This page explains what personal data Kirality collects, why, who we share it with, and what controls you have. Plain-language summary first, full detail after.
Summary
- We collect what we need to run your account: email, name, billing data, your tenant's content.
- We never sell your data.
- We share with sub-processors only as required (Stripe for billing, Anthropic / OpenAI for AI calls you initiate, Sentry for error tracking).
- You can export or delete everything at any time. Contact privacy@kirality.com.
1. What we collect
Account data
- Email, password (hashed with bcrypt — we never see the plaintext), display name
- Tenant (workspace) name, plan tier, billing cadence
- Stripe customer + subscription IDs (we don't store card numbers — Stripe does)
Workspace data
- Org-tree nodes, agents, consultants, skills, pipelines, runs, OKRs, kanban items, CRM contacts
- Documents and files you upload or generate
- Connected integration credentials (Slack tokens, Anthropic API key, etc.) — encrypted at rest
Usage data
- Server access logs (IP, path, status, timestamp) — retained 30 days
- Application errors via Sentry (sampled, scrubbed of secrets)
- LLM usage ledger (token counts, cost) — kept for billing accuracy
2. Why we collect it
- Provide the service — running your agents, billing your subscription, supporting tickets
- Keep it secure — rate limiting, fraud detection, abuse prevention
- Improve the product — aggregated, de-identified usage patterns only. We do not train models on your content.
3. Sub-processors
The third parties that may receive your data when you use specific features:
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, name, card (held by Stripe), subscription metadata |
| Anthropic | Claude API calls | Prompts you submit + results — only when you trigger them |
| OpenAI | GPT API calls | Same as above, only if you opt into OpenAI |
| | Drive Intelligence integration | OAuth token + file metadata, only if you connect Drive |
| Sentry | Error tracking | Stack traces, scrubbed request context |
| Resend | Transactional email | Email address + message content |
4. Your rights (GDPR / CCPA)
Regardless of where you live, you can:
- Access — request a copy of all data we hold on you
- Delete — request permanent deletion of your account and tenant
- Export — get your tenant data as JSON / SQL
- Object — opt out of any processing not strictly required for the service
Contact privacy@kirality.com with your request. We respond within 30 days.
5. How long we keep data
- Active accounts: indefinitely while you have an active subscription
- After cancellation: 30 days, then permanent delete
- Pipeline run history: 90 days rolling
- Server access logs: 30 days
- Webhook delivery logs: 30 days
- Stripe records: 7 years (legal requirement)
6. Security
- Passwords hashed with bcrypt (cost factor 12)
- Tenant API keys + skill bodies encrypted at rest with HKDF-derived per-tenant keys
- HTTPS everywhere; HSTS enforced
- CSRF protection on all mutating requests
- Rate limits per IP and per endpoint
- Postgres at rest is encrypted at the volume layer (managed Supabase / RDS / etc. depending on deployment)
7. Cookies
We use a small number of cookies, all classified by purpose. See our cookie banner for category-level consent, or scroll down for the per-cookie list.
Cookie list
| Name | Purpose | Category | Lifetime |
|---|---|---|---|
| session | Auth session | Strictly necessary | 30 days |
| csrf | CSRF token | Strictly necessary | 30 days |
| kirality.cookie_consent | Records your consent choice | Strictly necessary | 1 year |
| kirality.tutorial.dismissed | Hides the in-app onboarding overlay after dismissal | Functional | indefinite (localStorage) |
We do not run analytics or advertising cookies.
8. Children
Kirality is not directed at children under 16. We don't knowingly collect data from minors.
9. Changes
If we make material changes we'll email account owners and update the date at the top of this page. Continued use of the service after changes means you accept the new terms.
10. Contact
Privacy questions: privacy@kirality.com
Data Protection Officer: same address.