Privacy Policy
Last updated: May 27, 2026 · Effective date: May 27, 2026 · Version: 1.0
Summary (non-binding): Kbylabs LLC collects only the personal data you voluntarily submit via our contact form. We do not sell your data, do not run advertising trackers, and do not use analytics services. This policy is fully compliant with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and applicable US federal law.
1. Identity of the Data Controller
Kbylabs LLC ("Kbylabs", "we", "us", "our") is the data controller for all personal data processed through this website (kbylabs.com) and its associated contact channels. Kbylabs LLC is a limited liability company organized and registered under the laws of the State of New Mexico, United States of America.
For all privacy-related inquiries, you may contact us via the contact form on our website. We will respond within 30 days to any data subject request.
2. Scope of This Policy
This Privacy Policy applies to all personal data collected, processed, and stored by Kbylabs LLC in connection with the operation of this website and our consulting services, regardless of the country of origin of the data subject. It governs data subjects located in the European Economic Area (EEA), the United Kingdom, the United States (including California), and all other jurisdictions.
3. Data We Collect
3.1 — Data You Provide Directly (Contact Form)
When you submit an inquiry through our contact form, we collect:
- First name and last name — to address you appropriately
- Professional email address — to respond to your inquiry
- Engagement scope / service interest — to route your request correctly
- Free-text message — the content of your inquiry
We do not collect payment information, government IDs, or special category data (GDPR Art. 9) through this website. You are not required to provide sensitive personal data to contact us.
3.2 — Data Collected Automatically (Technical Data)
This website does not operate server-side infrastructure that logs requests. We do not deploy analytics scripts (Google Analytics, Mixpanel, Plausible, etc.), advertising pixels, heatmap tools, or session recording software. No IP address, browser fingerprint, or behavioral data is stored by Kbylabs.
Note: this website loads CSS from cdn.tailwindcss.com and fonts from fonts.googleapis.com / fonts.gstatic.com. These third-party CDN requests may cause your browser to transmit your IP address to Google's servers. Kbylabs has no control over Google's processing of that data. Refer to Google's Privacy Policy for details.
4. Legal Basis for Processing (GDPR)
For data subjects located in the EEA or UK, we rely on the following legal bases under GDPR Art. 6:
- Art. 6(1)(b) — Contract performance: processing your contact form submission to respond to your pre-contractual inquiry or consulting request.
- Art. 6(1)(f) — Legitimate interests: maintaining records of business correspondence for internal administrative purposes, provided such interests are not overridden by your rights.
- Art. 6(1)(a) — Consent: where we ask for specific consent (e.g., to send follow-up commercial communications), such consent is freely given, specific, informed, and unambiguous, and may be withdrawn at any time without detriment.
5. Purpose and Retention of Data
- Responding to inquiries: contact form data is used solely to respond to your message. Data is retained for a maximum of 24 months from last contact, after which it is permanently deleted unless a contractual relationship has been established.
- Contractual engagements: if you become a client, data is retained for the duration of the engagement plus 7 years to comply with US accounting and tax record-keeping obligations and applicable EU member state equivalents.
- We do not use your data for automated decision-making or profiling (GDPR Art. 22).
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data to any third party. We do not share your data with advertisers, data brokers, or social media platforms.
Personal data may be disclosed only in the following limited circumstances:
- Service providers: email hosting and communication services necessary to reply to your inquiry. Any such processor is bound by a Data Processing Agreement (DPA) consistent with GDPR Art. 28.
- Legal obligation: where required by applicable US federal or state law, EU law, court order, or legitimate governmental request.
- Business transfer: in the event of a merger, acquisition, or sale of substantially all assets, data may be transferred to the successor entity subject to the same privacy protections.
7. International Data Transfers
Kbylabs LLC is organized under the laws of the State of New Mexico, United States of America. If you are located in the EEA, UK, or Switzerland, your personal data may be transferred to the United States. Such transfers are carried out under appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) adopted pursuant to GDPR Art. 46(2)(c), and reliance on the EU-U.S. Data Privacy Framework where applicable.
8. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
To exercise any of these rights, submit a written request via our contact form, clearly identifying yourself and the right you wish to exercise. We will respond within 30 calendar days (extendable by 60 days for complex requests, with notice). We may need to verify your identity before processing the request. We will not discriminate against you for exercising any privacy rights.
If you are located in the EEA, you also have the right to lodge a complaint with your local supervisory authority (e.g., CNIL for France, ICO for the UK, BfDI for Germany).
9. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted communications (TLS/HTTPS), access controls, and periodic security reviews consistent with the sensitivity of the data processed. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
10. Children's Privacy
This website is directed exclusively at business professionals and is not intended for individuals under the age of 18 (or the applicable age of digital consent in their jurisdiction). We do not knowingly collect data from minors. If you believe a minor has submitted data to us, contact us immediately and we will delete it without delay.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal obligations. Material changes will be indicated by updating the "Last updated" date at the top of this page. Continued use of the website after changes are posted constitutes acceptance of the revised policy. We recommend reviewing this page periodically.
12. Governing Law
This Privacy Policy is governed by the laws of the State of New Mexico, United States of America, without regard to its conflict of law provisions. For EEA and UK data subjects, the GDPR and UK GDPR respectively apply as mandatory law and take precedence over conflicting provisions where required by those instruments.