External Privacy Notice

1. Introduction

This Privacy Notice applies to the processing activities of Kaiko B.V. a private company with limited liability organized and existing under the laws of the Netherlands, having its registered address at Louwesweg 6 in (1066 EC) Amsterdam, and registered with the chamber of commerce under registration number 84155221, including its Zurich branch, having its registered address at Hardturmstrasse 11, 8005 Zurich, Switzerland, and registered with the commercial register of the Canton of Zurich under registration number CHE-445.930.110.

Kaiko B.V. (hereinafter: “Kaiko”, “we”, “us”, “our”) understands that your privacy is important and that you care about how your personal data is used. We respect and value your privacy and will only collect and use personal data in the manner and for the purposes as described in this document and that is consistent with our obligations and your rights under the applicable legislation and regulations.

This external Privacy Notice covers Kaiko’s business activities including but not limited to: customer & client management, financial administration, hiring & recruitment, and website administration. This external Privacy Notice does not cover:

Research involving patient data, for which we instead refer to “Privacy Notice for Participating Patients”.
Activities with respect to our employees, for which we instead refer to the Internal Privacy Notice, which we distribute to our employees.

For the context described above we may collect, hold, use and/or otherwise process personal data about you. Based on applicable data protection and privacy law (such as the laws and regulations set out in paragraph 2 below), we qualify as ‘the controller’ with respect to the personal data that we process in that context.

Attention: By using our services and/or our website and by sharing your personal data with us, you acknowledge that your personal data will be processed in the manner as described in this Privacy Notice.

Note: This does not constitute your ‘consent’ to the processing of your personal data. We do not process your personal data on the basis of your consent, unless specifically indicated.

2. What does this Privacy Notice cover and whose personal data do we process?

This Privacy Notice is intended to ensure compliance with European, Swiss and Dutch privacy legislation and regulations, including but not limited to, the General Data Protection Regulation (GDPR), the national implementation laws with respect to the GDPR, such as the Dutch Implementation Regulation (Uitvoeringswet Algemene verordening gegevensbescherming, UAVG) and the Swiss Federal Data Protection Act (DPA).

This external Privacy Notice is relevant for anyone whose personal data we may process in the context of our (business) activities, including but not limited to employees at, representatives of and/or (other) contact persons of our current and former contracting parties and/or business partners, job applicants, employee of and/or (other) contact persons of our current and former professional advisers, consultants and service providers, visitors of our website.

As mentioned above, this external Privacy Notice is not applicable to patients participating in our research projects. Please refer to our “Privacy Notice for Participating Patients”. Similarly, this Privacy Notice does not cover activities with respect to our employees, for which we instead refer to the Internal Privacy Notice, as distributed to our employees.

This Privacy Notice explains on what legal basis we may process your personal data and:

what personal data we collect;
for what purposes and how we may use/process such personal data;
how we collect the personal data;
how we store the personal data;
for what period we store the personal data; and
what your rights are under the applicable data protection and privacy legislation.

In view hereof, we encourage you to carefully read this Privacy Notice. From time to time, we may need to update this Privacy Notice. This may be necessary, for example, if the law changes or if we change our business in a way that affects the way we process personal data. The most recent version of this Privacy Notice will always be available on our website www.kaiko.ai. You may also ask us to send you a copy of the most recent version of this Privacy Notice.

In the event that the Privacy Notice will materially and/or substantially change, we will actively inform you of this change and provide you with the new version of the Privacy Notice.

Note: Where you provide personal data to us, which personal data relate to another individual than yourself (for example of the legal representative of the company you are representing), please provide the concerned individual with (a copy of) this Privacy Notice before providing us with his/her personal data.

3. What personal data do we collect and how do we collect this personal data?

If we collect your personal data, we may collect information about you in various ways:

Directly from you, for example when you provide us with your personal information by contacting us or when a contact person provides his/her personal data by email, by phone, on paper, or by means of a business card;
Directly from you when you visit our website https://www.kaiko.ai;
Directly from you, for example when you apply for a job with us (please see paragraph 6 for more information);
From third parties, for example where we obtain your contact details from companies we work with (in the course of our business activities), your employer and/or colleagues, external advisers, head-hunters, recruitment agencies;
Otherwise, for example, by consulting public sources/public records (e.g. your website, the trade register, branch associations or media), by own research and by contacting companies.

4. Legal grounds

The legal grounds used for our processing activities are:

The processing is necessary for the performance and execution of a contract with you;
The processing is necessary for compliance with legal obligations (including our obligations under applicable tax laws, our legal administration obligations, to cooperate with supervisory authorities);
The processing is necessary for our legitimate (business) interests.

If applicable laws require so, we will process your personal data upon your (explicit) consent. If any kind of processing is based on your consent, we hereby inform you that you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

5. What personal data do we collect and for what purposes do we use your personal data?

Personal Data	Purpose	Legal Ground
Names Contact details, including but not limited to addresses, telephone numbers and email addresses Position/job title Signatures Business/company information Excerpts of registers (public or not, for example excerpts from the Chamber of Commerce)	To identify you	1 and 2
Names Contact details, including but not limited to addresses, telephone numbers and email addresses Position/job title Signatures Business/company information Excerpts of registers (public or not, for example excerpts from the Chamber of Commerce)	In order to enter into and execute the agreement / services and the management of relationships resulting therefrom	2 and 3
Names Position/job title Business/company information	The execution of activities aimed at increasing/improving the Client database (e.g. informing employees or representatives of our business partners with new developments)	3
Names Position/job Other (personal) information you provide if you send us an email or fill out the contact form on our website	To contact you / to communicate with you, for example via email correspondence and/or telephone calls	1 and 3
Payment information/bank account details Names Signatures	Financial administration and tax administration purposes, to send you our invoices, to collect debts	1 and 2
Names Contact details, including but not limited to addresses, telephone numbers and email addresses Position/job title Signatures Business/company information Excerpts of registers (public or not, for example excerpts from the Chamber of Commerce) Payment information/bank account details	To deal with possible disputes, to establish, defend and exercise our (legal) position	3
Names Position/job title Business/company information	For purposes of business continuity	3

6. Job applicants

As part of your application process for a position within Kaiko, we will collect and process certain personal data relating to you. This paragraph explains how we collect and use your personal data as part of your application procedure and for what purposes we process your personal data. Please note that this information only relates to your application process. Once we have accepted your application, you will receive our internal employee privacy notice.

In the context of the application procedure, we may collect and process the following personal data relating to you:

Identification and contact details (e.g. name, date of birth, gender, place of birth, nationality, address, telephone number and email address);
Resume and (additional) education and/or employment history;
Professional certificates;
Appraisals;
References;
Information on your legal and disciplinary history;
Copy of an identification document (including a driver’s license, if and to the extent relevant for the position);
Social security number (Burgerservicenummer);
All other data relating to your work experience (if and insofar as relevant to the performance of work);
All other data you include in your letter and/or resume;
Government issued information, such as a copy of a residence permit or work permit (if applicable);
Results of assessments;
Information from your professional social media account(s);
Your response to interview questions; and
In the event that we decide to offer you a position, we may request a certificate of good conduct (Verklaring omtrent gedrag) to ensure suitability, integrity and reliability for the job.

We will only use your personal data as described above for the following purposes:

To determine whether you are suitable for, and meet, the relevant requirements for the position for which you are applying;
For our records;
To contact you and to communicate with you;
To enter into a contract with you; and
To prevent reassessment of applicants.

We will collect, process and disclose your personal data where we consider it necessary to perform pre-contractual steps for purposes related to your job application or in order to pursue our legitimate interest. We may sometimes ask for your explicit consent for a certain processing activity. If we process personal data based on your consent, please note that you may revoke your consent at any time by contacting us via the contact details in paragraph 14.

Your personal data may be obtained directly from you, from publicly available sources or, where appropriate with your consent from the following third parties:

Recruitment agencies or head-hunters;
Your referees and/or (other) past employers;
Teachers/providers of your education and/or training about your educational program and its completion; and
Assessment agencies.

We may share your personal information with third parties, such as service providers we contract and our professional advisors to draft your employment agreement, but only for the purposes as set out above. We ensure that, if applicable, appropriate measures are taken when we disclose your personal data to third parties. Please refer to paragraph 9.

In case you have accepted a position within Kaiko, we will include your application data in your employee file.

If you have not been offered or have not accepted a position within Kaiko, we will erase your data as soon as is reasonably possible after the job application procedure has ended. Generally, this will be a maximum period of three (3) weeks from the date the job application procedure has ended.

Your personal data will only be retained for a longer period if it is necessary for defending our interests in the context of judicial proceedings (e.g. in case of a dispute) or where necessary to comply with our legal obligations.

If you want us to store your personal information for a longer period so that we can contact you in the event of another vacancy that suits your profile, please indicate your consent to us for retaining your personal data for a one (1) year period. You may withdraw your consent at any time after which we will delete your personal data as soon as is reasonably possible.

For your other rights regarding your personal data, we kindly refer to paragraph 10 and 11.

7. How long will we keep your personal data?

We will not store or keep your personal data for a longer period than is necessary in light of the purposes for which we process them (we refer to the purposes as listed above in paragraph 5). Only where we are legally obliged to, or where this is necessary for defending our interests in the context of judicial proceedings, we will store the personal data for longer periods.

In general, the following storage periods apply:

Category of Personal Data	Storage Period
Name and contact details, job/position, signature	5 years after our contracting/business relationship ended.
Invoices and other financial documents	7 years after the date of the invoice.
Email	The data you send will be stored as long as the nature of the form or the contents of your email is required in order to fully answer and process them.
Job applicant data (as described in paragraph 6)	Your job applicant data will be stored for the duration of the application process. In case you are hired, we will keep this information for the duration of your employment (plus 7 seven years for audit purposes). If you are not a perfect match for the position, we may ask your consent to keep the job applicant data for 1 year. If we do not receive your consent, we will delete the job applicant data within 3 weeks after the end of the application process.

8. How do we protect your personal data?

We will implement the necessary administrative, technical and organizational measures for ensuring a level of security appropriate to the specific risks that we have identified. We protect your personal data against destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. To this end, we follow the security guidelines detailed in the ISO27001 standard. This includes measures such as: encryption of sensitive data, regular access right view, employees signing confidentiality agreements, etc.

Further, we seek to ensure that we keep your personal data accurate and up to date. However, you are responsible for this and we kindly request that you inform us of any changes to your personal data (such as a change in your contact details).

9. Do we transfer and/or share your personal data?

In the context of the purposes as listed above, we may share your personal data with third parties in the following situations:

We may share your personal data with our branch in Switzerland where necessary for us to carry out our activities and provide our services.
In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of insurers or a government authority such as data protection authorities.
We may engage third parties to process the personal data on our behalf (for example providers of certain IT applications that we use in the context of our activities, software developers, cloud providers, direct marketing professionals). We will enter into the required contractual arrangements with those parties to ensure lawful and fair processing of your personal data on our behalf.
We may share certain personal data with your employer or business contacts, with individuals or organisations who have a direct (contractual) relationship with us and other relevant private organisations (such as recruitment and assessment agencies and head-hunters).
We may also transfer personal data in the event of the sale or transfer of all or any part of Kaiko’s business with external advisors, auditors, (potential) buyers, government authorities, if this is required in the context of that transaction.

Where relevant, we will implement safeguards to ensure the protection of your personal data when disclosing your personal data to a third party. For example, we will enter into data processing agreements with relevant parties (providing for restrictions on the use of your personal data and obligations with respect to the protection and security of your personal data).

Some of the parties with whom we may share your personal data may be located in countries outside the European Economic Area (EEA), which countries may offer a lower level of data protection than within the EEA. This is for example the case in the following situation:

Kaiko is sharing some of its personal data with its office in Switzerland. In such case, we shall ensure that the international data of your personal data shall comply with the applicable data protection laws. As Switzerland is currently recognised by the European Commission as a country with an adequate data protection level. Therefore, personal data can flow from the EEA to Switzerland without any further safeguard being necessary. In other words, transfers to Switzerland will be assimilated to intra-EEA transmissions of personal data. For more information, please refer to https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518.

With the exception of the aforementioned transfer, Kaiko will generally not share your personal data as set out above with other parties located in countries outside the EEA. This may, however, be different in the event as described above. In such case, it shall be ensured that adequate measures are taken to ensure adequate protection of your personal data in accordance with applicable data protection legislation. You may contact us (as indicated in paragraph 14) if you wish to obtain a copy of the Standard Contractual Clauses entered into or insight in other adequate measures taken.

10. Can I access my personal data?

If you want to know what personal data we have of you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a ‘data subject access request’.

All such requests should be made in writing and sent to the email or postal addresses shown in paragraph 14 below. In principle, there is no charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make unnecessary repetitive requests) a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within one month after receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months after the date on which we received your request. In this case you will, of course, be kept fully informed of our progress.

11. What are your other rights?

Under certain circumstances you have the right to:

receive additional information regarding the processing of your personal data;
rectify your personal data;
the erasure of your personal data;
object to (part of) the processing of your personal data;
the restriction of (part of) the processing of your personal data; and
data portability (receive your personal data in a structured, commonly used and machine- readable format and to (have) transmit(ted) your personal data to another organization).

Finally, you have the right to lodge a complaint to the local data protection authority. With respect to the Netherlands, the Autoriteit Persoonsgegevens, address: Hoge Nieuwstraat 8, postal code 2514 EL, The Hague (or: Postbus 93374, 2509 AJ, The Hague), telephone no.: 070-8888 500, or via its complaint page (https://www.autoriteitpersoonsgegevens.nl/een-tip-of-klacht-indienen-bij-de-ap) on its website. With respect to Switzerland, the Federal Data Protection and Information Commissioner, address: Feldeggweg 1, postal code 3003, Bern, telephone no. 058 462 43 95, or via its 6 of 6 complaint page (https://www.edoeb.admin.ch/en/report-form-data-subjects) on its website. If you reside in another EU country, you may find the contact details of your local data protection authority here (https://www.edpb.europa.eu/about-edpb/about-edpb/members_en).

12. Automated decision making and profiling

We do not undertake any automated decision making or profiling.

13. Cookies

This website uses "cookies", which are text files placed on your computer, to help the website analyse how users use the website. We use this information to keep track of how you use the website, to compile reports on website activity and to offer other services relating to website activity and internet use.

There are different types of cookies. For example:

Necessary cookies
These are cookies that are needed to make the site work quickly and easily for a visitor. We use necessary cookies to be able to deliver the website to you. These cookies do not collect personal information about individual visitors.

Functional cookies
We use functional cookies to enable the correct functioning of the website, enable you to visit different pages and to ensure that the website is properly delivered to you. These cookies also provide insight into the use of the website. Such as, which pages are visited? When do visitors visit the website? These cookies only provide general information and no information about individual visitors.

Third party websites
Our website may refer to third party websites that may also use cookies. We have no control over the cookies used by these websites. Please see the privacy statement of that respective website if you require further information.

Deleting cookies
Cookies are stored on your computer and can be deleted at any time. Click on one of the links below to find out how to do this.

It is important to know that the use of cookies on our website is safe. Cookies do not result in spam or unwanted e-mails or phone calls. Our cookies are not used to build a personal profile.

14. Contact details

To contact us about anything related to your personal data and/or data protection, including exercising your data subject rights as discussed above in paragraphs 10 and 11, in particular your right to object, please use the contact details below:

For the attention of: Data Protection Officer
Email address: privacy@kaiko.ai
Postal Address: Kaiko B.V. Louwesweg 61066 EC Amsterdam

Last updated on the 16th of December 2025