K
Kermo
Sign inGet started

Last updated: 30 April 2026

Privacy Policy

This Privacy Policy explains how Kermo collects, uses, shares, and protects your personal data when you use our Service. We comply with the EU General Data Protection Regulation (GDPR) and the Ukrainian Law on Personal Data Protection.

1. Who We Are

Kermo is operated by an individual entrepreneur (ФОП) registered in Ukraine. We are the data controller for personal data you provide directly to us. For payment data, Paddle.com Inc. is the controller — see Paddle's privacy notice at paddle.com/legal/privacy.

For privacy questions or to exercise your rights, contact privacy@kermo.app.

2. Data We Collect

Account data: name, email, password (hashed), preferred language, profile photo (optional).

Company data: company name, branches, VAT number (if provided for B2B billing), subscription plan.

Operational data: vehicles, drivers, transfer records, inspections, incidents — entered by you to operate your fleet.

Usage data: log of actions taken in the Service (audit log), IP address, device/browser type for security and debugging.

Communication data: emails you send to us, support requests.

3. Why We Process Your Data (Lawful Basis)

  • Contract (Article 6(1)(b) GDPR): to provide the Service you signed up for — most processing falls under this.
  • Legitimate interest (Article 6(1)(f)): security, fraud prevention, service improvement, basic analytics.
  • Consent (Article 6(1)(a)): non-essential cookies, marketing emails (you can withdraw at any time).
  • Legal obligation (Article 6(1)(c)): tax records, fraud reporting if required by law.

4. Who We Share Data With

We share data only with the following sub-processors, all of whom act on our instructions:

  • Paddle.com Inc. — payment processing, VAT compliance, invoicing (USA / UK).
  • Resend — transactional email delivery (USA).
  • Vercel Inc. — application hosting (USA / EU).
  • Cloud storage providers — file uploads (vehicle photos, incident photos). Currently AWS S3-compatible storage.

We do not sell your personal data. We do not share it with advertisers or data brokers.

5. International Transfers

Some of our sub-processors are located outside the EU/EEA. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for these transfers, and we ensure equivalent levels of protection.

6. How Long We Keep Data

  • Account data: while your account is active, plus 30 days after deletion.
  • Operational data (vehicles, drivers, etc.): while you maintain those records, or per your retention settings.
  • Audit log: 12 months from the action date.
  • Billing records: retained as required by Ukrainian and applicable EU tax law (typically 3-7 years).
  • Communication data: 24 months from last contact.

7. Your Rights

Under GDPR you have the right to:

  • Access your personal data — request a copy from your account settings or by emailing us.
  • Rectify inaccurate data — most fields can be edited directly in the app.
  • Erase your data — "Delete account" in account settings, or email us.
  • Restrict or object to processing.
  • Port your data — receive your data in a structured, machine-readable format.
  • Withdraw consent for any consent-based processing.
  • Lodge a complaint with a supervisory authority (e.g. your local DPA, or the Ukrainian Ombudsman).

To exercise any right, email privacy@kermo.app. We respond within 30 days.

8. Cookies

We use cookies for authentication, language preference, branch context, and theme. We do not use third-party tracking or advertising cookies. See our Cookie Policy for full details.

9. Children

Kermo is not intended for users under 18. We do not knowingly collect data from minors.

10. Security

We implement reasonable technical and organisational measures to protect your data, including TLS encryption in transit, password hashing, principle-of-least-privilege access controls, and audit logging. No system is 100% secure; we will notify affected users and competent authorities of any data breach within 72 hours of discovery, as required by GDPR Article 33.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before they take effect.

12. Contact & Complaints

Privacy contact: privacy@kermo.app
Supervisory authority for EU residents: your national Data Protection Authority.
Supervisory authority for Ukrainian residents: Office of the Ombudsperson of Ukraine.