1. Introduction
Kiaro ("we," "us," or "our") is a SaaS operating system built for independent consultants and small agencies. We provide tools for client management, project tracking, invoicing, document creation, and AI-powered assistance to help you run your consulting business.
This Privacy Policy describes how we collect, use, disclose, and protect information when you use our website, application, and services (collectively, the "Service"). By using Kiaro, you agree to the collection and use of information in accordance with this policy.
Kiaro, Inc. is the data controller responsible for your personal information. If you have questions about how we process your data, please contact us at privacy@consultos.app.
2. Information We Collect
2.1 Account Information
When you register for Kiaro, we collect your name, email address, and a password (stored as a secure hash). If you create a workspace, we also collect your workspace name and organizational details you choose to provide.
2.2 Business Data You Provide
As you use the Service, you may provide information about your clients, projects, tasks, invoices, proposals, and other business data. This content is created and controlled by you. We process it solely to provide the Service to you.
2.3 Payment Information
Payment processing is handled entirely by Stripe. We do not store your full credit card number, CVV, or bank account details on our servers. We receive and store a limited set of information from Stripe, including the last four digits of your card, card brand, billing address, and subscription status.
2.4 AI Interaction Data
When you use AI-powered features (such as content generation, AI search, or AI-assisted document drafting), we send relevant context to our AI provider (Anthropic) to generate responses. This may include portions of your business data that are relevant to the specific request. See Section 6 for full details on AI data processing.
2.5 File Uploads
You may upload files (documents, images, attachments) to the Service. These files are stored securely on Cloudflare R2 and are associated with your account and workspace.
2.6 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, time spent, browser type, device information, IP address, and referring URLs. This data helps us improve the Service and diagnose issues.
2.7 Error & Performance Data
We use Sentry for error tracking and performance monitoring. When an error occurs, Sentry may collect technical information such as stack traces, browser details, and anonymized user identifiers to help us diagnose and fix issues.
3. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service — manage your account, workspace, clients, projects, invoices, and all core functionality.
- Power AI features — generate content, provide AI search results, and deliver AI-assisted recommendations based on your business data.
- Process payments — manage subscriptions, process invoices, handle credit pack purchases, and facilitate payments through Stripe.
- Send transactional communications — email you about account activity, invoice status changes, client portal notifications, and important service updates.
- Improve the Service — analyze usage patterns to fix bugs, optimize performance, and develop new features.
- Ensure security — detect and prevent fraud, abuse, and unauthorized access.
- Comply with legal obligations — respond to lawful requests and enforce our terms.
4. Legal Basis for Processing
We process your personal information under the following legal bases:
- Contract performance: Processing necessary to provide the Service you signed up for, including account management, data storage, and feature delivery.
- Legitimate interests: Processing necessary for our legitimate business interests, including improving the Service, ensuring security, preventing fraud, and conducting analytics. We balance these interests against your rights and freedoms.
- Consent: Where required, we obtain your consent before processing, such as for optional marketing communications. You may withdraw consent at any time.
- Legal obligation: Processing necessary to comply with applicable laws, regulations, or legal processes.
5. Data Sharing & Third Parties
We do not sell your personal information. We share data with third-party service providers only as necessary to operate the Service:
Stripe — Payment Processing
Processes subscription payments, credit pack purchases, and client invoice payments. Receives your billing information, payment method details, and transaction amounts.
Anthropic — AI Processing
Powers AI features including content generation, search, and document assistance. Receives relevant business context necessary to fulfill AI requests. See Section 6 for details.
Resend — Transactional Email
Delivers transactional emails such as invoice notifications, client portal links, password resets, and account alerts. Receives recipient email addresses and email content.
Cloudflare R2 — File Storage
Stores files you upload to the Service (documents, images, attachments). Files are stored encrypted at rest and are accessible only to authorized users within your workspace.
Sentry — Error Tracking
Monitors application errors and performance. Receives technical error data, anonymized user identifiers, and device/browser information. Does not receive your business data content.
Vercel — Hosting & Analytics
Hosts the Kiaro application and provides privacy-focused web analytics. Receives standard web traffic data including IP addresses (anonymized for analytics), page views, and performance metrics.
Neon — Database Hosting
Hosts our PostgreSQL database infrastructure in the EU. Stores all account, workspace, and business data. Data is encrypted at rest and in transit. Neon does not access your data except as required for infrastructure operations.
6. AI & Data Processing
Kiaro uses Anthropic's Claude API to power AI features. We want to be transparent about how your data is handled in this context:
- What is sent to Anthropic: When you use an AI feature, we send the minimum context necessary to fulfill your request. This may include relevant client names, project descriptions, document content, or other business data depending on the feature.
- Your data is NOT used for model training: We use Anthropic's API under commercial terms that explicitly prohibit the use of your data to train or improve AI models. Your business data remains yours.
- Data retention by Anthropic: Under Anthropic's commercial API terms, inputs and outputs may be temporarily retained for trust and safety purposes (up to 30 days) but are not used for training and are deleted afterward.
- Model selection: We use different AI models depending on the task (e.g., lighter models for search, larger models for content generation) to balance cost, performance, and the amount of data processed.
- Opting out: AI features are optional. You can use Kiaro without engaging any AI functionality, in which case no data is sent to Anthropic.
7. Data Storage & Security
We take the security of your data seriously:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Your data is encrypted at rest in our database (Neon) and file storage (Cloudflare R2).
- Access controls: We implement role-based access controls and multi-tenant isolation. Your data is logically separated from other customers' data using tenant-level access controls enforced at the database query level.
- Authentication security: Passwords are hashed using industry-standard algorithms. Session tokens are securely generated and managed.
- Provider compliance: Our infrastructure providers (Neon, Cloudflare, Vercel, Stripe) maintain SOC 2 Type II compliance and undergo regular independent security audits.
- Incident response: In the event of a data breach, we will notify affected users within 72 hours as required by applicable law.
8. Data Retention
We retain your personal information and business data for as long as your account is active and as needed to provide the Service.
- Active accounts: Your data is retained for the duration of your subscription. You may export or delete your data at any time.
- Account deletion: When you close your account, we initiate deletion of your personal and business data within 30 days. Some data may be retained for up to 90 days in encrypted backups before being permanently purged.
- Legal requirements: We may retain certain data for longer periods where required by law (e.g., invoice records for tax compliance, typically 7 years).
- Anonymized data: We may retain anonymized, aggregated usage statistics that cannot be used to identify you, for product improvement purposes.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
Under GDPR (European Economic Area)
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Receive your data in a structured, machine-readable format (CSV export is available).
- Right to object: Object to processing based on legitimate interests.
- Right to lodge a complaint: File a complaint with your local data protection authority.
Under CCPA (California)
- Right to know: Request information about what personal data we collect, use, and disclose.
- Right to delete: Request deletion of your personal information.
- Right to opt-out of sale: We do not sell personal information, so this right is automatically satisfied.
- Right to non-discrimination: We will not discriminate against you for exercising your rights.
To exercise any of these rights, contact us at privacy@consultos.app. We will respond within 30 days.
11. International Data Transfers
Our primary database is hosted in the European Union (Neon). However, some of our service providers operate in the United States. When your data is transferred outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements (DPAs) with all sub-processors.
- Providers who participate in recognized data protection frameworks.
12. Children's Privacy
Kiaro is a business tool designed for professionals. The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@consultos.app.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via email or an in-app notification for significant changes.
- Provide at least 30 days' notice before material changes take effect where required by law.
Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all privacy-related inquiries within 30 days.