Privacy Policy
Kyme Procurement Platform
Effective date: 1 June 2026
Last updated: 1 June 2026
1. Introduction
Kyme ("we", "us", or "our") operates the procurement platform available at kyme.ai (the "Platform"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Platform.
By creating an account or using Kyme, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Platform.
2. Who We Are
Kyme is a procurement SaaS platform that helps organisations manage the full procurement lifecycle including requests for quotation (RFQs), adjudication, purchase requests, purchase orders, supplier management, and electronic signatures.
Data Controller: Kyme
contact@kyme.ai
kyme.ai
3. Information We Collect
3.1 Account Information
When you register for Kyme, we collect:
- Full name
- Email address
- Password (stored as a secure hash — we never store plaintext passwords)
- Role within your organisation (admin, approver, or requester)
3.2 Procurement Data
In the normal course of using the Platform, you and your organisation will create and store:
- Supplier details (company name, contact information, commercial terms)
- Request for quotation documents and line items
- Supplier quotation responses and pricing information
- Adjudication scores, justifications, and approval decisions
- Purchase requests and approval records
- Purchase orders and associated line items
- Electronic signature requests and signed records
- Uploaded documents including contracts, compliance forms, and attachments
3.3 Usage Data
We automatically collect certain technical information when you use the Platform:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Date and time of access
- Referring URLs
3.4 Communications
If you contact us for support or with enquiries, we retain records of that correspondence including your name, email address, and the content of your messages.
4. How We Use Your Information
We use the information we collect to:
- Provide the Platform — operate, maintain, and improve the Kyme procurement platform
- Authenticate users — verify your identity and manage your session securely
- Enable procurement workflows — facilitate the creation and management of RFQs, purchase orders, approvals, and signatures
- Send notifications — notify relevant users of actions requiring their attention such as approval requests and signature requests
- Provide support — respond to your questions, requests, and technical issues
- Ensure security — detect, investigate, and prevent fraudulent or unauthorised activity
- Comply with legal obligations — meet our legal and regulatory requirements
- Improve the Platform — analyse usage patterns to improve features and user experience
We do not sell your personal information to third parties. We do not use your data for advertising purposes.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account registration and authentication | Performance of contract |
| Operating procurement workflows | Performance of contract |
| Sending signature and approval notifications | Performance of contract |
| Usage analytics and platform improvement | Legitimate interests |
| Legal compliance | Legal obligation |
| Support communications | Legitimate interests |
6. Data Storage and Infrastructure
6.1 Database
Your data is stored in a Supabase managed PostgreSQL database hosted in the EU West (Ireland) region on AWS infrastructure. Supabase implements industry-standard security including encryption at rest and in transit.
6.2 File Storage
Documents and attachments you upload are stored in Supabase Storage, also hosted in the EU West (Ireland) region. Files are stored in private buckets and are not publicly accessible without authentication.
6.3 Hosting
The Kyme application is hosted on Vercel, which operates a global edge network. Application code and caches may be distributed across Vercel's global infrastructure. Vercel is SOC 2 Type 2 certified.
6.4 DNS and Network
Domain routing is managed through Cloudflare, which processes DNS queries for kyme.ai. Cloudflare's privacy policy applies to DNS-level data.
6.5 Email
Transactional emails (such as signature requests and approval notifications) are sent via Resend. Resend processes recipient email addresses and message content to deliver emails on our behalf.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Platform.
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 12 months after deletion |
| Procurement records (RFQs, POs, signatures) | 7 years (legal/audit requirement) |
| Usage and access logs | 90 days |
| Support communications | 3 years |
| Uploaded documents | Duration of account + 12 months |
When you request deletion of your account, we will delete or anonymise your personal information within 30 days, except where we are required to retain it for legal, regulatory, or audit purposes.
8. Data Sharing and Third Parties
We share your data only in the following circumstances:
8.1 Service Providers
We use trusted third-party service providers to operate the Platform. These providers process data on our behalf under data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Ireland) |
| Vercel | Application hosting and deployment | Global (EU primary) |
| Cloudflare | DNS and network routing | Global |
| Resend | Transactional email delivery | US (with SCCs) |
8.2 Within Your Organisation
Procurement data you create is visible to other authorised users within your organisation on the Platform. Access is controlled by role (admin, approver, requester).
8.3 Suppliers
When you send an RFQ or signature request to a supplier, their contact information is used to deliver that communication. Suppliers who receive signing links can view the document they are asked to sign.
8.4 Legal Requirements
We may disclose your information if required to do so by law, court order, or regulatory authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
8.5 Business Transfers
If Kyme is acquired, merged, or its assets are transferred, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
9. Security
We implement appropriate technical and organisational measures to protect your personal information including:
- Encryption in transit — all data is transmitted over HTTPS/TLS
- Encryption at rest — database and file storage are encrypted at rest
- HSTS — HTTP Strict Transport Security prevents downgrade attacks
- Row Level Security — Supabase RLS ensures users can only access data they are authorised to view
- Role-based access control — different permission levels for admin, approver, and requester roles
- Secure authentication — passwords are hashed using bcrypt; sessions are managed via secure HTTP-only cookies
- Security headers — standard HTTP security headers are implemented on all responses
While we take security seriously, no system is completely secure. We encourage you to use a strong, unique password and to notify us immediately if you suspect any unauthorised access to your account.
10. Cookies and Tracking
Kyme uses the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-auth-token | Supabase authentication session | Session |
| sb-refresh-token | Supabase session refresh | 30 days |
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics or similar tracking services.
11. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate personal data
- Right to erasure — request deletion of your personal data (subject to legal retention requirements)
- Right to restriction — request that we restrict processing of your data
- Right to data portability — request your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@kyme.ai. We will respond within 30 days. We may need to verify your identity before processing your request.
If you are in the EEA or UK and believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority.
12. Children's Privacy
Kyme is a business-to-business platform intended for use by professionals aged 18 and over. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.
13. International Data Transfers
Our primary infrastructure is hosted in the EU (Ireland). Where data is processed outside the EEA (for example, by Resend in the United States), we ensure appropriate safeguards are in place including Standard Contractual Clauses (SCCs) as required by GDPR.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a notice within the Platform before the changes take effect. The "Last updated" date at the top of this policy reflects the most recent revision.
Your continued use of the Platform after changes take effect constitutes your acceptance of the updated policy.
15. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Email: privacy@kyme.ai
Website: kyme.ai
For data protection enquiries specifically, please mark your email with the subject line: "Data Protection Request"
This Privacy Policy was last reviewed on 1 June 2026.