Privacy Policy
Effective 27 May 2026
This Privacy Policy describes how Kirtonic Ltd (“Kirtonic”, “we”, “our”) collects, uses, and discloses personal data when you use the Kirtonic platform (the “Service”). Kirtonic is the data controller for personal data we collect from website visitors and account holders; we act as a data processor for content you submit to the Service through your workspace.
For the purposes of the UK GDPR and EU GDPR, the controller is Kirtonic Ltd (company number 16693710), registered in England and Wales at Guildhall Place, Market Hill, Cambridge, CB2 3QJ, United Kingdom. Contact: hello@kirtonic.io.
1. Information we collect
Information you provide directly
- Account information: name, email address, password hash, workspace name.
- Billing information: collected by Stripe on our behalf. We receive the last four digits of the card, the expiry month, and a tokenised customer identifier. We do not see or store full payment card numbers.
- Provider credentials: API keys for connected AI providers, encrypted at rest using authenticated symmetric encryption.
- Workspace content: prompts submitted, model outputs, governance decisions, audit log entries, and any metadata you choose to attach.
Information collected automatically
- Usage data: pages visited, features used, request timestamps, API endpoint identifiers, classification statistics.
- Device and connection: IP address (stored as a one-way hash), browser type, operating system. We do not use third-party advertising or cross-site tracking cookies.
- Operational telemetry: error reports and performance metrics for the purpose of service reliability.
2. Purposes and legal bases
| Purpose | Legal basis (UK / EU GDPR) |
|---|---|
| Providing the Service to you | Performance of a contract (Art. 6(1)(b)) |
| Billing, fraud prevention, account security | Legitimate interests (Art. 6(1)(f)) |
| Service reliability monitoring and error reporting | Legitimate interests (Art. 6(1)(f)) |
| Compliance with regulatory and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Sending product-update emails to workspace owners | Legitimate interests, with opt-out (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)), opt-in only |
3. Sharing and disclosure
We share personal data only with the categories of recipients set out below:
- Service providers (sub-processors): the suppliers that help us operate the Service, including infrastructure, authentication, payment processing, and email delivery. A current list is available on request from hello@kirtonic.io.
- Connected AI providers: when you submit a prompt in “Live AI session” mode, the prompt is forwarded under your own provider credentials. Each provider has its own data-handling policy.
- Legal authorities: where compelled by law, and only to the minimum extent necessary.
- Successors: in the event of a merger, acquisition, or sale of assets, with notice to affected customers.
We do not sell personal data. We do not share personal data with advertising networks.
4. International transfers
Kirtonic stores primary workspace data within the United Kingdom and the European Economic Area. Where data is transferred to a sub-processor outside the UK/EEA, the transfer is governed by the UK International Data Transfer Addendum or the EU Standard Contractual Clauses, as applicable.
Customers on Enterprise plans may pin data residency to UK-only or EU-only storage. Configure this in Workspace settings → Data residency.
5. Retention
- Audit log entries: 7 days on Sandbox, 30 days on Solo, 90 days on Team, 1 year on Growth, and per-contract on Enterprise.
- Workspace content and configuration: for the lifetime of the workspace plus 30 days following deletion, after which it is removed.
- Billing records: 7 years to satisfy HMRC retention requirements.
- Operational logs: 30 days.
6. Your rights
If you are in the UK or EEA you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure (subject to legal-retention exceptions).
- Object to or restrict processing.
- Receive your data in a portable format.
- Withdraw consent at any time for processing based on consent.
- Lodge a complaint with your supervisory authority (in the UK, the Information Commissioner's Office).
To exercise any of these rights, email hello@kirtonic.io. We respond within 30 days.
7. Cookies and similar technologies
Kirtonic uses strictly necessary cookies and similar technologies for session authentication, CSRF protection, and remembering UI preferences (sidebar state, welcome-tour completion). We do not use third-party advertising, analytics, or social-media tracking cookies on the platform itself. The public marketing site may include first-party analytics for aggregated visitor statistics.
8. Shadow-AI Discovery (browser-extension telemetry)
The Kirtonic browser extension includes an optional “Shadow-AI Discovery” feature that helps workspace administrators understand which generative-AI tools their organisation is using. This section sets out exactly how it works, what data is processed, and what is deliberately not processed.
8.1 When the feature is active
Discovery is off by default. It activates only when both of the following are true:
- A workspace administrator has minted an API key carrying the extension:discovery scope and provisioned it to the extension; and
- The end user has ticked “Enable shadow-AI discovery on this browser” in the extension settings page.
Removing either condition stops the collection immediately. The end user may switch the feature off at any time.
8.2 What is processed
For each browser navigation that matches our published catalogue of AI-tool hostnames, the extension reports to Kirtonic the following fields and nothing else:
- Matched hostname: the host portion of the visited URL (for example, chat.openai.com), where the host equals, or is a subdomain of, an entry in the catalogue. The path, query string, and fragment of the URL are discarded before any data leaves the browser.
- Visit count: an integer of matched navigations within the reporting window (default 5 minutes).
- First-seen and last-seen timestamps for the batch.
- Installation hash: a SHA-256 hash of a random installation identifier salted with the workspace API token. The hash is not reversible to the underlying installation identifier, and is workspace-scoped so the same browser across two workspaces produces two unlinkable hashes.
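The reduction described in 8.2, sketched as an added example (not Kirtonic's extension code): a label-boundary hostname match, local dropping of everything else, and a workspace-scoped installation hash. The catalogue entries, function names, report shape and the exact hash construction are assumptions, and Node's crypto module stands in for the browser's Web Crypto API so the sketch runs offline.

```javascript
// Added illustration; not Kirtonic's extension code.
const { createHash } = require('node:crypto');

// Constructed sample catalogue; the real list is served by the platform.
const CATALOGUE = ['chat.openai.com', 'assistant.example'];

// Return the hostname if it equals, or is a subdomain of, a catalogue entry.
// Only the host is kept; path, query string and fragment are discarded here.
function matchHost(rawUrl, catalogue = CATALOGUE) {
  let host;
  try {
    host = new URL(rawUrl).hostname.toLowerCase().replace(/\.$/, '');
  } catch {
    return null; // unparsable navigation target: drop it
  }
  // Match on a label boundary so "xchat.openai.com" is not treated as a hit.
  const hit = catalogue.some((e) => host === e || host.endsWith('.' + e));
  return hit ? host : null;
}

// Assumed construction: SHA-256 over token, NUL separator, installation id.
function installationHash(workspaceToken, installId) {
  return createHash('sha256')
    .update(workspaceToken).update('\0').update(installId)
    .digest('hex');
}

// Reduce one reporting window of navigations ({url, ts}) to the report fields.
function buildBatch(navigations, workspaceToken, installId) {
  const visits = new Map();
  let firstSeen = Infinity;
  let lastSeen = -Infinity;
  for (const { url, ts } of navigations) {
    const host = matchHost(url);
    if (!host) continue; // outside the catalogue: dropped locally
    visits.set(host, (visits.get(host) || 0) + 1);
    firstSeen = Math.min(firstSeen, ts);
    lastSeen = Math.max(lastSeen, ts);
  }
  if (visits.size === 0) return null; // nothing to report for this window
  return {
    installation: installationHash(workspaceToken, installId),
    firstSeen,
    lastSeen,
    hosts: [...visits].map(([hostname, count]) => ({ hostname, count })),
  };
}
```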
8.3 What is not processed
The extension does not, under this feature, process or transmit any of the following:
- Prompt content, response content, or any text typed into an AI tool. (Prompt content classification is a separate, distinct feature gated by a separate scope: extension:verdict.)
- The full URL of any visited page, including the path, query string, or fragment.
- Visits to any website outside the catalogue. Visits to email services, internal applications, news sites, banking, social media, and the rest of the web are dropped by the catalogue matcher inside the user's browser and never reach Kirtonic.
- Cookies, HTTP headers, localStorage values, or any other content from the visited site.
- Browser history beyond the active webNavigation.onCommitted event.
- Keystrokes, clipboard, microphone, or camera input.
- Personally-identifying user information, including name, email, IP address, directory identifier, or any other identity attribute.
8.4 Catalogue of monitored hostnames
The catalogue covers approximately 40 publicly-available generative-AI tools across the following categories: general-purpose chat, coding assistants, image and video generation, search and answer engines, voice and audio, model platforms, agent platforms, AI companions, and specialised tools. The current authoritative list is served live from <site>/api/extension/discovery/catalog and is also rendered in full on the Discovery dashboard inside the platform. Changes to the list propagate to extension installations within fifteen minutes; no extension re-install is required.
8.5 Lawful basis and retention
The lawful basis for the workspace's processing of Discovery telemetry is legitimate interest under Article 6(1)(f) UK GDPR and EU GDPR, namely the interest of the workspace controller in understanding the deployment of generative-AI tools within its perimeter. The end user's explicit opt-in at the extension level constitutes an additional layer of consent under Article 6(1)(a). Telemetry is retained for the lifetime of the workspace and removed on workspace deletion. Workspace administrators may request earlier deletion by writing to hello@kirtonic.io.
8.6 Data-subject rights
Because Discovery does not store any directly-identifying user attribute, an access or erasure request from an individual end user cannot be fulfilled by Kirtonic alone; we would need the requester to provide their installation hash, which they can find on the extension's settings page. End users who wish to stop further collection can do so unilaterally by un-ticking the feature in the extension settings.
9. Security
We apply commercially reasonable technical and organisational measures, including encryption at rest and in transit (TLS 1.2 or higher), role-based access control on workspace data, append-only audit logging, and regular security review. No system is perfectly secure. In the event of a personal-data breach affecting you, we will notify the relevant supervisory authority and you, as required by law.
10. Children
The Service is not intended for children under 18. We do not knowingly collect personal data from children under 18.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified to the workspace owner's registered email at least 30 days before they take effect.
12. Contact
Privacy enquiries: hello@kirtonic.io. Postal: Kirtonic Ltd, Guildhall Place, Market Hill, Cambridge, CB2 3QJ, United Kingdom. Company number 16693710 (registered in England and Wales).