Effective Date: February 1, 2026
Last Updated: February 1, 2026
TABLE OF CONTENTS
- Introduction
- Information We Collect
- How We Use Your Information
- How We Share Your Information
- International Data Transfers
- Data Retention
- Your Privacy Rights
- Security
- Cookies and Tracking Technologies
- Third-Party Services
- Children’s Privacy
- Data Retention Policy
- Changes to This Policy
- Contact Us
- Region-Specific Information
- Consent Acknowledgment
1. INTRODUCTION
1.1 Who We Are
Kumello Inc. (“Kumello,” “we,” “us,” or “our”) consolidates and organizes global medtech data and provides an AI-powered partnership matching platform for medtech professionals to identify and connect with strategic business partners. We are headquartered in Ontario, Canada.
1.2 Our Commitment to Privacy
We take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Services.
1.3 Scope
This Privacy Policy applies to:
- The Kumello website (kumello.com)
- The Kumello web application
- Mobile applications (if applicable)
- APIs and integrations
- Any other services provided by Kumello (collectively, the “Services”)
1.4 Consent
By using our Services, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy and our Terms of Service (kumello.com/terms).
1.5 Updates to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you as described in Section 13.
1.6 Global Scope
This policy applies worldwide; region-specific details are in Section 15. We comply with PIPEDA (Canada), GDPR/UK GDPR (EU/UK), CCPA/CPRA (California/US), and other applicable laws. We process data lawfully (contractual necessity, legitimate interests, legal obligations, consent where required).
2. INFORMATION WE COLLECT
2.1 Information You Provide Directly
2.1.1 Account Registration
When you create an account, we collect:
- Full name
- Email address
- Company name and job title
- Phone number (optional)
- Password (stored in hashed/encrypted form)
- Company size and industry sector
- Geographic location
2.1.2 Profile Information
As you use the Services, you may provide:
- Detailed company information
- Product descriptions and capabilities
- Target markets and partnership criteria
- Business objectives and strategic goals
- Regulatory certifications and compliance information
- Additional contact details for your organization
2.1.3 Communications
We collect information when you:
- Contact customer support
- Participate in surveys or feedback requests
- Send messages through the platform
- Correspond via email
- Engage in live chat or phone support
2.1.4 Payment Information
For paid subscriptions, we collect:
- Billing name and address
- Payment card information (processed by Stripe, not stored by Kumello)
- Billing email address
- Purchase history and transaction records
2.2 Information We Collect Automatically
2.2.1 Usage Data
When you use the Services, we automatically collect:
- Pages viewed and features used
- Time spent on various sections
- Search queries and filters applied
- Companies viewed and saved
- Clicks, interactions, and navigation patterns
- Session duration and frequency
- Feature adoption and usage patterns
2.2.2 Device and Technical Information
- IP address and geographic location (city/region level)
- Device type (desktop, mobile, tablet)
- Operating system and version
- Browser type and version
- Screen resolution and device identifiers
- Referring URLs and pages
- Date and time stamps of access
2.2.3 Cookies and Similar Technologies
We use cookies, web beacons, and similar technologies to:
- Maintain your session and keep you logged in
- Remember your preferences and settings
- Analyze usage patterns and improve the Services
- Provide personalized content and recommendations
- Measure marketing effectiveness
For more details, see Section 9 (Cookies).
2.3 Information From Third Parties
2.3.1 Authentication Services
If you use third-party authentication (e.g., Google Sign-In):
- Basic profile information (name, email)
- Profile photo (if provided by the service)
2.3.2 Data Enrichment
We may enhance our database with information from:
- Publicly available sources (company websites, press releases)
- Commercial data providers
- Industry directories and databases
- Professional networking platforms
- Public regulatory filings and databases
2.3.3 Integration Partners
If you connect third-party services to your account:
- Data shared by those services per your authorization
- Integration usage and performance data
2.4 Information We Do NOT Collect
To clarify what we do not collect:
- Sensitive health information: We do not collect personal health data
- Full credit card numbers: Payment processing is handled by Stripe
- Precise geolocation: We only collect city/region-level location from IP
- Content of your outreach messages: We track metrics but not message content
- Social Security Numbers or government IDs: We do not collect these identifiers
2.5 Categories of Personal Information (CCPA/CPRA Notice at Collection)
We collect identifiers (name/email), commercial information (company/product details), internet/electronic activity (usage/search patterns), geolocation (coarse), and inferences (preferences/matching). The full list is in the Privacy Notice, if separate. We do not collect sensitive personal information (e.g., health data, precise geolocation) unless explicitly provided and necessary.
3. HOW WE USE YOUR INFORMATION
3.1 Providing and Improving Services
We use your information to:
- Create and manage your account
- Provide AI-powered matching and recommendations
- Enable search and filtering of our company database
- Facilitate communications with potential partners
- Process payments and manage subscriptions
- Provide customer support and respond to inquiries
- Analyze usage patterns to improve the Services
- Develop new features and functionality
3.2 AI and Machine Learning
Your information is used to:
- Train AI models: Improve matching accuracy and recommendation quality
- Personalize recommendations: Tailor suggestions based on your preferences
- Enhance algorithms: Reduce bias and improve system performance
- Generate insights: Provide analytics and intelligence about partnership trends
Important Notes About AI Usage:
- We anonymize data where possible before using it for AI training
- You can opt out of AI training by contacting privacy@kumello.com
- We do not share identifiable information with AI training datasets without consent
- Third-party AI providers (Last Rev, AnswerAI) may process your data per their privacy policies
3.3 Communications
We use your contact information to:
- Send transactional emails (account confirmations, password resets, receipts)
- Provide important service updates and notifications
- Send marketing communications (with your consent — you may opt out)
- Request feedback and conduct user research
- Announce new features and product updates
3.4 Security and Fraud Prevention
We use information to:
- Detect and prevent fraud, abuse, and security incidents
- Monitor for suspicious activity
- Verify user identity and account ownership
- Protect against unauthorized access
- Enforce our Terms of Service
3.5 Legal Compliance
We use and retain information as necessary to:
- Comply with legal obligations (tax, accounting, regulatory reporting)
- Respond to legal process (subpoenas, court orders, regulatory requests)
- Establish, exercise, or defend legal claims
- Protect the rights, property, and safety of Kumello, users, and others
3.6 Analytics and Research
We use aggregated and anonymized data to:
- Understand industry trends and patterns
- Conduct research and development
- Generate industry reports and benchmarks
- Improve business operations and strategy
3.7 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
3.8 AI Model Training and Improvement
We use anonymized and aggregated forms of usage data, interaction patterns, search trends, and other non-identifiable information to train, fine-tune, and improve our AI features (e.g., partnership matching, recommendations, bias reduction). Identifiable personal data is excluded from training unless you provide explicit consent. We use anonymized/aggregated data which is retained indefinitely — even after account closure or deletion request — as it is no longer personal information under PIPEDA, GDPR/UK GDPR, and CCPA/CPRA.
4. HOW WE SHARE YOUR INFORMATION
4.1 Service Providers
We share information with third-party service providers who help us operate the Services:
4.1.1 AI Technology Partners
- Last Rev: AI-powered matching and recommendation services
- AnswerAI: Natural language processing and intelligent search
- Purpose: Provide core AI functionality
- Data Shared: Company profiles, search queries, usage patterns
- Safeguards: Contractual data protection agreements, limited data access
4.1.2 Infrastructure and Hosting
- Cloud hosting providers (e.g., AWS, Google Cloud, Azure)
- Content delivery networks (CDNs)
- Purpose: Host and deliver the Services
- Data Shared: All data necessary to operate the platform
- Safeguards: Enterprise-grade security, encryption, compliance certifications
4.1.3 Payment Processing
- Stripe: Payment processing and subscription management
- Purpose: Process payments securely
- Data Shared: Billing information, transaction details
- Safeguards: PCI-DSS compliance, tokenization
4.1.4 Communication Services
- Email service providers (e.g., SendGrid, Mailgun)
- Customer support platforms (e.g., Zendesk, Intercom)
- Purpose: Deliver emails and provide support
- Data Shared: Email addresses, support inquiries, communication history
- Safeguards: Data processing agreements, encryption
4.1.5 Analytics Providers
- Website analytics (e.g., Google Analytics)
- Product analytics (e.g., Mixpanel, Amplitude)
- Purpose: Understand usage patterns and improve the Services
- Data Shared: Usage data, anonymized user behavior
- Safeguards: Data anonymization, aggregation
4.2 Business Partners
When you use the Services to connect with potential partners:
- Your profile information may be visible to companies you contact
- Your company details may be shared with potential partners you engage
- Communication records are available to both parties
- Note: You control what information you share with potential partners
4.3 Legal and Compliance
We may disclose information when required by law or when we believe disclosure is necessary to:
- Comply with legal process (subpoenas, court orders, government requests)
- Enforce our Terms of Service
- Protect the rights, property, or safety of Kumello, users, or others
- Respond to claims of violation of third-party rights
- Investigate or prevent illegal activity, fraud, or security threats
4.4 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets:
- Your information may be transferred to the acquiring entity
- We will notify you via email and platform notice before your information is transferred
- The acquiring entity will be bound by this Privacy Policy unless you consent to a new policy
4.5 With Your Consent
We may share information for other purposes with your explicit consent.
4.6 Anonymized and Aggregated Data
We may share anonymized and aggregated data that does not identify you personally:
- Industry benchmarks and trends
- Statistical analyses and research findings
- Marketing materials and case studies
- Business intelligence reports
4.7 What We Do NOT Share
We do NOT:
- Sell your personal information to third parties
- Share your information for third-party marketing purposes without consent
- Provide your contact information to companies in our database without your action
- Share sensitive information beyond what is necessary to provide the Services
5. INTERNATIONAL DATA TRANSFERS
5.1 International Data Transfers
Kumello is based in Canada; data may be stored/processed in Canada, the US, EU/EEA, or other countries by us or providers. We ensure adequate protection for transfers:
- Adequacy decisions apply where available (e.g., Canada adequate for EEA transfers; UK adequacy; US via EU-US Data Privacy Framework if we/our providers are certified).
- For non-adequate destinations, we use:
  - 2021 EU Standard Contractual Clauses (SCCs) (appropriate modules) + UK International Data Transfer Addendum where required.
  - Supplementary measures: Encryption (AES-256 at rest/TLS 1.3 transit), pseudonymization, access controls, logging, regular audits.
- PIPEDA: We remain accountable; processors bound by contracts requiring comparable protection.
5.2 Transfer Mechanisms
When we transfer data internationally, we implement appropriate safeguards:
- Standard contractual clauses: EU-approved contracts for data transfers
- Privacy Shield/adequacy decisions: Where applicable
- Data processing agreements: Contractual protections with service providers
- Technical measures: Encryption, access controls, security protocols
5.3 Countries Involved
Your data may be transferred to and processed in:
- Canada: Primary operations and data storage
- United States: AI services, cloud infrastructure, payment processing
- European Union: Potential service providers or infrastructure
- Other countries: As necessary for service provider operations
5.4 Data Protection Standards
Regardless of location, we ensure:
- Appropriate technical and organizational security measures
- Contractual protections requiring service providers to protect your data
- Compliance with applicable data protection laws
- Right to access and control your information
5.5 Your Consent
By using the Services, you consent to international data transfers as described in this section. If you do not consent, please do not use the Services.
6. DATA RETENTION
We retain personal information only as long as necessary (detailed in our separate Data Retention Policy at kumello.com/data-retention-policy). Anonymized/aggregated data is retained indefinitely for AI improvement/business purposes (it is no longer personal information).
7. YOUR PRIVACY RIGHTS
7.1 Rights for All Users
7.1.1 Access
Right: Request access to your personal information
How:
- Access most information through account settings
- Contact privacy@kumello.com for comprehensive data export
- We will respond within 30 days
We’ll provide:
- Confirmation of what data we hold
- Purposes of processing
- Categories of data
- Who we share it with
- Retention periods
7.1.2 Correction
Right: Request correction of inaccurate or incomplete information
How:
- Update directly in account settings
- Contact privacy@kumello.com for assistance
- We will correct verified inaccuracies within 30 days
7.1.3 Deletion (Right to Be Forgotten)
Right: Request deletion of your personal information
How:
- Close your account through account settings
- Contact privacy@kumello.com for specific deletion requests
- Account data deleted within 90 days of closure
Exceptions: We may retain data for:
- Legal compliance
- Active legal matters or investigations
- Fraud prevention and security
- Legitimate business interests
7.1.4 Objection
Right: Object to certain processing of your information
How: Contact privacy@kumello.com
Examples:
- Marketing communications (use unsubscribe links)
- AI training (opt out by contacting us)
- Specific data uses you find objectionable
7.1.5 Data Portability
Right: Receive your data in a portable, machine-readable format
How:
- Export data through account settings
- Request via privacy@kumello.com
Format: CSV, JSON, or other commonly used formats
Includes:
- Account information
- Profile data
- Usage history
- Communications (where technically feasible)
7.1.6 Withdraw Consent
Right: Withdraw consent for processing based on consent
How:
- Contact privacy@kumello.com
- Use unsubscribe links in emails
- Adjust settings in your account
Effect:
- Processing based on withdrawn consent will cease
- May limit ability to use certain Services
- Does not affect lawfulness of prior processing
7.1.7 Restrict Processing
Right: Request restriction of processing in certain circumstances
How: Contact privacy@kumello.com
When:
- While we verify accuracy of disputed data
- When processing is unlawful but you don’t want deletion
- When we no longer need the data but you need it for legal claims
7.2 How to Exercise Your Rights
7.2.1 Verification
To protect your privacy, we must verify your identity before fulfilling requests:
- We may ask for additional identifying information
- We may require authentication through your account
- We may request government ID or other verification (in limited circumstances)
7.2.2 Response Timeline
- Acknowledgment: Within 5 business days
- Full response: Within 30 days (may extend to 60 days for complex requests)
- Explanation: If we deny or limit a request, we will explain why
7.2.3 No Fee
Exercising your rights is free, except:
- We may charge a reasonable fee for manifestly unfounded or excessive requests
- We may charge for additional copies beyond the first copy
7.3 Complaints and Concerns
If you have concerns about our privacy practices:
7.3.1 Contact Us First
- Email: privacy@kumello.com
- We will investigate and respond to your concern
7.3.2 Supervisory Authorities
You have the right to lodge a complaint with:
- Canada: Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
- EU/EEA: Your local data protection authority
- California: California Attorney General (oag.ca.gov)
- UK: Information Commissioner’s Office (ico.org.uk)
8. SECURITY
8.1 Our Security Measures
We implement appropriate technical and organizational measures to protect your information:
8.1.1 Technical Measures
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access controls: Role-based access, least privilege principle
- Authentication: Strong password requirements, password hashing (bcrypt)
- Network security: Firewalls, intrusion detection/prevention systems
- Monitoring: 24/7 security monitoring and logging
- Vulnerability management: Regular security assessments and penetration testing
8.1.2 Organizational Measures
- Security policies: Comprehensive information security policies
- Employee training: Regular security awareness training for all staff
- Background checks: Screening of employees with data access
- Confidentiality agreements: All employees and contractors sign NDAs
- Incident response: Documented procedures for security incidents
- Vendor management: Security assessments of third-party providers
8.1.3 Application Security
- Secure development: Security-focused development lifecycle
- Code review: Security code reviews and static analysis
- Dependency management: Regular updates of libraries and frameworks
- Authentication: Multi-factor authentication available
- Session management: Secure session handling and timeout policies
8.2 Data Breach Response
In the event of a data breach:
- Detection: We maintain systems to detect security incidents
- Assessment: We will assess the scope and impact of the breach
- Notification: We will notify affected users without undue delay
- Regulatory reporting: We will report to authorities as required by law (e.g., within 72 hours under GDPR)
- Remediation: We will take steps to prevent future incidents
What we’ll tell you:
- Nature of the breach
- Type of data affected
- Potential consequences
- Measures taken to mitigate harm
- Steps you can take to protect yourself
8.3 Your Security Responsibilities
You play a critical role in protecting your information:
- Strong passwords: Use unique, complex passwords
- Password security: Never share your password with anyone
- Multi-factor authentication: Enable MFA if available
- Secure devices: Keep your devices and software updated
- Suspicious activity: Report unauthorized access immediately
- Public networks: Be cautious when accessing the Services on public Wi-Fi
8.4 Security Limitations
Despite our efforts:
- No guarantee: No system is 100% secure
- Third parties: We cannot control third-party security practices
- User actions: We are not responsible for unauthorized access resulting from your actions
- Shared responsibility: Security is a shared responsibility
8.5 Third-Party Security
Our service providers maintain security measures including:
- Compliance certifications: SOC 2, ISO 27001, PCI-DSS (as applicable)
- Contractual obligations: Data protection agreements requiring security measures
- Regular audits: Third-party security assessments
- Incident notification: Requirements to notify us of security incidents
9. COOKIES AND TRACKING TECHNOLOGIES
9.1 What Are Cookies
Cookies are small text files stored on your device that help websites function properly and provide analytics.
9.2 Types of Cookies We Use
9.2.1 Essential Cookies
Purpose: Enable core functionality
- Session management (keep you logged in)
- Security features (CSRF protection)
- Load balancing
Duration: Session or persistent (up to 1 year)
Can you opt out?: No — required for the Services to function
9.2.2 Functional Cookies
Purpose: Remember your preferences
- Language preferences
- Display settings
- Feature toggles
Duration: Persistent (up to 1 year)
Can you opt out?: Yes — but may affect user experience
9.2.3 Analytics Cookies
Purpose: Understand how you use the Services
- Page views and navigation
- Feature usage patterns
- Performance metrics
- Error tracking
Duration: Persistent (up to 2 years)
Can you opt out?: Yes — through cookie settings
Providers: Google Analytics, Mixpanel, or similar
9.2.4 Marketing Cookies
Purpose: Measure marketing effectiveness
- Ad campaign performance
- Conversion tracking
- Retargeting (if applicable)
Duration: Persistent (up to 1 year)
Can you opt out?: Yes — through cookie settings
Providers: Google Ads, LinkedIn, or similar
9.3 Other Tracking Technologies
9.3.1 Web Beacons (Pixels)
Small transparent images used to:
- Track email opens
- Measure page views
- Trigger cookies
9.3.2 Local Storage
Browser storage used to:
- Cache data for performance
- Store preferences
- Enable offline functionality
9.3.3 SDKs and APIs
Third-party code that may collect:
- Usage data
- Device information
- Performance metrics
9.4 Managing Cookies
9.4.1 Cookie Settings
You can manage cookie preferences through:
- Cookie banner: Initial consent when you first visit
- Cookie settings: Account settings or cookie preferences page
- Browser settings: Control cookies directly in your browser
9.4.2 Browser Controls
Most browsers allow you to:
- Block cookies entirely
- Delete existing cookies
- Set preferences for types of cookies
- Get notifications when cookies are set
Instructions:
- Chrome: Settings > Privacy and Security > Cookies
- Firefox: Settings > Privacy & Security > Cookies
- Safari: Preferences > Privacy > Cookies
- Edge: Settings > Cookies and site permissions
9.4.3 Opt-Out Tools
- Google Analytics: Browser add-on available at tools.google.com/dlpage/gaoptout
- Network Advertising Initiative: optout.networkadvertising.org
- Digital Advertising Alliance: optout.aboutads.info
9.5 Do Not Track
Some browsers have “Do Not Track” (DNT) features. Currently:
- There is no industry standard for DNT
- We do not specifically respond to DNT signals
- You can control tracking through cookie settings and opt-out tools
9.6 Mobile Device Identifiers
On mobile devices, we may collect:
- Device identifiers (IDFA on iOS, AAID on Android)
- App usage data
- Device type and OS version
How to opt out:
- iOS: Settings > Privacy > Advertising > Limit Ad Tracking
- Android: Settings > Google > Ads > Opt out of Ads Personalization
10. THIRD-PARTY SERVICES
10.1 Third-Party Links
The Services may contain links to third-party websites or services. We are not responsible for:
- Privacy practices of third-party sites
- Content on third-party sites
- Terms of service of third-party services
Recommendation: Review the privacy policies of any third-party sites you visit.
10.2 Integrated Third-Party Services
If you connect third-party services to your account:
- Data sharing: Information will be shared per your authorization
- Third-party terms: Use of integrated services is subject to their terms and privacy policies
- Control: You can disconnect third-party services at any time
- Our liability: We are not responsible for third-party practices
Examples: CRM integrations, email platforms, calendar services
10.3 Third-Party Service Providers
Our service providers have their own privacy policies:
- Stripe (payments): stripe.com/privacy
- Last Rev (AI): lastrev.com/privacy
- AnswerAI (AI): answeragent.ai/privacy-policy
- Cloud providers: AWS, Google Cloud, Azure privacy policies
10.4 Social Media
We may maintain social media profiles. When you interact with us on social media:
- Platform rules: Governed by the platform’s terms and privacy policy
- Public content: Your interactions may be public
- Data collection: Social platforms may collect information about your interactions
10.5 Marketing Partners
We may work with marketing partners for:
- Email campaigns
- Advertising
- Analytics and attribution
These partners have their own privacy policies and may collect information about your interactions with our marketing materials.
11. CHILDREN’S PRIVACY
11.1 Age Requirement
The Services are not intended for use by individuals under 18 years of age (or the age of majority in their jurisdiction, whichever is greater).
11.2 No Knowing Collection
We do not knowingly:
- Collect personal information from children
- Market to children
- Allow children to create accounts
11.3 Parental Rights
If you believe we have collected information from a child:
- Contact us immediately: privacy@kumello.com
- Verification: We will verify the claim
- Deletion: We will promptly delete the information
11.4 COPPA Compliance
While we are a Canadian company, we comply with the U.S. Children’s Online Privacy Protection Act (COPPA) for any U.S. children who may inadvertently access our Services.
12. DATA RETENTION POLICY
12.1 Purpose and Scope
Kumello Inc. (“Kumello,” “we,” “us,” or “our”) is committed to privacy, data minimization, and compliance with applicable laws. This policy explains how long we retain data collected through our Services (e.g., medtech partnership platform). It applies to all personal information and other data we collect, process, or store, including from users in the United States, Canada, European Union/United Kingdom, and other international jurisdictions.
This policy should be read together with our Privacy Policy (kumello.com/privacy-policy) and Terms of Service (kumello.com/terms). We retain data only as long as necessary for the purposes for which it was collected, while balancing user privacy rights, legal obligations, security needs, and legitimate business interests — including ongoing improvement of AI-powered features.
12.2 Data Retention Principles
- Necessity & Minimization: We keep data only as long as needed for stated purposes.
- Compliance: Retention periods satisfy PIPEDA (Canada), GDPR & UK GDPR (EU/UK), CCPA/CPRA (California/other U.S. states), tax and accounting laws, and other applicable regulations.
- Legal Bases: Contractual necessity, legal obligations, legitimate interests (e.g., fraud prevention, product & AI enhancement), or user consent (where required).
- Security: Retained data is protected using encryption, access controls, and other industry-standard measures.
- Deletion / Anonymization: Data is securely deleted or irreversibly anonymized when no longer required.
- Transparency: This document discloses our retention practices.
12.3 Retention Periods by Data Type
| Data Type | Retention Period (Active Accounts) | Retention After Account Closure | Primary Purpose & Legal Basis | Notes / Legal Requirement |
|---|---|---|---|---|
| Account Information | Duration of the account relationship | 90 days | Account management, authentication — Contractual necessity, legitimate interests | |
| Client Content (business plans, files, saved searches, notes, etc.) | Duration of the account relationship | 30 days | Providing and enabling core Services — Contractual necessity | Export recommended before closure |
| Usage Data (navigation, searches, clicks, interactions, feature usage) | 24 months from collection | 24 months from collection | Product analytics, service optimization, AI improvement — Legitimate interests | Anonymized indefinitely |
| Communications (support tickets, emails, chats, feedback) | 36 months from date of communication | 36 months from date of communication | Customer support, quality assurance, dispute resolution — Legitimate interests | Longer if legally required |
| Business Relationship Data (outreach history, connection metadata) | 36 months after last interaction | 36 months after last interaction | Relationship management, business analytics — Legitimate interests | Metadata only |
| Payment & Financial Data | 7 years from transaction date | 7 years from transaction date | Accounting, tax reporting, dispute resolution — Legal obligation | Tax / GAAP requirements |
| Technical & System Logs | 12 months from creation | 12 months from creation | Security monitoring, debugging, operations — Legitimate interests | Longer for active incidents |
| AI Training Data – Identifiable Personal Data | Not used without explicit consent; limited per consent | N/A (excluded or consent-based) | AI model improvement — Consent or legitimate interests | Mostly excluded |
| AI Training Data – Anonymized / Aggregated Usage & Patterns | Indefinite | Indefinite (persists after closure) | Improve AI matching, recommendations, reduce bias — Legitimate interests | No re-identification possible |
| Legal & Compliance Records | 7 years or as required by law | 7 years or as required by law | Regulatory compliance, defending claims — Legal obligation | Indefinite under legal hold |
| Backups / Disaster Recovery Copies | 90 days after deletion from production | 90 days after deletion from production | Business continuity & recovery — Legitimate interests | Encrypted |
| Medtech Company Database Content | Indefinite (continuously curated/updated) | Indefinite | Core service functionality (search & matching) — Legitimate interests | Public / commercial sources |
Anonymized Data Note: Once data is fully anonymized (all direct and indirect identifiers removed, aggregated with others, and protected with techniques such as k-anonymity or differential privacy), it is no longer considered personal information under PIPEDA, GDPR, CCPA/CPRA, and most privacy laws. Such data may be retained indefinitely — even after account closure — for analytics, AI training, product development, and industry insights.
12.4 AI Training and Model Improvement
We use anonymized and aggregated forms of usage data, search patterns, interaction trends, and other non-identifiable information to train, fine-tune, and continuously improve our AI features (e.g., intelligent matching, recommendations, bias reduction).
- Identifiable personal data is excluded from AI training datasets unless you give explicit, separate consent (with defined retention).
- Anonymized data persists indefinitely after account closure or deletion because it cannot reasonably be linked back to any individual.
- Opt-out option: You may opt out of contributing your anonymized usage data to AI training by emailing privacy@kumello.com. This applies to future data only; patterns already incorporated into models remain.
12.5 Data Deletion and Destruction
- Methods: Secure overwrite, cryptographic erasure, removal from databases/indexes/logs.
- Automated deletion: Runs monthly for expired data; processes are verified and logged (logs retained 3 years).
- User-requested deletion: Completed within 30 days (up to 60 for complex requests); production systems deleted promptly, backups follow normal 90-day schedule.
- Backups: Automatically purged after 90 days; quarterly verification.
Exceptions: Deletion may be delayed or prevented due to legal holds, active investigations, fraud/security matters, regulatory requirements, or ongoing disputes.
12.6 Exceptions and Extensions
Retention periods may be extended when:
- Required by law (tax, audit, subpoenas, etc.)
- Subject to legal hold, litigation, or regulatory investigation
- Needed for fraud prevention, security incident response, or dispute resolution
- Within the applicable statute of limitations for legal claims
- You provide explicit consent for longer retention (e.g., research or archives)
12.7 Your Rights
Depending on your location (U.S., Canada, EU/UK, etc.), you may have rights to:
- Access, correct, or receive copies of your data
- Request deletion / erasure
- Obtain data portability
- Object to or restrict certain processing
- Opt out of contributing anonymized data to AI training
- Withdraw consent (where processing is consent-based)
How to exercise rights: Email privacy@kumello.com with your request details. We will verify identity and respond within 30–60 days. Some limitations apply (e.g., legal retention obligations, anonymized data).
You may also lodge a complaint with:
- Office of the Privacy Commissioner of Canada
- Your EU/UK data protection authority
- California Attorney General (or other relevant U.S. state authority)
13. CHANGES TO THIS POLICY
13.1 Right to Modify
We may update this Privacy Policy from time to time to reflect:
- Changes to our practices
- Legal or regulatory requirements
- New features or services
- Industry best practices
13.2 Notice of Changes
13.2.1 Material Changes
For material changes that reduce your rights or significantly change our practices, we will:
- Update the “Last Updated” date at the top
- Send email notification to your registered email address
- Display a prominent notice on the platform
- Provide at least 30 days’ notice before changes take effect
13.2.2 Non-Material Changes
For minor changes (clarifications, formatting, non-substantive updates):
- Update the “Last Updated” date
- Post the revised policy on our website
- Changes effective immediately upon posting
13.3 Acceptance of Changes
Your continued use of the Services after changes take effect constitutes acceptance of the updated Privacy Policy.
If you do not agree to changes:
- Discontinue use of the Services
- Close your account
- Request deletion of your information
13.4 Version History
Previous versions of this Privacy Policy may be available upon request to privacy@kumello.com.
14. CONTACT US
14.1 Privacy Inquiries
For questions about this Privacy Policy or our privacy practices:
Email: privacy@kumello.com
Mail:
Kumello Inc.
Attention: Privacy Officer
37 Jacob Keffer Parkway, Suite 301
Concord, Ontario L4K 5N8
Canada
14.2 Data Protection Officer
For GDPR-related inquiries (EU users):
Email: privacy@kumello.com
Note: Kumello does not currently require a dedicated Data Protection Officer under GDPR Article 37, as we are not a public authority and our core activities do not involve large-scale systematic monitoring or processing of special categories of data. If you have GDPR-related questions, please contact our Privacy Officer at the address above.
14.3 General Contact
For general inquiries about the Services:
Email: support@kumello.com
Website: https://kumello.com/contact
14.4 Response Time
We aim to respond to all privacy inquiries within:
- Acknowledgment: 5 business days
- Full response: 30 days (may extend to 60 days for complex requests)
15. REGION-SPECIFIC INFORMATION
15.1 Canadian Users (PIPEDA Compliance)
15.1.1 Legal Basis
We collect and process personal information under PIPEDA (Personal Information Protection and Electronic Documents Act).
15.1.2 Your Rights
Under PIPEDA, you have the right to:
- Access your personal information
- Request correction of inaccuracies
- Challenge compliance with PIPEDA
- Withdraw consent (with limitations)
15.1.3 Complaints
File complaints with:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Phone: 1-800-282-1376
Website: www.priv.gc.ca
15.2 European Users (GDPR Compliance)
15.2.1 Legal Basis for Processing
We process your data based on:
- Consent: For marketing communications and optional features
- Contract: To provide the Services you’ve subscribed to
- Legitimate interests: For security, analytics, and service improvement
- Legal obligations: For compliance with laws and regulations
15.2.2 Your Rights Under GDPR
You have the right to:
- Access: Obtain a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Delete your data (“right to be forgotten”)
- Restrict processing: Limit how we use your data
- Data portability: Receive data in a portable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: For consent-based processing
- Automated decision-making: Not be subject to solely automated decisions with legal effects
15.2.3 Data Protection Authority
Lodge complaints with your local supervisory authority:
- EU: Your country’s data protection authority
- UK: Information Commissioner’s Office (ico.org.uk)
15.2.4 EU Representative
Note: Kumello does not currently require an EU representative under GDPR Article 27, as we do not have an establishment in the EU and are not required to appoint one based on the nature and scale of our processing activities. If our EU operations expand significantly, we will appoint an EU representative and update this policy accordingly. For all EU inquiries, please contact privacy@kumello.com.
15.2.5 Data Transfers
We transfer data from the EU/EEA using:
- Standard contractual clauses (SCCs)
- Adequacy decisions (where applicable)
- Appropriate safeguards as required by GDPR
15.3 California Users (CCPA/CPRA Compliance)
15.3.1 Categories of Information Collected
- Identifiers: Name, email, IP address
- Commercial information: Purchase history, subscription details
- Internet activity: Browsing history, interactions with the Services
- Professional information: Company name, job title, industry
- Geolocation: City/region from IP address
- Inferences: Preferences and characteristics derived from usage
15.3.2 Your California Rights
You have the right to:
- Know: What personal information we collect, use, and share
- Access: Request a copy of your personal information
- Delete: Request deletion of your personal information
- Opt out: Opt out of sale of personal information (we do not sell)
- Non-discrimination: Not be discriminated against for exercising rights
15.3.3 How to Exercise Rights
- Online: Through your account settings
- Email: privacy@kumello.com
Note: CCPA requires at least two designated methods for submitting requests. We provide online account settings and email. Toll-free phone support may be added as our California user base grows.
15.3.4 Verification Process
We will verify your identity before fulfilling requests using:
- Account authentication
- Email verification
- Additional identifying information as needed
15.3.5 Response Timeline
- Acknowledgment: Within 10 days
- Full response: Within 45 days (may extend to 90 days)
15.3.6 Business Purpose
We use information as described in Section 3.
15.3.7 No Sale of Information
We do NOT sell personal information to third parties.
15.3.8 Shine the Light (California Civil Code § 1798.83)
California residents may request information about disclosure of personal information to third parties for their direct marketing purposes. We do not share information for third-party marketing purposes.
15.3.9 Authorized Agents
You may designate an authorized agent to make requests on your behalf. We will require:
- Written authorization from you
- Verification of the agent’s identity and authority
- Direct confirmation from you (in some cases)
15.4 Other Regions
If you are located in other jurisdictions:
- You may have rights under local privacy laws
- Contact privacy@kumello.com to inquire about your specific rights
- We will comply with applicable local laws to the extent required
16. CONSENT ACKNOWLEDGMENT
BY USING KUMELLO, YOU ACKNOWLEDGE THAT:
- ✓ You have read and understood this Privacy Policy
- ✓ You consent to the collection, use, and disclosure of your information as described
- ✓ You understand how we use AI and share data with AI service providers
- ✓ You understand international data transfers may occur
- ✓ You understand your privacy rights and how to exercise them
- ✓ You have reviewed our cookie policy and can manage your preferences
IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, DO NOT USE KUMELLO.
We review this policy at least annually or when laws, services, or practices change. We will give notice of material changes via email and/or platform notice (30 days in advance where required).
Questions about your privacy?
Email: privacy@kumello.com
Mail: Kumello Inc., Attention: Privacy Officer, 37 Jacob Keffer Parkway, Suite 301, Concord, Ontario L4K 5N8, Canada
This Privacy Policy was last updated on February 1, 2026. Please check kumello.com/privacy-policy for the most current version.
This policy aligns with PIPEDA (Canada), GDPR & UK GDPR (EU/UK), CCPA/CPRA (California/U.S.), and other applicable privacy, tax, and data protection laws. Appropriate safeguards (e.g., Standard Contractual Clauses) are used for international data transfers.