automatically From Your Use of the Services
When you visit, use, or interact with the Services, we receive the following technical information:
- Log Data: Information that your browser or device automatically sends when you use our Services. Log data includes your IP address, browser type and settings, the date and time of your request, and how you interact with our Services.
- Usage Data: We may automatically collect information about your use of the Services, such as the types of content that you view or engage with, the features you use and the actions you take, as well as your time zone, country, the dates and times of access, user agent and version, type of computer or mobile device, and your computer connection.
- Device Information: Includes name of the device, operating system, device identifiers, and browser you are using. Information collected may depend on the type of device you use and its settings.
- Cookies and Similar Technologies: We use cookies and similar technologies to operate and administer our Services, and improve your experience. For details about our use of cookies, see Section 12 (Cookies and Analytics) below.
c) Personal Data We Receive From Other Sources
We receive information from trusted third-party providers who support the delivery and operation of the Services. These may include vulnerability scanning tools, cloud infrastructure providers, analytics services, and AI model vendors (such as Google Gemini) that assist with processing user inputs, generating insights, or delivering specific Platform features. This information is used solely to enable functionality, improve performance, and ensure a secure and reliable user experience.
3. Principles
3.1 Data Protection Principles
While Processing Personal Data, Kikimora will respect the following principles:
a) Fairness, Lawfulness and Transparency
When Processing Personal Data, your individual rights must be protected. Personal Data must be collected and processed lawfully, in a fair manner, in good faith and must be proportionate to the objective. You must be informed of how your Personal Data is being handled. When the Personal Data is collected, the Data Subject must be informed of:
- The existence of the present Privacy Notice
- The identity of the Controller
- The purpose of Personal Data Processing
- Whether the Personal Data is disclosed to Third-parties
b) Purpose Limitation
Personal Data handled by Kikimora should be adequate and relevant to the purpose for which they are collected and processed. This requires, in particular, ensuring that the types of Personal Data collected are not excessive for the purpose for which they are collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.
c) Data Minimization
Personal Data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
d) Accuracy
Personal Data kept on file must be correct and if necessary, kept up to date. Inaccurate or incomplete Personal Data should not be kept on file and deleted.
e) Storage Limitation
Personal Data should not be kept in a form that permits identification of data subjects for longer than is necessary for the purposes for which it is processed.
f) Integrity and Confidentiality
Personal Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
3.2 Compliance
Kikimora is responsible for, and must be able to demonstrate compliance with, these data protection principles.
4. Processing
4.1 Processing Purposes
We may use Personal Data for the following purposes:
a) To provide and maintain our Services; b) To improve and develop our Services and new features and conduct research; c) To communicate with you, including to send you information or marketing about our Services and events; d) To prevent fraud, criminal activity, or misuses of our Services, and to protect the security of our systems and Services; and e) To comply with legal obligations and to protect the rights, privacy, safety, or property of our users, us, our affiliates, or any third party.
4.2 Aggregated Data
We aggregate or de-identify Personal Data so that it can no longer be used to identify you and use this information to analyze the effectiveness of our Services, to improve and add features to our Services, to conduct research and for other similar purposes. In addition, from time to time, we may share or publish aggregated information like general user statistics with third parties. We collect this information through the Services, through cookies, and through other means described in this Privacy Notice. We will maintain and use de-identified information in anonymous or de-identified form and we will not attempt to re-identify the information, unless required by law.
5. Legal Basis
5.1 Legal Grounds for Processing
When we process your Personal Data for the purposes described above, we rely on the following legal bases:
| Processing Purpose | Type of Personal Data | Legal basis |
|---|---|---|
| Provision and maintenance of our Services | • Account Information • User Content • Communication Information • Other Information You Provide • Log Data • Usage Data • Device Information • Cookies and Similar Technologies | Contract |
| Improving and developing our Services | • Account Information • User Content • Communication Information • Other Information You Provide • Data We Receive From Other Sources • Usage Data & Log Data • Device Information • Cookies and Similar Technologies | Legitimate interests |
| Communication, marketing | • Account Information • Communication Information • Social Media Information • Other Information You Provide • Usage Data & Log Data • Device Information • Cookies and Similar Technologies | Contract, consent |
| Fraud prevention, protecting the security of the systems | • Account Information • User Content • Communication Information • Social Media Information • Other Information You Provide • Data We Receive From Other Sources • Usage Data & Log Data • Device Information • Cookies and Similar Technologies | Compliance with legal obligation, legitimate interests |
| Compliance with legal obligations, protecting our users, us, our affiliates, or any third party | • Account Information • User Content • Communication Information • Social Media Information • Other Information You Provide • Data We Receive From Other Sources • Usage Data & Log Data • Device Information • Cookies and Similar Technologies | Compliance with legal obligation, legitimate interests |
6. Disclosure
6.1 Disclosure Circumstances
We may disclose your Personal Data in the following circumstances:
a) Vendors and Service Providers
To assist us in meeting business operations needs and to perform certain services and functions, we may disclose Personal Data to vendors and service providers, including providers of hosting services, customer service vendors, cloud services, content delivery services, support and safety monitoring services, email communication software, web analytics services, payment and transaction processors, and other information technology providers. Pursuant to our instructions, these parties will access, process, or store Personal Data only in the course of performing their duties to us.
b) Other Users and Third Parties You Interact or Share Information With
Certain features allow you to interact or share information with other users or third parties. For example, you can share vulnerability scan reports with other users on the Platform.
c) Account Administrators
When you create an account for our Services, the administrators of that account may access and control your account, including being able to access your Content. In addition, if you create an account using an email address belonging to your employer or another organization, we may share the fact that you have an account and certain account information, such as your email address, with your employer or organization to, for example, enable you to be added to their account.
d) Third-Party Applications
You can also send information to third-party applications, such as interactions with our AI Agent, integrated with Google Gemini. Information you share with third parties is governed by their own terms and privacy policies, and you should make sure you understand those terms and policies before sharing information with them.
e) Affiliates
We may disclose Personal Data to our affiliates, meaning an entity that controls, is controlled by, or is under common control with Kikimora. Our affiliates may use this Personal Data in a manner consistent with this Privacy Notice.
f) Business Transfers
If we are involved in strategic transactions, reorganization, bankruptcy, receivership, or transition of service to another provider (collectively, a “Transaction”), your Personal Data may be disclosed in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets.
g) Government Authorities or Other Third Parties
We may share your Personal Data, including information about your interaction with our Services, with government authorities, industry peers, or other third parties in compliance with the law (i) if required to do so to comply with a legal obligation, or in the good faith belief that such action is necessary to comply with a legal obligation, (ii) to protect and defend our rights or property, (iii) if we determine, in our sole discretion, that there is a violation of our terms, policies, or the law; (iv) to detect or prevent fraud or other illegal activity; (v) to protect the safety, security, and integrity of our products, employees, users, or the public, or (vi) to protect against legal liability.
7. Marketing
7.1 Direct Marketing
Subject to the applicable data protection laws, the Controller may from time to time send direct marketing materials promoting its Services and/or activities to its users, who have subscribed for updates.
7.2 Opt-Out Rights
You may, at any time, opt-out of such communications by utilizing the marketing preferences center provided with each direct marketing communication. Users may also opt-out of direct marketing by communicating your preferences to Kikimora at [email protected].
8. Retention
8.1 Retention Periods
We retain your Personal Data only as long as necessary to provide our Services or for legitimate business or legal purposes. How long we retain Personal Data will depend on a number of factors, such as:
a) Our purpose for processing the data (such as whether we need to retain the data to provide our Services); b) The amount, nature, and sensitivity of the data; c) The potential risk of harm from unauthorized use or disclosure of the data; d) Any legal requirements that we are subject to.
8.2 User Settings
In some cases, the length of time we retain data depends on your settings. For example, the AI Agent’s data controls offer you the ability to manage chat history and archived chats.
9. Transfers
9.1 Security Measures
When transferring Personal Data, Kikimora ensures that the recipient (data importer) maintains security measures for the storage and Processing of Personal Data that are materially similar to those implemented by Kikimora.
9.2 Transfer Basis
Your Personal Data may be processed, stored, and transferred to third parties as described in this Privacy Notice, in the contract(s) concluded between you and Kikimora, or based on any consents you may provide from time to time.
9.3 Adequacy Decisions
Transfers of Personal Data may occur to countries that have been deemed to offer an adequate level of data protection pursuant to “adequacy decisions” issued by the relevant supervisory authorities. In such cases, no additional safeguards are required.
9.4 Standard Contractual Clauses
Where Personal Data is transferred to a country that is not covered by an “adequacy decision” and where no alternative legal transfer mechanism applies, Kikimora will ensure that the transfer is governed by the applicable Standard Contractual Clauses or other legally recognized safeguards, in accordance with data protection laws.
10. Your Rights
10.1 Statutory Rights
You have the following statutory rights in relation to your Personal Data:
a) Access your Personal Data and information relating to how it is processed. b) Delete your Personal Data from our records, subject to legal, regulatory, and contractual obligations to retain certain data. c) Rectify or update your Personal Data. d) Transfer your Personal Data to a third party (right to data portability). e) Restrict how we process your Personal Data. f) Withdraw your consent, where we rely on consent as the legal basis for processing at any time. g) Lodge a complaint with your local data protection authority (see below).
10.2 Objection Rights
You have the following rights to object:
a) Object to our processing of your Personal Data for direct marketing at any time. b) Object to how we process your Personal Data when our processing is based on legitimate interests.
10.3 Exercising Rights
You can exercise these rights by submitting a request to [email protected].
11. Contact & Complaints
11.1 Contact Information
If you have any questions or concerns not already addressed in this Privacy Notice, you can write to us at [email protected] or the address above under Section 1 (Data Controller).
11.2 Complaints
We hope that we are able to address any questions or concerns you may have. If you have any unresolved complaints with us, you can reach out to the Commission for Personal Data Protection in Bulgaria, as our lead supervisory authority, or your local supervisory authority.
12. Cookies and Analytics
12.1 Website Analytics
Our website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited (“Google”), to understand how visitors use the site. Analytics cookies (e.g., _ga) are set only after you give consent through the cookie banner. We implement Google Consent Mode v2: until you accept, no analytics cookies are stored and no identifiable analytics data is collected.
12.2 What We Collect
With your consent, Google Analytics collects pseudonymous information about your visit: pages viewed, approximate location (country/city level), device and browser type, and interactions such as clicks on sign-up, login, or integration links. We do not use analytics data for advertising purposes and we do not sell it. Google Analytics 4 does not log or store IP addresses.
12.3 Consent Record
Your consent choice is stored in your browser’s local storage (key “kikimora-consent”) so that we do not ask again on every visit. This record contains only the value “granted” or “denied” and no personal information.
12.4 Withdrawing Consent
You can withdraw or change your consent at any time by clearing this site’s cookies and site data in your browser, after which the consent banner will be shown again. You may also block cookies in your browser settings or use Google’s opt-out browser add-on (https://tools.google.com/dlpage/gaoptout). Declining or withdrawing consent does not affect your use of the website.
12.5 Processor
Google processes this data on our behalf as a data processor. For more information on how Google handles data, see Google’s Privacy Policy (https://policies.google.com/privacy).
13. Miscellaneous
13.1 Third-Party Links
The Services may contain links which direct you to third party websites. Kikimora is not responsible for the privacy practices or content of third-party websites that may be linked to our Services.
13.2 Updates
We may update this Privacy Notice from time to time. When we do, we will post an updated version on this page, unless another type of notice is required by applicable law.
13.3 Governing Law
This Privacy Notice and any questions relating thereto shall be governed by the laws of the Republic of Bulgaria, to the exclusion of any rules of conflict resulting from private international law. Any dispute relating to this Privacy Notice must exclusively be brought before the courts of Sofia, Bulgaria.