Privacy Policy

Pro-Motion Labs · Last Updated: June 2026 · Version 2.0

This policy is designed to be legally defensible and genuinely protective of your rights. We process data lawfully, minimize collection, separate consent from legitimate business needs, and give you meaningful control.

1. Introduction

Pro-Motion Labs (“Company,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access and use our website, platforms (including Rainure and Kizuna), and related services (collectively, “Services”).

We process personal data lawfully, fairly, and transparently. We minimize data collection, separate consent-based processing from legitimate business needs, and give you meaningful control.

Please read this Privacy Policy carefully. If you do not agree with our data practices, please do not use our Services.

2. Definitions

Personal Data: Information that identifies you or makes you identifiable, including name, email, phone number, IP address, payment information, location data, and behavioral data.
Sensitive Data: Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health information, or sex life.
Processing: Any operation performed on Personal Data (collection, storage, use, analysis, disclosure, deletion).
Data Controller: The entity that determines the purposes and means of processing. Pro-Motion Labs is the controller for most processing.
Data Processor: A third party that processes data on our behalf under a contract.
Data Subject: The individual to whom Personal Data relates.

3. Information We Collect

3.1 Information You Provide Directly

Account Registration

  • Name, email address, phone number
  • Company name and industry
  • Billing address and payment information
  • Username and password

Service Usage

  • Content you upload, create, or input
  • Messages, communications, and support requests
  • Feedback, surveys, and preferences

Rainure (Events)

  • Event registrations: name, email, ticket type
  • Ticket purchases and transaction history
  • Communication preferences

Kizuna (Insurance)

  • Policy details and claims information
  • Underwriting data
  • Agent and broker information

3.2 Information Collected Automatically (Minimized)

We limit automatic collection to what is strictly necessary. We collect:

  • IP address (for security only, not tracking)
  • Browser type and operating system
  • Pages visited (landing page, checkout page only)
  • Referral sources (for marketing attribution only)
  • Session cookies (for security and functionality)
  • General location derived from IP (not precise; deleted after 30 days)

We do NOT collect:

  • Unique device identifiers or fingerprinting
  • Precise GPS location (unless you explicitly opt in)
  • Individual session behavior for profiling
  • Search queries (deleted after 24 hours)

3.3 Information from Third Parties

We receive Personal Data from payment processors (for transaction verification only) and analytics providers (anonymized usage insights). We do not buy, sell, or receive data from data brokers.

3.4 Sensitive Data (Strict Handling)

Rainure: Events Platform

  • Health/disability: Only if voluntarily provided for accessibility accommodations
  • Dietary preferences: Only if provided for event catering
  • Retention: Deleted 1 year post-event
  • Deletion: You can request deletion anytime

Kizuna: Insurance Platform

  • Health information: Medical history, health claims (inherent to insurance underwriting)
  • Financial information: Income, credit history (insurance underwriting)
  • Retention: Per insurance regulations (typically 10+ years); cannot be deleted due to legal requirements
  • Safeguards: Enhanced encryption, access restrictions, full audit logging

We strictly prohibit:

  • Using sensitive data for marketing, analytics, or profiling
  • Sharing sensitive data with non-essential third parties
  • Retaining sensitive data longer than legally required
  • Training AI/ML models on sensitive data

Your Explicit Consent

  • Promotional emails about products and offers
  • Google Analytics, Hotjar, Mixpanel tracking
  • Facebook Pixel, Google Ads retargeting
  • Behavioural profiling and personalisation
  • SMS/Text message marketing

You can withdraw consent at any time. We stop processing within 2 business days.

Contractual Necessity

  • Account creation and management
  • Processing transactions and payments
  • Delivering platform features (Rainure, Kizuna)
  • Transactional emails (order confirmations, security alerts)
  • Technical support and troubleshooting

You cannot opt out of these without closing your account, as they are essential to the service.

Legal Obligation

  • Retaining transaction records for 7 years (tax law)
  • Insurance claims retention 10+ years (insurance regulations)
  • Responding to court orders, subpoenas, and legal processes
  • PCI DSS compliance for payment data

Required by law. We cannot avoid these obligations.

4.4 Legitimate Interests (Narrowly Defined)

We only claim legitimate interest after a balancing test and only for narrow technical purposes:

  • Fraud prevention and security monitoring (security logs deleted after 90 days)
  • Platform stability and bug identification (aggregate metrics only; anonymized after 30 days)
  • Enforcing Terms of Service and protecting legal rights

We do NOT claim legitimate interest for:

  • Marketing (requires explicit consent)
  • Behavioural profiling (requires explicit consent)
  • AI/ML training (requires explicit consent)
  • Selling data or insights
  • Cross-site tracking (requires explicit consent)
  • Predictive modeling (requires explicit consent)

5. How We Use Your Information

5.1 Service Delivery (No Choice Required)

  • Creating and managing your Account
  • Processing transactions and payments
  • Delivering platform features and functionality
  • Providing customer support
  • Sending transactional emails and service announcements

5.2 Service Improvement (Limited & Transparent)

  • Analysing aggregate usage patterns (how many users access a feature, not individual behaviour)
  • Identifying technical bugs (error rates, crashes, timeouts)
  • Measuring platform performance (page load times, uptime)

What we do NOT do:

  • Train AI/ML models on user data without separate consent
  • Create detailed user behaviour profiles
  • Track individual users across sessions
  • Combine data across platforms to understand behaviour
  • Sell insights to third parties

5.3 Communication

Transactional (No consent required)

  • Order confirmations and receipts
  • Account security alerts
  • Password reset requests
  • Service updates and notices
  • Support responses

Promotional (Consent-based)

  • Product updates and new features
  • Special offers and discounts
  • Newsletter and insights
  • Requires explicit opt-in (not pre-checked)
  • Unsubscribe anytime

6. Data Sharing & Disclosure

We do not sell, rent, or share your Personal Data with third parties for marketing, advertising, or profit. Period.

6.1 Service Providers We Use

All service providers are bound by Data Processing Agreements (DPAs) that restrict how they use your data. They cannot use it for their own purposes.

Vercel | Website and application hosting | Account data, usage analytics, content you create
Amazon Web Services | Backup and disaster recovery | Encrypted backups; deleted after 30 days
Stripe | Payment processing | Credit card, billing address (we store no full card numbers)
Google Analytics | Website traffic analytics (anonymized) | Page views, click patterns; data deleted after 26 months
Hotjar | Session recording and heatmaps (with consent) | Recordings deleted after 90 days
SendGrid | Transactional and marketing emails | Email address and message content only

6.2 Legal Compliance & Government Requests

We disclose Personal Data only when required by valid court orders, subpoenas, or legal processes. We disclose only the minimum data required, challenge overbroad requests, and will notify you unless legally prohibited.

6.3 Business Transfers

If Pro-Motion Labs is involved in a merger, acquisition, or asset sale, we will provide 30 days' notice, allow you to request data deletion, and require the acquiring entity to honour this Privacy Policy.

6.4 We Do NOT Share With:

  • Advertising networks (Facebook, Google, etc.) for ad targeting
  • Data brokers or data aggregators
  • Marketing automation platforms (without your explicit consent)
  • Competitors or third-party analytics firms
  • Any party for their own marketing purposes

7. Data Retention

We retain Personal Data only as long as necessary to provide Services or comply with specific legal requirements. We delete data once these purposes expire.

Data Type | Retention Period | Legal Basis
Account Data | 3 years after account closure | Dispute resolution, tax law
Transactional Data | 7 years | Tax and accounting requirements
Payment/Card Data | 3 years | PCI DSS compliance, fraud prevention
Support Tickets/Emails | 3 years | Dispute resolution, customer service
Login/Security Logs | 90 days | Security and intrusion detection
Website Analytics | 26 months (anonymized after 13 months) | Service improvement
Marketing Lists | Until unsubscribe (then permanent suppression) | Compliance with opt-out
Event Data (Rainure) | 2 years post-event | Event history and attendee records
Insurance Data (Kizuna) | 10+ years | Insurance regulatory requirements
Backup Data | 30 days after deletion | Disaster recovery only
Session Cookies | Until browser closes | Security and authentication
Preference Cookies | 1 year | User preference storage

7.1 Deletion Upon Your Request

We delete your data within 30 days of a valid deletion request. If legal obligations require us to retain specific data, we will:

  • Inform you of the specific legal requirement (tax law, insurance regulation, etc.)
  • Provide an estimated deletion date
  • Restrict processing to that legal obligation only
  • Delete data immediately when the obligation expires
  • Confirm deletion in writing within 30 days

8. Your Rights & Choices

8.1 GDPR Rights (EU/EEA Residents)

Right of Access | Request a copy of all Personal Data we hold about you in portable, machine-readable format (CSV/JSON). | 30 days
Right to Rectification | Correct inaccurate or incomplete Personal Data directly in your account or by emailing us. | 7 days
Right to Erasure | Request deletion of your Personal Data. Exceptions apply for legal retention obligations, which we will specify. | 30 days
Right to Restrict Processing | Request we limit how we use your data while a dispute is under investigation. | 7 days
Right to Data Portability | Receive your data in portable format (CSV or JSON). Covers all data you have provided. | 30 days
Right to Object | Object to processing based on legitimate interests. We stop within 7 days unless compelling legal reasons override. | 7 days
Right to Withdraw Consent | Withdraw consent for any permission-based processing (marketing, analytics, profiling). We stop within 2 business days. | 2 business days
Automated Decision Review | Request human review of any automated decision that affects you. No penalty for requesting. | 5 business days

8.2 California Rights (CCPA/CPRA)

Right to Know: Request all Personal Data collected in the past 12 months. Response within 45 days.

Right to Delete: Request deletion of Personal Data, subject to legal exceptions. Response within 45 days.

Right to Opt-Out: We do NOT sell Personal Data under CCPA. You can opt out of analytics data sharing.

Non-Discrimination: We do not discriminate against California residents for exercising their rights.

8.3 Exercising Your Rights

Subject line: “[Right Type] Request: [Your Name]”
Response: Acknowledged within 24 hours; resolved within 30 days

9. Cookies & Tracking Technologies

Essential Cookies

Always Active

Strictly necessary for basic website functionality. Disabling these breaks the service.

Cookie | Purpose | Duration
Session ID | Maintains login state | Session
CSRF Token | Prevents cross-site attacks | Session
Security Flag | Detects suspicious access | 30 days
Language Preference | Stores your language choice | 1 year
Language PreferenceStores your language choice1 year

Analytics Cookies

Requires Consent

Track aggregate usage of our website. Only activated with your consent.

Cookie | Purpose | Duration
Google Analytics | Page views and traffic patterns (anonymized) | 26 months
Hotjar | Session recording and heatmaps (click/scroll only) | 90 days
Mixpanel | Feature usage analytics (anonymized) | 13 months

Marketing Cookies

Requires Consent

Enable retargeting ads on other websites. Only activated with explicit consent.

Cookie | Purpose | Duration
Facebook Pixel | Ad retargeting on Facebook/Instagram | Until opt-out
Google Ads | Ad retargeting across Google properties | Until opt-out

How consent works

A cookie banner appears before any non-essential cookies are set. No boxes are pre-checked. You choose exactly which categories to enable. You can update or withdraw your preferences at any time via the Manage Preferences link in the footer.

10. Data Security & Breach Notification

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest
  • All backups encrypted

Access Controls

  • Role-based access control
  • Multi-factor authentication for all staff
  • VPN required for remote access

Monitoring

  • Real-time security monitoring
  • Automated anomaly detection
  • Regular penetration testing

Compliance

  • PCI DSS for payment data
  • Annual security audits
  • Employee privacy training

10.1 Data Breach Notification Timelines

High-Risk Breach

(Payment data, credentials, health info, >1,000 records)

You: Notified within 24 hours

Regulators: Notified within 72 hours

Via: Email or phone call

Low-Risk Breach

(Non-sensitive data, small number of records)

You: Notified within 7 days

Regulators: Notified within 72 hours

Via: Email

11. International Data Transfers

Our primary data hosting is in the United States (Vercel). We use legally approved mechanisms to transfer EU personal data, including Standard Contractual Clauses (SCCs) with Schrems II supplementary safeguards executed with all processors handling EU data.

All EU data is encrypted in transit (TLS 1.3) and at rest (AES-256). If transfer rules change, we will assess compliance within 30 days and cease transfers immediately if they become prohibited, offering EU-only data storage where feasible.

You can request restriction of processing in non-EU locations or request EU-only data storage by contacting [email protected].

12. Sensitive Data & Industry-Specific Use Cases

Sensitive data is handled with strict additional controls depending on the platform and the nature of the data.

Rainure: Events

Health/disability and dietary information may be collected if voluntarily provided for accessibility or catering. This data is encrypted, restricted to event organizers, never used for marketing, and deleted 1 year after the event. You can request deletion at any time.

Kizuna: Insurance

Health information, financial data, and (where applicable) genetic data are inherent to insurance underwriting and claims processing. This data is retained per insurance regulations (typically 10+ years), subject to enhanced encryption and access restrictions, and cannot be deleted due to legal requirements. You have the right to access, correct, and request portability.

Custom Development Projects

Projects involving sensitive data require a separate Data Processing Agreement (DPA), explicit written consent from the authorized data controller, and project-specific security measures in a fully isolated environment.

13. Automated Decision-Making & Profiling

We use automated systems in three areas:

Fraud Detection

Impact: Low-Medium

Analyses login and transaction patterns to flag suspicious activity. May temporarily restrict account access.

Your Rights: Request human review within 48 hours. Account restored immediately if wrongly flagged.

Content Moderation (Rainure)

Impact: Low

Flags potential spam, harassment, or Terms of Service violations in event listings.

Your Rights: Request human review within 7 days. Content restored within 48 hours if wrongly flagged.

Insurance Underwriting (Kizuna)

Impact: High

Risk model analyses health, financial, and lifestyle data for insurance approval, premium, and coverage decisions.

Your Rights: Right to request human review, explanation of algorithmic logic, and reconsideration with additional information. Human review within 5 business days. Cannot be subject to purely automated decision without human oversight.

14. Children's Privacy

Our Services are not intended for children under 13 (or the applicable age of digital consent in your jurisdiction, whichever is higher). We do not knowingly collect Personal Data from children, market to children, or use profiling directed at children.

If we discover a child has provided data, we delete it immediately and notify the parent or guardian. If you believe your child has provided data, contact [email protected] immediately.

Our Services may contain links to third-party websites and services. We are not responsible for the availability, accuracy, or privacy practices of third-party content or services. Use of third-party services is at your own risk and subject to their own terms and privacy policies.

16. Modifications to This Privacy Policy

We may modify this Privacy Policy by posting the updated version with an updated “Last Updated” date. For material changes, we will provide notice via email or a prominent banner and request reaffirmation of consent where required.

We will NOT:

  • Weaken your privacy protections without consent
  • Expand sensitive data collection without notification
  • Change how we share your data without opt-in

17. Contact Us & Your Rights

Privacy Requests

Email: [email protected]

Acknowledged: Within 24 hours

Resolved: Within 30 days (GDPR) / 45 days (CCPA)

Data Protection Officer

Email: [email protected]

Response: Within 5 business days

Escalate: Contact DPO if unsatisfied with initial response

17.1 Complaints & Appeals

01. Contact Us First

Email [email protected]. We investigate and respond within 30 days.

02. Escalate to DPO

Email [email protected]. The DPO reviews independently and responds within 5 business days.

03. Lodge a Complaint

You have the right to complain to your local data protection authority (e.g., ICO in UK, CNIL in France, California AG, ANPD in Brazil). We cannot restrict this right.
