Privacy Policy

Effective Date: March 21, 2026 | Last Updated: March 24, 2026

KYMA Tech Solutions ("KYMA", "we", "us"), a subsidiary of Sage Holdings LLC, operates the ICOSA Certification platform at kymatech.io. This Privacy Policy describes how we collect, use, disclose, and protect your personal data in connection with our AI compliance assessment services.

1. Data Controller

The data controller responsible for your personal data is:

KYMA Tech Solutions (subsidiary of Sage Holdings LLC)
2442 Vassar Pl, Costa Mesa, CA 92626
Email: compliance@kymatech.online
Phone: 714-612-8902

2. Data We Collect

2.1 Information You Provide

• Account information: Name, organization, email address, job title
• Assessment data: AI system descriptions, behavioral observations, risk classifications, and attestation statements you submit for compliance scanning
• Payment information: Payment method, transaction identifiers, billing details (processed by Stripe; we do not store card numbers)
• Communications: Emails, partnership inquiries, support requests

2.2 Information Collected Automatically

• Usage data: Pages visited, features used, timestamps, referral source
• Device data: IP address, browser type, operating system
• Analytics: Aggregated page view counts, unique visitor counts (no personal profiling)

2.3 Information We Do NOT Collect

• AI model weights, source code, or training data
• Internal system architecture or proprietary algorithms
• Biometric data of any kind
• Data from your AI system's end users

ICOSA operates on a black-box behavioral assessment methodology. We evaluate observable behavior only and never require access to proprietary internals.

3. How We Use Your Data

• Service delivery: Processing compliance assessments, generating reports, issuing certificates
• Blockchain attestation: Compliance verdicts (pass/fail) and certificate hashes are recorded on the Polygon blockchain. These records contain no personal data — only anonymized assessment identifiers and cryptographic hashes
• Communication: Responding to inquiries, sending assessment results, service notifications
• Security: Detecting and preventing unauthorized access, fraud, and abuse
• Improvement: Aggregated, anonymized analytics to improve service quality

4. Legal Basis for Processing (GDPR Article 6)

• Contract performance (Art. 6(1)(b)): Processing necessary to deliver compliance assessment services you have requested
• Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement
• Consent (Art. 6(1)(a)): Where specifically requested, such as marketing communications
• Legal obligation (Art. 6(1)(c)): Where required by applicable law or regulation

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We may share data with:

• Payment processors: Stripe, for payment processing only
• Blockchain networks: Anonymized certificate hashes on Polygon (public, immutable, contains no personal data)
• AI model providers: Your system descriptions are processed by AI models for compliance assessment. No personal data is sent to model providers — only the assessment content you submit
• Law enforcement: Only when compelled by valid legal process

6. Data Retention

• Assessment data: Retained for 3 years from the date of assessment, or as required for ongoing certification validity
• Account data: Retained for the duration of the business relationship plus 1 year
• Payment records: Retained for 7 years per financial recordkeeping requirements
• Analytics data: Aggregated data retained indefinitely; raw logs purged after 90 days
• Blockchain records: Immutable by design; contain no personal data

7. Your Rights

Under applicable data protection laws (including GDPR and CCPA), you have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your data ("right to be forgotten")
• Port your data to another service
• Restrict processing in certain circumstances
• Object to processing based on legitimate interest
• Withdraw consent where processing is based on consent

To exercise these rights, contact: compliance@kymatech.online

We will respond within 30 days (GDPR) or 45 days (CCPA).

8. International Data Transfers

Your data may be processed by AI models hosted in multiple jurisdictions as part of our multi-model consensus protocol. All transfers are conducted with appropriate safeguards, including Standard Contractual Clauses where required.

9. Security Measures

• TLS 1.3 encryption for all data in transit
• Encrypted storage for sensitive data at rest
• Firewall protection with rate limiting
• Automated intrusion detection (fail2ban)
• DDoS protection via Cloudflare
• Security headers (HSTS, XSS protection, CSRF protection)
• Regular security audits and vulnerability scanning
• API credentials encrypted and never stored after use

10. Cookies and Tracking

We use minimal cookies:

• Essential cookies: Session management and security (strictly necessary, no consent required)
• Analytics: Aggregated page view counting via server-side analytics. We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts

We do not engage in cross-site tracking, behavioral profiling, or targeted advertising.

11. Children's Privacy

ICOSA services are designed for business use and are not directed at individuals under 18. We do not knowingly collect data from minors.

12. Incident Response

In the event of a data breach that poses a risk to your rights and freedoms:

• We will notify affected individuals within 72 hours of discovery (per GDPR Article 33)
• We will notify the relevant supervisory authority where required
• Notification will include: nature of the breach, data affected, likely consequences, and mitigation measures taken
• All incidents are logged and reviewed to prevent recurrence

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users and prominently displayed on our website. The "Last Updated" date at the top reflects the most recent revision.

14. Contact

For privacy inquiries, data requests, or complaints:

KYMA Tech Solutions — Data Protection
Email: compliance@kymatech.online
Mail: 2442 Vassar Pl, Costa Mesa, CA 92626
Phone: 714-612-8902

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in your jurisdiction.