Privacy Policy

What we collect, why we collect it, who we share it with, and how to exercise your data rights.

Last updated
Document version: v1.0.0

1. Who we are

KirinAI ("we", "us", "our") is the data controller for personal data collected through this website, the KirinAI product, and any associated APIs. For privacy matters, contact privacy@kirinai.com.

2. Data we collect

We collect the following categories of personal data:

  • Account data — email, password hash (managed by AWS Cognito), first and last name, country, phone number, birthdate, preferred use case.
  • Billing data — payment token, billing address, invoice history. Card numbers are tokenised by our payment processor (FIUU) and never stored on our own servers.
  • Usage data — product events, token counts, credits consumed, error logs, session metadata such as IP address and user agent.
  • Customer content — documents, prompts, datasets, and conversations you send to the service.

3. Why we collect it

Each category of data has a defined purpose:

  • Account data — to authenticate you and provision your tenant.
  • Billing data — to charge your subscription and satisfy tax obligations.
  • Usage data — to operate the service, detect abuse, and improve performance.
  • Customer content — to generate the responses you asked for; we do not use it to train public models.

5. Who we share data with

We share personal data only with the following categories of recipient, and only as needed to deliver the service:

  • Cloud infrastructure providers (AWS, Supabase, Redis Cloud).
  • Payment processors (FIUU Malaysia).
  • Error monitoring and analytics tools (aggregated / pseudonymised where possible).
  • Law enforcement or regulators, where legally compelled.

We do not sell your personal data. A full list of active sub-processors is available on request from privacy@kirinai.com.

6. How long we keep it

  • Account data — for as long as your account is active, plus 30 days post-deletion.
  • Billing records — 7 years, to satisfy tax law.
  • Audit and security logs — 180 days.
  • Customer content — until you delete it, then purged within 30 days.

7. Your rights

Depending on your jurisdiction, you may have the right to access, rectify, delete, port, or object to processing of your personal data. Exercise these rights by emailing privacy@kirinai.com. We respond within 30 days.

8. Security

We protect personal data with TLS in transit, encrypted storage at rest, role-based access control, and quarterly penetration tests. No system is perfectly secure, but we strive to detect any material breach and to notify affected users of it within 72 hours.

9. International transfers

Our infrastructure is primarily hosted in the Asia-Pacific region (Singapore). If your data is transferred outside your home jurisdiction, we rely on standard contractual clauses or equivalent safeguards.

10. Children

KirinAI is not intended for children under the age of 18. If you believe we have collected data from a child without parental consent, email privacy@kirinai.com and we will delete it.

11. Changes to this policy

We bump the document version and "Last updated" date when this policy changes. Material changes will prompt re-consent on next sign-in.