Kiori Logo

📄 KIORI — PRIVACY POLICY

Last Updated: 05.12.2025 (You can add a version number if desired.)

Kiori (“we”, “us”, “our”) is a knowledge management and AI assistant platform operated by Crowd Wisdom SL/SLU. We help users retrieve, organize, and augment information using document indexing, search, RAG (Retrieval-Augmented Generation), and agentic AI workflows.

We are committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR), DSGVO, and all applicable EU privacy laws.

If you have any questions about this Privacy Policy, you may contact us at: gab@crowd-wisdom.com

1. Data Controller

Crowd Wisdom SL/SLU (Registered in Spain) Email: gab@crowd-wisdom.com

For all data processed within the Kiori platform, Crowd Wisdom acts as the Data Controller.

For integrations where users connect their own accounts (e.g., Google Drive, OneDrive), those providers act as independent controllers.

2. Types of Personal Data We Process

2.1 Account & Authentication Data

  • Email address
  • Password (hashed) if signing up via Email & Password
  • Google OAuth identifier, email, and optional name/profile picture

Legal Basis: Art. 6(1)(b) GDPR — performance of contract.

2.2 Usage Data & System Logs

We collect limited metadata for security, debugging, and operational purposes:

  • IP address
  • User agent
  • Timestamp & timezone
  • Session identifiers
  • Request metadata
  • Audit logs
  • Security logs

Legal Basis:

  • Art. 6(1)(f) GDPR — legitimate interests (security & fraud prevention)
  • Art. 6(1)(c) GDPR — compliance with legal obligations

2.3 Chat Data, AI Assistant Inputs & Outputs

To enable RAG retrieval, context memory, and agentic workflows, we process:

  • User chat messages
  • AI assistant responses
  • Agentic tool call traces (iterations, actions taken, intermediate queries)
  • Search queries
  • Document snippets retrieved via RAG

These are stored so that:

  • RAG can retrieve past content
  • You can view your chat history
  • Models can provide consistent context

Legal Basis: Art. 6(1)(b) — performance of contract.

2.4 User-Uploaded Documents & Workspace Data

We store copies of:

  • Files you upload
  • Extracted text for embeddings
  • Embeddings generated for retrieval
  • File metadata

We also store original documents to allow reprocessing after platform upgrades, which is essential for proper functioning of a knowledge platform.

Legal Basis:

  • Art. 6(1)(b) GDPR — performance of contract
  • Art. 6(1)(f) GDPR — legitimate interest in maintaining service integrity and improving retrieval quality

2.5 Potentially Sensitive Data

We do not intentionally process special category data. However, because users may upload arbitrary files, incidental processing may occur.

We employ a PII detection module to flag sensitive elements internally to improve safety and handling. This module may detect:

  • Personal identifiers
  • Financial data
  • Sensitive text snippets

Legal Basis: Art. 6(1)(b) GDPR — performance of contract Art. 6(1)(f) GDPR — legitimate interests (risk reduction & system safety)

We do not profile or analyze users based on sensitive data.

2.6 Payment & Subscription Data

Handled by Stripe:

  • Email
  • Plan type
  • Payment method details
  • Billing history
  • VAT-relevant info (if applicable)

Stripe acts as processor/sub-processor.

Legal Basis: Art. 6(1)(b) — performance of contract Art. 6(1)(c) — tax & accounting compliance

2.7 Analytics

Depending on configuration:

  • Google Analytics
  • Firebase Analytics

Collected data includes:

  • Page views
  • Device data
  • Session stats
  • Event tracking

Analytics are anonymized or pseudonymized whenever possible.

Legal Basis: Art. 6(1)(a) — consent (via cookie banner) Art. 6(1)(f) — legitimate interest (improving service)

3. How We Use Your Data

We use personal data for the following purposes:

  1. Operating the Kiori platform
  2. Authentication & account management
  3. Enabling RAG retrieval & agentic workflows
  4. Providing AI chat & document search functionality
  5. File storage and reprocessing for service improvements
  6. Payment processing & subscription management
  7. Security, auditing, and fraud prevention
  8. Analytics, usage insights, and performance monitoring
  9. System upgrades that require re-indexing or re-embedding your documents
  10. Customer support and troubleshooting

We do not sell personal data.

4. Legal Bases for Processing

PurposeLegal Basis
Operating core app featuresArt. 6(1)(b)
AI processing & RAGArt. 6(1)(b)
System logs & securityArt. 6(1)(f), Art. 6(1)(c)
Analytics & cookiesArt. 6(1)(a)
PaymentsArt. 6(1)(b), Art. 6(1)(c)
IntegrationsArt. 6(1)(b)

5. Data Sharing & Subprocessors

5.1 Subprocessors (LLM & AI Services)

Used for embeddings, generation, reranking, or agentic workflows:

  • OpenAI (US/EU)
  • Anthropic (US/EU)
  • Google Gemini (EU/Global)
  • Groq (US)
  • Fireworks AI (US/EU)
  • Fireworks Reranker & Embeddings

These providers operate under GDPR Standard Contractual Clauses (SCCs) when transferring data outside the EEA.

We send the minimal required data for the requested operation (e.g., prompt text, context snippets).

5.2 Hosting & Infrastructure

  • Google Cloud Platform — Netherlands (europe-west-4) (servers, storage, networking)

  • Qdrant Cloud — vector storage & similarity search (region dependent)

  • Firebase (GCP) — auth, analytics, cloud functions

5.3 Payment Provider

  • Stripe Payments Europe Ltd.

5.4 Email Delivery

  • Zoho Mail connected to Firebase Auth

5.5 Integrations — Independent Controllers

When a user connects external services, these providers become separate Data Controllers:

  • Google Drive
  • Microsoft OneDrive

Kiori does not control their data policies; users authorize access directly.

6. International Data Transfers

Because some LLM vendors operate globally, data may be transferred to the United States.

Transfers rely on:

  • Standard Contractual Clauses (SCCs)
  • Vendor DPA commitments
  • Additional safeguards where applicable

We choose EU endpoints when supported but cannot guarantee data always remains in the EU.

7. Cookies

7.1 Cookie Banner

Because analytics may be used (e.g., Google Analytics), we operate a GDPR-compliant cookie consent banner.

7.2 Types of Cookies

  • Necessary cookies — authentication, session management
  • Preference cookies — optional
  • Analytics cookies — only with consent

We do not use marketing cookies.

8. Data Retention

Data TypeRetentionNotes
Account dataUntil deletion + 7 daysGrace period for recovery
Uploaded filesUntil account/workspace deletionAuto-cleanup
Audit logs365 daysSecurity & compliance
PII detection logs90 daysRotated automatically
Security session logs90 daysAuto-deleted
Subscription/payment dataLegal retention (up to 10 years)Tax compliance
Chat historyUntil user deletes or account deletedEssential for RAG
Agentic tracesUntil deletion or account deletedSupports explainability

Backups may persist up to 30–90 days.

9. Your Rights (GDPR)

Users have the right to:

  • Access personal data
  • Rectify personal data
  • Delete personal data (“right to be forgotten”)
  • Export personal data (portability)
  • Object to processing
  • Withdraw consent (for analytics/cookies)
  • Lodge a complaint with a supervisory authority

We respond to all requests within 30 days.

10. Automated Decision-Making & AI Transparency

Kiori uses:

  • LLMs for text generation
  • Embeddings for document search
  • Agentic workflows for multi-step reasoning

We do not use AI for automated decision-making that produces legal or significant personal effects (Art. 22 GDPR).

Users can always:

  • delete data
  • override AI responses
  • request human assistance

Kiori does not train its models on user data.

11. Data Security

We employ:

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest
  • Strict IAM roles
  • Audit logs
  • Secure sandboxing for AI tools
  • Isolation between tenant workspaces
  • Regular security reviews

12. Data Deletion

Users can:

  • Delete chats
  • Delete documents
  • Delete their entire account
  • Export their data before deletion

Once deletion is initiated:

  • Workspace & documents are removed
  • Logs tied to identity are anonymized or purged per retention schedule
  • Backups expire within normal rotation cycles

13. Changes to This Policy

We will update this Privacy Policy as needed. Users will be notified of material changes.

14. Contact

Crowd Wisdom SL/SLU Email: gab@crowd-wisdom.com

Kiori - Never Lose the Thread Again