Our Privacy Policy

Last Updated 1 June, 2026

KOMBO AI is committed to protecting the privacy of our users. In compliance with the European Union General Data Protection Regulation (EU) 2016/679 ("GDPR") and Spanish Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"), this policy outlines how we collect, use, and protect your personal data.


Who Is Responsible for Your Data?

Entity Name: KOMBOAI TECHNOLOGIES S.L. ("KOMBOAI")

NIF: B-70709753
VAT: ESB70709753

Address: Carrer de Zamora 65, Sant MartΓ­, 08005 Barcelona

Website: www.getkombo.ai

Email: support@getkombo.ai


What Data Do We Collect?

We may collect various categories of personal data depending on how you interact with our services:

- Contact information: Name, email address, phone number, job title, company name, and similar details.

- Usage data: Data about your interaction with our platform, including pages visited, features used, and time spent.

- Professional data: Information available on external platforms including your job history, professional skills, company-related data, and other publicly accessible data relevant to business operations.

- Commercial information: Emails or other communications with prospects or leads analysed through our system.

- Recruitment data: If you apply for a job with KOMBO AI, we will collect information related to your job application, such as your CV, education history, work experience, and references.

- Payment data: If you purchase a subscription, payment details are processed by our payment provider, Stripe. KOMBO AI does not store full card details directly.

- Analytics and behavioural data: We collect data about how you interact with our website and product via analytics tools (see Third-Party Tools and Services below). This may include pages visited, clicks, scroll depth, session duration, device type, browser, operating system, approximate location derived from IP address, and unique identifiers.

- Support and communication data: If you contact us via our live chat (Intercom or WhatsApp), schedule a meeting (Calendly), or submit a support request, we collect the content of those communications and associated metadata.


In addition to collecting data from our clients, KOMBO AI processes and analyses personal data from third-party sources and APIs. The types of data we may collect from these sources include:

- Publicly available professional data: Name, job title, company, job history, skills, education, professional achievements, public pictures, contact data, revenue data, customer reviews, and other information available on public profiles. This data is used exclusively for professional and commercial purposes as described below.


We also collect aggregated data, such as statistical or demographic data, for internal analysis. This information does not directly identify any individual.


How Do We Collect Your Data?

We collect personal data through:

- Information you provide directly: When you register on our platform, use our services, apply for job positions, or communicate with us.

- Third-party sources: We gather publicly available professional data from multiple platforms and APIs.

- Automated technologies: As you use our website, information is collected automatically via cookies, tracking pixels, and analytics tools including PostHog, Google Analytics, and Mixpanel. Please refer to our Cookie Policy for full details and to manage your preferences. Analytics tools are only activated where required consent has been obtained.

- Third-party communication tools: If you interact with our live chat widget (Intercom or WhatsApp), those platforms may independently collect data subject to their own privacy policies (see Third-Party Tools and Services below).

- Scheduling tools: If you book a meeting via Calendly, your name, email address, and scheduling preferences are collected by Calendly on our behalf.


How Do We Use Your Data?

We process personal data for the following purposes:

- Providing our services: To offer data analysis and recommendations, helping sales professionals optimise their digital pitches and customer outreach efforts.

- User support: To assist with any inquiries, technical support, or requests for information.

- Improving our services: We analyse usage data to enhance the functionality and performance of our platform.

- Compliance with legal obligations: We process your data to comply with legal obligations, such as financial reporting or cooperating with regulatory authorities.

- Marketing communications: With your consent, we may send you updates and information about our services. You can opt out at any time by using the unsubscribe link in any communication or by emailing support@getkombo.ai.

- Receiving and evaluating job applications: We process data related to job applications you submit to KOMBO AI, such as evaluating your qualifications, arranging interviews, and communicating with you regarding employment opportunities.


What Is the Legal Basis for Processing Your Data?

The processing of your personal data is based on one or more of the following:

- Consent (GDPR Art. 6(1)(a)): When you voluntarily provide data for specific purposes, such as subscribing to newsletters, accepting cookies, or using our platform.

- Performance of a contract (GDPR Art. 6(1)(b)): If you are a customer, we process your data to perform the contract for services provided to you.

- Legitimate interests (GDPR Art. 6(1)(f)): We may process your data to provide our services, analyse performance, evaluate job applications, or market to you β€” provided that our legitimate interests are not overridden by your rights and freedoms.

- Legal compliance (GDPR Art. 6(1)(c)): In some cases, we process data to comply with legal or regulatory obligations.


The legal basis for processing publicly available professional data is our legitimate interest in providing data-driven insights and recommendations to our clients for business development purposes. We ensure that the data we process is limited to what is necessary and relevant for professional purposes only. You may object to this processing at any time (see Your Rights below).


How Long Do We Keep Your Data?

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and in compliance with applicable legal retention obligations and statutory limitation periods. The criteria used to determine retention periods include:

- Active accounts: Data is retained for the duration of the contractual relationship.

- Marketing data: Retained until you withdraw consent or opt out.

- Job application data: Retained for up to 12 months after a recruitment process concludes, unless you consent to a longer period.

- Publicly available professional data: Retained only as long as it remains relevant to the provision of our services.

- Legal and financial records: Retained for the minimum period required by applicable law (typically 5–7 years under Spanish commercial and tax law).


Once the retention period expires, data is securely deleted or anonymised. Where data must be retained to respond to legal claims, it will be blocked and not used for any other purpose.


International Data Transfers

Some of KOMBO AI's sub-processors are based outside the European Economic Area (EEA), including in the United States. Where personal data is transferred to third countries, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including:

- Standard Contractual Clauses (SCCs) approved by the European Commission, or

- Other legally recognised transfer mechanisms.


Our key sub-processors involved in international transfers include:

- OpenAI (United States) β€” AI processing β€” SCCs (DPA)

- Google Cloud / Google Analytics (United States) β€” Infrastructure, web analytics β€” SCCs (DPA)

- Stripe (United States) β€” Payment processing β€” SCCs (DPA)

- Intercom (United States, EU hosting available) β€” Customer support and messaging β€” SCCs (DPA)

- Calendly (United States) β€” Meeting scheduling β€” SCCs (Privacy Policy)

- PostHog (United States / EU) β€” Product analytics β€” SCCs / EU cloud option (DPA)

- Mixpanel (United States) β€” Product analytics β€” SCCs (DPA)

- Meta (WhatsApp) (United States) β€” Live chat widget β€” SCCs (Privacy Policy)



A full and up-to-date list of sub-processors is available on request by emailing support@getkombo.ai.


Do We Share Your Data?

We may share your personal data with:

- Sub-processors and service providers: Third-party vendors who help us with data storage, AI processing, analytics, or communication tools. These providers act as data processors and are contractually bound to process data only on our instructions and in compliance with GDPR.

- Business partners: In limited cases, we may share data with external partners if necessary for delivering services to you.

- Public authorities: We may disclose data when required by law or in response to valid legal processes, such as court orders or regulatory requests.


We do not sell your personal data to third parties.


Automated Decision-Making and Profiling

KOMBO AI uses automated data processing and AI-driven recommendations as part of its core service. Where such processing constitutes automated decision-making with a legal or similarly significant effect on you within the meaning of GDPR Article 22, you have the right to request human review of the decision, to express your point of view, and to contest the outcome. Please contact support@getkombo.ai to exercise this right.

For the avoidance of doubt, our AI-generated recommendations are advisory in nature and are reviewed by sales professionals before use. They are not intended to produce fully automated decisions with significant legal effect on individuals.


Your Rights

You have the following rights regarding your personal data under the GDPR:

- Access (Art. 15): Request access to your personal data and obtain a copy of it.

- Rectification (Art. 16): Request correction of any inaccurate or incomplete data.

- Erasure β€” "Right to be Forgotten" (Art. 17): Request the deletion of your data when it is no longer necessary for the purposes for which it was collected.

- Restriction of processing (Art. 18): Request a temporary suspension of data processing under specific circumstances.

- Data portability (Art. 20): Request the transfer of your data to another service provider in a structured, commonly used, machine-readable format.

- Right to object (Art. 21): Object to the processing of your data for direct marketing or on grounds relating to your particular situation where processing is based on legitimate interests.

- Withdraw consent (Art. 7(3)): Withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

- Rights related to automated decision-making (Art. 22): Not be subject to a decision based solely on automated processing that produces significant effects, and to request human review.


To exercise any of these rights, please contact us at support@getkombo.ai. We will respond within one month of receiving your request, as required by GDPR.

If you are not satisfied with our response, or if you believe your personal data has been processed unlawfully, you have the right to lodge a complaint with the Spanish Data Protection Authority:

Agencia EspaΓ±ola de ProtecciΓ³n de Datos (AEPD) Website: www.aepd.es Address: C/ Jorge Juan, 6, 28001 Madrid, Spain


Third-Party Tools and Services

We use the following third-party tools on our website and platform. Each processes personal data subject to its own privacy policy and GDPR compliance documentation.

Analytics

- Google Analytics (GA4) β€” Web analytics service provided by Google LLC. Collects anonymised browsing behaviour, device and browser data, and approximate location via IP address. Data is transferred to the US under SCCs. Google Analytics is only loaded where you have provided consent via our cookie banner. IP anonymisation is enabled. Privacy Policy

- PostHog β€” Product analytics tool used to understand how users interact with our platform. Collects events, session data, and user properties. We use PostHog's EU cloud hosting where possible to limit cross-border transfers. Privacy Policy

- Mixpanel β€” Product analytics platform that tracks user events and behaviour within our application. Data is transferred to the US under SCCs. Privacy Policy

Customer Support and Communication

- Intercom β€” Live chat and customer support tool. When you interact with our chat widget, Intercom collects your name, email address, chat transcripts, and device/browser metadata. Intercom offers EU data hosting, which we use where available. Privacy Policy

- WhatsApp (Meta) β€” We offer a WhatsApp chat widget for customer enquiries. WhatsApp is operated by Meta Platforms, Inc. (United States). When you initiate a WhatsApp conversation, your phone number and message content are processed by Meta under its own privacy policy. KOMBO AI does not control Meta's data practices. By using the WhatsApp widget, you acknowledge that your data will be processed by Meta in accordance with WhatsApp's Privacy Policy. We recommend reviewing it before use.

Scheduling

- Calendly β€” Meeting scheduling tool. When you book a meeting via our Calendly link, your name, email address, timezone, and scheduling preferences are shared with Calendly and transferred to the US under SCCs. Privacy Policy

Payments

- Stripe β€” Payment processing. Stripe collects and processes payment card details, billing address, and transaction metadata. KOMBO AI does not store full card numbers. Privacy Policy


Where any of these tools require consent under GDPR (e.g. analytics cookies), we obtain that consent through our cookie banner before activating them. You can withdraw consent or manage your preferences at any time via our Cookie Policy.


Security Measures

KOMBO AI implements technical and organisational security measures aligned with industry standards β€” including the ISO/IEC 27001 information security framework and SOC 2 Trust Service Criteria [placeholder β€” update once certifications are obtained or in progress] β€” to protect your personal data from unauthorised access, alteration, disclosure, or destruction.

Our measures include, but are not limited to:

- Encryption of data in transit (TLS) and at rest.

- Role-based access controls limiting data access to authorised personnel only.

- Regular security risk assessments and vulnerability management.

- Formal incident response and data breach notification procedures.

- Confidentiality obligations for all personnel with access to personal data.

- Contractual data protection requirements imposed on all sub-processors.


In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34. We will also notify the AEPD within 72 hours where required under GDPR Article 33.


Children's Data

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at support@getkombo.ai and we will delete it promptly.


Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, practices, or legal requirements. When we make significant changes, we will notify you by email or by posting a prominent notice on our website. The latest version will always be available at www.getkombo.ai/privacy-policy. The date at the top of this policy indicates when it was last revised.


Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Email: support@getkombo.ai

Post: KOMBOAI TECHNOLOGIES S.L., Carrer de Zamora 65, Sant MartΓ­, 08005 Barcelona