
GDPR Compliance

How Kiofe protects your data rights under the General Data Protection Regulation.

Last updated: July 8, 2025

1. Our Commitment to GDPR

Kiofe B.V. is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). As a payment gateway registered in the Netherlands, we are subject to GDPR requirements and take our obligations seriously.

This page outlines how we comply with GDPR and how we help our merchants meet their own GDPR obligations when using Kiofe's payment services.

2. Our Role Under GDPR

Kiofe acts in the following capacities depending on the context:

Data Controller

For merchant account data, website visitor data, and our own business operations. We determine the purposes and means of processing.

Data Processor

For end-customer payment data processed on behalf of our merchants. We process data according to the merchant's instructions.

3. Your Rights Under GDPR

Under the GDPR, individuals within the European Economic Area (EEA) have the following rights regarding their personal data:

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you and information about how it is processed.

Right to Rectification (Article 16)

You can request the correction of inaccurate personal data or the completion of incomplete data.

Right to Erasure (Article 17)

You can request the deletion of your personal data, subject to legal retention obligations (e.g., financial regulations require us to retain transaction records).

Right to Restriction (Article 18)

You can request that we restrict the processing of your data in certain circumstances, such as when you contest its accuracy.

Right to Data Portability (Article 20)

You can request your data in a structured, commonly used, machine-readable format and have it transferred to another controller.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes at any time.

4. How We Protect Your Data

Kiofe implements comprehensive technical and organizational measures to protect personal data:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Strict role-based access with multi-factor authentication for all internal systems
  • Data Minimization: We only collect and process data that is necessary for the stated purpose
  • Regular Audits: We conduct periodic security assessments and penetration testing
  • Incident Response: We have a documented data breach notification procedure in compliance with Articles 33 and 34 of the GDPR
  • Staff Training: All employees receive regular data protection training

5. International Data Transfers

When personal data is transferred outside the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission for the receiving country
  • Binding Corporate Rules where applicable
  • Additional supplementary measures as recommended by the European Data Protection Board

6. Data Processing Agreements

When Kiofe acts as a data processor on behalf of merchants, we enter into Data Processing Agreements (DPAs) that comply with Article 28 of the GDPR. Our DPA includes:

  • Clear description of the nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the data controller (merchant)
  • Sub-processor management and notification requirements
  • Data breach notification procedures
  • Data deletion and return upon termination

Merchants can request a copy of our DPA by contacting privacy@kiofe.com.

7. Data Breach Notification

In the event of a personal data breach, Kiofe will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required under Article 33
  • Notify affected merchants without undue delay when Kiofe acts as a data processor
  • Notify affected individuals when the breach is likely to result in a high risk to their rights and freedoms, as required under Article 34
  • Document all breaches, including their effects and the remedial actions taken

8. Data Protection Officer

Kiofe has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance. You can contact our DPO for any data protection inquiries:

Data Protection Officer
Kiofe B.V., Keizersgracht 126, 1015 CW, Amsterdam

9. Supervisory Authority

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV The Hague, Netherlands

You may also lodge a complaint with the supervisory authority in your country of residence within the EEA.