
Privacy Policy

Data Controller

  • Publisher: Matthieu Guillon EI (sole trader)

  • SIRET: 990 721 490 00029

  • GDPR contact: support@kairoproject.com

  • version: 1.1

  • date: 2026-04-27

Purpose of This Policy

This policy explains what data is processed by KairoProject, for what purposes, on what legal bases, with which sub-processors, for how long, and what rights are available to data subjects.

KairoProject is a SaaS project management platform. Application data is hosted on a Firebase / Google Cloud infrastructure, in particular Firestore for the primary database.

Purposes and Legal Bases

Categories of Data Processed

Depending on usage, KairoProject may process the following categories of data:

  • Identification and contact data: first name, last name, email address, technical account identifiers.

  • Access and rights data: roles, workspace membership, member statuses, technical claims, session preferences.

  • Business data: portfolios, projects, tasks, resources, teams, calendars, history, project settings, prompt parameters where used.

  • Billing data: subscribed plan, subscription status, payment references and billing information managed via Stripe.

  • GDPR export, deletion and evidence data: request identifiers, job statuses, timestamps, subject identifiers, DSAR logs.

  • Technical and security data: error logs, operational logs, monitoring events, rate-limiting records, technical identifiers necessary for operations.

  • AI and ML data:

    • content entered by the user when requesting an AI assistance feature;

    • structural prediction variables;

    • reconstructed application exports for custom model training;

    • training import files provided by the customer;

    • data from a scope contributing to the global model where global contribution has been explicitly enabled.

Hosting, Access and Confidentiality

  • Application data is hosted within the Firebase / Google Cloud infrastructure used by KairoProject.

  • Access between personal workspaces and organisations is separated by application-level and database-level access controls.

  • Other customers have no access to a company's data beyond the rights explicitly granted to them.

  • The publisher retains governed technical administrator access for legitimate support, maintenance, security, abuse prevention, and legal compliance purposes.

  • Sensitive operations such as exports, deletions, and GDPR audit logging are processed server-side and are not exposed as direct write access from the web client.

Sub-processors and Recipients

KairoProject relies in particular on the following categories of sub-processors:

  • Firebase / Google Cloud: authentication, database, server functions, storage, and associated infrastructure.

  • Vercel: web application hosting and execution.

  • Stripe: payment processing and subscription management.

  • OpenAI: certain assistance, generation, or explanation features requested by the user.

  • Other technical providers: email provider or monitoring tooling, as applicable.

A detailed list of sub-processors can be provided to the customer upon request or as part of the applicable contractual documentation.

Use of OpenAI and the Internal ML Service

OpenAI

Certain assistance features use OpenAI via KairoProject server-side routes.

Depending on the feature used, the following data may be transmitted to OpenAI:

  • a brief entered by the user to generate a project or plan overview;

  • contextual information such as domain, constraints, team size, or project objective;

  • task names or structural elements required for generation;

  • for delay analysis, a structured project summary, reported issues, resource usage history, and a prediction block already computed by the ML engine.

OpenAI calls are not made directly from the user's browser to the provider. They pass through KairoProject server-side routes, with input validation, rate limiting, and filtering of permitted models.

Internal ML Service

KairoProject also uses an internal prediction and training service.

This service may receive:

  • structural prediction variables;

  • reconstructed exports from a given workspace to train a custom model;

  • training import files provided by the customer;

  • for the global model, data from workspaces that have enabled global contribution.

A custom model remains tied to its corresponding scope. It is not reused for another customer.

Global Model

Where global contribution has been explicitly enabled by the administrator of the relevant workspace, certain data from that workspace may feed the internal training pipeline for the global model.

In the current state of the service, this contribution is not limited to purely numerical, already-anonymised statistics. It may include names, descriptions, project structures, business variables, and import files useful for training, depending on the data present in the workspace.

However:

  • other customers do not gain access to this data in plain form within the application;

  • passwords, authentication secrets, Stripe data, and GDPR logs are not used in this global training pipeline.

Retention Periods

The main retention periods currently applied are as follows:

  • Active account and project data: retained for as long as the account, organisation, or associated content exists.

  • User account deletion: purge of associated active data is triggered automatically upon account deletion, without intentional delay.

  • Organisation export jobs: technical retention of 7 days.

  • Signed export download links: valid for 24 hours.

  • Organisation deletion jobs: technical retention of 90 days.

  • DSAR logs: retained for 12 months.

  • Organisation deletion logs: retained for 12 months.

  • Accounting documents and associated legal obligations: retained in accordance with applicable legal requirements.

Backup and Restoration

  • The backup and restoration of the data infrastructure relies primarily on the capabilities and services operated on Firebase / Google Cloud.

  • KairoProject implements reasonable operational, verification, and restoration procedures in light of its architecture.

  • This does not constitute a guarantee of instantaneous recovery or a perfect restoration to the exact state preceding any incident.

  • Where export features are available, they allow the customer to retain their own working or archival copies.

Security

KairoProject implements reasonable security measures adapted to its architecture, including:

  • encryption in transit and at rest via the infrastructure used;

  • access controls and workspace separation;

  • rate limiting on certain exposed routes;

  • audit logging of sensitive operations;

  • technical monitoring and security event surveillance;

  • administrator access restricted to named, governed accounts.

Data Subject Rights

In accordance with the GDPR, data subjects may exercise their rights under the conditions provided by applicable legislation:

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to restriction of processing

  • Right to data portability

  • Right to object, where applicable

Requests may be submitted to: support@kairoproject.com

A complaint may also be lodged with the CNIL (French data protection authority).

Cookies and Trackers

  • KairoProject does not enable non-essential trackers by default in the current state of the service.

  • Strictly necessary cookies for service operation, session management, and interface preferences may be used without prior consent where they are genuinely necessary.

  • Should audience measurement or marketing trackers be added in the future, KairoProject intends to implement an appropriate consent mechanism prior to their loading.

Updates

This policy may be amended in the event of legal, contractual, technical, or operational developments.

The date of the latest update appears at the top of this document.
