As a European it is mind-boggling that Kagi has not addressed the non-compliance with the GDPR yet. Considering Kagi promotes itself as a privacy-friendly service, GDPR compliance is not only legally mandatory but should be of utmost priority.
I would like to stress that the issue here is not "simply" adding some text to the privacy policy but bringing Kagi in compliance with all GDPR requirements. Unlike some of the previous comments suggest, this cannot be treated as a mere "legal" or "transparency" issue, as the GDPR affects all phases of the service, including planning, design and operation of data processing, and is not limited to notice and choice. Failure to comply with transparency obligations raises doubt regarding the compliance with other principles of the GDPR.
Ironically, Kagi's "privacy pass" feature would be considered a great example of a measure as set out by Art. 25 GDPR (data protection by design) which could reduce the fine in case of a failure to comply otherwise (cf. Art. 83 (1) lit. d GDPR). Again, this shows how GDPR compliance is not just some bureaucratic obligation but can help privacy-oriented services to increase privacy while preventing fines.
Imho, Kagi should not only consult highly experienced GDPR lawyers but also ensure an interdisciplinary approach to continuously work towards the highest possible level of data protection and privacy. Non-compliance or mere compliance is not sufficient considering the label of "privacy as a feature".
Lastly, it should be stressed that Kagi falls under the scope of the GDPR as it processes personal data of EU data subjects while offering a (paid) service to them (Art. 3 (2) GDPR). Hence, the obvious failure to comply leads to substantial fines. Reputational damage would be critical in light of Kagi's self-proclaimed privacy approach.