// legal

Privacy Policy

Kaidn is built to see fraud without hoarding personal data. We collect the minimum needed to run the Service, we hash rather than store raw identifiers wherever we can, and we never ask your end users for things we do not need — there is deliberately no phone-number requirement. This policy explains what we process, why, and your rights.

Last updated: 10 July 2026

1. Who this policy covers

This policy applies to the Kaidn website and the Kaidn API and dashboard (the “Service”). It describes how we handle two different kinds of data:

  • Account & website data — information about you, our business customer and site visitors. For this data, Kaidn is the controller.
  • Event data — information you send us about your own end users so we can score it. For this data you are the controller and Kaidn is a processor acting on your instructions (see section 6 and our Terms).

2. What we collect

Account & billing. When you register we collect a name, work email, company name and a hashed password, plus records of your plan and usage. We store only a hash of each API key, never the key itself. Payments are handled by Paddle (see section 5); we receive limited billing metadata such as country, plan and the last four digits or card type — we never receive or store your full card number.

Event data you submit. To score an event you may send us signals such as an IP address, email address, device identifier, event type, timestamp and optional custom fields about one of your end users. Wherever a signal is used only to detect reuse or velocity, we store a hashed or derived value rather than the raw identifier, together with the resulting score and reason codes. Raw email addresses are not retained.

Technical & usage data. Like most services we process log data (such as request metadata and IP) for security, abuse-prevention and debugging. We use Cloudflare Turnstile to tell humans from bots on sign-up and demo forms. We use browser local storage (not tracking cookies) to remember your API key locally in your browser and your light/dark theme preference.

3. Why we process it, and our legal bases

Where UK/EU data-protection law applies, we rely on these bases:

  • Performance of a contract — to create your account, provide the Service and take payment.
  • Legitimate interests— to secure the Service, prevent fraud and abuse (fraud prevention is expressly recognised as a legitimate interest under GDPR Recital 47), and to improve and develop the Service, balanced against individuals’ rights.
  • Legal obligation — to comply with law, tax and lawful requests.
  • Consent — where we ask for it, for example certain marketing; you can withdraw it at any time.

For event data, you (the controller) are responsible for establishing the lawful basis and providing any notice to your end users for the processing you instruct us to perform.

4. AI-generated explanations

Kaidn can turn raw signals into plain-language “reasons”. By default this is done with our own templates. Where AI narration is enabled, a minimal, signal-level summary (such as reason codes and derived risk factors — not raw personal identifiers) may be sent to a third-party model provider (for example Anthropic or OpenAI) solely to generate the text. These providers act as our sub-processors, do not use the content to train their models under our configuration, and the outputs never make the scoring decision.

5. Who we share data with (sub-processors)

We do not sell personal data. We share data only with service providers who help us run the Service, under contracts that require them to protect it:

  • Paddle — Merchant of Record; payment processing, invoicing and tax.
  • Cloudflare — DNS, network security and Turnstile bot protection.
  • Hosting provider — our servers run on a dedicated European VPS (Contabo) that stores account and event data.
  • AI model providers — only where AI narration is enabled (see section 4).
  • Authorities — where required by law, or to establish, exercise or defend legal claims.

6. Processing on your behalf (data processing terms)

When we process event data as your processor, we: (a) process it only on your documented instructions to provide the Service and as permitted by law; (b) require our personnel and sub-processors to keep it confidential and secure; (c) assist you, taking into account the nature of processing, with data-subject requests and security obligations; and (d) delete or return it on termination, subject to retention required by law. A separate Data Processing Agreement is available to paid customers on request at support@kaidn.io.

7. International transfers

We and our sub-processors may process data in countries other than yours. Where we transfer personal data internationally, we rely on appropriate safeguards such as the UK/EU Standard Contractual Clauses or an adequacy decision.

8. How long we keep data

We keep account data while your account is active and for a reasonable period afterwards to meet legal, tax and accounting obligations and to resolve disputes. Event records are retained according to your plan’s retention window (for example up to 90 days on paid plans) and are then deleted or further aggregated. De-identified, aggregated signals used for our fraud graph may be kept longer because they no longer identify an individual.

9. Security

We use technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS), hashing of API keys and sensitive identifiers, access controls, and a minimise-by-default approach to personal data. No system is perfectly secure; we cannot guarantee absolute security, and you are responsible for safeguarding your API keys and account credentials.

10. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data, to object to processing based on legitimate interests, and to withdraw consent. To exercise a right relating to account or website data, email support@kaidn.io. If your request relates to event data we process for one of our customers, please contact that customer (the controller); we will assist them as their processor. You also have the right to complain to your local data-protection authority.

11. Children

The Service is for business use and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us data, contact us and we will delete it.

12. Changes and contact

We may update this policy from time to time and will change the “last updated” date above; material changes will be notified where required. For any privacy question or request, contact support@kaidn.io.

Questions about this document? Email support@kaidn.io. See also our Terms, Privacy Policy, and Refund Policy.