Kiuwo – Privacy Policy

Privacy Policy of the Kiuwo platform (arts. 12–14 GDPR).

Last updated: 24/11/25


1) Data Controller

The Data Controller is Mea World S.r.l.
Registered office: Via Niccolò Machiavelli 24 – 51100 Pistoia (PT), Italy
VAT / Tax Code: 02069030472
DPO: not appointed (annual review per Art. 37 GDPR).


2) Categories of Personal Data Processed

a) Identification and Contact Data

  • first and last name (if requested)
  • email address

b) Authentication Data

  • credentials or access tokens
  • access logs and system security logs

c) Payment Data (Stripe)

  • transaction information
  • payment outcomes
    (we do not process or store card data — PAN/CVV; Stripe is an independent controller)

d) User-Generated Content (UGC)

  • maps, nodes, texts, connections
  • uploaded files
  • audio and transcriptions
  • comments and related metadata

e) Platform Usage Data

  • app events
  • telemetry, errors, performance
  • pageviews, clicks, navigation flow

f) Device and Network Data

  • IP address
  • user-agent
  • device, OS and browser information

g) Cookies and Similar Technologies

  • necessary technical cookies
  • statistical cookies via PostHog (only with consent)
    (no marketing cookies)
  • heatmaps and session replay
  • geolocation
  • microphone access for voice features

i) Special or Criminal Data

Not requested or processed.
Users are asked not to upload such data.


a) Authentication and Account Management

  • Purpose: authenticate and manage account
  • Legal basis: contract (Art. 6(1)(b))
  • Data: identification, authentication

b) Use of Platform Features

  • Purpose: provide the service (maps, nodes, content, AI/voice features)
  • Legal basis: contract
  • Data: UGC, technical data, identification

c) Security and Abuse Prevention

  • Purpose: security, integrity, abuse prevention, technical logging
  • Legal basis: legitimate interest (Art. 6(1)(f))
  • Data: technical, security, device

d) Analytics and Service Improvement

  • Purpose: aggregated statistics and product improvement
  • Legal basis: consent
  • Data: usage data, statistical cookies

e) Payments

  • Purpose: payment processing and legal obligations
  • Legal basis: contract + legal obligation
  • Data: transaction data (via Stripe)

f) Service Communications

  • Purpose: send technical/service emails
  • Legal basis: contract
  • Data: identification, authentication
  • Purpose: voice/mic, geolocation, heatmaps
  • Legal basis: consent
  • Data: audio, transcripts, behaviour, position, technical data

4) Recipients and Providers

We use providers processing data on our behalf (Art. 28 GDPR).
Some are outside the EU: in such cases, we use Standard Contractual Clauses (SCC) and equivalent safeguards.

Processors

  • Hetzner Online GmbH (EU) — hosting and infrastructure
  • Supabase Inc. (EU Region) — database, auth, storage
  • PostHog Inc. (EU Hosting) — analytics/statistics (with consent)
  • Resend (USA) — email sending (SCC)
  • OpenAI, L.L.C. (USA) — AI processing (SCC)
  • Groq, Inc. (USA) — AI model processing (SCC)

Independent Controller

  • Stripe Payments Europe / Stripe Inc. — payments and tax obligations
    (Kiuwo does not process card data)

We do not sell data for independent commercial purposes.


5) Data Retention

We retain data only as long as necessary for service provision or legal compliance.
Kiuwo does not use proprietary backups or create local copies; technical copies (snapshots, logs, backups) are managed by providers.

a) Account Data and Content

  • retained while the User keeps the account
  • permanently deleted after account deletion
  • provider snapshots follow their internal policies

b) Technical and Security Logs

  • typically retained up to 3 months
  • auto-deleted/overwritten by provider systems

c) Usage & Analytics Data (PostHog)

  • retained up to 12 months
  • activated only with consent
  • may be anonymized/aggregated

d) Original Audio (if used)

  • retained only during processing
  • or up to 24 hours if applicable
  • transcripts deleted upon account deletion

e) Payment Data (Stripe)

  • retained 10 years (legal & tax obligations)

f) Service Emails

  • retained up to 24 months for operational and security reasons

6) Data Subject Rights

You have the right to:

  • access
  • rectification
  • erasure
  • restriction
  • objection (including analytics/statistics)
  • portability
  • withdraw consent
  • lodge a complaint with the Data Protection Authority (www.garanteprivacy.it)

How to exercise rights:
Email: info@meaworld.it
Response within 30 days (extendable to 60 for complex cases).


7) Cookies and Similar Technologies

Technical Cookies (required)

Installed automatically for:

  • platform functionality
  • session management
  • authentication and security
  • via PostHog
  • aggregated or pseudonymized data
  • never map content or files

No marketing cookies

Preference Management

  • accept all
  • refuse non-essential
  • configure through CMP
  • modifiable at any time

Full cookie list available at [insert cookie policy link].


8) Security (Art. 32 GDPR)

We apply appropriate technical and organizational measures to ensure:

  • confidentiality
  • integrity
  • availability

9) Changes to this Policy

We may update this Privacy Policy for regulatory, technical, or organizational reasons.
Users will be informed of significant changes via the platform or direct communication.
The updated version is always available on this page.


10) Contact

For information or requests regarding your personal data:
Mea World S.r.l.
Email: info@meaworld.it