Privacy Policy
1. Who we are
Kairos Check operates at kairoscheck.net and provides a fraud detection API service. When this policy refers to "we", "us", or "our", it means Kairos Check. When it refers to "you", it means any user of our website or API.
2. What data we collect
2.1 API usage data
When you use the /api/check endpoint, we process the value you submit (domain, email, phone, or IBAN) to score it for fraud risk. We do not store the raw submitted value in our audit trail — it is pseudonymized on ingestion using a salted one-way hash. We store: the request type, the fraud score, the verdict, and a timestamp.
2.2 Account and billing data
When you subscribe to a paid plan, Stripe collects your email address, card details, and billing address. We receive from Stripe: your email address, your Stripe customer ID, and your subscription status. We do not receive or store your card number or billing address.
2.3 API key data
We store a SHA-256 hash of your API key (never the key itself), your Stripe customer and subscription IDs, your tier, your quota, and your subscription status.
2.4 Technical logs
Our server logs contain: HTTP method, URL path (without query parameters containing personal data), response status code, and response time. Logs are retained for 30 days and then automatically deleted.
2.5 Cookies
We use no tracking cookies. We use no analytics. The only session state on our site is a short-lived in-memory reference in your browser, used to display your API key once on the /success page; it is never written to a cookie or localStorage.
3. Lawful basis for processing
| Processing activity | Lawful basis |
|---|---|
| Providing the API service | Contract (GDPR Art. 6(1)(b)) |
| Billing and invoicing | Contract + Legal obligation (Art. 6(1)(b) and (c)) |
| Fraud detection on submitted entities | Legitimate interest (Art. 6(1)(f)) — improving the accuracy of our scoring model |
| Security logs | Legitimate interest (Art. 6(1)(f)) — protecting service integrity |
4. Retention periods
| Data type | Retention |
|---|---|
| API audit records (pseudonymized) | 12 months from creation |
| Billing records | 7 years (legal obligation, Portuguese tax law) |
| Server logs | 30 days |
| API key hash | Duration of subscription + 30 days after cancellation |
5. Your rights under GDPR
If you are in the European Economic Area, you have the following rights:
- Access (Art. 15): Request a copy of all personal data we hold about you.
- Rectification (Art. 16): Ask us to correct inaccurate data.
- Erasure (Art. 17): Request deletion of your data ("right to be forgotten").
- Portability (Art. 20): Receive your data in a machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest.
- Restriction (Art. 18): Ask us to restrict processing while a dispute is resolved.
To exercise any right, email privacy@kairoscheck.net. We respond within 30 days. API customers may also use the GET /gdpr/export and POST /gdpr/erase endpoints with their pseudonymized subject reference.
6. Data residency
All Kairos Check infrastructure runs on Railway in the EU region. No personal data is transferred outside the EU in the ordinary course of business.
7. Sub-processors
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe, Inc. | Payment processing and billing | United States | Standard Contractual Clauses + EU-US Data Privacy Framework |
| Railway, Inc. | Infrastructure hosting | EU | EU-hosted, no transfer |
We do not share your data with any other third parties for marketing, analytics, or advertising purposes.
8. Security
We apply the following security measures: HTTPS enforced on all endpoints; API keys stored as SHA-256 hashes only; audit trail protected by a cryptographic hash chain; HTTP security headers on all responses (HSTS, CSP, X-Frame-Options, Referrer-Policy).
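The pseudonymization described in section 2.1 and the hash-chained audit trail listed above are the two mechanisms a reviewer would most want to see concretely. The following Python is an added illustration, not Kairos Check's code: it assumes HMAC-SHA-256 under a server-side secret as the "salted one-way hash", and a SHA-256 chain over a canonical JSON encoding of each record, neither of which the policy specifies. The secret, the sample requests and the API key value are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample secret (assumption for this example). In production it
# would come from a secrets manager and never appear in source.
PSEUDONYM_KEY = b"example-only-pseudonymization-secret"

GENESIS_HASH = "0" * 64  # prev_hash carried by the first audit record


def normalize(entity_type: str, value: str) -> str:
    """Canonicalize so trivially different spellings of one subject yield the
    same pseudonym; otherwise export/erase by reference would miss records."""
    v = value.strip()
    if entity_type in ("email", "domain"):
        return v.lower()
    if entity_type in ("phone", "iban"):
        return "".join(ch for ch in v if ch.isalnum()).upper()
    raise ValueError(f"unsupported entity type: {entity_type}")


def pseudonymize(entity_type: str, value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA-256). Deterministic per subject, so the same
    email always maps to the same reference, but not invertible without `key`.
    The entity type is bound into the message so an email and a domain with
    identical text never share a reference."""
    msg = f"{entity_type}:{normalize(entity_type, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hash_api_key(api_key: str) -> str:
    """What is stored for an API key: its SHA-256 hex digest, never the key."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def api_key_matches(presented: str, stored_hash: str) -> bool:
    """Constant-time comparison of the presented key's digest with the stored one."""
    return hmac.compare_digest(hash_api_key(presented), stored_hash)


def _digest(body: dict) -> str:
    """SHA-256 of a canonical JSON encoding (fixed key order, no whitespace)."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def append_record(chain: list, request_type: str, score: int, verdict: str,
                  subject_ref: str, timestamp: str) -> dict:
    """Append an audit record that commits to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {
        "request_type": request_type,
        "score": score,
        "verdict": verdict,
        "subject_ref": subject_ref,  # pseudonym, never the raw value
        "timestamp": timestamp,
        "prev_hash": prev_hash,
    }
    entry = dict(body, hash=_digest(body))
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """(True, None) if every link holds, else (False, index) of the first record
    whose contents or back-link no longer match."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != expected_prev or _digest(body) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    return True, None


def build_sample_chain() -> list:
    """Three constructed requests with fixed timestamps so the result is reproducible."""
    chain = []
    samples = [
        ("email", "Alice@Example.com", 12, "ALLOW", "2024-01-01T10:00:00Z"),
        ("phone", "+351 912 345 678", 71, "REVIEW", "2024-01-01T10:00:05Z"),
        ("iban", "PT50 0002 0123 1234 5678 9015 4", 95, "BLOCK", "2024-01-01T10:00:09Z"),
    ]
    for etype, raw, score, verdict, ts in samples:
        append_record(chain, etype, score, verdict, pseudonymize(etype, raw), ts)
    return chain


def tamper_demo() -> tuple:
    """Editing a stored score is detected even if the attacker recomputes that
    record's own hash, because the next record's back-link then fails."""
    chain = build_sample_chain()
    ok_before, _ = verify_chain(chain)
    chain[1]["score"] = 5                       # quietly downgrade a REVIEW
    _, bad_idx = verify_chain(chain)            # caught at the edited record
    body = {k: v for k, v in chain[1].items() if k != "hash"}
    chain[1]["hash"] = _digest(body)            # attacker "repairs" that record
    _, bad_idx_after_fix = verify_chain(chain)  # now record 2's prev_hash fails
    return ok_before, bad_idx, bad_idx_after_fix


if __name__ == "__main__":
    print(tamper_demo())  # (True, 1, 2)
```

Two caveats follow from this construction. A deterministic keyed hash is only as strong as the secrecy of the key: phone numbers and IBANs have little entropy, so anyone holding the key can enumerate candidates and recover subjects, which is why the key belongs in a secrets store and not alongside the audit records. And a hash chain makes deletion visible by design, so an erasure request against pseudonymized records has to be implemented as a tombstone or a chain rebuild rather than a silent row delete, or verification will fail from that point on. Plain SHA-256 is adequate for API keys only because they are long random values rather than user-chosen passwords.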
9. Automated decision-making
Our fraud scoring does not constitute automated decision-making within the meaning of GDPR Art. 22. We return a score and a verdict to your application; we do not take automated decisions that produce legal or similarly significant effects on individuals. Your application retains full control and human oversight over what action to take on the basis of our scores.
10. Changes to this policy
We may update this policy when our practices change. Material changes will be communicated via email to active subscribers at least 14 days in advance. The "Last updated" date at the top of this page always reflects the current version.
11. Contact and complaints
For privacy questions: privacy@kairoscheck.net.
You have the right to lodge a complaint with your national data protection authority. In Portugal, this is the CNPD (Comissão Nacional de Proteção de Dados) at cnpd.pt.