GDPR Policy
Effective date: 1 May 2026 - Kutamo Pty Ltd, Victoria, Australia
This GDPR Policy supplements our Privacy Policy and applies to individuals in the European Economic Area (EEA), United Kingdom, and Switzerland ("EEA Users"). It describes how Kutamo Pty Ltd complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR where applicable.
1. Data Controller
For personal data processed in connection with the Kutamo platform, Kutamo Pty Ltd acts as the data controller, unless a business customer has engaged us under a Data Processing Agreement, in which case the customer is the controller and Kutamo acts as data processor for that customer's data.
Kutamo Pty LtdPO Box 7319 Melbourne Victoria, 3004 Australia
Email: [email protected]
2. Legal Bases for Processing
We process personal data of EEA Users on the following legal bases:
| Processing Activity | Legal Basis (GDPR Article 6) |
|---|---|
| Providing the platform services (account management, meeting features) | Article 6(1)(b) — Performance of a contract |
| Processing payments | Article 6(1)(b) — Performance of a contract |
| Sending transactional emails (e.g., meeting invitations, password resets) | Article 6(1)(b) — Performance of a contract |
| Sending marketing communications | Article 6(1)(a) — Consent (opt-in) or Article 6(1)(f) — Legitimate interests (existing customers) |
| Security, fraud prevention, and platform integrity | Article 6(1)(f) — Legitimate interests |
| Compliance with legal obligations | Article 6(1)(c) — Legal obligation |
| Analytics (anonymised/aggregated usage data) | Article 6(1)(f) — Legitimate interests |
3. Your Rights Under GDPR
As an EEA User, you have the following rights regarding your personal data:
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten"), where it is no longer necessary or where you withdraw consent.
- Right to restriction of processing (Article 18): Request that we limit how we use your data in certain circumstances.
- Right to data portability (Article 20): Receive your personal data in a structured, machine-readable format and transfer it to another controller, where processing is based on consent or contract.
- Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making (Article 22): Kutamo does not make solely automated decisions that produce significant legal effects on EEA Users.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
To exercise any of these rights, please email [email protected]. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We may ask you to verify your identity before fulfilling your request.
4. International Data Transfers
Kutamo is based in Australia, which the European Commission does not currently recognise as providing an adequate level of data protection under Article 45 GDPR. Where we transfer personal data from the EEA to Australia or other third countries, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Transfers to processors (e.g., Microsoft Azure, Stripe) under their own GDPR-compliant transfer mechanisms.
You may request a copy of the relevant transfer mechanisms by contacting [email protected].
5. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. See our Privacy Policy for detailed retention periods.
6. Data Breach Notification
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR. We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, as required by Article 33 GDPR.
7. Sub-Processors
As a data processor for business customers, we use sub-processors to provide our services. These include Microsoft Azure (hosting), Mailgun/SendGrid (email), Twilio (SMS), and Stripe (payments). We require all sub-processors to provide equivalent data protection guarantees. A current list of sub-processors is available on request.
8. Right to Lodge a Complaint
If you believe we have not handled your personal data in compliance with GDPR, you have the right to lodge a complaint with your local supervisory authority. In the EU, you can find your authority at edpb.europa.eu. In the UK, the supervisory authority is the Information Commissioner's Office (ICO).
We encourage you to contact us first at [email protected] so we can try to resolve your concern directly.
9. Data Protection Officer
Kutamo is not currently required to appoint a Data Protection Officer under GDPR. Privacy queries can be directed to our Privacy Officer at [email protected].
10. Changes to This Policy
We may update this GDPR Policy as our practices or legal requirements change. Material updates will be communicated by email or in-app notification at least 14 days in advance.