Privacy Policy of Kiuwo

Last update: 1 October 2025

Kiuwo Privacy Notice (Arts. 12–14 GDPR)

At‑a‑glance summary (iubenda style)

Controller: Mea World S.r.l. — Via Niccolò Machiavelli, 24 – 51100 Pistoia (PT), Italy – VAT/Tax ID: 02069030472

Privacy contacts: privacy@kiuwo.com — (tech) dev@meaworld.com — PEC: pec@pec.meaworld.it

DPO: not appointed.

Data we collect automatically

  • Usage data (app events, telemetry, errors, performance)
  • Tracking tools (cookies and similar technologies)
  • Device and browser information
  • IP address, pageviews, clicks, internal browsing history
  • [if enabled] heatmaps and session replay

Trusted third parties that help us process them:

  • Vercel Inc. (hosting/frontend)
  • Supabase, Inc. (database, backend, authentication)
  • PostHog, Inc. (analytics, A/B tests, heatmaps, surveys)

How we use them:

  • Hosting & backend infrastructure
  • Registration and authentication
  • Statistics / product analytics
  • A/B testing & feature flags
  • Heat mapping and session recording [if enabled]
  • Forms and surveys management

Data you provide to us

  • Email, first/last name [if requested]
  • User‑generated content (maps, nodes, files, audio/transcripts)
  • Answers to questions/surveys

How we use them:

  • Service delivery (account, maps, cloud sync)
  • Support, service communications, KIU [if you publish content]
  • Payments [if any] via Stripe (independent controller)
  • Marketing only with consent (with opt‑out in every email)

Legal basis: contract, legal obligation, legitimate interest, consent (for analytics/marketing/light profiling/geolocation etc.)

Retention (extracts): account for the lifetime of the account; analytics 12 months; security logs 12 months; tax 10 years

Rights: access, rectification, erasure, restriction, objection (incl. marketing), portability, withdrawal of consent

Cookies/CMP: non‑essential cookies are blocked until consent; details at kiuwo.com/cookies


1) Controller

Mea World S.r.l. — Via Niccolò Machiavelli, 24 – 51100 Pistoia (PT), Italy
VAT/Tax ID: 02069030472 – Share capital: € 10,000 paid‑in
Email for privacy rights/DSR: privacy@kiuwo.com — (tech) dev@meaworld.com
PEC: pec@pec.meaworld.it
DPO: not appointed. Any appointment will be communicated here.
Roles: Mea World acts as Controller. The providers listed in § 8 act as Processors under Art. 28 GDPR, unless marked ‘independent controller’.


2) Essential definitions

‘Platform’: the Kiuwo app (web/app).
‘KIU’: shared knowledge graph (public user contributions).
‘UCG’: user‑generated content (maps, nodes, files, audio/transcripts).
GDPR definitions (Art. 4) continue to apply.


3) Types of data processed

  • Identifiers and contact: first name, last name, email.
  • Authentication: credentials, tokens, access/security logs.
  • Payments (Stripe): transactional data and outcomes (we do not store PAN/CVV).
  • UCG: maps, nodes, links, files, attachments, audio/transcripts [if enabled], comments.
  • Usage data: app events, telemetry, errors, performance, pageviews, clicks, internal browsing history.
  • Device & network: IP, user‑agent, device and browser information.
  • Cookies and similar technologies: technical, preferences, statistics, marketing (managed by CMP).
  • [if enabled] Heatmaps and session replay.
  • [if enabled] Geolocation (approx./precise), microphone, push notifications (with consent).

Special categories (Art. 9) and criminal data: neither requested nor intentionally processed; please avoid including them in UCG.


4) Minors

For information society services in Italy, standalone consent is valid from age 14; below that, consent of the holder of parental responsibility is required. We apply onboarding notices and reasonable checks.


5) Purposes, legal bases, data and retention

Purpose | Legal basis | Data | Retention
Service delivery (account, maps, sync, real‑time) | Contract, Art. 6(1)(b) | Identifiers, authentication, UCG, technical | Lifetime of the account; content deleted on closure (subject to rotational backups)
Security & abuse prevention (rate‑limit, antispam, audit) | Legitimate interest, Art. 6(1)(f) | Technical logs, IP, device info | 12 months (logs)
Support/Helpdesk | Contract | Identifiers, content relevant to the ticket | 24 months from closure
Payments & invoicing (Stripe) | Legal obligation + Contract | Transaction data, outcomes | Tax‑relevant documents 10 years
Analytics & product improvement (PostHog EU) | Consent | Pseudonymous/anonymous app events, device | 12 months
A/B testing & feature flags | Consent (if non‑essential cookies) / Legitimate interest (technical only) | Usage data, device | 12 months
Heatmaps & session replay | Consent | Usage data, device | Up to 12 months, or less if configured
Surveys and forms | Consent | Email, responses, device | 12 months
Direct marketing (newsletter, promos) | Consent | Email, preferences | Until withdrawal; soft spam to customers with opt‑out
Service communications (T&C/Privacy changes, incidents) | Legal obligation / Contract | Email, account ID | Account lifetime
Geolocation/permissions | Consent (or Legitimate interest for non‑intrusive services) | Location data, permissions | For the session or until you revoke
KIU (publication to public graph) | Contract + specific consent | UCG marked ‘public’ | As long as published; on withdrawal, removal from our copies

Note: at the end of the retention period, data are deleted or irreversibly anonymized.


6) Marketing, light profiling and soft spam

  • Marketing: emails only with consent (opt‑out in every email).
  • Light profiling [optional]: non‑intrusive personalizations based on usage/features; no automated decisions with legal effects (Art. 22).
  • Soft spam (Italy): if you are a customer, we may email you about products/services similar to those purchased, with immediate opt‑out.

7) UCG and KIU (shared knowledge)

  • Content is private by default. You may mark nodes/maps as public and link them to KIU.
  • If you withdraw publication, we remove copies on our Platform; we cannot remove any third‑party copies/indexes already created.
  • Avoid uploading third‑party personal data or special categories unless strictly necessary and lawful.

8) Recipients / Providers

Processors (Art. 28 GDPR)

  • Supabase, Inc. — database, storage, Supabase Auth (EU region selected; DPA/SCC).
  • Vercel Inc. — hosting and frontend/backend serverless delivery.
  • PostHog, Inc. — product analytics, feature flags/A‑B testing, heatmaps & session replay [if enabled], surveys.
  • OpenRouter — routing of generative‑AI requests (Zero Data Retention profile when available).

Independent controllers (for specific purposes)

  • Stripe — payments, KYC, anti‑fraud (extra‑EU transfers compliant with DPF/SCC, see § 9).

We keep an up‑to‑date list of sub‑processors at kiuwo.com/subprocessors and notify material changes via in‑app/email.


9) Extra‑EU transfers

  • We prefer EU data residency.
  • If transfer is necessary: use of DPF (where applicable) or SCC plus supplementary measures (encryption, minimization).
  • Generative AI: for OpenAI via API (through OpenRouter or directly), we select no‑training and/or zero‑retention profiles when available.

10) Security and retention

  • Encryption: TLS in transit; at‑rest encryption on storage/DB.
  • Account: password hashing, key rotation, least‑privilege, MFA [if enabled].
  • Environment segregation and admin‑access auditing.
  • Backups: incremental with typical 35‑day retention.
  • Security logs: 12 months.
  • Tax/accounting: relevant documents 10 years.

11) Data breach

In case of a personal data breach, we will notify the competent Authority within 72 hours where required and, if the breach entails high risk, we will inform the data subjects without undue delay, unless adequate encryption or measures render data unintelligible.


12) Data subject rights

You have the right to access, rectification, erasure, restriction, objection (incl. marketing), portability and withdrawal of consent at any time.
Response time: within 1 month, extendable by 2 months for complex/numerous requests (we will inform you within the first month).
To exercise your rights: privacy@kiuwo.com.
Complaint to the Authority: Italian Data Protection Authority (Garante) (Piazza Venezia 11, 00187 Rome; protocollo@gpdp.it; PEC: protocollo@pec.gpdp.it; phone +39 06 696771).


13) Cookies & similar technologies

  • We use a CMP (cookie banner) to capture granular consents (necessary, preferences, statistics, marketing).
  • Until consent, we block non‑essential cookies (e.g., PostHog analytics/heatmaps/session replay).
  • Updated list of cookies and purposes at kiuwo.com/cookies.

14) Geolocation, notifications and microphone [if enabled]

You can allow/deny geolocation, push notifications and microphone. Choices can be revoked in‑app and from device settings. Legal basis: consent (or legitimate interest for non‑intrusive services, with right to object).


15) Audio & transcription [if enabled]

In audio mode (batch or real‑time) we process your voice and the related transcription to generate/update maps. The AI providers involved are contractually bound not to train on your data and to minimize it; we prefer Zero Data Retention when available.


16) Disclosures to third parties (vs. selling)

  • Disclosure: recipients process data only on our behalf and for our purposes (§ 8).
  • Selling: we do not sell data to third parties for their own marketing. Disclosures required by law or by public authorities remain possible.

17) Sources of data

Data provided directly by the data subject; [if you use social login] we may receive data from Identity Providers (e.g., Google/Apple) in line with your settings.


18) Detailed retention (extract)

  • Account & UCG: account lifetime; deletion on closure; rotational backups auto‑expire (§ 10).
  • Analytics / A/B / Heatmaps/Replay: 12 months.
  • Marketing: until withdrawal; soft spam until opt‑out.
  • Security logs: 12 months.
  • Tax/accounting: 10 years.

19) Complaints

Besides contacting us, you can contact the Italian Data Protection Authority (Garante) (instructions/contacts on the Authority’s website).


20) Changes to this notice

We may update this notice to reflect legal/technical evolutions. In case of material changes, we will notify via email/in‑app and request renewed consent where necessary. Always check the ‘last update’ date above.


Annex A — Details of services/providers (iubenda‑style cards)

A.1 Forms & surveys — PostHog surveys (PostHog, Inc. — USA; EU instance when available)

Data processed: usage data, email, device information, IP, responses, cookies/IDs.
Purpose: form creation/analysis, feedback collection and research.
Legal basis: consent.
Retention: 12 months (unless anonymized).

A.2 Heat mapping & session replay — PostHog Replay (PostHog, Inc.)

Data processed: usage data, device information, cookies/IDs.
Purpose: UX improvement, areas of interest, friction analysis.
Legal basis: consent.
Retention: up to 12 months or less if configured.
Notes: we mask/anonymize sensitive fields where technically possible.
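The consent gate of § 13 (non‑essential PostHog cookies blocked until consent) and the replay masking of A.2, as an added example written for this page and not Kiuwo's own front‑end code. The option names (`persistence`, `opt_out_capturing_by_default`, `disable_session_recording`, `session_recording.maskAllInputs`, `session_recording.maskTextSelector`) and methods (`set_config`, `opt_in_capturing`, `opt_out_capturing`, `startSessionRecording`, `stopSessionRecording`) are those of the posthog‑js SDK; the shape of the consent object handed over by the CMP, the `data-private` attribute and the in‑memory stand‑in client are assumptions made so the example runs offline.

```javascript
// Added example (not Kiuwo's code): consent-gated PostHog set-up for a CMP
// using the categories in this notice. posthog-js option/method names are real;
// the consent object shape, data-private attribute and fake client are assumed.

// Build posthog-js init options from the current consent state.
// Without 'statistics' consent nothing is written to cookies or localStorage
// and capturing starts opted out; session replay additionally needs 'replay'.
function posthogOptionsFor(consent) {
  const stats = consent.statistics === true;
  const replay = stats && consent.replay === true;
  return {
    api_host: 'https://eu.i.posthog.com',            // EU instance (A.1, A.3)
    persistence: stats ? 'localStorage+cookie' : 'memory',
    opt_out_capturing_by_default: !stats,
    disable_session_recording: !replay,
    // Masking that applies whenever replay runs (A.2): every input value is
    // masked, and the text of any element marked data-private is masked too.
    session_recording: {
      maskAllInputs: true,
      maskTextSelector: '[data-private]',          // assumed app convention
    },
  };
}

// Apply a consent change to an already-initialised client. The CMP calls this
// on accept/reject and on every later change from the preferences screen.
// Returns what is now active so the caller can reflect it in the UI.
function applyConsent(client, consent) {
  const stats = consent.statistics === true;
  const replay = stats && consent.replay === true;
  if (stats) {
    client.set_config({ persistence: 'localStorage+cookie' });
    client.opt_in_capturing();
  } else {
    client.opt_out_capturing();
    client.set_config({ persistence: 'memory' });  // stop touching storage
  }
  if (replay) client.startSessionRecording();
  else client.stopSessionRecording();
  return { capturing: stats, recording: replay };
}

// Constructed stand-in for a posthog-js client so the example runs offline:
// it records the calls the gate makes instead of sending anything.
function fakeClient() {
  const calls = [];
  const rec = (name) => (...args) => calls.push([name, ...args]);
  return {
    calls,
    set_config: rec('set_config'),
    opt_in_capturing: rec('opt_in_capturing'),
    opt_out_capturing: rec('opt_out_capturing'),
    startSessionRecording: rec('startSessionRecording'),
    stopSessionRecording: rec('stopSessionRecording'),
  };
}

// Usage: banner rejected everything, then the user later allowed statistics.
const client = fakeClient();
applyConsent(client, { statistics: false });
applyConsent(client, { statistics: true, replay: false });
```

Cookies PostHog already wrote before a later withdrawal are not removed by `opt_out_capturing()` alone; the CMP should clear them (or you should call the SDK's reset) as part of handling the withdrawal, otherwise the "blocked until consent" statement in § 13 holds only for fresh visitors.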

A.3 Hosting & backend — Vercel Inc. / Supabase, Inc.

  • Vercel: hosting, CDN, edge/serverless. Data: usage data, technical logs, any metadata required by the service.
  • Supabase: database, storage, Supabase Auth. Data: usage data, cookies/IDs, various types necessary for the service.

Legal basis: contract (service delivery) and legitimate interest (security).
Retention: consistent with § 10 and § 18.
Data residency: EU preferred for Supabase; Vercel may be geo‑distributed.

A.4 Registration & authentication — Supabase Auth (Supabase, Inc.)

Data processed: email/credentials, tokens, minimal usage data.
Purpose: user identification and access management.
Legal basis: contract.
Retention: for the lifetime of the account.

A.5 Statistics & A/B — PostHog product analytics (PostHog, Inc.)

Data processed: clicks, pageviews, internal browsing history, browser/device info, IP, cookies/IDs.
Purpose: measurements, funnels, product insights, feature flags/A‑B testing.
Legal basis: consent (if non‑essential cookies).
Retention: 12 months (aggregated/anonymous data longer).

A.6 Payments — Stripe (independent controller)

Data processed: transactional data, outcomes, anti‑fraud/KYC.
Legal basis: legal obligation + contract.
Retention: tax‑relevant documents 10 years.

A.7 Generative AI — OpenRouter (routing to model providers)

Data processed: prompts and content necessary for processing (minimization by default).
Assurances: Zero Data Retention profile (when available), no training without consent, encryption in transit.
Legal basis: contract (feature delivery) and/or consent for specific modes.
Retention: minimum necessary for technical processing; none when ZDR is active.


Annex B — Security measures (extract)

  • Organizational: access control, need‑to‑know, training, vendor due‑diligence (DPA/SCC).
  • Technical: encryption in transit/at rest, environment segregation, backup + disaster recovery, hardening, secret vault, intrusion monitoring, rate‑limiting, CSP.
  • Processes: incident response (72h SLA toward Authority), change management, privacy by design/default, RoPA, DPIA when necessary (e.g., AI/minors).

Annex C — Summary record of purposes

  • Auth & account → basis: contract → data: identifiers/credentials → retention: account lifetime.
  • Maps & KIU → contract / specific consent → data: UCG → retention: account lifetime / as long as published.
  • Audio/RT → contract → data: audio/transcripts → retention: see § 18.
  • Analytics (EU) → consent → data: app events → retention: 12 months.
  • Marketing → consent / soft spam → data: email/preferences → retention: until withdrawal.
  • Payments → legal obligation/contract → data: transactions → retention: 10 years.

More information not contained herein

Further details about processing can be requested from the Controller at privacy@kiuwo.com.