1. Who we are
KAIRO is operated by a team based in Plainview, New York. Reach the data protection contact through the Contact page. EU and UK residents may also use these contact channels to exercise their rights under GDPR and UK GDPR.
2. Information we collect
Information you provide
- Account information: name, email, organization, role.
- Billing information: payment method details, billing address, tax identifiers (processed by Stripe; KAIRO does not store full card numbers).
- Content you submit to the platform: domains, company names, prompts, files, and data uploaded for tool runs.
- Communications: support messages, scheduling requests, and feedback.
Information collected automatically
- Usage data: tool runs, timestamps, tier, and structured audit-log events.
- Device and connection: IP address, browser type, operating system, referrer URL.
- Cookies and similar technologies: see Section 7.
Information from third parties
Public web data, public records, and licensed datasets that the platform synthesizes. This data may include limited personal information about individuals who are public figures, business contacts at companies, or otherwise publicly identified.
3. How we use information
- To provide, secure, and improve the platform.
- To authenticate accounts and enforce subscription terms.
- To send service announcements, security alerts, and required commercial notices (auto-renewal reminders, billing receipts).
- To respond to support requests and customer communications.
- To detect, prevent, and address fraud, abuse, and security incidents.
- To meet legal and regulatory obligations.
- To analyze aggregate, de-identified usage trends so we can improve the product.
We do not sell personal information. We do not use personal data to train foundation AI models. Customer content submitted to tool runs is not used to train any third-party AI model under our control.
4. Legal bases (GDPR)
For EU and UK customers, our legal bases for processing personal data are:
- Contract: processing necessary to deliver the platform under your subscription.
- Legitimate interests: securing and improving the service, preventing fraud, and conducting business communications.
- Consent: for cookies that are not strictly necessary, and for marketing communications where required.
- Legal obligation: compliance with tax, accounting, and regulatory requirements.
5. How we share information
We share personal data only as needed and only with parties that have appropriate safeguards in place:
- Service providers: hosting, payment processing, email delivery, error monitoring, and analytics, each bound by data protection commitments.
- Compliance and safety: when required by law, court order, or to protect against fraud or harm.
- Business transfers: in the event of a merger, acquisition, or sale of assets, subject to confidentiality.
The current list of subprocessors used to deliver the platform is on the Trust Center page and is updated as the stack evolves.
6. International data transfers
We may transfer, store, and process personal data in the United States and other countries where our service providers operate. For transfers out of the European Economic Area or the United Kingdom, we rely on Standard Contractual Clauses as a transfer mechanism. EU customers can also execute our Data Processing Addendum for additional contractual safeguards.
7. Cookies
We use cookies and similar technologies for authentication, security, preferences, and limited analytics. Strictly necessary cookies are always on. Other categories require your consent in jurisdictions where the law requires it. You can manage your preferences through the cookie banner or your browser settings.
8. Data retention
We retain personal data for as long as your account is active and as needed to provide the service. After account closure, we retain limited data for legal, accounting, and dispute resolution purposes, typically for up to seven (7) years. Customer content submitted to tool runs is retained for thirty (30) days after account closure to allow export, then deleted.
9. Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing or withdraw consent. To exercise these rights, contact us through the Contact page.
California residents (CCPA / CPRA)
You have the right to know what personal information we collect, to delete personal information we hold about you, to correct inaccuracies, to opt out of any sale or sharing of personal information (we do not sell or share), and to limit use of sensitive personal information. We will not discriminate against you for exercising these rights.
EU and UK residents (GDPR)
In addition to the rights above, you may lodge a complaint with your local data protection authority. You may also use our Data Processing Addendum where KAIRO acts as a processor on your behalf.
10. Security
We maintain technical and organizational measures designed to protect personal data: row-level security on databases, server-side admin gates, rate limiting, input sanitization, JWT-backed sessions, and structured audit logging. The current security posture is described on the Security page.
11. Children
The platform is not directed to children under 16. We do not knowingly collect personal data from children under 16. If we learn we have collected such data, we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated through the platform with at least thirty (30) days' notice. The effective date at the top of this page indicates when the policy was last updated.
This Privacy Policy was generated as a template starting point. Before serving real customers under this policy, have it reviewed by qualified privacy counsel familiar with GDPR, CCPA, and CPRA.