1. Who this policy covers
This policy applies to the Kaidn website and the Kaidn API and dashboard (the “Service”). It describes how we handle two different kinds of data:
- Account & website data — information about you, our business customer and site visitors. For this data, Kaidn is the controller.
- Event data — information you send us about your own end users so we can score it. For this data you are the controller and Kaidn is a processor acting on your instructions (see section 6 and our Terms).
2. What we collect
Account & billing. When you register we collect a name, work email, company name and a hashed password, plus records of your plan and usage. We store only a hash of each API key, never the key itself. Payments are handled by Paddle (see section 5); we receive limited billing metadata such as country, plan and the last four digits or card type — we never receive or store your full card number.
Event data you submit. To score an event you may send us signals such as an IP address, email address, device identifier, event type, timestamp and optional custom fields about one of your end users. Wherever a signal is used only to detect reuse or velocity, we store a hashed or derived value rather than the raw identifier, together with the resulting score and reason codes. Raw email addresses are not retained.
Technical & usage data. Like most services we process log data (such as request metadata and IP) for security, abuse-prevention and debugging. We use Cloudflare Turnstile to tell humans from bots on sign-up and demo forms. We use browser local storage (not tracking cookies) to remember your API key locally in your browser and your light/dark theme preference.
3. Why we process it, and our legal bases
Where UK/EU data-protection law applies, we rely on these bases:
- Performance of a contract — to create your account, provide the Service and take payment.
- Legitimate interests— to secure the Service, prevent fraud and abuse (fraud prevention is expressly recognised as a legitimate interest under GDPR Recital 47), and to improve and develop the Service, balanced against individuals’ rights.
- Legal obligation — to comply with law, tax and lawful requests.
- Consent — where we ask for it, for example certain marketing; you can withdraw it at any time.
For event data, you (the controller) are responsible for establishing the lawful basis and providing any notice to your end users for the processing you instruct us to perform.
4. AI-generated explanations
Kaidn can turn raw signals into plain-language “reasons”. By default this is done with our own templates. Where AI narration is enabled, a minimal, signal-level summary (such as reason codes and derived risk factors — not raw personal identifiers) may be sent to a third-party model provider (for example Anthropic or OpenAI) solely to generate the text. These providers act as our sub-processors, do not use the content to train their models under our configuration, and the outputs never make the scoring decision.
6. Processing on your behalf (data processing terms)
When we process event data as your processor, we: (a) process it only on your documented instructions to provide the Service and as permitted by law; (b) require our personnel and sub-processors to keep it confidential and secure; (c) assist you, taking into account the nature of processing, with data-subject requests and security obligations; and (d) delete or return it on termination, subject to retention required by law. A separate Data Processing Agreement is available to paid customers on request at support@kaidn.io.
7. International transfers
We and our sub-processors may process data in countries other than yours. Where we transfer personal data internationally, we rely on appropriate safeguards such as the UK/EU Standard Contractual Clauses or an adequacy decision.
8. How long we keep data
We keep account data while your account is active and for a reasonable period afterwards to meet legal, tax and accounting obligations and to resolve disputes. Event records are retained according to your plan’s retention window (for example up to 90 days on paid plans) and are then deleted or further aggregated. De-identified, aggregated signals used for our fraud graph may be kept longer because they no longer identify an individual.
9. Security
We use technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS), hashing of API keys and sensitive identifiers, access controls, and a minimise-by-default approach to personal data. No system is perfectly secure; we cannot guarantee absolute security, and you are responsible for safeguarding your API keys and account credentials.
10. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data, to object to processing based on legitimate interests, and to withdraw consent. To exercise a right relating to account or website data, email support@kaidn.io. If your request relates to event data we process for one of our customers, please contact that customer (the controller); we will assist them as their processor. You also have the right to complain to your local data-protection authority.
11. Children
The Service is for business use and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us data, contact us and we will delete it.
12. Changes and contact
We may update this policy from time to time and will change the “last updated” date above; material changes will be notified where required. For any privacy question or request, contact support@kaidn.io.