GDPR Compliance
Kairos Check is GDPR-compliant by design, not by policy. Here's the legal basis for each check type, the data you process, and how we help you meet your obligations to data subjects.
We are EU-hosted (Railway, Ireland data centre). No data leaves the EU. No US sub-processors for core functionality. No third-party analytics on our API endpoints.
Legal basis — Article 6
Fraud prevention checks fall under Article 6(1)(f) — legitimate interests. Your legitimate interest in preventing financial fraud outweighs the minimal privacy impact of checking a domain name or email address.
Domain names and email addresses are publicly available information (OSINT). We do not process special categories of data (Art. 9) under any circumstances.
Automated decision-making — Article 22
If you use a Kairos Check result to automatically reject a signup (fully automated decision), you are subject to Article 22 obligations. Our response includes a signals array specifically to enable human oversight:
- You can show users why a decision was made (Art. 22(3)).
- You can implement a "request human review" flow.
- The ref field links every decision to your immutable audit trail.
We recommend using BLOCK verdicts as a trigger for your review queue rather than an automatic hard block, unless your legal team has confirmed Art. 22 compliance for your jurisdiction.
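The routing pattern this section recommends, written out as an added example (not code from Kairos Check or from this page): a signup handler that defaults BLOCK and REVIEW verdicts into a human review queue, records the ref alongside the action it took, and surfaces the signals array to the applicant so the reason for the decision can be shown and a human review requested. The JSON shape of the sample response, the verdict name ALLOW, and the in-memory queue and audit list are assumptions standing in for your own integration.

```python
import json
from datetime import datetime, timezone

# Constructed sample response. The field names ref, verdict and signals follow
# the page; the exact shape of a Kairos Check response is an assumption here.
SAMPLE_RESPONSE = json.loads("""
{"ref": "chk_example_0001", "verdict": "BLOCK", "score": 91,
 "signals": ["disposable-email-provider", "domain-registered-7-days-ago"]}
""")

_REVIEW_QUEUE = []   # stand-in for your real review queue
_AUDIT_LOG = []      # stand-in for your immutable audit trail


def route_signup(check_response, applicant_email, auto_block=False):
    """Turn a check result into an onboarding action that keeps a human in the loop.

    Returns the action taken, the ref that ties the decision to the audit trail,
    and the signals to show the applicant. auto_block=True is the fully automated
    path the page advises against unless Art. 22 compliance has been confirmed.
    """
    verdict = check_response["verdict"]
    ref = check_response["ref"]
    signals = list(check_response.get("signals", []))

    if verdict == "BLOCK" and auto_block:
        action = "rejected"            # fully automated decision: Art. 22 applies
    elif verdict in ("BLOCK", "REVIEW"):
        action = "queued_for_review"   # default: a person makes the final call
        _REVIEW_QUEUE.append({"ref": ref, "email": applicant_email, "signals": signals})
    else:
        action = "approved"            # assumption: any other verdict permits signup

    # Every decision is logged under its ref so it can be matched to your audit trail.
    _AUDIT_LOG.append({
        "ref": ref,
        "verdict": verdict,
        "action": action,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return {"action": action, "ref": ref, "signals": signals}


def explanation_for_user(decision):
    """Message that tells the applicant why the signup was not approved outright (Art. 22(3))."""
    if decision["action"] == "approved":
        return "Your account has been created."
    reasons = ", ".join(decision["signals"]) or "no specific signals reported"
    return (f"Your signup needs a manual check (reference {decision['ref']}). "
            f"Reasons: {reasons}. Reply to this message to request human review.")


def pending_reviews():
    """Snapshot of the review queue, so reviewers see the ref and signals for each case."""
    return list(_REVIEW_QUEUE)


def audit_entry(ref):
    """Most recent audit entry for a ref, or None if the decision was never logged."""
    for entry in reversed(_AUDIT_LOG):
        if entry["ref"] == ref:
            return entry
    return None


if __name__ == "__main__":
    decision = route_signup(SAMPLE_RESPONSE, "applicant@example.com")
    print(explanation_for_user(decision))
    print(pending_reviews())
```

Because the review queue entry and the audit entry both carry the same ref, an erasure or access request for an applicant can be answered from either side, and a reviewer's eventual decision can be appended against that ref rather than against the raw email address.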
Data subject rights
| Right | Article | How Kairos Check helps |
|---|---|---|
| Right of access | Art. 15 | Export audit trail as CSV from your dashboard. Every check logged with ref, timestamp, verdict. |
| Right to erasure | Art. 17 | DELETE /api/erasure?query=[entity] removes the entity from your audit trail and the reputation graph entry for your tenant. |
| Right to object | Art. 21 | The REVIEW verdict + human oversight workflow implements this. |
| Data portability | Art. 20 | Full CSV export of your check history available on request. |
What data we store
| Data | How stored | Retention |
|---|---|---|
| API key | SHA-256 hash only — never plaintext | Until you delete your account |
| Check entity (domain/email) | Hashed in audit trail; plaintext in check-audit.jsonl for your access | 12 months, or until you delete |
| Check result (verdict, score) | Stored in your tenant partition only | 12 months |
| IP address of caller | Not stored. Cloudflare logs may retain for 24h per their policy. | Cloudflare: 24h |
DPA (Data Processing Agreement)
If your organisation requires a DPA, email privacy@kairoscheck.net. We use Standard Contractual Clauses (SCCs) where applicable.
For your legal team: Kairos Check processes only publicly available information (OSINT). No biometric data, no special categories, no children's data. The processing purpose is fraud prevention — a recognised legitimate interest under GDPR recital 47.