GDPR & Data

Last updated: April 2026 · Applies to all Kairo platform customers

1. Overview

The Kairo platform is built and operated within the European Union. PiirZ Digital Limited is registered in Malta, an EU member state. The General Data Protection Regulation (EU 2016/679) applies directly to our operations.

We treat data protection as an engineering requirement, not a compliance checkbox. This page explains how GDPR obligations are distributed between Kairo and our platform customers, and what commitments we make.

2. Controller and processor roles

The GDPR distinguishes between data controllers (who determine why and how data is processed) and data processors (who process data on a controller's behalf).

Context	Your organisation	Kairo / PiirZ Digital
Kairo platform (DMO / operator use)	Data controller	Data processor
Visitor interactions via your Kairo assistant	Data controller (your visitors are your data subjects)	Data processor
Kairo website (kairo.ai) and direct enquiries	—	Data controller
Kairo employee/contractor data	—	Data controller

As your data processor, we act only on your documented instructions and do not process personal data for our own purposes beyond what is necessary to deliver the service.

3. Data Processing Agreement (DPA)

All Kairo platform subscriptions include a Data Processing Agreement that satisfies Article 28 GDPR requirements. The DPA covers:

• Subject matter, duration, nature, and purpose of processing
• Categories of personal data processed and data subjects affected
• Obligations and rights of the controller (your organisation)
• Our commitments as processor: confidentiality, security, sub-processor management, assistance with data subject rights, deletion or return of data on contract end
• Standard Contractual Clauses for transfers outside the EEA, where applicable

The DPA is incorporated by reference into all Order Forms. To request a copy or propose amendments, contact legal@kairo.ai.

4. Sub-processors

We engage a limited set of sub-processors to deliver the platform. We assess each sub-processor's GDPR compliance before onboarding them and impose data protection obligations contractually.

Current sub-processor categories include cloud infrastructure, AI model APIs, transactional email, and analytics. We maintain a specific sub-processor list and will provide it on request.

We notify active customers of any material change to our sub-processor list at least 30 days in advance. Customers who object in writing within that window may terminate their contract without penalty.

5. Data location and transfers

Primary data processing occurs within the European Economic Area (EEA). Specifically:

• Platform data and customer content are stored in EEA data centres
• AI model APIs may involve transfers outside the EEA; these are covered by Standard Contractual Clauses and, where available, supplementary technical measures (encryption in transit and at rest)
• We do not transfer personal data to countries without an adequacy decision or appropriate safeguards

6. Security measures

We implement technical and organisational measures appropriate to the risk, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
• Access controls based on least-privilege principles; production access is logged and auditable
• Regular dependency and vulnerability scanning
• Employee data protection training and confidentiality obligations
• Incident response procedures with defined escalation timelines

7. Data subject requests

When your visitors or users exercise their GDPR rights (access, erasure, portability, objection) through you, we are required to assist you in fulfilling those requests. We commit to:

• Responding to documented requests for data extraction or deletion within 72 hours
• Providing self-serve tools in the platform where technically feasible
• Maintaining audit logs that support your response obligations

If an end visitor contacts us directly, we will redirect them to you as the relevant controller (except where we are acting as controller in our own right).

8. Breach notification

In the event of a personal data breach affecting your data:

• We will notify you without undue delay and within 36 hours of becoming aware of the breach
• Notification will include the nature of the breach, likely consequences, categories of data affected, and our initial mitigation measures
• We will provide ongoing updates as our investigation progresses

This enables you to meet your own 72-hour notification obligation to the supervisory authority under Article 33 GDPR.

9. DPIAs and consultations

If your use of the Kairo platform involves high-risk processing that triggers a Data Protection Impact Assessment (DPIA) under Article 35 GDPR, we will provide the information reasonably necessary to complete that assessment, including our technical and organisational security measures and sub-processor details.

We do not currently consider standard Kairo platform use to constitute "high-risk" processing under the EDPB guidelines, but we recognise that this assessment depends on your specific configuration and use case.

10. Contact

For GDPR queries, DPA requests, or data subject assistance:

PiirZ Digital Limited — Data Protection
Malta
privacy@kairo.ai

Supervisory authority: Information and Data Protection Commissioner (IDPC), Malta