Privacy Policy & Data Processing Information

Kernel (kernel.eu.com) is a B2B software designed to help companies eliminate advertising waste by automatically excluding existing customers from acquisition campaigns on Google Ads, Meta, TikTok, and YouTube. Developed and managed by Kernel S.R.L, based in Treviglio, Italy, the platform also segments customer databases into distinct categories — active, at risk, dormant, and lost — to optimize marketing effectiveness and improve return on ad spend (ROAS).

Under the GDPR (EU Regulation 2016/679), roles are defined as follows:

• Data Controller: The customer using Kernel (e.g., Glovo, Spotify) who provides their users' data. They are responsible for the legality of the processing and the original data collection.
• Data Processor: Kernel, which processes data exclusively based on the Data Controller's instructions and for the purposes described in this document.

Kernel only processes data that the customer voluntarily transmits through configured integrations. The data typically processed includes:

• Email addresses
• Phone numbers
• First and last names (optional)
• Physical addresses (optional)
• Last Order Date
• Purchase Frequency
• Average Order Value (AOV)
• Lifetime Value (LTV)
• Operating System (iOS/Android)
• App Installation Status
• Internal User ID
• Subscription Status
• Loyalty Program Level
• Coupon and Discount Usage
• Original Acquisition Channel
• ZIP Code / Geographic Area
• Preferred Product Category
• Email and Push Notification Engagement

Kernel does not collect sensitive data (special categories under Art. 9 GDPR), banking data, data of minors, or end-user browsing data.

Data transmitted to Kernel is used exclusively to:

• identify and unify existing customer profiles (identity resolution);
• automatically update exclusion lists on authorized advertising platforms (Google Customer Match, Meta Custom Audiences, TikTok Audience API);
• measure and report generated advertising savings.

Data is never used for marketing, profiling, sale, or unauthorized third-party sharing.

Kernel employs a privacy-by-design approach. Before data is transmitted to ad platforms, all personal identifiers are hashed using the SHA-256 algorithm. Ad platforms never receive raw data. Hashing is irreversible. Original data remains on Kernel's servers and is never exported in plain text to third parties.

Data is stored for the duration of the active contract with Kernel. Upon contract termination, data is deleted within 30 days, unless legal obligations require otherwise. Customers may request immediate deletion at any time via privacy@kernel.eu.com.

While advertising platforms operate servers outside the EU, the transfer of hashed data complies with GDPR safeguards, specifically through Standard Contractual Clauses (SCC) approved by the European Commission.

As a Data Processor, Kernel has no direct relationship with the customer's end users. End-user requests (access, rectification, deletion, portability) must be directed to the Data Controller. Direct customer requests regarding their own account data can be sent to privacy@kernel.eu.com.

In the event of a personal data breach, Kernel commits to:

• notifying the Data Controller within 72 hours of discovery;
• providing necessary impact assessment information;
• assisting the customer in notifying the Privacy Authority if required.

Kernel provides a GDPR-compliant Data Processing Agreement (DPA) for enterprise clients. It is signed alongside the service contract and forms an integral part of the agreement. To request a DPA: legal@kernel.eu.com.

Kernel reserves the right to update this policy. Substantial changes will be communicated with at least 30 days' notice via email. The latest version is always at kernel.eu.com/privacy.

• General Privacy: privacy@kernel.eu.com
• Legal & DPA: legal@kernel.eu.com
• Website: kernel.eu.com