Skip to content

kyu Privacy Policy 

Last Updated: January 2026

1. General Information
The controller responsible for the processing of your personal data is:

kyu Investment, Inc. 395 Hudson Street 8th Floor New York, NY 10014 USA

General contact: kyucollective@​kyu.​com

Data Privacy Officer (DPO) E‑mail: datainquiries@​kyu.​com

This Privacy Policy explains how we collect, use, store, and share personal data when you visit our website, subscribe to our newsletter, contact us, register for events, or attend our public events.

Where this Privacy Policy refers to specific legal bases under the General Data Protection Regulation (GDPR), those references apply only to individuals whose data is subject to the GDPR or the UK GDPR, i.e. users accessing our website from within the European Economic Area (EEA) or the United Kingdom (UK).


2. Means of Collection
We collect personal data that you provide directly to us (through our website or through other communication channels), as well as information your devices provide to us automatically.


3. Provision of the Website
When you visit our website, we automatically process certain technical information required to display the website and ensure its stability and security, including your IP address, the date and time of your request, the HTTP status code, the referring website (referrer URL), your browser type and version, your operating system, and the hostname of your device. California residents, this data may include commercial information and internet or other electronic network activity information.

The processing is based on our legitimate interest in operating a secure and reliable website (Art. 6(1)(f) GDPR).

Server logs are typically retained for up to 30 days, unless a longer retention is necessary for security or incident investigation.


4. Cookies and Similar Technologies
Our website uses cookies and similar technologies. Details are accessible via the cookie banner on the site.


5. Contact Forms
You may contact us through forms on our website for business development, partnership enquiries, or general questions. When doing so, we process the following categories of data: your name, email address, the content of your message, and any other information you voluntarily provide. California residents, this data may include identifiers, data described in California’s Consumer Records Statute, commercial information, and inferences. The processing is necessary to respond to your request, manage business development communications, and maintain relationships with prospective partners.

The legal basis for this processing is our necessity to carry out pre-contractual communications (Art. 6(1)(b) GDPR) and our legitimate interest in efficient communication (Art. 6(1)(f) GDPR).

We generally delete this after your enquiry has been resolved, unless a longer retention period is justified or required by law.


6. Newsletters
You may subscribe to our newsletter by providing your name and email address and confirming your consent. We use your data to send you regular updates about our company and offers. The subscription process includes a double opt-in procedure; you will receive a confirmation email to verify your email address. The legal basis is your consent (Art. 6(1)(a) GDPR).

Where legally permitted, we may also send newsletters to existing customers without separate consent, provided that (1) we have obtained your email address in connection with the sale of a product or service, (2) we use your address solely for direct marketing of our own similar products or services, (3) you have not objected to this use, and (4) we clearly inform you, both when collecting your address and with every marketing message, that you may object to the use of your address for such purposes at any time, free of charge other than your mobile phone company’s or ISP’s usual charges. The legal basis for existing customers under the above conditions is our legitimate interest (Art. 6(1)(f) GDPR).

Your data is retained until you unsubscribe. You can unsubscribe at any time using the link provided in each newsletter or by contacting us directly. For the distribution and management of our newsletters, we engage Mailchimp, a US-based newsletter delivery platform operated by Intuit Inc. Mailchimp processes personal data on our behalf under a data processing agreement, in accordance with applicable data protection laws. Personal data is processed according to our instructions.

To improve our newsletter and tailor our content to your interests, we evaluate certain technical data with each newsletter sent (e.g., information about whether and when the newsletter was opened, and which links were clicked). Mailchimp provides us with corresponding analytical reports, which help us optimize our communications and technically improve the newsletter service. This analytical processing serves to optimize our communication and is based on our legitimate interest (Art. 6(1)(f) GDPR). An individual analysis of user behavior does not take place.


7. Event Registrations
You can register for public or private events hosted by kyu. When you register, we process your name, email address, company or affiliation, and, if provided, your job title, event-specific preferences or information, as well as any other voluntary details you share. California residents, this data includes identifiers, commercial information, and professional information. This data is used to manage your registration, organize event logistics, communicate important information before and after the event, and maintain records of participation.

The legal basis for processing is the necessity for the performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interest in hosting and organizing events (Art. 6(1)(f) GDPR).

Where relevant, event registration data may be shared with event partners or affiliated kyu companies for the purposes of event logistics and communications. Such sharing is based on our legitimate interest in hosting and organizing events. Partners receiving data are required to handle it in accordance with applicable data protection laws.

Your event registration data is generally retained for up to 12 months, unless a longer retention period is required for legal compliance reasons.


8. Recordings at Public Events
At certain public kyu events, including kyu House and other public gatherings, we may capture photo, video, and audio recordings. California residents, this data may include audio, electronic or video information. These recordings may be used for print media, online publications, newsletters, website content, social media channels, and other promotional materials for kyu, its affiliates, sponsors, or designees.

The legal basis for processing such recordings is our legitimate interest in documenting and promoting our events in accordance with our legitimate interests (Art. 6(1)(f) GDPR). Where required by local law, processing is also based on your consent (e.g. Art. 6(1)(a) GDPR). By attending a public kyu event, you consent to the use of photographs and recordings of you (including your voice, image, or likeness) in the media and for the purposes described above. If you do not wish to be photographed or recorded, please inform our staff on site, we will make reasonable efforts to accommodate your request.

Recordings may be stored for an extended period for archival or documentation purposes.


9. Processing for Legal Obligations
We may process your personal data where this is necessary to comply with legal obligations to which we are subject. Such obligations may include, for example, requirements relating to record-keeping, tax, reporting, regulatory compliance, or responses to legal requests.


10. Sources of Personal Data
In certain cases, we may obtain personal data from sources other than directly from you. These sources may include, for example, publicly available registers, affiliated companies, service providers and business partners (including LinkedIn and other subsidiaries). Where applicable, we will inform you separately about the specific sources, types of data obtained, and the context of such collection.


11. Processing of Applicant Data
When you apply for a position with us, we process your application data (including your name, contact details, qualifications, and any other information you submit) for the purpose of reviewing your application and assessing your suitability for the role (Art. 6(1)(b) GDPR). Where necessary, your application data may be shared with others, such as service providers supporting the application process, always under appropriate safeguards and in accordance with applicable data protection laws.

Your data is used to manage and carry out the recruitment process and will only be retained as long as necessary for these purposes.


12. Data Recipients
In certain cases, it may be necessary to share some of the personal data referenced above with third parties for the purposes described in this Privacy Policy. Categories of recipients may include, for example:

  • Affiliated companies and group entities
  • External service providers
  • Consultants such as auditors, legal counsel, or tax advisers
  • Public authorities, regulatory bodies, and courts where required by law

Based on the purpose the data sharing may be required for the performance of a contract with you (Art. 6(1)(b) GDPR), where required by law (Art. 6(1c)GDPR), or where disclosure serves our legitimate interests (Art. 6(1)(f) GDPR). US residents, we do not sell” personal data or share it for targeted advertising.

Data will only be shared in accordance with applicable legal requirements. If a third party processes personal data on our instructions and for our purposes, we ensure appropriate safeguards, e.g. by concluding a data processing agreement.


13. International Data Transfers
We and our service providers may access, store and otherwise process personal data outside of the jurisdiction in which you are located (including, for residents of the Province of Québec, outside of Québec), including in Canada, the United States, United Kingdom, and any other foreign jurisdictions.

Please note that data processed in other countries may be subject to foreign laws and may be accessible to the governments, courts, law enforcement, and regulatory authorities in those jurisdictions. However, when transferring your personal data to third countries, we will take appropriate measures to adequately protect your data.

For users in the EEA, if there is no adequacy decision by the EU Commission for the recipient country, your data will be protected by the conclusion of EU Standard Contractual Clauses with the recipient or through the implementation of binding internal data protection rules. Otherwise, a transfer will only take place if an exemption under Art. 49 GDPR applies.


14. Data Security and Retention
We have implemented administrative, technical and physical measures in an effort to safeguard the personal data in our custody and control against theft, loss and unauthorized access, use, modification and disclosure. We have controls in place that are designed to restrict access to personal data on a need-to-know basis to employees and authorized service providers who require access to fulfil their job requirements.

Unless otherwise specified in this Privacy Policy, we store your personal data for as long as is necessary for the purposes described herein. We will then delete your personal data unless we are legally permitted or required to retain it for a longer period (e.g., to comply with statutory retention obligations). After expiration of the retention periods, data will be securely deleted or anonymized.


15. Your Rights
Subject to exceptions under applicable law and depending on the jurisdiction in which you are located, you may have certain rights in respect of your personal data, such as those described below. In order to respond to your request, we may ask you to provide certain information for the purpose of verifying your identity.

  1. Right of Access
    You have the right to request information about and access to your personal data, including copies of such data. This also includes information about the purpose of processing, the categories of data being processed, the recipients and authorized persons who have access to the data, as well as, where possible, the intended retention period or, if not possible, the criteria used to determine that period.
  2. Refusal or Withdrawal of Consent
    Certain data processing operations are only possible with your express consent. You may refuse to give consent or withdraw your consent at any time. A simple informal communication by email to us is sufficient for this purpose. The lawfulness of any data processing carried out before your withdrawal remains unaffected.
  3. Rectification, Restriction, Deletion
    You have the right to have your personal data rectified, restricted, or deleted insofar as its use is impermissible under data protection law.
  4. Right to Data Portability
    You have the right to receive the data you have provided to us in a commonly used, structured, and machine-readable format, or to request the transfer of this data to another controller, where technically feasible.
  5. Automated Decision-Making Including Profiling
    You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. At present, kyu does not engage in any automated processing that gives rise to these rights.
  6. Right to Object
    You have the right to object to the processing of your personal data if we process your data for direct marketing purposes or if we process your data on the basis of our legitimate interests and you have reasons arising from your particular situation.
  7. Exercising Your Rights
    To exercise these rights, please contact: datainquiries@​kyu.​com
  8. Right to Lodge a Complaint
    If you believe that your rights have been infringed as a result of the processing of your personal data in a way that does not comply with data protection requirements, you have the right to lodge a complaint with the competent supervisory authority or other applicable regulator.

You can also complain to us directly by contacting us at datainquiries@​kyu.​com.


17. Information About our Privacy Governance Policies and Practices
We are committed to protecting personal data and have implemented a comprehensive set of policies and practices that govern our treatment of personal data. These policies and procedures include, among other things, the following:

  • We have implemented policies and procedures to protect personal data in our custody and control from unauthorized access, use or disclosure.
  • We have implemented processes to respond to data subject requests and complaints in a timely and effective manner.
  • As set out above, we have implemented a framework for the retention and destruction of personal data to ensure compliance with legal obligations, and to securely destroy personal data once no longer required.
  • We have designated a DPO who is responsible for overseeing the company’s compliance with privacy legislation.
  • We have implemented a privacy framework that defines the roles and responsibilities for our employees with respect to the treatment of personal data.
  • We provide our employees with regular privacy training and awareness.


18. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to comply with legal requirements or changes in our processing activities.


19. Contact Us
If you have questions about our personal data practices, including our use of service providers outside of your jurisdiction, please contact our DPO at datainquiries@​kyu.​com.