
Privacy policy

Status: living document. This policy applies to the kirimana.io website during Private Preview. We update it as the product evolves and as the regulatory landscape shifts. Last updated: 26 April 2026.

Who we are

Kirimana is an open-source data-platform project. The website kirimana.io is operated by the Kirimana project maintainers. For privacy questions, contact privacy@kirimana.io.

Where your data lives

  • The website + its database run on Fly.io, region arn (Stockholm, Sweden) — EU data residency by design.
  • Email delivery (verification + transactional) goes through Resend (sub-processor; see Trust center).
  • AI assistant calls (Kiri chat) route through Anthropic (sub-processor; classification-gated; see Trust center).

What we collect

We collect the minimum necessary, in three buckets:

1. Things you actively give us

  • Account data (when you sign up): email, password hash (Argon2id), optional name
  • Email verification token (one-time, 24h expiry, deleted on use)
  • Persona profile (when you complete the Kiri interview AND consent to personalization): role, stack, biggest pain, optional AI / analytics maturity
  • Early-access request (when you submit the form): email, role, stack, edition interest, free-text reason, dev-team-interest flag

2. Things that happen because the website works

  • Session cookie (HttpOnly, SameSite=Lax, signed) — required to keep you signed in
  • Persona-slug cookie (non-HttpOnly so the site can render personalised content; only set if you’ve granted Personalization consent in the cookie banner)
  • Server logs (IP, user-agent, request path, timestamp; rotated after 30 days; not used for tracking)

3. Things we DO NOT collect

  • We don’t run third-party analytics on the website (no Google Analytics, no Meta Pixel, no Hotjar). Server-side aggregate request counts only.
  • We don’t sell, trade, or share your data with marketing brokers.
  • We don’t track you across other websites.
  • We don’t read the contents of your conversations with Kiri to train external models. Kiri requests are sent to Anthropic for inference under their data-processing terms; Anthropic does not train on API traffic.

The cookie banner offers four categories:

| Category | Default | What it does |
|---|---|---|
| Necessary | always on | Sign-in session, security tokens. Cannot be turned off — required for the site to work. |
| Personalization | off | Remembers your role from the Kiri interview so the site reorders to fit. localStorage + persona cookie. |
| Analytics | off | (Reserved for a future privacy-respecting analytics provider — currently unused.) |
| Marketing | off | (Reserved for a future newsletter — currently unused.) |

Revoke any category at any time via /cookies. Revoking clears the relevant storage immediately.

Your rights (GDPR)

You have the right to:

  1. Access your data — email privacy@kirimana.io; we respond within 30 days
  2. Correct inaccurate data — edit on your account page or email us
  3. Delete your account (Article 17) — initiate at /account/delete. We delete account, sessions, and persona profile. Audit-log entries tied to your activity are redacted (replaced with an anonymous marker) rather than hard-deleted, to comply with our DORA + EU AI Act obligations. Redaction is auditable and recorded in the audit log.
  4. Port your data — email us; we provide a JSON export
  5. Object to processing — email us
  6. Withdraw consent for personalization, analytics, or marketing at /cookies at any time
  7. Lodge a complaint with your supervisory authority — for Sweden, the Integritetsskyddsmyndigheten (IMY)

Retention

| Data | Retention |
|---|---|
| Active account data | until you delete |
| Verification tokens | 24h max, deleted on use |
| Server logs | 30 days |
| Email-delivery logs (Resend) | per Resend’s retention |
| Audit-log entries | 7 years (DORA-aligned), redacted on Art. 17 erasure |
| Early-access requests (unactioned) | 18 months, then archived |

Sub-processors

Listed in detail at /trust. Summary:

  • Fly.io — hosting (EU region only)
  • Resend — transactional email
  • Anthropic — AI inference (Kiri chat)
  • GoDaddy — domain registrar (DNS only; no data flows)

Changes to this policy

We announce changes via the website and (if applicable) by email. Substantive changes get 30 days’ notice for active users.

Contact

privacy@kirimana.io — privacy queries, deletion requests, exports, complaints. We respond within 30 days.