Privacy Policy
Last updated: July 16, 2025
1. Introduction
Welcome to Kindling B.V. (“Kindling”, “we”, “us” or “our”).
We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (“GDPR”), the ePrivacy Directive, and all other applicable data-protection laws.
This Privacy Policy explains, in plain language, how we collect, use, disclose, store, and protect your personal data when you use our website, mobile applications, and any related services (collectively, the “Services”).
2. Who we are
- Company name: ReStride B.V.
- Registered address: Prinsengracht 123, 1015 DL Amsterdam, The Netherlands
- Chamber of Commerce (KvK) number: 91234567
- E-mail: privacy@getkindling.app
We act as the Data Controller for the personal data described in this Policy.
3. Definitions
| Term | Meaning |
|---|---|
| Personal data | Any information relating to an identified or identifiable natural person. |
| Processing | Any operation performed on personal data, such as collection, storage, or deletion. |
| Data subject | You, the individual using our Services whose personal data are processed. |
| Data controller | The natural or legal person which determines the purposes and means of processing personal data. |
| Data processor | A natural or legal person which processes personal data on behalf of the controller. |
4. What data we collect
| Category | Details | Legal basis |
|---|---|---|
| Account data | E-mail address, password hash, preferred language, profile information you optionally add. | Contract |
| collection and activity data | collections you create or follow, steps completed, reflections, uploaded files or images, streak metrics. | Contract |
| Support or survey data | Information you provide when contacting support or responding to surveys. | Legitimate interest / Consent |
| Technical data | IP address device type, operating system, browser, time zone, and app version. | Legitimate interest |
| Usage analytics | Page views, button clicks, session duration—collected only after cookie consent via PostHog EU Cloud. | Consent |
| Cookie data | See dedicated Cookie Policy for details. | Consent |
“Contract” = necessary to provide the Services you request.
IP addresses are truncated and stored for no longer than 7 days for security purposes.
5. How and why we use your data
- To create and administer your account
We need your e-mail and password to let you sign in, manage collections, and sync progress. - To deliver the core functionality
Your activity data are processed to show streaks, reminders, and statistics. - To improve the Services
Aggregated analytics help us understand feature adoption and performance bottlenecks. - To communicate with you
We send transactional e-mails (for example, password resets) and, if you opt in, product updates. - To comply with legal obligations
We retain certain records to demonstrate GDPR compliance and fulfil tax or accounting duties.
6. Cookies and PostHog analytics
- Our website uses a cookie consent banner that appears to visitors from the European Economic Area.
- Non-essential cookies, including PostHog analytics, are disabled by default and activated only after you click “Accept analytics cookies”.
- When enabled, PostHog sets first-party cookies that store a random identifier and session timestamps.
- PostHog events are processed exclusively in the European Union (
https://eu.i.posthog.com).
You can withdraw consent at any time by opening “Cookie Settings” in the footer or calling posthog.opt_out_capturing() in your browser console.
7. Data sharing and processors
We never sell your personal data, and we share it only with the following categories of recipients:
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase EU | Managed PostgreSQL database, file storage, authentication. | Frankfurt, DE | EU-only region |
| PostHog EU Cloud | Product-analytics platform. | Frankfurt, DE | EU-only region |
| E-mail provider (Resend) | Transactional e-mail delivery. | EU data center | Standard Contractual Clauses |
Each processor is bound by a Data Processing Agreement and processes data solely under our instructions.
8. Data security
- Data in transit is protected using TLS 1.3.
- Data at rest is encrypted with AES-256.
- Strict row-level security in Supabase ensures users can access only their own records.
- Access to production databases is limited to authorized personnel via fine-grained IAM roles and multi-factor authentication.
- Regular backups are encrypted and retained for 30 days.
9. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account or remain inactive for 24 months. |
| collection and activity data | Same as account data; deleted upon account deletion. |
| Analytics events | 12 months, then aggregated and de-identified. |
| Support tickets | 24 months after resolution. |
We may retain data longer if required by law (for example, tax records).
10. International transfers
All primary data are stored in the European Union. If limited transfers outside the EEA are necessary, we rely on:
- Adequacy Decisions of the European Commission, or
- Standard Contractual Clauses together with supplementary technical and organisational measures.
11. Your rights under GDPR
You may exercise the following rights at any time, free of charge:
- Right of access – obtain a copy of personal data we hold about you.
- Right to rectification – correct inaccurate or incomplete data.
- Right to erasure – request deletion (“right to be forgotten”).
- Right to restriction – limit how we process your data.
- Right to data portability – receive data in a structured, machine-readable format.
- Right to object – object to processing based on legitimate interest.
- Right to withdraw consent – without affecting prior processing.
To exercise any right, contact us at privacy@getkindling.app. We will respond within one calendar month.
If you believe that our processing violates data-protection laws, you may lodge a complaint with your local supervisory authority. Our lead authority is the Autoriteit Persoonsgegevens (Netherlands).
12. Children’s privacy
Our Services are not directed to children under 13 years of age, and we do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will delete such data immediately.
13. Changes to this Policy
We may update this Privacy Policy from time to time. Significant changes will be announced via an in-app notification or e-mail. The “Last updated” date at the top of this page will always indicate the latest revision.
14. Contact us
If you have questions about this Privacy Policy or our data practices, please contact:
Data Protection Officer
Kindling B.V.
Prinsengracht 123, 1015 DL Amsterdam, The Netherlands
dpo@getkindling.app
Thank you for trusting Kindling with your personal data.