Privacy policy

Privacy policy for Kimaa AS

1. Introduction to Kimaa AS

Kimaa AS (referred to as "Kimaa", "we", "us" or "our") is committed to protecting the privacy of our users. This privacy policy explains how we collect, use and protect your personal data when you use our services. We comply with the principles of the EU General Data Protection Regulation (GDPR) and other applicable Norwegian privacy laws, including the Personal Data Act.

1. Data controller

Kimaa AS

Organization number: 931 985 019

Address: Møllergata 6, 0179 Oslo, Norway

E-mail: mail@kimaa.no

Kimaa AS is the data controller for the processing of your personal data.

2. Data we collect

When you register and use the Kimaa app, we ask you to provide the following personal data:

  • Name - to identify you and customize your experience.

  • Email address - for account creation, communication and important updates.

  • Mobile number - for any communication and security purposes.

  • Language preference - to provide you with a localized user interface.

  • Company affiliation - to connect your account to your organization and enable collaboration.

  • Role in the company related to ESG reporting - to understand your role and adapt our services to your needs.

  • Kimaa app usage statistics - we collect aggregated and anonymized app usage data to improve our services, features and user experience. This includes information about how often you use certain features, but does not identify you personally.

If you voluntarily provide additional data (e.g. profile information, uploaded documents or messages), this will also be processed in accordance with this Privacy Policy.

3. Legal basis for processing

We process your personal data on the basis of one or more of the following legal bases under the GDPR:

  • Performance of contract (Article 6(1)(b)) - in order to provide and maintain your Kimaa account and give you access to our services.

  • Legal obligation (Article 6(1)(c)) - to comply with laws and regulations (such as accounting or reporting requirements).

  • Legitimate interest (Article 6(1)(f)) - to improve our services, ensure system security and prevent abuse or fraud.

  • Consent (Article 6(1)(a)) - when you expressly consent to optional uses of data, such as receiving marketing communications.

4. How we use your data

We use the data we collect for the following purposes:

  • To provide and maintain our services (including creating and managing your account).

  • To communicate with you (for example, via email or SMS with important updates or customer support).

  • To personalize your experience (based on your name and language preferences).

  • To improve our services using anonymized and aggregated usage data.

  • To ensure security and prevent fraud.

  • To comply with legal obligations.

We will not use your data for purposes that are incompatible with those described above.

5. Sharing and disclosure of data

We will not share your personal data with third parties, except in the following cases:

  • With your explicit consent - we only share data when you have given permission to do so.

  • With service providers (data processors) - we may use trusted third-party providers for data storage or IT and infrastructure services. These include Amazon Web Services (AWS), which provides secure cloud storage and data hosting. All service providers are bound by data processing agreements and are not authorized to use the data for purposes other than those we instruct them to carry out.

  • With your company - administrators from the company you are affiliated with may have access to your account and usage data for the purposes of ESG reporting and administration.

  • For legal reasons - if required by law, regulation or legal process, or to protect our rights, property or safety, or the rights, property or safety of others.

6. International data transfers

Your personal data is stored and processed using Amazon Web Services (AWS). AWS primarily processes data within the EU/EEA, but may also transfer data outside the EEA (for example to the USA).

When data is transferred outside the EEA, we ensure an adequate level of protection by relying on:

  • The European Commission's Standard Contractual Clauses (SCCs), or

  • Other legally recognized transfer mechanisms that safeguard data protection.

7. Data security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure or destruction. This includes encryption, access control and secure storage through the AWS cloud solution.

8. Storage of data

We retain your personal data for as long as your account is active or as long as it is necessary to provide our services. When your account is deleted, your data will be deleted or anonymized within 90 days.

We may retain some data for a longer period of time if the account is not deleted. This is to fulfill legal obligations and to ensure that the account and data are not deleted prematurely. Since ESG reporting takes place once a year, we will retain data for five (5) years in case of inactivity. When the user has been inactive for five years, the data will be deleted or anonymized.

9. Your rights under GDPR

You have the following rights when it comes to your personal data:

  • Right to information - to know how your data is used (this privacy policy fulfills this purpose).

  • Right of access - to request a copy of the personal data we hold about you.

  • Right to rectification - to correct inaccurate or incomplete data.

  • Right to erasure ("the right to be forgotten") - to request that your data is deleted under certain conditions.

  • Right to restriction of processing - to request that we restrict the processing of your data.

  • Right to data portability - to request to receive your data in a structured, machine-readable format.

  • Right to object - to object to processing based on legitimate interest or marketing.

  • Rights related to automated decision-making and profiling.

To exercise any of these rights, please contact us at mail@kimaa.no.

If you believe that your data has been processed in violation of the law, you have the right to submit a complaint to the Norwegian Data Protection Authority via www.datatilsynet.no.

10. Cookies and tracking technologies

The Kimaa app and website may use cookies or similar technologies to ensure proper functionality and improve the user experience. We do not use cookies or tracking technologies for advertising, profiling or other purposes that may be considered harmful to the user.

Cookies are only used to:

  • Enable basic functionality of the Kimaa platform.

  • Remember language preferences and login status.

  • Collect anonymized statistics to help us improve performance and usability.

You can control or delete cookies at any time through your browser settings.

11. Children's data

Our services are not intended for persons under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor without parental or guardian consent, we will delete the data immediately.

12. Changes to this privacy policy

We may update this privacy policy from time to time. We will notify you of material changes by publishing the new version in the Kimaa App or on our website, indicating the date of the last update.

Last updated: 03.03.2026

13. Contacting us

If you have any questions or concerns about this privacy policy or our data practices, please contact us at:

Kimaa AS
Møllergata 6
0179 Oslo
Norway

Email: mail@kimaa.no