v1.3.0

Privacy Policy for KMM Client Application

Last Updated: April 28, 2026

1. Introduction

This Privacy Policy describes how Kuori (“we”, “us”, or “our”), collects, uses, and protects personal data in connection with our Enterprise Mobility Management solution, KMM and KMM Client application (the “App”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Finnish data protection laws.

2. Data Controller

Kuori
2684703-1
Linnoitustie 6 A, 02600 Espoo
Finland

3. Categories of Personal Data

3.1 User information

  • Name
  • Email address

3.2 Device information

  • Device identifiers (e.g. IMEI, serial number, Android ID where applicable, including identifiers accessed via KMM Client app and Security Service app where necessary)
  • Device model and manufacturer
  • Operating system version
  • Device status and compliance information (e.g. encryption status, security patch level)
  • Local Network information (e.g. Wi-Fi when configured)
  • Device location exclusively for fleet management purposes and to determine physical location
  • Device may receive configuration files, images, and other media files from Kuori’s secure servers to the device. These files are used solely for operational or configuration purposes within the managed environment and do not contain any personal or user-specific information.

3.3 Management and Audit Data

  • Device configuration policies
  • Installed applications
  • Security and compliance logs
  • Administrative and audit log events

4. Device Management Scope

KMM supports only:

  • Fully Managed Devices (corporate-owned, fully controlled)
  • Dedicated devices (single-use, kiosk mode)
  • Android version 6.0 (with very limited functionality) and above
  • Only Android devices. KMM does not support iOS, Windows, or other platforms.

5. KMM Client and Security Service Applications

KMM may include a companion KMM Client application and a Security Service application installed on managed devices.

5.1 Purpose of KMM Client App

The KMM Client application extends device configuration capabilities beyond those currently available through the Android Management API (AMAPI).

Limited to:

  • Device online status information
  • Installing third party applications from Kuori’s secure servers to the device, which may include configuration files, images, and other media files used solely for operational or configuration purposes within the managed environment. These files are intended for operational or configuration purposes and are not intended to contain personal data. Any personal data contained in such files remains the responsibility of the customer.

5.2 Purpose of Security Service App

The Security Service application is used to grant specific elevated permissions required by the KMM Client to perform certain configuration actions.

Limited to:

  • Gesture mode setting
  • Grant permission to set background image on the device
  • Accessing device identifiers such as the Android serial number (for device management purposes only)

5.3 Data Processing Scope

The KMM Client app and Security Service app:

  • Do not collect user personal data such as names, email addresses, or user-generated content
  • Operate solely for device configuration and management purposes
  • Process only the minimum technical data required to perform their functions

Any device identifiers accessed are used exclusively for:

  • Device identification
  • Management and configuration within KMM

5.4 Data Minimization and Purpose Limitation

We design these components in accordance with GDPR principles, including:

  • Data minimization: Only strictly necessary data is accessed
  • Purpose limitation: Data is solely used for device management
  • Security: Permissions are restricted to required functionality

6. Purpose of Processing

We process personal data (specifically name and email address) for the following purposes:

  • User account management, authentication and access control:
    Enabling secure login to the KMM service and verifying user identity
  • Audit trails and accountability:
    Recording administrative actions and system events to ensure traceability and accountability
  • Service administration and support:
    Managing user accounts and providing technical support where necessary
  • Security and misuse prevention:
    Detecting, preventing, and investigating unauthorized access or misuse of the service
  • Service operation and maintenance:
    Ensuring the proper functioning, reliability, and security of the KMM platform

7. Legal Basis for Processing

Our legal bases under the GDPR include:

Contract Performance (Article 6(1)(b)):
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

  • User authentication and account management
  • Operation of administrative and management features

Legitimate interest (Article 6(1)(f)):
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;

  • Ensuring system security and integrity
  • Maintaining audit logs and accountability
  • Preventing misuse and unauthorized access

We ensure that these interests are balanced against the rights and freedoms of users.

Legal obligations (Article 6(1)(c)):
processing is necessary for compliance with a legal obligation to which the controller is subject;

  • Statutory requirements
  • Regulatory or audit obligations

8. Use of Android Management API (AMAPI)

KMM uses Android Management API (AMAPI) provided by Google to manage Android Enterprise devices.

Through AMAPI:

  • Devices are enrolled as fully managed or dedicated
  • Policies and restrictions are enforced
  • Applications are installed and controlled
  • Device status and compliance information is collected

Google acts as an independent controller for data processed through its services and may process such data in accordance with its own privacy policies.

9. Data Retention

We apply the following retention principles:

9.1 User Data

User personal data (name, email) is retained only while the user is active in the system. When a user is deactivated, their personal data is deleted after the audit log retention period expires.

9.2 Audit Logs

Audit and administrative logs are retained for up to one (1) year. These logs may contain references to user identifiers necessary for accountability and traceability.

9.3 Device Data

Device-related data is retained for as long as the device is enrolled and managed. When a device is unenrolled, associated device data is deleted or anonymized without undue delay.

However, certain limited device identifiers (such as the device serial number) may be retained as part of audit logs for accountability and traceability purposes. Such data is retained only for the duration of the audit log retention period (up to one (1) year).

10. Data Sharing and Transfers

We do not sell, rent, or otherwise disclose personal data to third parties for their own purposes.

Personal data is processed only as necessary to provide the KMM service.

10.1 Service Providers

We use trusted service providers (such as cloud and infrastructure providers) to host and operate the KMM platform.

These providers:

  • Process data only on our behalf and under our instructions
  • Are subject to contractual obligations, including data protection requirements

10.2 Google Authentication

KMM supports authentication via Google (OAuth).

In this process:

  • User authentication is performed by Google
  • Basic account information (such as name and email address) is provided by Google to KMM
  • We do not disclose user personal data to Google beyond what is required for authentication

10.3 Customer Access

Customer organizations (acting as data controllers) can access personal data within the KMM service as part of their device management and administrative responsibilities.

10.4 International Data Transfers

Where personal data is processed outside the EU/EEA (for example, by infrastructure providers), we ensure appropriate safeguards are in place, such as:

  • European Commission Standard Contractual Clauses (SCCs)

11. Application Management and Third-Party Applications

11.1 Customer-Provided Applications and Files

KMM enables customers to upload, store, and distribute content to managed devices, including:

  • Application packages (APKs)
  • Media files (e.g. images for device backgrounds)
  • Other files required for device configuration and operation

These applications and files may be developed by the customer or provided by third parties, including distribution outside official app stores. We do not claim ownership of such content.

11.2 Storage and Processing

Customer-provided applications and files are stored on infrastructure controlled by Kuori and are processed solely for the purpose of:

  • Enabling distribution to managed devices
  • Supporting device configuration and management

We do not access or use the content of such files except where necessary to provide the service or for support and maintenance purposes.

11.3 Data Processing by Applications

Applications deployed via KMM may independently collect and process personal data. Such processing is:

  • Determined by the application provider (customer or third party)
  • Subject to the application provider’s own privacy policies

We are not responsible for the data processing practices of third-party applications.

11.4 Customer Responsibility

Customers are responsible for:

  • The content, legality, and origin of uploaded applications and files
  • Ensuring they have the necessary rights to upload and distribute such content
  • Ensuring compliance with applicable data protection and intellectual property laws

11.5 Data Minimization

We do not intentionally process personal data contained within customer-provided applications or files.

Any such data remains under the control and responsibility of the customer.

11.6 Role of KMM

Within the context of application and file management, our role is limited to:

  • Secure storage of customer-provided applications (APKs) and related files
  • Distribution of applications and files to managed devices
  • Enabling installation and configuration via device management policies

KMM does not access, analyze, or control the internal behavior of applications beyond what is required to enable their distribution and installation.

12. Data Security

We implement appropriate technical and organizational measures, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Role-based access control (RBAC)
  • Logging and monitoring

Access to KMM management systems is restricted to authorized personnel strictly for operational and maintenance purposes.

13. Role of Customer (Employers)

The customer organization (e.g. employer) acts as the data controller, determining the purposes and means of processing personal data within the KMM service.

Kuori acts as a data processor, processing personal data on behalf of the customer and in accordance with their instructions.

Kuori may also acts as an independent data controller for limited purposes such as service security, account management, and legal compliance.

This includes, but is not limited to:

  • Managing user accounts and access rights
  • Configuring and enforcing device management policies
  • Deploying applications and files to managed devices
  • Defining monitoring practices and audit requirements

End users (such as employees) should contact their employer regarding:

  • Monitoring practices and device usage policies
  • Internal policies related to device management
  • Requests related to their personal data (e.g. access, correction, or deletion)

We assist customers in fulfilling their data protection obligations where required, in accordance with applicable agreements.

14. Children's Data

KMM is designed for use by organizations in managing corporate-owned devices and is not intended for use by individuals under the age of 16.

We do not knowingly collect or process personal data relating to children.

In the event that we become aware that personal data of a minor has been processed in connection with the service, we will take appropriate steps to delete such data without undue delay.

15. User Privacy and Device Data Scope

KMM is designed to manage corporate-owned devices and does not process personal content of device users.

KMM does not access or collect personal content such as:

  • Contacts
  • Messages
  • Photos or media files
  • Other user-generated content

Personal data processed by KMM is limited to user identification data (such as name and email address) for authentication and audit purposes, as well as technical device information required for device management.

16. Changes to this Policy

Kuori may update this Privacy Policy periodically. Any changes will be communicated through appropriate channels or reflected in an updated version of this page. Continued use of the App after such changes indicates acceptance of the updated terms.

17. Contact

If you have any questions or concerns regarding this Privacy Policy or the handling of device information, please contact:

Kuori Support

Email: support@kuori.tech

Website: https://www.kuori.tech

You have the right to lodge a complaint with the Finnish supervisory authority:

Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Website: https://tietosuoja.fi/en/organisations