
Privacy policy

Status: living document. This policy applies to the kirimana.io website during Private Preview. We update it as the product evolves and as the regulatory landscape shifts. Last updated: 26 April 2026.

Who we are

Kirimana is an open-source data-platform project. The website kirimana.io is operated by the Kirimana project maintainers. For privacy questions, contact privacy@kirimana.io.

Where your data lives

  • The website and its database run on Fly.io, region arn (Stockholm, Sweden): EU data residency by design.
  • Email delivery (verification + transactional) goes through Resend (sub-processor; see Trust center).
  • AI assistant calls (Kiri chat) route through Anthropic (sub-processor; classification-gated; see Trust center).

What we collect

We collect the minimum necessary, in three buckets:

1. Things you actively give us

  • Account data (when you sign up): email, password hash (Argon2id), optional name
  • Email verification token (one-time, 24h expiry, deleted on use)
  • Persona profile (when you complete the Kiri interview AND consent to personalization): role, stack, biggest pain, optional AI / analytics maturity
  • Early-access request (when you submit the form): email, role, platform context, solution-path interest, free-text reason, dev-team-interest flag
  • Stored Kiri conversation (only when you tick “let Kirimana store this conversation” on the Meet Kiri chat panel): the transcript, your email, the role you selected, a Kiri-authored summary, and a daily IP-hash (SHA-256 of ip|date, never the raw IP). Used only for product research — understanding which roles ask what and where the docs fall short. Storage is opt-in and independent from the email-summary feature; you can withdraw at any time via the one-click link in the summary email.

2. Things that happen because the website works

  • Session cookie (HttpOnly, SameSite=Lax, signed), required to keep you signed in
  • Persona-slug cookie (non-HttpOnly so the site can render personalised content; only set if you’ve granted Personalization consent in the cookie banner)
  • Server logs (IP, user-agent, request path, timestamp; rotated after 30 days; not used for tracking)

3. Things we DO NOT collect

  • We don’t run third-party analytics on the website (no Google Analytics, no Meta Pixel, no Hotjar). Server-side aggregate request counts only.
  • We don’t sell, trade, or share your data with marketing brokers.
  • We don’t track you across other websites.
  • We don’t read the contents of your conversations with Kiri to train external models. Kiri requests (your messages and the generated context such as your AI-maturity answers) are sent to Anthropic for inference under their published Data Processing Addendum; Anthropic does not train its models on API traffic.

The cookie banner offers four categories:

Category | Default | What it does
Necessary | always on | Sign-in session, security tokens. Cannot be turned off, required for the site to work.
Personalization | off | Remembers your role from the Kiri interview so the site reorders to fit. localStorage + persona cookie.
Analytics | off | (Reserved for a future privacy-respecting analytics provider, currently unused.)
Marketing | off | (Reserved for a future newsletter, currently unused.)

Revoke any category at any time via /cookies. Revoking clears the relevant storage immediately.

Your rights (GDPR)

You have the right to:

  1. Access your data: email privacy@kirimana.io; we respond within 30 days
  2. Correct inaccurate data: edit on your account page or email us
  3. Delete your account (Article 17): initiate at /account/delete. We delete account, sessions, and persona profile. Audit-log entries tied to your activity are redacted (replaced with an anonymous marker) rather than hard-deleted, to comply with our DORA + EU AI Act obligations. Redaction is auditable and recorded in the audit log.
  4. Port your data: email us; we provide a JSON export
  5. Object to processing: email us
  6. Withdraw consent for personalization, analytics, or marketing at /cookies at any time
  7. Lodge a complaint with your supervisory authority: for Sweden, the Integritetsskyddsmyndigheten (IMY)

Retention

Data | Retention
Active account data | until you delete
Verification tokens | 24h max, deleted on use
Server logs | 30 days
Email-delivery logs (Resend) | per Resend’s retention
Audit-log entries | 7 years (DORA-aligned), redacted on Art. 17 erasure
Early-access requests (unactioned) | 18 months, then archived
Stored Kiri conversations (opt-in) | 24 months from chat date, or until you withdraw via the summary-email link

Sub-processors

Listed in detail at /trust. Summary:

  • Fly.io: hosting (EU region only)
  • Resend: transactional email
  • Anthropic: AI inference (Kiri chat)
  • GoDaddy: domain registrar (DNS only; no data flows)

Changes to this policy

We announce changes via the website and (if applicable) by email. Substantive changes get 30 days’ notice for active users.

Contact

privacy@kirimana.io: privacy queries, deletion requests, exports, complaints. We respond within 30 days.