Privacy policy · v0.1 · pending legal review
Privacy Policy
This is a v0.1 privacy policy authored to make our data-handling posture concrete and contestable. It has not yet been reviewed by external legal counsel; that review is gated before non-named users from the EU sign up self-serve at scale. Concerns or questions: privacy@kiff.dev.
1. Who we are
KIFF Cloud is operated by Kiff Agents OÜ, a private limited company incorporated in Estonia. Registry information:
- Registry code: 17372313 (Estonian e-Business Register)
- VAT number: EE102924327
- Registered address: Tööstuse tn 75-71, Põhja-Tallinna linnaosa, Tallinn 10416, Estonia
- Privacy contact: privacy@kiff.dev
- Formal legal notices: legal@grouhub.co
Because Kiff Agents OÜ is established in the European Union, the EU General Data Protection Regulation (GDPR) applies natively to our processing. We do not require an Article 27 EU Representative.
2. Scope of this policy
This policy covers personal data we process when you interact with:
- kiff.dev — our marketing site, this policy page, and the public receipt-rendering surface.
- app.kiff.dev — our authenticated dashboard.
- api.kiff.dev — our HTTP API.
This policy does not cover the open-source kiffhq/kiff framework you may run yourself. When you run the framework on your own infrastructure, you are the controller of any data it processes, and Kiff Agents OÜ is not involved in that processing.
3. Our roles under GDPR
We act in two capacities depending on the data:
- Controller for account and sign-in metadata, billing data (when billing is active), marketing communications you opt into, and the operational telemetry of our own service.
- Processor for the audit data, action records, decision receipts, and other content that flows through the runtime on behalf of our customers. Customers (the tenants) are controllers of that data; they instruct us via their account settings and domain configuration. The Data Processing Agreement (DPA) governs that relationship; see the DPA template for the published terms.
This policy primarily addresses our controller-side processing. Where we mention processor-side data, the DPA is the more specific document.
4. Categories of personal data we process
The categories below are aligned with the technical inventory at /security#data-we-process. Where the two diverge, the technical page is the source of truth and we update this section to match.
- Account identifiers — your upstream authentication subject (issued by our identity provider) and the email address you sign in with. Stored verbatim today; hashed-at-rest is planned.
- Tenant metadata — tenant id, slug, display name, creation timestamp.
- API credentials — opaque API key records (we store hashes, never the plaintext).
- Session cookie data — an HMAC-signed session cookie set after sign-in. See the cookies section below.
- HTTP request metadata — IP address, user agent, request path, response status, latency. Held in our reverse proxy's access logs for a limited retention window for security and abuse prevention.
- Tenant-controlled content — the parameters, actor, and entity data you send to the runtime. We hold this as processor on the customer's behalf; the customer is responsible for what reaches the wire. Per-domain redaction config is planned.
- Communications — emails you send to our support, sales, security, or privacy mailboxes.
5. Lawful bases for processing
Under Article 6 of the GDPR, we rely on the following lawful bases:
- Performance of a contract (Article 6(1)(b)) — for account creation, authentication, operating the runtime on your behalf, billing (when active), and the core service surfaces.
- Legitimate interests (Article 6(1)(f)) — for security, fraud prevention, abuse detection, operational telemetry, and protecting the service. We balance our interests against your rights and will tell you on request what that balancing test produced.
- Consent (Article 6(1)(a)) — for any future analytics cookies, optional marketing communications, or any new processing that materially expands our use of your data. As of v0.1, we do not rely on consent for any processing because we run no analytics, no advertising, and no non-essential tracking.
- Legal obligation (Article 6(1)(c)) — for tax records (Estonian Accounting Act §12, 7 years), responses to lawful authority requests, and retention required by anti-money-laundering rules where applicable.
6. Sub-processors
We engage a small set of vendors to deliver the service. The full, current list lives at /security#subprocessors; that page is updated within 30 days of any change. We require each sub-processor to provide protections equivalent to ours under written agreements, including the EU Standard Contractual Clauses where personal data leaves the EU.
Material additions to or replacements of sub-processors that affect personal data are notified to active customers in advance, with a right to object.
7. International transfers
Some of our sub-processors are established outside the European Economic Area, primarily in the United States. For each such transfer we rely on at least one of the following safeguards:
- EU–US Data Privacy Framework — for US sub-processors that have certified to the Framework. Adequacy decision in force as of mid-2023; we monitor for any change in its status.
- Standard Contractual Clauses — module 2 (controller-to-processor) for our direct sub-processors and module 3 (processor-to-sub-processor) where chained processors apply. We use the 2021 Commission-approved SCCs.
- Supplementary measures — where the risk assessment indicates additional safeguards are warranted (encryption in transit and at rest, access logging, data minimization).
You can request the specific transfer instrument applicable to a given sub-processor by emailing privacy@kiff.dev.
8. Retention
We retain personal data for the shortest period consistent with the purposes for which we process it and any applicable legal obligation.
- Account and sign-in metadata — until you delete your account, plus a 30-day grace window for restoration on request.
- API key records — until revoked, or until account deletion, whichever is sooner.
- Session cookies — until expiry (24 hours by default) or until you sign out.
- Reverse-proxy access logs — up to 90 days, then aggregated or deleted.
- Tenant audit data — held as processor per the customer's tenant configuration. Default: retained for the lifetime of the tenant; deleted on tenant deletion. See /security#deletion.
- Billing records — 7 years from the end of the financial year (Estonian Accounting Act §12).
- Support correspondence — 3 years from the last interaction, then deleted.
9. Your rights
Under the GDPR you have the following rights with respect to your personal data:
- Access (Article 15) — confirmation of whether we process your data, and a copy of it.
- Rectification (Article 16) — correction of inaccurate or incomplete data.
- Erasure (Article 17) — deletion of your data, subject to legal-retention exceptions.
- Restriction (Article 18) — pause processing while a dispute is resolved.
- Portability (Article 20) — a machine-readable export of data you provided.
- Objection (Article 21) — to processing based on legitimate interests; we stop unless we can show overriding grounds.
- Withdraw consent (Article 7(3)) — for any processing based on consent. Withdrawal does not affect prior lawful processing.
To exercise any of these rights, email privacy@kiff.dev. We respond within one month per Article 12(3); we may extend by up to two further months for complex requests and will tell you if we do.
You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). You may also complain to the supervisory authority in your member state of residence.
11. Security
Our technical and organisational security measures are documented at /security. They include tenant isolation at the database layer, TLS 1.2+ in transit, encryption at rest via the managed provider's defaults, and access controls based on the principle of least privilege.
We notify affected customers of a personal data breach without undue delay and within 72 hours of confirmation, consistent with Article 33 GDPR. Notice includes the nature of the breach, categories and approximate numbers of data subjects and records concerned, the likely consequences, and the measures taken or proposed.
12. Children
KIFF Cloud is a developer infrastructure product not directed at children. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, contact privacy@kiff.dev and we will delete it.
13. Automated decision-making
KIFF Cloud's runtime makes deterministic policy decisions on data sent by our customers. These are not decisions about you that produce legal or similarly significant effects in the sense of Article 22 GDPR; they are decisions about the customer's actions (refunds, orders, messages, and so on) executed under the customer's own policy.
Customers who use KIFF Cloud to make decisions affecting their own end users are themselves responsible for Article 22 compliance. Our governance receipts are designed to give those customers the audit trail they need to demonstrate human oversight, but the legal obligation to provide that oversight rests with the customer.
14. Changes to this policy
We may update this policy from time to time. Material changes are notified by email to active customers and by a prominent banner on this page for at least 30 days. Non-material changes are posted with a new "last updated" date.
15. Contact us
Privacy questions and rights requests: privacy@kiff.dev.
Formal legal notices to Kiff Agents OÜ: legal@grouhub.co, or by post to Tööstuse tn 75-71, Põhja-Tallinna linnaosa, Tallinn 10416, Estonia.
Lead supervisory authority for complaints: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
Document version: v0.1.
Status: pending external legal review.
Source of truth: this page is rendered from apps/web/internal/pages/privacy.templ. History is in git.