GDPR Privacy Notice

This GDPR Privacy Notice supplements our main Privacy Policy (www.kudosstream.com/privacy-policy) and applies specifically to individuals in the European Economic Area (EEA) and the United Kingdom (UK). If you are located outside the EEA/UK, our main Privacy Policy governs your use of the Service.

1. Who We Are (Data Controller)

Under the General Data Protection Regulation (GDPR) and the UK GDPR, KudosStream acts as the data controller for personal data processed in connection with the Service. This means we determine the purposes and means of processing your personal data.

KudosStream
Website: www.kudosstream.com
Privacy contact: privacy@kudosstream.com

We do not currently have a designated Data Protection Officer (DPO), as we are not required to appoint one under Article 37 of the GDPR at this stage of our operations. Privacy inquiries are handled directly by the KudosStream founding team. If our processing activities change in a way that requires a DPO, we will appoint one and update this notice.

2. Personal Data We Process

We process the following categories of personal data about you as an EEA/UK user:

Account and Identity Data

• Name and email address provided at registration
• Business name and profile information
• Login credentials (passwords stored in hashed form only)

Payment Data

• Billing name and address
• Payment card details (handled exclusively by our payment processor; we do not store raw card numbers)

Usage and Technical Data

• IP address, browser type, device information
• Pages visited, features used, session duration
• Dashboard activity and review request logs

Third-Party Review Data

• Review content, ratings, and reviewer names synced from your Google Business Profile and Facebook Page
• OAuth tokens for Google and Facebook connections (stored in encrypted form)

Customer Contact Data (Processed on Your Behalf)

When you upload customer contact lists to send review requests, KudosStream processes that data as a data processor on your behalf. You are the data controller for your customers' data. You are responsible for ensuring you have a valid lawful basis to send review request emails to those individuals under applicable law.

3. Lawful Basis for Processing

The GDPR requires us to identify a lawful basis for each processing activity. The table below sets out our lawful basis for each activity:

4. International Data Transfers

KudosStream is based in the United States and our infrastructure runs on AWS in US regions. If you are located in the EEA or UK, your personal data will be transferred to and processed in the United States, which is a country outside the EEA and UK that does not have an adequacy decision from the European Commission.

We rely on the following safeguards to protect your data during such transfers:

• Standard Contractual Clauses (SCCs): where we transfer data to third-party processors outside the EEA/UK, we use the European Commission's approved Standard Contractual Clauses or the UK's International Data Transfer Agreement (IDTA) as appropriate.
• Processor agreements: all third-party vendors who process EEA/UK personal data on our behalf are required to maintain appropriate data protection safeguards under contractual terms.

As KudosStream grows and EU/UK usage increases, we will evaluate whether to add AWS EU regions to localize data storage. We will update this notice if our transfer mechanisms change.

5. Your Rights Under GDPR

As a data subject in the EEA or UK, you have the following rights regarding your personal data. We will respond to all verified requests within 30 days, with the possibility of a 60-day extension for complex requests (we will notify you if an extension is needed).

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you and information about how we process it.

Right to Rectification (Article 16)

You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data where: (a) the data is no longer necessary for the purpose it was collected; (b) you withdraw consent and there is no other lawful basis; (c) you object to processing and we have no overriding legitimate grounds; or (d) the data has been unlawfully processed. This right does not apply where we are required to retain data for legal obligations.

Right to Restrict Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain circumstances, such as while we verify a rectification request or while you contest our legitimate interests basis.

Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.

Right to Object (Article 21)

You have the right to object at any time to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately. Where you object to legitimate interests processing, we will cease unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Article 7)

Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Right Not to Be Subject to Automated Decision-Making (Article 22)

KudosStream does not make automated decisions about you that produce legal or similarly significant effects. This right is therefore not currently applicable to our processing activities.

To exercise any of the above rights, contact us at privacy@kudosstream.com. We may ask you to verify your identity before processing the request. There is no fee for submitting a rights request.

6. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this notice, taking into account legal, accounting, and reporting requirements:

• Account data: retained for the duration of your subscription and deleted or anonymized within 90 days of account closure
• Billing records: retained for 7 years to comply with applicable tax and accounting obligations
• Customer contact data (uploaded for review requests): retained only as long as needed to complete the send operation, then deleted within 30 days
• Usage and analytics data: aggregated and anonymized after 24 months; raw logs deleted after 12 months
• Support correspondence: retained for 3 years from the date of last contact

7. KudosStream as Data Processor

In addition to acting as a data controller for our own purposes, KudosStream acts as a data processor when processing your customers' personal data on your behalf (for example, when sending review request emails to your customer list).

As a KudosStream subscriber, you are the data controller for your customers' data. You are responsible for:

• Ensuring you have a valid lawful basis under GDPR to send review request emails to your customers
• Providing appropriate privacy notices to your customers disclosing that their data may be shared with service providers like KudosStream
• Responding to any data subject requests from your own customers regarding data you have processed through KudosStream

KudosStream processes customer contact data strictly in accordance with your instructions as a data controller. We do not use your customers' contact data for our own marketing or other purposes.

If you require a Data Processing Agreement (DPA) to document our processor relationship under Article 28 of the GDPR, please contact us at privacy@kudosstream.com and we will provide one.

8. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction, including:

• SSL/TLS encryption for all data in transit
• Encrypted storage for sensitive credentials including OAuth tokens and passwords
• Access controls limiting data access to authorized personnel only
• Regular security reviews and vulnerability assessments
• Incident response procedures to detect, investigate, and report personal data breaches

In the event of a personal data breach likely to result in a high risk to the rights and freedoms of EEA/UK individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected individuals without undue delay, in accordance with Articles 33 and 34 of the GDPR.

9. Right to Lodge a Complaint

If you are an EEA resident and believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state of residence or the supervisory authority in the country where the alleged infringement occurred.

If you are a UK resident, you may lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

We would appreciate the opportunity to address your concerns before you contact a supervisory authority. Please contact us first at privacy@kudosstream.com and we will make every effort to resolve your concern promptly.

10. Updates to This Notice

We may update this GDPR Privacy Notice to reflect changes in our processing activities, applicable law, or guidance from supervisory authorities. When we make material changes, we will update the Effective Date and, where appropriate, notify affected users by email.

We encourage EEA/UK users to review this notice periodically.

11. Contact Us

For any GDPR-related inquiries, rights requests, or to request a Data Processing Agreement, please contact us:

KudosStream — Privacy Team
Email: privacy@kudosstream.com
Website: www.kudosstream.com
Response time: within 30 days of receipt

© 2026 KudosStream. All rights reserved.