Privacy
Policy

1. GDPR & AVG Compliance

Kiran is fully compliant with the General Data Protection Regulation (GDPR) and the Dutch implementation of the regulation, the Algemene verordening gegevensbescherming (AVG). We take your privacy seriously and are committed to protecting your personal data through transparent practices and robust security measures.

2. Who We Are

Kiran is a digital carbon footprint reduction platform based in Haarlem, the Netherlands. We provide desktop software and a web portal to help individuals and organisations reduce their digital environmental impact.

For privacy-related enquiries, you can reach our data protection contact at privacy@kiran.app.

3. What Data We Collect

• Account information: Your name and email address, collected during registration to create and manage your account.
• Scan metadata: File sizes, types, and counts from scans. We never access or store the contents of your files.
• Usage analytics: Features used, session duration, and general interaction patterns to help us improve the product.
• Payment information: Processed securely via Stripe. We never store your card details on our servers.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract performance: Processing necessary to deliver the services you have signed up for.
• Consent: Where you have given explicit consent, such as for marketing communications.
• Legitimate interest: To improve our services, prevent fraud, and ensure platform security.

5. How Long We Keep Data

• Account data: Retained until you delete your account.
• Scan history: Retained until you delete your account or request deletion.
• Payment records: 7 years, as required by Dutch tax law (fiscale bewaarplicht).
• Support conversations: 2 years after resolution.

6. Your Rights Under GDPR

Under the GDPR and AVG, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data (“right to be forgotten”).
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interest.
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at privacy@kiran.app. We will respond within 30 days.

7. Data Sharing

We share data only with trusted service providers necessary to operate our platform:

• Supabase: Authentication and database services (EU hosted).
• Stripe: Secure payment processing.
• Vercel: Website hosting and delivery.
• Resend: Transactional email delivery.

We never sell your data to third parties. Your data is used solely to provide and improve our services.

8. International Data Transfers

Your data is primarily stored within the European Union. Where data is transferred to services based in the United States (such as Vercel and Stripe), these transfers are protected by Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) in compliance with GDPR requirements.

9. Cookies

We use only essential cookies required for the service to function:

• Authentication cookies: To keep you securely logged in.
• Preference cookies: To remember your settings such as language and theme.

We do not use tracking or advertising cookies. For more details, see our Cookie Policy.

10. How We Protect Your Data

• HTTPS/TLS: All data in transit is encrypted using industry-standard TLS encryption.
• Encryption at rest: Stored data is encrypted at rest.
• Secure authentication: We use Supabase Auth with secure session management.
• Regular security reviews: We conduct regular reviews of our security practices and infrastructure.

11. How to Complain

If you have concerns about how we handle your personal data, please contact us first at support@kiran.app. We will do our best to resolve your concern.

If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

12. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will notify you via email or an in-app notification. The “Last updated” date at the top of this page reflects the most recent revision.