
GDPR Compliance

Our commitment to data protection

KamoCRM is designed and operated in compliance with the EU General Data Protection Regulation (GDPR) and respects the data protection rights of all users worldwide.

1. Our Commitment

KamoCRM Inc. is committed to full compliance with the General Data Protection Regulation (GDPR) and upholding the highest standards of data protection for all users, regardless of their geographic location. We believe that strong privacy protections are not just a legal requirement but a fundamental right of every individual who uses our platform.

We have implemented comprehensive technical and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently. This page outlines our approach to GDPR compliance and explains how we protect the rights of data subjects.

2. Legal Basis for Processing

Consent: Where required, we obtain clear and explicit consent from data subjects before processing their personal data. Consent can be withdrawn at any time through account settings or by contacting our Data Protection Officer. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.

Contractual Necessity: We process personal data that is necessary for the performance of our contract with you, including providing access to the platform, delivering features and functionality, processing payments, and providing customer support.

Legitimate Interest: We process certain data based on our legitimate interests, including platform security, fraud prevention, service improvement through anonymized analytics, and communication about service updates. We conduct legitimate interest assessments to ensure that our interests do not override the rights and freedoms of data subjects.

3. Your Rights Under GDPR

Right of Access: You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data. We will provide this information in a structured, commonly used, and machine-readable format upon request.

Right to Rectification: You have the right to request correction of any inaccurate personal data we hold about you, and to have incomplete data completed. Most account information can be corrected directly through the platform.

Right to Erasure: You have the right to request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected, when you withdraw consent, or when there is no other legal basis for continued processing. Certain data may be retained where required by law.

Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you do not wish the data to be erased.

Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. Our platform provides built-in data export tools to facilitate this right.

Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

4. Data Protection Officer

KamoCRM Inc. has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy, ensuring compliance with GDPR, and serving as the primary point of contact for data subjects and supervisory authorities.

You can reach our Data Protection Officer through our contact form for any questions or concerns related to data protection, privacy, or GDPR compliance. The DPO will respond to all inquiries within a reasonable timeframe.

5. Data Processing Activities

We maintain a comprehensive Record of Processing Activities (ROPA) as required by Article 30 of the GDPR. Our data processing activities include:

Account Management: Processing of name, email, company information, and credentials for the purpose of account creation, authentication, and administration. Legal basis: contractual necessity.

Platform Usage: Processing of interaction data, feature usage, and session information for the purpose of providing and improving the Service. Legal basis: contractual necessity and legitimate interest.

Communications: Processing of email, messaging, video, and phone data within the platform for the purpose of enabling business communication features. Legal basis: contractual necessity. This data belongs to the user's organization and is processed on their behalf.

Analytics: Processing of anonymized and aggregated usage data for the purpose of improving platform performance and identifying usability issues. Legal basis: legitimate interest.

Security: Processing of IP addresses, device information, and behavioral patterns for the purpose of detecting and preventing unauthorized access and fraud. Legal basis: legitimate interest.

6. Sub-Processors

We engage a limited number of third-party sub-processors to assist in providing the Service. Each sub-processor is carefully vetted for GDPR compliance and is bound by Data Processing Agreements (DPAs) that require them to process personal data only as instructed by KamoCRM Inc. and in accordance with applicable data protection laws.

Categories of sub-processors include: cloud infrastructure providers for hosting and data storage; email delivery services for transactional notifications; payment processors for billing and subscription management; and monitoring services for platform reliability and performance.

We maintain an up-to-date list of sub-processors and will notify users of any material changes to sub-processor arrangements. Users may object to new sub-processors as described in our Data Processing Agreement.

7. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, KamoCRM Inc. is committed to notifying the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.

Where a data breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay, providing clear information about the nature of the breach, the likely consequences, and the measures taken to address it.

We maintain an incident response plan that includes procedures for detecting, investigating, containing, and remediating data breaches. All breaches are documented regardless of their severity, and our response processes are regularly tested and updated.

8. International Transfers

Where personal data of EEA residents is transferred outside the European Economic Area, we ensure that appropriate safeguards are in place to protect that data in accordance with Chapter V of the GDPR.

We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as our primary mechanism for international data transfers. Where applicable, we also conduct Transfer Impact Assessments to evaluate the legal framework of the recipient country and implement supplementary measures as needed.

Our infrastructure is designed to allow organizations to control where their data is processed. Enterprise customers may request data residency within specific geographic regions as part of their service agreement.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our data retention periods are as follows:

Account data is retained for the duration of your account and for 30 days after account termination to allow for data export. After this period, account data is permanently deleted.

Usage and analytics data is retained in anonymized form for up to 24 months for the purpose of trend analysis and platform improvement. Individual-level usage data is deleted or anonymized within 90 days.

Communication data (emails, messages, call records) is retained as part of the organizational account and is subject to the organization's own retention policies. Upon account termination, this data follows the same 30-day export window described above.

Security logs and audit trails are retained for up to 12 months for security and compliance purposes.

10. Exercising Your Rights

To exercise any of your rights under the GDPR, you may submit a request through your account settings within the platform, or by contacting our Data Protection Officer through our contact form.

We will acknowledge receipt of your request within 5 business days and provide a substantive response within 30 days, as required by the GDPR. If a request is particularly complex or if we receive a large number of requests, we may extend the response period by an additional 60 days, in which case we will notify you of the extension and the reasons for it.

To protect your privacy, we may need to verify your identity before processing your request. We will not charge a fee for processing reasonable requests, but we reserve the right to charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

11. Contact

For any questions, concerns, or requests related to GDPR compliance or data protection, please contact our Data Protection Officer:

Contact Data Protection Officer