xx the EDPS, which you linked, deals with privacy violations by the European Government itself, not by private companies. GDPR violations by private companies have to be reported to your country's Data Protection Authority - and, unless the case directly involves your own data (ie. a company refuses to delete it), they're not even required to respond to your complaint. In reality I think the only way to have Kagi fined over this is for someone to take them directly to court - which is probably possible (though I'm not a lawyer), but that would require someone to be concerned about this enough to spend significant time and money on this.
I'm not saying that not having a proper privacy policy is acceptable, by the way. It's just not true to say this is a "lawsuit coming", because those laws are unfortunately barely enforced.
