Privacy Policy
Last updated: 20 May 2026
This Privacy Policy explains how Kaiday ("Kaiday", "we", "us") processes personal data when you use the Kaiday platform at kaiday.com, related sub-domains, the Kaiday API, and any connectors or integrations you choose to enable (together, the "Service").
Kaiday is operated from the Netherlands. We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Dutch GDPR Implementation Act (Uitvoeringswet AVG, "UAVG").
1. Controller and contact
The data controller for personal data processed about visitors, account holders, and end-users of the Kaiday platform is:
- Kaiday, operated by Sophometrics, Netherlands
- Email: privacy@kaiday.com
- General contact: hello@kaiday.com
For most personal data that customers upload or import via connectors, Kaiday acts as a processor on behalf of the customer (the controller). Where Kaiday determines purposes and means — for example, for account management, billing, security, and product analytics — Kaiday acts as a controller.
2. Personal data we process
2.1 Account & identity data
- Name, email, password hash, profile photo, role, language preference
- Workspace / organisation membership and permissions
- Authentication identifiers from social or single sign-on providers (e.g. Google, Microsoft, Meta)
2.2 Content data
- Files, documents, messages, notes, tasks, calendar events, contacts, and other content you create or upload
- Data you import from third-party services through connectors (see §6)
2.3 Usage & technical data
- Log data: IP address, user agent, device identifiers, timestamps, pages and features accessed
- Diagnostic, performance, and error data
- Cookies and similar technologies needed to keep you logged in and to remember your preferences
2.4 Communications
- Support tasks, in-app messages, feedback, and survey responses
2.5 Billing data
- Company name, billing address, VAT number, plan, invoice history
- Payment is handled by our payment processor (Stripe). We do not store full card numbers.
3. How we use personal data and the lawful basis
We process personal data for the purposes listed below, on the lawful bases indicated (Art. 6 GDPR).
- Provide the Service — create and authenticate accounts, run AI agents, sync connectors, deliver features you request. Basis: performance of a contract (Art. 6(1)(b)).
- Service operations & security — logging, abuse and fraud prevention, rate-limiting, backups, incident response. Basis: legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)).
- Billing and tax compliance — invoicing, accounting, statutory record-keeping. Basis: contract and legal obligation.
- Product analytics — aggregated usage metrics to improve features. Basis: legitimate interests; consent where required for non-essential cookies.
- Customer communications — service notices, security alerts, product updates. Basis: legitimate interests; consent for marketing emails, which you can withdraw at any time.
- AI model usage — we send your prompts and the relevant context to large-language-model providers strictly to generate the response you requested. The provider and processing region depend on the data-residency tier you choose at workspace creation (see §3.1). We do not permit any of these providers to use your content to train their general-purpose models. Basis: contract.
3.1 Data residency tiers
When you create a workspace you choose a data-residency tier. This determines which AI inference provider receives your prompts and the AWS region in which your account and content data is hosted. You can review your current tier in Settings → Workspace; changes apply to data processed after the change takes effect.
- Global (default). AI inference by DeepSeek (Hangzhou, People's Republic of China) under zero-retention API terms; account and content storage in AWS eu-central-1 (Frankfurt). Lowest cost; prompts are processed in the PRC and transferred there under the safeguards described in §8.
- EU / Compliance. AI inference via Amazon Bedrock in the European Union (eu-north-1 Stockholm or eu-west-2 London); account and content storage in AWS eu-central-1 (Frankfurt). All processing remains inside the European Economic Area, under the AWS Data Processing Addendum and the AWS Customer Agreement.
- US / Compliance. AI inference via Amazon Bedrock in the United States (us-east-1 N. Virginia or us-west-2 Oregon); account and content storage in AWS US East. Intended for customers with U.S. data-residency or sectoral compliance requirements.
Across all tiers, the inference provider operates under written terms that prohibit training their general models on customer content, and we use zero- or short-retention API modes wherever the provider supports them.
4. Automated decision-making and AI
Kaiday uses Kai, an AI assistant, to draft messages, suggest next actions, and — where you have explicitly enabled it — execute tasks on your behalf. You can review, override, or undo any AI-generated action. Kaiday does not make decisions producing legal or similarly significant effects on data subjects without human review.
5. Cookies and similar technologies
We use strictly necessary cookies to keep you logged in and remember workspace selection. With your consent we may use analytics cookies to measure feature usage. You can manage cookie preferences in your browser and, where presented, in the cookie banner.
6. Third-party connectors and integrations
Kaiday connects to a wide range of third-party services only at your direction, using OAuth or an API key you provide. When you authorise a connector:
- Kaiday reads, writes, and stores the data scopes you approve in the consent screen of the third party.
- The third party becomes an independent controller of any data they receive from us as a result of your use.
- You can revoke access at any time from Kaiday Settings → Connectors and from the third party's own console.
Categories of connectors currently supported include, without limitation:
- Identity & productivity: Google Workspace, Microsoft 365, Slack, Notion, Atlassian (Jira, Confluence), Asana, Trello, Linear, Discord
- Social & advertising: Meta (Facebook & Instagram), Meta Ads, Threads, LinkedIn (Social, Ads, Recruiter), TikTok Ads, Google Ads, Google Analytics, ManyChat
- Sales & CRM: HubSpot, Salesforce, Pipedrive, Apollo, Attio, Affinity, Clay, Clearbit
- Customer support: Intercom, Zendesk, Front, Crisp, Canny, Productboard
- Finance & payments: Stripe, Mercury, Brex, Ramp, Moneybird, QuickBooks, Xero, Pilot, Puzzle
- E-commerce: Shopify, Tiendanube, Webflow, Framer, Vercel
- HR & legal: Greenhouse, Lever, Ashby, Gem, Carta, Clerky, Common Paper, DocSend, DocuSign, Ironclad
- Analytics: Mixpanel, Amplitude, PostHog
- Scheduling: Cal.com, Calendly
- Automation: Make, Zapier, generic REST & webhook connectors
For each connector we maintain a written record of the data scopes used. A current list with retention details is available on request.
6.1 Meta Platforms (Facebook Login & Graph API)
When you sign in with Facebook or connect a Meta-owned account (Facebook Page, Instagram Business, Meta Ads, Threads), we receive only the scopes you approve in the Meta consent dialog. We use that data solely to operate the feature you requested (e.g. publishing posts, reading messages, fetching ad metrics). We do not sell Meta platform data and do not use it for any purpose not explicitly disclosed to you. You can disconnect at any time from Kaiday or by visiting Facebook Settings → Apps and Websites. To request deletion of data Kaiday holds about you that originated from Meta, follow the instructions on our Data deletion page.
7. Sub-processors
Kaiday relies on the following categories of sub-processors. They process personal data only on our documented instructions and under written data-processing terms:
- Cloud infrastructure (EU / Global tiers): Amazon Web Services (eu-central-1, Frankfurt) for hosting, storage, email delivery (Amazon SES) and monitoring
- Cloud infrastructure (US / Compliance tier): Amazon Web Services (US East / US West) for hosting, storage and monitoring
- AI inference — Global tier: DeepSeek (Hangzhou, People's Republic of China) under a zero-retention API agreement; no general-model training on customer content
- AI inference — EU / Compliance tier: Amazon Web Services — Amazon Bedrock (eu-north-1 Stockholm or eu-west-2 London)
- AI inference — US / Compliance tier: Amazon Web Services — Amazon Bedrock (us-east-1 N. Virginia or us-west-2 Oregon)
- Payments: Stripe
- Customer support & product analytics: tools listed in our public sub-processor register
A current list of named sub-processors is available at privacy@kaiday.com. We notify customers in advance of material changes and offer a reasonable opportunity to object.
8. International transfers
Where personal data is stored and processed depends on the data-residency tier you select for your workspace (see §3.1):
- EU / Compliance tier: all storage and AI inference remains inside the European Economic Area. No outside-EEA transfer is required to deliver the Service.
- US / Compliance tier: storage and AI inference take place in the United States. For data originating in the EEA we rely on the EU–U.S. Data Privacy Framework (where the recipient is certified) and/or the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914).
- Global tier: account and content storage is in AWS Frankfurt, but AI inference is provided by DeepSeek and prompts are transmitted to the People's Republic of China. The PRC is not the subject of a Commission adequacy decision; we rely on Standard Contractual Clauses with the provider and on the technical and organisational measures described in our security documentation, including a zero-retention API agreement. Customers who require prompts to remain inside the EEA should select the EU / Compliance tier.
For sub-processors located outside the EEA we additionally rely on the EU–U.S. Data Privacy Framework (where the recipient is certified) and/or the Standard Contractual Clauses (Decision 2021/914), supplemented by the technical and organisational measures described in our security documentation. You can request a copy of the relevant transfer mechanism by contacting us.
9. Retention
- Account data: for as long as your account is active, plus up to 90 days after closure.
- Customer content: until you delete it or until 30 days after subscription termination, after which it is purged from primary systems and within 90 days from backups.
- Connector data: retained until you disconnect the connector or delete the synced records.
- Logs and security events: typically up to 12 months.
- Invoicing and tax records: 7 years, as required by Dutch law (art. 52 AWR).
10. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16)
- Erase your data (Art. 17)
- Restrict processing (Art. 18)
- Receive your data in a portable format (Art. 20)
- Object to processing based on legitimate interests, including profiling (Art. 21)
- Withdraw consent at any time, without affecting prior lawful processing (Art. 7(3))
To exercise any of these rights, email privacy@kaiday.com. We will respond within one month (extendable by two months for complex requests). You can also file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or the supervisory authority of your EU member state.
11. Security
Kaiday encrypts personal data in transit (TLS 1.2+) and at rest (AES-256). We apply role-based access controls, least-privilege engineering access, audit logging, vulnerability scanning, and continuous monitoring. We will notify affected customers and, where required, the supervisory authority within 72 hours of becoming aware of a personal-data breach (Art. 33-34 GDPR).
12. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children under that age. If you believe a child has provided us personal data, contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the new version on this page and, for material changes, notify account holders by email or in-app notice at least 14 days before the change takes effect.
14. Contact
Questions, requests or complaints about privacy: privacy@kaiday.com.