1. Data Controller
The controller of your personal data is Kornify (hello@kornify.ai). We determine the purposes and means of processing personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable local data protection laws.
2. Data We Collect
Standard data: name, phone number, email, clinic name — when you register or fill out forms on our website.
Technical data: IP address, browser type, operating system — automatically when visiting the site.
Call data: duration, conversation content, outcome (appointment booking, reminders) — when using the AI assistant.
Health data (special category, Art. 9 GDPR): visit information, diagnoses, treatment plans — when using the transcription module and clinic CRM integration.
3. Legal Basis for Processing
We process your data based on: contract performance (Art. 6(1)(b) GDPR) — to provide Kornify platform services; consent (Art. 6(1)(a) GDPR) — for marketing communications; legitimate interest (Art. 6(1)(f) GDPR) — for service improvement and security; provision of healthcare (Art. 9(2)(h) GDPR) — for processing health data within clinic services. You may withdraw consent at any time by contacting hello@kornify.ai.
4. Sub-processors
We engage the following sub-processors: Supabase Inc. — database hosting, server in Frankfurt (Germany, EU), data does not leave the EU; Retell AI Inc. — voice AI assistant, US servers, data transfer based on EU Standard Contractual Clauses (SCCs), call recordings are automatically deleted within 10 minutes after processing; Resend Inc. — email delivery. We have a Data Processing Agreement (DPA) with each sub-processor in accordance with Art. 28 GDPR.
5. International Data Transfers
Voice data is processed by Retell AI on US servers. This transfer is carried out under EU Standard Contractual Clauses (SCCs) approved by the European Commission. We minimize transferred data: call recordings are not stored on Retell AI servers and are automatically deleted within 10 minutes after the call ends. All other data is stored exclusively on EU servers (Frankfurt, Germany).
6. Data Retention
Account data (name, email, phone) — for the duration of the contract and 90 days after termination.
Call data (transcriptions, notes) — for the duration of the contract, deleted upon clinic request.
Website form data (leads) — 12 months from last contact.
Technical data (logs) — 30 days.
Health data — in accordance with the legislation of the clinic's country.
7. Your Rights
Under GDPR, you have the following rights: access to your data (Art. 15); rectification of inaccurate data (Art. 16); erasure of data (Art. 17); restriction of processing (Art. 18); data portability (Art. 20); objection to processing (Art. 21). We will respond to your request within 30 days. To exercise your rights, contact hello@kornify.ai.
8. Right to Complain
If you believe the processing of your data violates legislation, you have the right to lodge a complaint with a supervisory authority: in Poland — Urząd Ochrony Danych Osobowych, UODO (uodo.gov.pl); in Ukraine — the Ukrainian Parliament Commissioner for Human Rights (ombudsman.gov.ua); or the supervisory authority in your country of residence.
9. Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of discovery (Art. 33 GDPR). If the breach poses a high risk to your rights, we will also notify you directly (Art. 34 GDPR).
10. Cookies
We use only functional cookies for authentication and service operation (session cookies). We do not use advertising, analytics, or third-party cookies. See our Cookie Policy page for details.
11. Changes to This Policy
We may update this policy. We will notify you of significant changes via email or the platform interface 14 days before they take effect.
12. Contact
For privacy and data protection inquiries: hello@kornify.ai