Last updated: April 2026 · Effective date: 1 April 2026
1. Who we are
PiirZ Digital Limited is a company registered in Malta. We operate the Kairo platform — a destination intelligence service for tourism organisations (DMOs) and hospitality operators.
For the purposes of the EU General Data Protection Regulation (GDPR) and the Data Protection Act (Chapter 586 of the Laws of Malta), PiirZ Digital Limited is the data controller for personal data collected through this website and the Kairo platform.
2. Data we collect
2.1 Website visitors
When you visit kairo.ai or any associated subdomain, we may collect:
- IP address and approximate geographic location (country / city level)
- Browser type, device type, and operating system
- Pages visited, referrer URL, and session duration
- Any data you submit via contact or enquiry forms (name, email, organisation, message)
2.2 Platform users (DMO and operator accounts)
If you use the Kairo platform under a contract with us, we collect:
- Account registration data: name, work email, organisation name, role
- Usage data: log-ins, feature usage, API call metadata
- Content you upload or configure within the platform (destination knowledge, operator profiles)
- Support correspondence
2.3 End visitors (conversational interactions)
When a tourist or end visitor interacts with a Kairo-powered assistant on behalf of a destination or operator, we process conversational inputs to generate responses. We do not link these inputs to named individuals unless the visitor voluntarily provides their name. Conversation logs are used to improve accuracy and are subject to the retention periods in Section 6.
3. How we use your data
- Delivering the service — providing platform functionality, processing queries, returning responses
- Account management — creating and maintaining user accounts, billing, support
- Communications — responding to enquiries, sending service-related notifications, and (where consented) product updates
- Security and fraud prevention — monitoring for abuse, protecting platform integrity
- Analytics and improvement — understanding how the platform is used so we can improve it
- Legal compliance — meeting obligations under applicable law
We do not sell personal data to third parties. We do not use personal data for behavioural advertising.
4. Legal basis (GDPR)
We process personal data on one or more of the following legal bases:
- Contract (Art. 6(1)(b)) — processing necessary to perform a contract with you or your organisation
- Legitimate interests (Art. 6(1)(f)) — analytics, security monitoring, and product improvement, where these are not overridden by your interests or rights
- Legal obligation (Art. 6(1)(c)) — compliance with applicable law
- Consent (Art. 6(1)(a)) — where we explicitly ask for and receive consent (e.g. marketing emails)
5. Sharing and processors
We share data only where necessary. Our sub-processors and categories of recipient include:
- Cloud infrastructure — hosting and database providers operating in the EEA or with adequate safeguards
- AI model providers — large language model APIs used to power conversational responses (data minimised; no training on customer data without explicit agreement)
- Email delivery — transactional email services for account notifications
- Analytics — privacy-first analytics tools (no third-party advertising trackers)
- Legal, regulatory, and safety disclosures — where required by law or to protect rights
We maintain a current sub-processor list and notify platform customers of material changes with at least 30 days' notice.
6. Retention
- Website enquiry data — 24 months from last contact, unless a contract arises
- Platform account data — for the duration of the contract plus 24 months, unless a longer period is required by law
- Conversational logs — 12 months rolling, after which logs are aggregated and anonymised
- Billing records — 7 years (legal obligation under Maltese company law)
7. Your rights
Under the GDPR, you have the right to:
- Access — obtain a copy of personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data in certain circumstances
- Restriction — ask us to limit processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — at any time, where processing is based on consent
To exercise any right, email privacy@kairo.ai. We will respond within 30 days. You also have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC) of Malta.
8. Cookies
We use a minimal set of cookies:
- Strictly necessary — session management, CSRF protection. No consent required.
- Analytics — privacy-first, cookieless analytics where possible. Where cookies are used, consent is requested on first visit.
We do not use advertising cookies or third-party tracking pixels.
9. International transfers
We aim to process data within the European Economic Area (EEA). Where we use sub-processors outside the EEA, we ensure adequate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms.
10. Changes to this policy
We may update this policy as our practices evolve. Material changes will be communicated to platform customers by email at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.
For any privacy-related query or to exercise a right:
PiirZ Digital Limited
Malta
privacy@kairo.ai