Privacy Policy

This notice is written to satisfy, simultaneously:

• UK GDPR + Data Protection Act 2018
• EU GDPR (Regulation 2016/679) + ePrivacy Directive 2002/58/EC
• California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
• Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA
• Brazil Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018)
• Canada PIPEDA + Quebec Law 25 (Act respecting the protection of personal information in the private sector)
• Australia Privacy Act 1988 + Australian Privacy Principles
• Switzerland revised Federal Act on Data Protection (nFADP)
• South Africa Protection of Personal Information Act (POPIA)
• China PIPL. note: Kauzio does not transfer personal data to or from mainland China.

Account data. Name, work email, password (Argon2/bcrypt-hashed), company, plan, and the product surface you signed up for (Business / Decide / Developers).

Business data you upload. Retail CSVs (sales, inventory, returns, transfers, supplier orders), forecasts, decisions, signals. This is your data; Kauzio processes it solely to deliver the service you requested.

Chat & decision content. Messages you send to the Kauzio AI agents (Business chat, Decide agents). These are stored against your account for history and replay.

Usage telemetry. Pages visited, features used, API endpoints called, error logs, request IDs, anonymised latency metrics. Used for billing, debugging, and product improvement.

Device & network. IP address (for rate-limiting and security), user-agent, approximate region inferred from timezone.

Cookies. See the Cookie Policy for the full inventory.

Sensitive personal information. Kauzio does not knowingly collect health, biometric, precise geolocation, sexual orientation, religion, union membership or other special-category data. Do not upload such data into the platform.

• Contract (Art. 6(1)(b)). to deliver the service you signed up for.
• Legitimate interests (Art. 6(1)(f)). security, fraud prevention, abuse detection, infrastructure logging, anonymous product analytics where consent is not required.
• Consent (Art. 6(1)(a)). optional analytics & marketing cookies, newsletter, marketing emails. Withdrawable at any time without detriment.
• Legal obligation (Art. 6(1)(c)). tax records, accounting, response to lawful authority requests.

• Operate the Decision OS (forecasting, causal explanations, decisions, signals).
• Run AI inference against your prompts and data, on your instruction.
• Billing and fraud prevention.
• Customer support and service emails.
• Security: rate-limiting, CSRF/abuse detection, audit logging.
• Product improvement on aggregate, non-identifying telemetry.

• Account data. for the life of the account, plus 30 days post-deletion for billing reconciliation, then erased.
• Uploaded business data. deleted within 7 days of dataset deletion or account closure; backups purged within 30 days.
• AI chat history. kept until you delete it; bulk-erased on account closure.
• Server logs. 30 days, then aggregated or deleted.
• Billing / accounting records. 7 years (UK statutory requirement).
• Backups. encrypted, rolling 30-day retention.

We share personal data only with vetted processors who help us deliver the service. The current sub-processor list is published and versioned at /legal/dpa. As of the "last updated" date above:

• Amazon Web Services (AWS), eu-west-2 (London). primary hosting, database, object storage.
• Render. managed application hosting (current deployment target).
• Anthropic. Claude AI inference for chat and agent reasoning. Prompts & context are transmitted; raw datasets are not.
• OpenAI. model inference for selected agents. Same scope as Anthropic.
• Groq. low-latency inference for selected agents.
• Stripe. payment processing when paid plans are enabled.
• Plausible Analytics. privacy-friendly first-party analytics (no third-party cookies, EU-hosted).
• Email delivery (transactional). SendGrid or equivalent for password resets & service emails.

We do not sell personal data, share it for cross-context behavioural advertising, or use it to train third-party foundation models.

Primary processing is in the UK / EU (AWS eu-west-2). Some sub-processors (Anthropic, OpenAI, Groq, Stripe) process data in the United States. For these transfers we rely on:

• EU Commission Standard Contractual Clauses (Module 2. controller-to-processor).
• UK International Data Transfer Addendum to the SCCs.
• EU–US Data Privacy Framework where the recipient is certified.
• Transfer Impact Assessments on file for each material US sub-processor.

Under UK GDPR and EU GDPR you have the rights to access, rectification, erasure, restriction, portability, objection, and to withdraw consent at any time. Exercise via [email protected] or in-app at Settings → Data & Privacy → Export / Delete.

You can lodge a complaint with your supervisory authority. in the UK, the Information Commissioner's Office (ICO). EU residents may complain to their national authority (e.g. CNIL in France, Garante in Italy, AEPD in Spain, BfDI in Germany, DPC in Ireland. Kauzio's EU lead authority for one-stop-shop purposes will be designated upon EU establishment).

California residents have the right to know, delete, correct, and limit the use of sensitive personal information; to opt out of sale/sharing; and to non-discrimination. We do not sell or share personal information for cross-context behavioural advertising, but you can still file a request via /legal/do-not-sell or by sending a Global Privacy Control signal. we honour it automatically.

Categories collected in the last 12 months (CCPA §1798.130): identifiers, customer records, commercial information, internet activity, geolocation (approximate, from IP/timezone), inferences. Sources: directly from you, your browser, your uploaded data, and sub-processors above.

Residents of VA (VCDPA), CO (CPA), CT (CTDPA) and UT (UCPA) have rights to access, delete, correct (except UT), portability, and to opt out of targeted advertising, sale, and profiling with legal/significant effects. We do not engage in any of those activities. Appeal rights are honoured under each state's statute; appeal to [email protected] with subject "Appeal".

Under Lei 13.709/2018 you have the right to confirmation, access, correction, anonymisation/blocking/deletion of unnecessary data, portability, information about sharing, and revocation of consent. ANPD is the supervisory authority. Contact our DPO at [email protected].

You may access and request correction of your personal information. Quebec residents additionally have rights to data portability, to be informed when automated decisions are made (we do not make solely automated decisions producing legal effects), and to file complaints with the Commission d'accès à l'information du Québec. Federal complaints: Office of the Privacy Commissioner of Canada.

Australia (Privacy Act / APPs). access & correction rights; complaints to the OAIC.

Switzerland (nFADP). access, correction, deletion, objection rights; complaints to the FDPIC.

South Africa (POPIA). access, correction, deletion rights; complaints to the Information Regulator.

Kauzio surfaces AI-generated recommendations (forecasts, decisions, signals). These are decision-support, not solely automated decisions producing legal or similarly significant effects on you. A human is always in the loop. You can ask us to review or explain any AI output at any time.

TLS 1.3 in transit. AES-256 at rest on AWS. Passwords hashed with bcrypt/Argon2. CSRF protection on every mutating request. Strict CSP, HSTS, frame-ancestors none. Rate-limiting and per-tenant isolation at the API. Optional two-factor authentication on every account. Audit logging on admin actions. Annual penetration test as we grow. Disclose vulnerabilities to [email protected].

Kauzio is a B2B service. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided data, contact [email protected] and we will delete it.

Kauzio respects the Sec-GPC header and the browser-level Do-Not-Track signal. When either is set we default analytics and marketing to off and treat that as a valid opt-out under CCPA/CPRA §1798.135.

Data controller: Kauzio Ltd, registered in England & Wales.
Privacy & rights requests: [email protected]
DPO: [email protected]
Security: [email protected]

EU representative under Art. 27 GDPR and UK representative will be appointed and listed here when EU/EEA establishment is formalised. Until then, EU/EEA residents may direct complaints to their national DPA.

Material changes are versioned. The cookie banner re-prompts when the consent version changes, so your choices are revisited. The current cookie consent version is logged in your browser's localStorage under kauzio-cookie-consent.