GDPR & Data Processing

GDPR and Data Processing Policy

Effective Date: April 27, 2026
Version: 1.0
Governing Law: Wyoming, United States (with EU/UK GDPR compliance obligations)

This policy applies to users in the European Union, United Kingdom, European Economic Area, and other jurisdictions with data protection laws comparable to GDPR.

Alayra Group LLC ("Alayra") is committed to complying with the General Data Protection Regulation (EU 2016/679) ("GDPR") and the UK General Data Protection Regulation ("UK GDPR") where applicable.

1. Data Controller

Alayra Group LLC is the Data Controller for personal data processed in connection with Kinetic IDE.

Contact for data protection matters:
Email: privacy@kinetic-ide.com
legal@kinetic-ide.com

2. Legal Bases for Processing

We process your personal data under the following legal bases:

Contract Performance (Article 6(1)(b))

We process your email address, plan status, device count, and session data to perform our contract with you — providing you with access to Kinetic IDE and its features according to your subscription.

Legitimate Interests (Article 6(1)(f))

We process IP addresses, usage logs, and error reports based on our legitimate interest in maintaining security, preventing abuse, and improving the reliability of the service.

Legal Obligation (Article 6(1)(c))

We may process and retain data where required to comply with applicable laws, tax regulations, or law enforcement requests.

Consent (Article 6(1)(a))

Where we send optional communications (such as product updates or early access announcements), we do so only with your explicit consent, which you may withdraw at any time.

3. Your Rights Under GDPR

As an EU or UK data subject, you have the following rights:

Right of Access (Article 15)

You may request a copy of all personal data we hold about you.

Right to Rectification (Article 16)

You may request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17)

You may request deletion of your personal data. We will erase your data within 30 days unless retention is required by law.

Right to Data Portability (Article 20)

You may request your data in a structured, machine-readable format (JSON or CSV).

Right to Restrict Processing (Article 18)

You may request that we limit how we use your data in certain circumstances.

Right to Object (Article 21)

You may object to processing based on legitimate interests. We will cease such processing unless we demonstrate compelling legitimate grounds.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@kinetic-ide.com. We will respond within 30 days (or within 72 hours for urgent erasure requests).

4. Data Retention

We retain personal data only for as long as necessary:

• —Account data: retained for the duration of your account plus 30 days after deletion
• —Billing records: retained for 7 years as required by tax law
• —Security logs: retained for 90 days
• —Session tokens: expire within 30 days of issuance

5. International Data Transfers

Alayra Group LLC is based in Wyoming, United States. If you are located in the EU or UK, your data is transferred to and processed in the United States.

We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for international transfers where required. We ensure that our sub-processors also comply with appropriate transfer mechanisms.

6. Sub-Processors

We use the following sub-processors to operate the service:

• —Paddle.com Market Limited (UK) — payment processing; acts as Merchant of Record and Data Controller for payment data
• —Railway (US) — infrastructure and database hosting
• —Resend (US) — transactional email delivery
• —Redis Cloud (US) — session token cache
• —Anthropic, OpenAI, Groq, and other AI providers (US) — inference; your prompts are processed by these providers under their own privacy policies and data processing agreements

We contractually require all sub-processors to process data only as instructed and to maintain appropriate security measures.

7. Data Security

We implement technical and organisational measures to protect your data, including:

• —TLS 1.2+ encryption in transit
• —AES-256 encryption at rest
• —Role-based access controls
• —Automated session expiry
• —Bcrypt hashing for passwords
• —SHA-256 hashing of refresh tokens in the database

8. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or significant effects on you, except for automated rate limiting and abuse detection, which do not have legal effects.

9. Complaints

If you believe we have violated your rights under GDPR, you have the right to lodge a complaint with your local supervisory authority.

EU users may contact their national Data Protection Authority.
UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk.

You may also contact us directly at privacy@kinetic-ide.com before escalating to a supervisory authority — we commit to resolving concerns promptly.

10. Changes to This Policy

We will notify EU and UK users of material changes at least 30 days in advance. Changes that affect your rights will be communicated by email.

Contact

Privacy enquiries: privacy@kinetic-ide.com
Legal enquiries: legal@kinetic-ide.com
Alayra Group LLC — kinetic-ide.com