Kinde
Kinde (Kinde Australia Pty Ltd) is an Australian-based developer platform, headquartered near Byron Bay, New South Wales, combining authentication, access management, billing, and feature management for SaaS products and AI applications. Founded for SaaS founders and product teams, the platform serves thousands of businesses globally, providing developer infrastructure for B2B and B2C authentication, user management, organization management, role-based access control, feature flags, billing integration with Stripe Connect, and custom workflows. Operating under a clear controller-processor distinction, Kinde acts as data processor for end-user authentication data (individuals signing into customer applications) while customers maintain the controller role, determining authentication methods, user access policies, and data retention. For customer account information (developer accounts managing the Kinde platform), Kinde acts as independent controller. A Data Processing Agreement, available upon request from [email protected], establishes processor obligations including compliance with GDPR, UK GDPR, CCPA/CPRA, and other international and US state privacy laws. The DPA incorporates Standard Contractual Clauses and the UK International Data Transfer Agreement for GDPR-compliant international transfers, though the specific SCC version is not disclosed in public documentation. Compliance certifications include ISO 27001:2022 certified by Compass Assurance Services (public listing available on the JASANZ certified organizations register and the IAF CertSearch register), SOC 2 Type II in progress (consistent with the typical SaaS maturity trajectory), HIPAA compliance with a Business Associate Agreement available upon request from support, CCPA/CPRA compliance, and a Cloud Security Alliance Consensus Assessments Initiative Questionnaire Level 1 self-assessment submitted to the public STAR registry. The privacy framework follows the Australian Privacy Act 1988 (Cth) with additional protections for EU/EEA/UK individuals under GDPR. 
Data Protection Officer contactable via [email protected]. Infrastructure hosting not comprehensively disclosed though platform available through AWS Marketplace suggesting potential AWS infrastructure. Pricing structure includes Free plan (10,500 monthly active users with no credit card required, includes authentication, organizations, feature flags, workflows), Starter, Growth, Pro, Scale, and Enterprise tiers with volume discounts and dedicated infrastructure options. Business model based on monthly active user subscriptions and paid customer billing (customers paying through Kinde billing features do not count toward MAU allowance per no-double-dipping policy) not selling personal data according to explicit Privacy by Design commitment. Platform features include comprehensive authentication options (password, passwordless, social login from dozens of providers including Google/Facebook/Apple/GitHub, SAML SSO, MFA with TOTP/SMS/authenticator apps, passkeys, machine-to-machine authentication), advanced organization management for multi-tenant B2B businesses (hierarchical structures, default roles, email domain-based auto-assignment), role-based access control with custom permissions, feature flags for release management integrated with authentication, Stripe Connect billing integration for subscriptions and entitlements, workflows written in TypeScript/JavaScript synced to Git repositories, custom authentication pages with full HTML/CSS/JavaScript control, webhooks for event-driven integrations, and audit logs providing visibility into user authentication activity. Data collected deliberately minimized following Privacy by Design principle—authentication typically collects first name, last name, and email address with potentially less information depending on social provider integration (some providers only provide email or custom identifier without revealing personal details). 
Technical and organizational measures include encryption for data in transit and at rest, access controls, incident response procedures, Data Protection Impact Assessments completed for key processing activities, Records of Processing Activities maintained per GDPR Article 30, and privacy surveys conducted across departments identifying personal data handling. A subprocessor list is not publicly maintained; customers requiring detailed subprocessor documentation should request it via [email protected].
Kinde is developer platform founded for SaaS founders and product teams, headquartered in Australia (Kinde Australia Pty Ltd) with co-founders including Dave Berner based near Byron Bay, New South Wales. According to company mission, Kinde aims to create world with more founders by reinventing way software companies get started, enabling founders to authenticate users safely without building complicated infrastructure.
According to platform positioning, Kinde addresses complete authentication and authorization challenge that B2B SaaS teams face by combining auth, feature flags, organizations, billing entitlements, and workflows in single platform rather than requiring multiple vendor integrations. This unified approach means teams implement authentication once and receive infrastructure for entire customer management system.
Service capabilities according to documentation include authentication (comprehensive options spanning password-based login, passwordless authentication via magic links and one-time codes, social login supporting Google, Facebook, Apple, GitHub and dozens of other providers, enterprise SSO with SAML 2.0, OIDC support, multi-factor authentication with TOTP, SMS, or authenticator apps, passkeys for phishing-resistant biometric authentication, mobile authentication flows, machine-to-machine authentication for backend services and APIs), organization management (multi-tenant architecture supporting B2C and B2B+ business models, hierarchical organization structures enabling users belonging to multiple organizations with different roles in each, email domain-based auto-assignment to organizations simplifying onboarding, default role assignment when users join organizations automating access management, organization-level custom domains and branding customization enabling white-label experiences), role-based access control (custom role definitions, granular permission assignments, role-based feature access integrated with feature flags, permission checks via API and SDKs), feature flags (release management controls for gradual rollouts, role-based feature targeting, A/B testing capabilities, environment-specific configurations, integration with authentication layer eliminating separate feature flag vendor), billing integration (Stripe Connect integration for subscription management, plan configuration and entitlements, automated billing workflows, usage-based billing support, managing paid customer relationships), workflows (custom logic execution written in TypeScript and JavaScript, Git repository integration syncing workflow code, first-party access to Kinde properties, roles, permissions, feature flags, environment variables, extensible auth flows for custom business logic at any authentication stage), and customization (hosted authentication with full HTML/CSS/JavaScript control, custom authentication pages matching brand identity, beautiful default UI requiring no coding, support for most languages, webhook events for integrations with external systems like Salesforce, Mailchimp, Slack, Zapier).
The data controller-processor relationship according to Privacy Policy and GDPR guidance documentation establishes clear distinctions. For end-users authenticating into customer applications, Kinde acts as processor on behalf of customer controllers. According to an explicit statement in the GDPR documentation, customers are the data controller while Kinde is the data processor on behalf of customers. With respect to the authentication product, Kinde processes personal data including first name, last name, and email address, with potentially less information depending on authentication integration type (some social providers only provide an email or custom identifier without revealing personal details). Consent for this processing is part of the terms between data subjects and Kinde customers.
For customer account information (developer teams managing Kinde platform, configuring authentication, accessing dashboard), Kinde acts as independent controller collecting data necessary to provide developer platform services, process billing, deliver support, and maintain security.
According to the compliance framework, Kinde is built from the ground up using best-in-class security protocols, with security at the centre of everything it builds. Compliance certifications include ISO 27001:2022 certified by Compass Assurance Services, maintaining an Information Security Management System with a dedicated internal security team (public listing available on the JASANZ certified organizations register and the IAF CertSearch register, certificate downloadable via documentation), a SOC 2 examination in progress with a report intended to meet the needs of a broad range of users requiring detailed information about controls relevant to security, availability, processing integrity, confidentiality, or privacy (typical maturity trajectory for SaaS companies), HIPAA compliance supporting customers as Business Associate with a BAA available upon request from the support team for healthcare applications processing Protected Health Information, CCPA/CPRA compliance giving consumers control over personal information collected, and a CSA CAIQ Level 1 self-assessment submitted to the Cloud Security Alliance public STAR registry.
From privacy framework perspective, Privacy Policy takes into account requirements of Australian Privacy Act 1988 (Cth). Additionally, individuals located in EU/EEA have rights under GDPR 2016/679 and individuals in UK have rights under UK GDPR and Data Protection Act 2018. Privacy Policy details additional rights for EU and UK individuals as well as information on processing personal information of individuals in EU and UK.
Privacy by Design principle embedded as core product principle according to documentation. In this effort, Kinde made commitment to never sell customer data. Privacy-related checks included throughout software lifecycle ensuring Kinde collects bare minimum amount of personal data necessary to successfully run product. This data minimization approach reflected in authentication typically collecting only first name, last name, and email with some integrations collecting even less.
According to Data Protection Officer governance, Kinde nominated DPO internally with core responsibilities including ensuring Kinde aware of and trained on all relevant privacy obligations, conducting audits to ensure compliance, addressing potential issues proactively, and acting as liaison with public on privacy matters. DPO contactable via [email protected].
Pricing structure according to tiers includes Free plan (10,500 monthly active users with no credit card required, unlimited emails and SMS, comprehensive authentication including passwordless and social login, organizations, feature flags, workflows, custom pages, audit logs—notably generous compared to competitors charging for basic features), Starter, Growth, Pro, and Scale plans with volume-based pricing, and Enterprise custom pricing with dedicated infrastructure, migration support, SLAs, priority support through Kinde Care add-on. Importantly, paid customers on customer's own billing plans do not count toward MAU allowance per no-double-dipping policy preventing duplicate charges.
Integration ecosystem according to SDKs and documentation includes over 20 SDKs covering Next.js, React, Vue, Angular, Express, Django, Laravel, Go, and other frameworks, single library per integration eliminating multiple dependencies, unified architecture meaning integrate once and new features become available automatically, migration tools supporting imports from Auth0, Firebase, Cognito and other providers with free migration assistance, webhooks for event-driven workflows, and API for programmatic management.
Kinde data collection framework follows Privacy by Design principle deliberately minimizing data collected to bare minimum necessary for authentication functionality. According to Privacy Policy and GDPR guidance, following data categories apply distinguishing between customer account data (controller role) and end-user authentication data (processor role).
Customer Account Information (Controller Role): For developers and teams using Kinde platform, according to Privacy Policy, Kinde collects as independent controller customer registration data (name, email address, company name, contact information for account administrators), account credentials (password stored securely, API keys generated for programmatic access, authentication tokens for dashboard sessions), billing information (processed through third-party payment processors for Kinde subscription charges, billing addresses, tax information, subscription tier, transaction history for platform usage), platform configuration data (authentication settings, organization structures configured, roles and permissions defined, feature flag configurations, workflow code synced from Git repositories, custom page HTML/CSS/JavaScript, webhook endpoint URLs, branding customizations), usage and analytics data (monthly active user counts, authentication volumes, feature adoption metrics, API usage patterns, dashboard activity, error logs), support interactions (support tickets submitted, email correspondence with Kinde support team, problem descriptions and resolutions, live chat transcripts), and authentication activity (login timestamps for customer accounts accessing Kinde dashboard, IP addresses for security monitoring, device information and user agents, session identifiers).
End-User Authentication Data (Processor Role): When individuals authenticate into customer applications via Kinde, according to processor framework and data minimization principle, Kinde processes on behalf of customer controllers end-user information including email addresses provided during signup (required for most authentication methods), first name if collected (may not be required depending on authentication method chosen by customer), last name if collected (may not be required depending on authentication method), profile photos if provided via social login or upload, authentication method used (password, passwordless, social provider, SSO, passkey), social provider identifiers if using social login (Google ID, Facebook ID, Apple ID, GitHub ID—these are pseudonymous identifiers, not full social profiles), organization memberships (which customer organizations user belongs to), role and permission assignments (what roles user has in each organization, which permissions granted), authentication timestamps (when user signed up, last login, login history), MFA enrollment status (whether user enabled multi-factor authentication, which MFA methods configured), session data (active sessions, session duration, device information for sessions), and consent records (acceptance of customer's terms of service and privacy policy, timestamps of policy acceptance).
Critically important according to Privacy by Design: there may be less information provided depending on type of authentication integration. Some social providers only provide email address or only provide custom identifier without revealing personal details. This minimization means not all authentication flows collect full name—Kinde processes only what social provider shares based on user consent to that provider.
Feature Flag and Workflow Data: For customers using feature flags and workflows, according to platform functionality, Kinde processes feature flag states (which features enabled for which users, organizations, or roles), workflow execution data (when workflows trigger, execution logs, environment variables used in workflows, API calls made by workflows), and entitlement data if using billing integration (which subscription plans users have, feature access based on billing tier).
Audit Log Data: For compliance and security monitoring, according to audit log features, Kinde processes authentication event logs (login attempts, failed authentication, password resets, MFA challenges), user management actions (role changes, permission grants, organization assignments), security events (suspicious login patterns, rate limit triggers, API abuse), and administrative actions (configuration changes, user deletions, export requests).
Website and Dashboard Analytics: For visitors to kinde.com website and Kinde dashboard users, according to cookie framework, Kinde collects website usage information via cookies including technical cookies ensuring anonymous data about surfing behavior collected with each visit enabling improvement based on usage patterns (used for understanding how visitors use website), billing functionality cookies supporting Billing feature including remembering billing preferences and facilitating smooth transaction processes, and potential analytics cookies for measuring website effectiveness (consent-based where required by applicable law).
Data Kinde Does NOT Collect: According to Privacy by Design and data minimization commitments, Kinde does not collect payment card details directly for end-user transactions (Stripe Connect processes payments when customers use billing features—Kinde receives transaction notifications only), does not access end-user social media profiles beyond authentication identifiers (no reading of posts, friends lists, or activities), does not track end-user browsing behavior outside authentication flows (no cross-site tracking or advertising profiles), does not collect sensitive categories of personal data like health information, racial/ethnic origin, political opinions unless customer explicitly configures custom fields requiring such data (rare and discouraged), and does not sell, rent, or lease any personal information per explicit Privacy by Design commitment.
Records of Processing Activities: According to GDPR Article 30 compliance, Kinde maintains Records of Processing Activities capturing information across user types (customers using Kinde platform, end-users authenticating via customer applications, Kinde employees) including data categories, group of data subjects, purpose of processing, and data recipients. Privacy surveys conducted with each department to identify processing activities and personal data handling. Information collated into Records of Processing Activities and updated as needed.
Kinde legal basis for processing personal data varies depending on whether Kinde acts as processor (for end-user authentication data) or controller (for customer account information), and differs by jurisdiction. According to Privacy Policy and GDPR guidance documentation, following legal bases apply.
Contractual Necessity for Processor Role: When customers use Kinde for authentication services, Kinde acts as processor on behalf of customer controllers. According to processor framework, Kinde processes end-user personal data to fulfill contractual obligation to provide authentication services to customer per agreement. This processing necessary to execute contract between Kinde and customer enabling customer to authenticate their end-users.
Customer's Legal Basis Responsibility: While Kinde as processor relies on contractual necessity with customers, customers themselves bear responsibility as controllers for establishing appropriate legal bases for collecting and processing end-user data. According to data protection principles, customers typically rely on consent (where end-users explicitly agreed to create account and provided information voluntarily during signup with clear privacy disclosures), contractual necessity (where authentication required to provide services end-user requested from customer application), or legitimate interests (where authentication serves legitimate customer business purposes not overriding end-user rights with proper balancing conducted).
Customers responsible for providing privacy notices to end-users explaining Kinde involvement as authentication processor, obtaining necessary consents where required by jurisdiction or data type, implementing data subject rights fulfillment mechanisms, conducting Data Protection Impact Assessments for high-risk processing, and maintaining documentation demonstrating legal bases including consent records where applicable.
Kinde as Controller - Contractual Necessity: For customer account information, according to Privacy Policy, Kinde processes data based on contractual necessity to provide developer platform services including creating and maintaining customer accounts for accessing Kinde dashboard and configuring authentication, processing subscription payments for Kinde platform usage, providing authentication infrastructure and API services, delivering customer support and resolving technical issues, providing platform analytics and usage reporting, and maintaining platform security and operational integrity per Terms of Service obligations.
Kinde as Controller - Legitimate Interests: For certain operational activities, according to Privacy Policy and legitimate interest assessment, Kinde relies on legitimate business interests including security monitoring (detecting unauthorized access to customer accounts, preventing abuse of authentication infrastructure, maintaining audit logs for security investigations), fraud prevention (identifying fraudulent account creation, preventing payment fraud, protecting legitimate customers), service improvement (analyzing aggregated platform usage patterns for optimization, identifying feature adoption for product development, conducting A/B tests for UX enhancements), business operations (managing vendor and infrastructure relationships, conducting internal audits, maintaining financial records, defending legal claims), and marketing communications (informing customers about new features like workflows or custom pages, sending relevant product updates, conducting customer surveys with opt-out mechanisms available).
With respect to marketing efforts according to GDPR guidance, Kinde uses legitimate interest assessment internally to determine broad scopes of marketing activities. All marketing emails sent with opt-out link enabling customers to unsubscribe from product updates.
Compliance with Legal Obligations: In certain circumstances, according to Privacy Policy, processing necessary to comply with legal requirements including responding to valid legal process (subpoenas, court orders from Australian or other relevant courts), complying with Australian Privacy Act 1988 reporting obligations under Notifiable Data Breaches scheme where required, meeting tax and financial reporting obligations under Australian law, and cooperating with law enforcement when legally mandated with appropriate legal basis.
Consent: According to Privacy Policy and Cookie Policy, consent serves as legal basis for certain processing activities including non-essential cookies for analytics and marketing (where ePrivacy Directive or Australian Privacy Act requires consent), optional data collection beyond service necessity, third-party integrations requiring additional permissions, and marketing communications where opt-in legally required.
GDPR-Specific Legal Bases for EU/EEA/UK: According to additional rights and information section for individuals located in EU or UK, GDPR establishes specific legal bases for processing. For EU/EEA/UK end-users authenticating via Kinde, customers as controllers must establish GDPR-compliant legal basis (typically consent or contractual necessity). For EU/EEA/UK customers using Kinde platform, Kinde as controller relies on contractual necessity for service provision and legitimate interests for operational activities with balancing conducted per GDPR Article 6(1)(f).
CCPA/CPRA Framework: According to CCPA compliance, for California residents and other US states with comprehensive privacy laws, Kinde provides data subject rights including access, deletion, correction, and opt-out from sale/sharing. However, Kinde does not sell personal information per explicit commitment. According to CCPA definitions, when acting as a service provider processing authentication data on behalf of business customers, Kinde is prohibited from using personal information outside the scope of providing services per CCPA service provider provisions.
Australian Privacy Act Compliance: According to Privacy Policy primary framework, Kinde complies with Australian Privacy Act 1988 (Cth) and Australian Privacy Principles. Under APP 11 (Security of Personal Information), Kinde takes reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification or disclosure. ISO 27001 certification provides documented evidence of security safeguards addressing APP 11 requirements.
Cross-Border Transfer Legal Basis: For international transfers from EU/EEA/UK to Australia and other countries, according to DPA framework available from [email protected], Standard Contractual Clauses and UK International Data Transfer Agreement provide contractual framework for transfers though specific SCC version (Decision 2021/914 vs. older clauses) not disclosed in public documentation. Customers requiring international data transfer documentation should request DPA from [email protected] to review transfer mechanisms incorporated.
Kinde subprocessor framework not comprehensively disclosed in publicly available documentation. Unlike enterprise SaaS providers maintaining detailed public subprocessor registries, Kinde does not publish dedicated subprocessor list with processing descriptions, locations, and data categories. According to typical SaaS architecture and compliance requirements, Kinde engages subprocessors to provide services but specific subprocessors not enumerated in public documentation.
Limited Public Subprocessor Disclosure: No publicly accessible comprehensive subprocessor list found despite extensive research of Kinde documentation, trust center, legal pages, and third-party compliance platforms. While DPA addresses subprocessor engagement obligations, specific Annex listing subprocessors with purposes and locations not included in publicly available materials.
Developers and customers requiring detailed subprocessor documentation for procurement compliance, vendor assessments, or GDPR Article 28 purposes should request subprocessor list directly from Kinde support team via [email protected] or [email protected].
Potential AWS Infrastructure: According to the AWS Marketplace listing where Kinde is available for purchase, the platform potentially utilizes Amazon Web Services infrastructure, though this is not explicitly confirmed in Kinde public documentation. AWS Marketplace presence suggests deployment on or integration with AWS services, which would make AWS a subprocessor for infrastructure, compute, storage, networking, and potentially other cloud services. If AWS is the infrastructure provider, AWS processes all authentication data, customer account information, configuration data, and platform operations data. AWS maintains its own extensive security certifications (SOC 2, ISO 27001, PCI DSS, HIPAA) and publishes its own subprocessor list at aws.amazon.com/compliance/sub-processors.
However, absence of explicit AWS infrastructure disclosure in Kinde public documentation means this remains inference based on AWS Marketplace availability rather than confirmed subprocessor relationship. Customers should verify infrastructure provider directly with Kinde.
Stripe Connect for Billing: According to billing features and Stripe Connect integration documentation, Stripe serves as payment processor when customers use Kinde billing functionality to charge their own end-users for subscriptions and products. Stripe handles payment card processing, subscription management, invoicing, fraud detection, and funds disbursement to customer bank accounts. Stripe maintains PCI DSS Level 1 certification and publishes its own Data Processing Agreement for GDPR compliance. Stripe processes payment data for customers using billing features but not for Kinde platform subscription charges (the separate payment processor for Kinde's own billing is not disclosed).
Email Delivery Services: For transactional emails including authentication codes for passwordless login, password reset emails, MFA verification codes, account notifications, and welcome messages, Kinde necessarily engages email delivery service provider though specific provider not disclosed. Typical email delivery subprocessors include SendGrid, AWS SES, Mailgun, Postmark, or similar transactional email services processing recipient email addresses, message content, delivery timestamps, and engagement metrics.
Customer Support Platforms: For providing customer support via email, live chat, Slack, and Discord channels, Kinde likely utilizes customer service platform processing support tickets, chat transcripts, customer communications, and resolution records. Specific support platform not disclosed in public documentation.
Analytics and Monitoring: For platform performance monitoring and usage analytics, Kinde likely engages analytics services though specific tools not disclosed beyond cookie references. Services may process aggregated usage data, performance metrics, error tracking, and security monitoring.
Social Login Providers: When end-users authenticate via social login, social identity providers (Google, Facebook, Apple, GitHub, etc.) act as independent controllers for their own services rather than Kinde subprocessors. These providers share limited authentication information with Kinde per OAuth/OIDC protocols based on end-user consent to social provider. Social providers not subprocessors in GDPR sense—they are separate controllers with own privacy policies.
No Comprehensive Public Subprocessor List: Critical limitation—Kinde does not maintain publicly accessible detailed subprocessor inventory comparable to enterprise B2B SaaS vendors publishing subprocessor registries with descriptions, locations, and update notifications. This creates due diligence challenges for developers conducting vendor assessments, privacy impact assessments, or responding to enterprise customer requirements for third-party data flow documentation.
According to typical DPA subprocessor provisions, advance notice and objection rights likely provided to customers when engaging new subprocessors, but specific notice period (e.g., 30 days) and objection process not detailed in publicly available documentation. Enterprise customers should clarify subprocessor notification mechanisms and obtain current subprocessor list through direct engagement with Kinde support or sales team.
Kinde approach to international data transfer reflects Australian headquarters with global customer base serving developers worldwide. According to Privacy Policy and DPA framework, international transfers addressed through contractual mechanisms though specific data center locations not publicly disclosed.
Australian Headquarters: According to company information, Kinde Australia Pty Ltd headquartered in Australia (Byron Bay area, New South Wales) suggesting potential Australian data processing operations. However, specific data center locations, cloud regions utilized, and geographic distribution of infrastructure not disclosed in public documentation. Global customer base spanning North America, Europe, Asia Pacific and other regions means authentication data potentially flows across borders during processing.
Standard Contractual Clauses and UK IDTA: According to Privacy Policy statement and DPA framework available from [email protected], for international transfers from EU/EEA/UK to Australia or other countries, Kinde provides Standard Contractual Clauses approved by European Commission and UK International Data Transfer Agreement issued by UK Information Commissioner. According to guidance documentation, both SCCs and IDTA included in Kinde Data Processing Addendum incorporated into Privacy Policy setting forth terms for international transfers.
However, specific version of SCCs (Commission Implementing Decision (EU) 2021/914 vs. the older clauses adopted under Directive 95/46/EC, which are no longer valid for new transfers) not disclosed in public documentation. Customers should request DPA to verify SCC version ensuring compliance with current European Commission requirements post-Schrems II.
No Adequacy Decision Reliance Disclosed: Unlike US-based providers, Kinde as Australian company cannot rely on EU-US Data Privacy Framework adequacy decision. Australia does not have GDPR adequacy decision from European Commission meaning transfers from EU/EEA to Australia require appropriate safeguards under GDPR Article 46 such as SCCs. Kinde DPA framework incorporating SCCs addresses this requirement though absence of adequacy means additional documentation burden compared to adequacy-covered destinations.
No Regional Data Residency Options: Unlike cloud infrastructure providers offering regional deployments, Kinde does not provide customer-selectable data residency controls enabling data to remain exclusively in EU, US, or other specific jurisdictions. Developers serving EU end-users cannot configure Kinde to process authentication data exclusively within EU data centers. All processing flows through Kinde infrastructure regardless of developer or end-user jurisdiction.
This limitation means European developers must rely on SCCs and appropriate safeguards to legitimize transfers rather than maintaining EU-only processing. Developers with strict data localization requirements (certain financial services, government agencies, healthcare organizations under jurisdiction-specific rules) may find Kinde architecture incompatible with compliance mandates requiring all processing remain in specific geographic boundaries.
GDPR Transfers from EU/UK to Third Countries: According to Privacy Policy additional rights section for EU/UK individuals, personal information may be disclosed to recipients in countries other than country in which personal information was originally collected. Those countries may not have same data protection laws as country in which personal information initially provided. When personal information transferred to recipients in other countries (including United States and Australia), Kinde ensures appropriate safeguards including Standard Contractual Clauses or other mechanisms approved under GDPR.
Australian Privacy Act Cross-Border Disclosure: According to Australian Privacy Act and Australian Privacy Principles, when Kinde discloses personal information to overseas recipients, Kinde takes reasonable steps to ensure overseas recipient does not breach Australian Privacy Principles. This may include contractual arrangements with overseas processors requiring compliance with data protection obligations.
Supplementary Transfer Measures: Following Schrems II requiring supplementary measures beyond SCCs, according to typical security practices though not explicitly detailed in public Kinde documentation, measures likely include encryption in transit via TLS/SSL for all data transmission, encryption at rest for stored authentication and customer data, access controls limiting personnel access based on roles and need-to-know principle, authentication and authorization mechanisms for platform access, security monitoring and logging per ISO 27001 certification requirements, incident response procedures for security events, and regular security audits as part of ISMS maintenance.
However, Kinde has not published Transfer Impact Assessment evaluating third country surveillance law risks and adequacy of SCCs plus supplementary measures providing essentially equivalent protection to GDPR. According to European Data Protection Board guidance, controllers (Kinde customers) should conduct and document TIAs for transfers to third countries without adequacy decisions. Developers should conduct own TIAs or request Kinde assistance in documenting supplementary measures.
When developers integrate Kinde for authentication and access management, they assume extensive compliance responsibilities as data controllers for end-user data. According to controller-processor distinction and data protection principles, following developer responsibilities apply.
Understanding Controller Role: Developers must recognize they are data controllers for end-user authentication data—Kinde merely provides technical infrastructure as processor. According to GDPR guidance explicit statement, customers are data controller while Kinde is data processor. This means developers bear primary legal responsibility for GDPR, CCPA, Australian Privacy Act, and all applicable privacy law compliance including obtaining consents, establishing legal bases, fulfilling data subject rights, and ensuring lawful processing.
Privacy Policy Requirements: Developers must maintain comprehensive privacy policies explaining authentication practices and Kinde processing. Policies should identify Kinde as authentication platform processor, disclose what end-user data collected during signup (email, name, social provider identifiers based on authentication methods enabled), explain how data used (authentication, session management, access control, security monitoring), describe retention periods (how long authentication data kept, deletion process), detail international data transfers (processing may occur across borders via Kinde infrastructure with SCCs), explain end-user rights (access, deletion, rectification, portability, objection under GDPR or equivalent laws), provide contact information for privacy inquiries and rights requests, reference applicable regulations (GDPR for EU users, CCPA for California users, Australian Privacy Act for Australian users), and disclose third-party integrations beyond Kinde (if using webhooks to send data to Salesforce, Mailchimp, or other systems).
Implementing Data Subject Rights: Under GDPR, CCPA, and similar laws, end-users have rights developers must implement including access (provide end-users with their personal data held in Kinde—developers can export user data via Kinde API or dashboard), deletion (permanently delete end-user data from Kinde account when requested per GDPR right to erasure or CCPA deletion—Kinde provides user deletion functionality), rectification (update inaccurate end-user information via Kinde dashboard or API), portability (export end-user data in machine-readable format—Kinde supports CSV export and API access), objection (honor end-user objection to certain processing like marketing based on authentication data), and restriction (limit processing pending resolution of disputes or verification per GDPR Article 18).
Kinde provides tools supporting rights fulfillment according to GDPR features including ability to access and update subscriber data anytime via dashboard or API, delete subscribers anytime at their request or honor removal requests if subscribers contact Kinde directly, export subscriber lists maintaining GDPR compliance, and select subscribers by country and region enabling targeted communications or rights fulfillment for specific jurisdictions.
Authentication Method Selection and Consent: Developers should select authentication methods appropriate for use case and end-user expectations including password authentication (traditional but increasingly disfavored for security reasons—developers should enforce strong password policies and consider requiring MFA), passwordless authentication (magic links, one-time codes—better security and user experience, requires end-user email access), social login (convenient but shares data from social provider—developers should understand what data each provider shares and disclose in privacy policy), enterprise SSO (SAML, OIDC—appropriate for B2B applications where organizations manage employee access), and passkeys (phishing-resistant biometric authentication—highest security, limited browser/device support in 2026).
For each method enabled, developers responsible for obtaining appropriate consents, providing clear information about what authentication data collected and how used, and implementing security measures protecting authentication credentials and sessions.
Policy Acceptance at Signup: According to Kinde features for compliance, developers can configure policy acceptance at signup requiring end-users to accept terms of service and/or privacy policy before account creation. Kinde provides checkbox on signup with acceptance recorded including terms of service acceptance timestamp and privacy policy acceptance timestamp visible in user profiles and audit logs providing GDPR consent documentation.
Developers should enable policy acceptance ensuring explicit consent obtained, provide clear links to full policy documents rather than inline text, avoid pre-checked acceptance boxes (GDPR requires affirmative action), and maintain acceptance records for regulatory examination.
Organization and Multi-Tenancy Security: For B2B applications using Kinde organizations, developers responsible for implementing appropriate tenant isolation including ensuring users cannot access data from organizations they do not belong to, implementing proper role checks before displaying features or data, validating organization membership on all API requests, using Kinde RBAC system correctly to prevent unauthorized access, monitoring cross-organization access attempts via audit logs, and regularly reviewing organization configurations and user assignments.
Poor tenant isolation creates data breach risk exposing organization data to unauthorized users—developers must architect applications with zero-trust principles verifying permissions on every request.
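An added example (not Kinde's own code) of the per-request check described above: the organization named in the URL is compared with the organization claim of an already signature-verified access token, and the route's required permission is checked against the token's permission list. The claim names `org_code` and `permissions`, the route layout `/orgs/<org_code>/<resource>` and the sample claims are assumptions for illustration and should be confirmed against the tokens and routes of your own deployment.

```javascript
// Added example (not Kinde's own code): authorize every request against the
// organization and permission claims of an already-verified access token.
// Claim names `org_code` and `permissions` are assumed for illustration;
// confirm them against the tokens your own Kinde environment issues.

// Returns { allowed, reason } so that denials can be written to your audit trail.
function authorizeOrgRequest(claims, resourceOrg, requiredPermission, nowMs = Date.now()) {
  if (!claims || typeof claims.sub !== 'string') {
    return { allowed: false, reason: 'unauthenticated' };
  }
  // `exp` is seconds since epoch; a verified-but-expired token is still rejected.
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= nowMs) {
    return { allowed: false, reason: 'token expired' };
  }
  // The tenant the token was issued for must be the tenant the URL names.
  // An organization identifier supplied by the client is never trusted on its own.
  if (typeof claims.org_code !== 'string' || claims.org_code !== resourceOrg) {
    return { allowed: false, reason: 'organization mismatch' };
  }
  const perms = Array.isArray(claims.permissions) ? claims.permissions : [];
  if (!perms.includes(requiredPermission)) {
    return { allowed: false, reason: `missing permission ${requiredPermission}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Map each resource to the permission it needs. Paths look like
// /orgs/<org_code>/members (hypothetical route layout for this example).
const ROUTE_PERMISSIONS = {
  members: 'members:read',
  billing: 'billing:read',
};

function handleRequest(path, claims, nowMs = Date.now()) {
  const m = /^\/orgs\/([^/]+)\/([^/]+)$/.exec(path);
  if (!m) return { status: 404, reason: 'unknown route' };
  const [, orgCode, resource] = m;
  const needed = ROUTE_PERMISSIONS[resource];
  if (!needed) return { status: 404, reason: 'unknown resource' };
  const decision = authorizeOrgRequest(claims, orgCode, needed, nowMs);
  if (!decision.allowed) {
    // 401 for missing/expired credentials, 403 for everything else, so the
    // response does not reveal whether the other organization exists.
    const unauth = decision.reason === 'unauthenticated' || decision.reason === 'token expired';
    return { status: unauth ? 401 : 403, reason: decision.reason };
  }
  return { status: 200, reason: 'ok' };
}

// Constructed token claims for a user of organization org_acme (sample data).
const SAMPLE_CLAIMS = {
  sub: 'kp_constructed_user',
  org_code: 'org_acme',
  permissions: ['members:read'],
  exp: 2000000000, // far-future expiry so the sample stays valid
};
```

The check runs on every request rather than once at login, which is the zero-trust property the paragraph asks for: a user whose organization membership or role is revoked is denied as soon as their next token no longer carries the claim, and a request that names a different organization in its path is refused regardless of what the request body says.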
Workflow and Webhook Data Handling: When using Kinde workflows or webhooks to send data to external systems, developers responsible for security and privacy including only sending necessary data to external systems following data minimization, verifying external system security and privacy practices, implementing webhook signature verification preventing unauthorized requests, handling errors gracefully avoiding data loss or exposure, maintaining audit trail of external data sharing, and conducting Data Protection Impact Assessments for high-risk integrations.
Webhooks can expose end-user data to third parties—developers should carefully control what data sent and to which systems based on legitimate processing purposes and end-user expectations.
Monitoring and Incident Response: Developers should implement monitoring for security incidents and anomalous authentication patterns including reviewing Kinde audit logs regularly for suspicious activity, monitoring failed authentication attempts indicating potential attacks, investigating unusual permission changes or role assignments, establishing incident response procedures for data breaches, notifying affected end-users and regulators per breach notification requirements (GDPR 72 hours to supervisory authority, Australian NDB scheme prompt notification, CCPA without unreasonable delay), and maintaining incident documentation for regulatory examination.
Kinde provides audit logs supporting security monitoring—developers should actively use these logs rather than reactive incident response only.
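An added example (not Kinde's own code, and not Kinde's audit log format) of the proactive review the paragraph asks for: sliding-window counts of failed sign-ins per source address and per account, plus a flag on role assignments where the actor is the same account that gains the role. The event field names, thresholds and the sample events are constructed for illustration; an export of your real audit log would need a small mapping step onto these fields first.

```javascript
// Added example (not Kinde's own code): anomaly detection over authentication
// audit events. Field names (ts, event, user, ip, actor) and thresholds are
// assumptions for this example; map your real log export onto them first.

// Largest number of events falling inside any window of `windowMs`
// milliseconds; `timesMs` must be sorted ascending.
function maxInWindow(timesMs, windowMs) {
  let best = 0;
  let start = 0;
  for (let end = 0; end < timesMs.length; end++) {
    while (timesMs[end] - timesMs[start] > windowMs) start++;
    best = Math.max(best, end - start + 1);
  }
  return best;
}

function detectAuthAnomalies(events, opts = {}) {
  const { windowMs = 5 * 60 * 1000, ipThreshold = 10, userThreshold = 5 } = opts;
  const byIp = new Map();
  const byUser = new Map();
  const findings = [];
  for (const e of events) {
    const t = Date.parse(e.ts);
    if (e.event === 'login_failed') {
      if (!byIp.has(e.ip)) byIp.set(e.ip, []);
      byIp.get(e.ip).push(t);
      if (!byUser.has(e.user)) byUser.set(e.user, []);
      byUser.get(e.user).push(t);
    } else if ((e.event === 'role_assigned' || e.event === 'permission_granted') && e.actor === e.user) {
      // A principal granting a role to itself is worth a human look.
      findings.push({ type: 'self_privilege_change', key: e.user, count: 1 });
    }
  }
  // Many failures from one address across accounts: spraying pattern.
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    const n = maxInWindow(times, windowMs);
    if (n >= ipThreshold) findings.push({ type: 'ip_failure_burst', key: ip, count: n });
  }
  // Many failures against one account from anywhere: stuffing or guessing.
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    const n = maxInWindow(times, windowMs);
    if (n >= userThreshold) findings.push({ type: 'user_failure_burst', key: user, count: n });
  }
  return findings;
}

// Constructed sample events (not real Kinde audit log output).
function buildSampleEvents() {
  const base = Date.parse('2026-05-01T10:00:00Z');
  const iso = (ms) => new Date(ms).toISOString();
  const events = [];
  // One address, 12 failures spread over six accounts, 10 s apart.
  const targets = ['a', 'b', 'c', 'd', 'e', 'f'].map((u) => `${u}@example.com`);
  for (let i = 0; i < 12; i++) {
    events.push({ ts: iso(base + i * 10000), event: 'login_failed', user: targets[i % 6], ip: '203.0.113.5' });
  }
  // One account, six failures from three addresses within a minute.
  const ips = ['198.51.100.7', '198.51.100.8', '198.51.100.9'];
  for (let i = 0; i < 6; i++) {
    events.push({ ts: iso(base + 600000 + i * 10000), event: 'login_failed', user: 'bob@example.com', ip: ips[i % 3] });
  }
  // Ordinary activity: one mistyped password followed by success.
  events.push({ ts: iso(base + 1200000), event: 'login_failed', user: 'carol@example.com', ip: '192.0.2.10' });
  events.push({ ts: iso(base + 1205000), event: 'login_succeeded', user: 'carol@example.com', ip: '192.0.2.10' });
  // A role assigned by the account that receives it.
  events.push({ ts: iso(base + 1300000), event: 'role_assigned', user: 'dave@example.com', actor: 'dave@example.com', role: 'admin', ip: '192.0.2.11' });
  return events;
}
```

On the constructed input the two per-key counters catch different things: the spraying address is flagged even though no single target account exceeds two failures, and the targeted account is flagged even though each of the three source addresses stays well under the per-address threshold. Carol's single failure followed by a success produces nothing, which is the false-positive case the thresholds exist to avoid.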
Regulatory Change Monitoring: Developers should maintain awareness of authentication and privacy law developments including monitoring GDPR enforcement actions related to authentication services, reviewing Australian Privacy Act amendments (recent increases to breach penalties), staying informed about US state privacy law expansions (Virginia, Colorado, Connecticut, Utah laws effective, additional states considering), tracking ePrivacy Regulation developments (proposed EU update to cookie/tracking rules), and adapting authentication practices to evolving regulations in jurisdictions where end-users located.
Core Documentation:
Privacy Policy: https://docs.kinde.com/trust-center/privacy-and-compliance/privacy-policy/
GDPR Guidance: https://docs.kinde.com/trust-center/privacy-and-compliance/gdpr/
Compliance Overview: https://docs.kinde.com/trust-center/privacy-and-compliance/compliance/
Certifications:
IAF CertSearch: Search via iaf.nu for certificate verification
Product Information:
Website: https://www.kinde.com/
Documentation: https://docs.kinde.com/
Contact:
Support (including DPA requests): [email protected]
Data Protection Officer: [email protected]

This Privacy & Data Handling Profile provides overview of Kinde data processing practices as documented in Privacy Policy, GDPR guidance, compliance pages, and publicly available materials. Kinde represents Australian developer platform combining authentication, access management, billing, and feature management with focus on SaaS founders and product teams.
Critical understanding: Kinde acts as processor for end-user authentication data while developers are controllers. Customers are data controller; Kinde is data processor. Developers bear primary legal responsibility for GDPR, CCPA, Australian Privacy Act, and all applicable privacy law compliance including obtaining consents, providing privacy notices, implementing data subject rights, and ensuring lawful processing.
Privacy by Design embedded as core principle with explicit commitment to never sell customer data. Data minimization reflected in authentication typically collecting only email, first name, last name with some integrations collecting even less depending on social provider. This minimization approach reduces privacy obligations and compliance risks for both Kinde and developers.
ISO 27001:2022 certification by Compass Assurance Services provides independently audited security framework addressing Australian Privacy Act APP 11 requirements and demonstrating reasonable security safeguards. Public listing on JASANZ register enables verification. SOC 2 Type II in progress following typical SaaS compliance maturity trajectory. HIPAA compliance with BAA available addresses healthcare use cases.
DPA incorporating SCCs and UK IDTA available from [email protected] addressing GDPR Article 28 processor requirements and international transfer safeguards. However, specific SCC version not disclosed publicly—developers should request DPA to verify current mechanisms. Absence of EU adequacy decision for Australia means SCCs essential for legitimizing EU-to-Australia transfers.
Subprocessor transparency significantly limited compared to enterprise B2B SaaS—no public comprehensive subprocessor list found despite extensive research. AWS infrastructure inferred from AWS Marketplace presence but not explicitly confirmed. Stripe Connect confirmed for customer billing features. Developers requiring detailed subprocessor documentation should request from [email protected] for procurement compliance and vendor assessments.
No regional data residency controls—all processing flows through Kinde infrastructure regardless of developer or end-user jurisdiction. Developers with strict data localization mandates requiring EU-only or jurisdiction-specific processing should evaluate compatibility before adoption. SCCs and appropriate safeguards enable international transfers but cannot substitute for hard data residency requirements where legally mandated.
Free plan generosity notable—10,500 MAU with no credit card required including comprehensive authentication, organizations, feature flags, workflows, audit logs. Most competitors charge for features Kinde includes free or limit MAU significantly (Auth0 free tier 25,000 MAU but required credit card historically, Clerk $25/month, Firebase Authentication free but tied to Firebase ecosystem). No-double-dipping policy preventing paid customers counting toward MAU further enhances value proposition.
Platform strengths include unified developer experience eliminating multiple vendor integrations, Privacy by Design with data minimization reducing compliance burden, Australian jurisdiction providing alternative to US/EU providers, comprehensive free tier enabling startup adoption, B2B-first features (organizations, RBAC, SAML) included rather than expensive add-ons, workflows and feature flags integrated with auth eliminating separate vendors, and legendary support across email, live chat, Slack, Discord with global team.
Platform considerations include limited public subprocessor transparency requiring direct requests, no regional data residency for strict localization requirements, SOC 2 in progress rather than completed (though ISO 27001 completed), Australian jurisdiction unfamiliar to some enterprises preferring US/EU providers, and smaller ecosystem compared to Auth0/Firebase/Cognito though growing rapidly.
The information presented derives from Kinde Privacy Policy, GDPR guidance, compliance documentation, and public materials as of May 2026. Kinde rapidly evolving—workflows system launched, custom pages enhanced, billing features integrated. Developers should monitor documentation updates and consider subscribing to product announcements tracking feature launches affecting authentication flows or privacy practices.
This profile is summary of publicly available Kinde documentation. It is provided for informational purposes only and does not constitute legal advice. Developers should consult legal counsel specializing in authentication, data protection, and privacy law to ensure compliance. Information reflects documentation as of May 2026 and may change. Developers are responsible for verifying current service capabilities, understanding they are data controllers for end-user authentication data with primary compliance obligations, implementing appropriate privacy notices explaining Kinde processor role, obtaining necessary consents from end-users for data collection and processing, implementing data subject rights fulfillment mechanisms, requesting DPA from [email protected] to review SCCs and international transfer safeguards, requesting current subprocessor list from [email protected] for vendor assessments, conducting Data Protection Impact Assessments for high-risk processing, monitoring regulatory developments affecting authentication in relevant jurisdictions, and maintaining documentation demonstrating compliance with applicable laws. Kinde role as processor does not eliminate developer controller obligations. This document does not substitute for reviewing official Kinde documentation, requesting DPA and subprocessor materials, or engaging qualified legal counsel.
Document Prepared: May 2026
Primary Sources: Kinde Privacy Policy, GDPR Guidance, Compliance Pages
Intended Use: Educational purposes for developers implementing authentication
Not Legal Advice: Consult legal counsel specializing in data protection and authentication