
📄 KIORI — PRIVACY POLICY

Last Updated: 04.02.2026

Kiori (“we”, “us”, “our”) is a knowledge management and AI assistant platform operated by Crowd Wisdom SL/SLU. We help users retrieve, organize, and augment information using document indexing, search, RAG (Retrieval-Augmented Generation), and agentic AI workflows.

We are committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR), the UK GDPR, DSGVO, and all applicable EU and UK privacy laws.

If you have any questions about this Privacy Policy, you may contact us at: privacy@crowd-wisdom.com


1. Data Controller

Crowd Wisdom SL/SLU (Registered in Spain)
Email: privacy@crowd-wisdom.com

For all data processed within the Kiori platform, Crowd Wisdom acts as the Data Controller.

For integrations where users connect their own accounts (e.g., Google Drive, OneDrive), those providers act as independent controllers.


1a. Data Protection Officer (DPO)

Gabriel Michels
Crowd Wisdom SL/SLU
Email: privacy@crowd-wisdom.com

You may contact the DPO directly for any questions relating to the processing of your personal data or your rights under the GDPR.


2. Types of Personal Data We Process

2.1 Account & Authentication Data

  • Email address
  • Password (hashed) if signing up via Email & Password
  • Google OAuth identifier, email, and optional name/profile picture

Legal Basis: Art. 6(1)(b) GDPR — performance of contract.


2.2 Usage Data & System Logs

We collect limited metadata for security, debugging, and operational purposes:

  • IP address
  • User agent
  • Timestamp & timezone
  • Session identifiers
  • Request metadata
  • Audit logs
  • Security logs

Legal Basis:

  • Art. 6(1)(f) GDPR — legitimate interests (security & fraud prevention)
  • Art. 6(1)(c) GDPR — compliance with legal obligations

2.3 Chat Data, AI Assistant Inputs & Outputs

To enable RAG retrieval, context memory, and agentic workflows, we process:

  • User chat messages
  • AI assistant responses
  • Agentic tool call traces (iterations, actions taken, intermediate queries)
  • Search queries
  • Document snippets retrieved via RAG

These are stored so that:

  • RAG can retrieve past content
  • You can view your chat history
  • Models can provide consistent context

Legal Basis: Art. 6(1)(b) — performance of contract.


2.3a User Memory & Chat Memory

To improve the quality and continuity of AI interactions, Kiori extracts and stores contextual memories from your conversations. This enables:

  • Cross-thread context: The assistant remembers relevant information across different conversations, so you don't have to repeat yourself
  • Findability: Important decisions, preferences, and facts from past conversations can be recalled when needed
  • Personalized responses: The assistant adapts to your communication style, domain expertise, and preferences over time
  • Team alignment: Shared workspace context keeps team members on the same page

Memories are organized at three levels:

  • Chat memory (thread-scoped): Decisions, constraints, and facts from a specific conversation — enabling continuity within and across threads
  • User memory (user-scoped): Personal preferences and facts (e.g., preferred language, role, expertise) — enabling personalized assistance across all your conversations
  • Workspace memory (workspace-scoped): Shared team context (e.g., project conventions, naming standards) — enabling consistent assistance for all workspace members

How it works:

  • Memories are extracted using AI language models (see §5.1 for providers)
  • Stored as vector embeddings in our vector database (Qdrant)
  • Recalled semantically when relevant to your current query

User control:

  • You can view your stored memories in the application settings
  • You can delete individual memories or clear all memories at any time
  • Memory extraction can be disabled per workspace or user preference
  • Deleting a conversation does not automatically delete extracted memories — these must be managed separately

Temporary agent execution context (short-term memory) is held in memory for up to 5 minutes during active sessions and is automatically discarded.

Legal Basis: Art. 6(1)(b) — performance of contract (enabling personalized AI assistance).


2.4 User-Uploaded Documents & Workspace Data

We store copies of:

  • Files you upload
  • Extracted text for embeddings
  • Embeddings generated for retrieval
  • File metadata

We also store original documents to allow reprocessing after platform upgrades, which is essential for proper functioning of a knowledge platform.

Legal Basis:

  • Art. 6(1)(b) GDPR — performance of contract
  • Art. 6(1)(f) GDPR — legitimate interest in maintaining service integrity and improving retrieval quality

2.5 Potentially Sensitive Data

We do not intentionally process special category data. However, because users may upload arbitrary files, incidental processing may occur.

We employ a PII detection module to flag sensitive elements internally to improve safety and handling. This module may detect:

  • Personal identifiers
  • Financial data
  • Sensitive text snippets

Legal Basis:

  • Art. 6(1)(b) GDPR — performance of contract
  • Art. 6(1)(f) GDPR — legitimate interests (risk reduction & system safety)

We do not profile or analyze users based on sensitive data.


2.6 Payment & Subscription Data

Handled by Stripe:

  • Email
  • Plan type
  • Payment method details
  • Billing history
  • VAT-relevant info (if applicable)

Stripe acts as processor/sub-processor.

Legal Basis:

  • Art. 6(1)(b) — performance of contract
  • Art. 6(1)(c) — tax & accounting compliance


2.7 Analytics & Product Insights

We use the following analytics services to understand how users interact with Kiori and to improve the platform:

PostHog

Our primary product analytics tool. PostHog collects:

  • Page views and navigation events
  • Signup funnel events (plan selection, account creation, checkout)
  • Feature usage events (manually tracked, no autocapture)
  • Cross-subdomain user identification (between www.kiori.co and app.kiori.co)
  • Exception/error capture

PostHog is configured in identified-only mode (no anonymous person profiles). Data is routed through our proxy endpoint and stored in the EU (eu.posthog.com).

Google Analytics 4 (GA4)

Website analytics including:

  • Page views
  • Device and browser data
  • Session statistics
  • Signup and conversion events

IP anonymization is enabled.

Vercel Analytics

Performance monitoring on our marketing website, including:

  • Core Web Vitals
  • Page load performance metrics

Firebase Analytics

Usage analytics and performance insights for the application.

Analytics are anonymized or pseudonymized whenever possible.

Legal Basis:

  • Art. 6(1)(a) — consent (via cookie banner) for analytics cookies
  • Art. 6(1)(f) — legitimate interest (improving service)


2.8 Advertising (Currently Disabled)

Kiori has integrated Google AdSense to support free public workspaces through advertising. This feature is currently disabled but may be activated in the future.

When enabled, Google AdSense may:

  • Display banner and interstitial ads to free-tier users on public workspaces
  • Collect device information, IP address, and browsing context for ad personalization
  • Set advertising-related cookies (ad_storage)

Paid-tier users are never shown ads.

Legal Basis: Art. 6(1)(a) — consent (ads will only be shown with user consent via cookie/consent mechanisms)


3. How We Use Your Data

We use personal data for the following purposes:

  1. Operating the Kiori platform
  2. Authentication & account management
  3. Enabling RAG retrieval & agentic workflows
  4. Providing AI chat & document search functionality
  5. File storage and reprocessing for service improvements
  6. Payment processing & subscription management
  7. Security, auditing, and fraud prevention
  8. Analytics, usage insights, and performance monitoring
  9. System upgrades that require re-indexing or re-embedding your documents
  10. Customer support and troubleshooting

We do not sell personal data.


4. Legal Bases for Processing

Purpose | Legal Basis
Operating core app features | Art. 6(1)(b)
AI processing & RAG | Art. 6(1)(b)
System logs & security | Art. 6(1)(f), Art. 6(1)(c)
Analytics & cookies | Art. 6(1)(a)
Payments | Art. 6(1)(b), Art. 6(1)(c)
Integrations | Art. 6(1)(b)

5. Data Sharing & Subprocessors

5.1 Subprocessors (LLM & AI Services)

Used for embeddings, generation, reranking, memory extraction, or agentic workflows:

  • OpenAI (US/EU) — text generation, embeddings
  • Anthropic (US/EU) — text generation
  • Google Gemini (EU/Global) — text generation, embeddings
  • Groq (US) — fast inference, memory extraction
  • Fireworks AI (US/EU) — reranking, embeddings

These providers operate under GDPR Standard Contractual Clauses (SCCs) when transferring data outside the EEA.

We send the minimal required data for the requested operation (e.g., prompt text, context snippets). LLM providers may change over time as we optimize for quality, speed, and cost. The current list reflects providers actively in use.

5.1a Subprocessors (Web Search & Content Retrieval)

As part of agentic AI workflows, Kiori may access external content on your behalf:

  • Brave Search (US) — web search queries for agent tool calls
  • Tavily (US) — AI-optimized web search for agent tool calls
  • Firecrawl (US) — web page scraping and content extraction
  • Browserbase (US) — cloud browser sessions for web data collection (e.g., YouTube transcript extraction)

These services receive only the search queries or URLs relevant to the task. No personal user data is shared beyond what is necessary for the request.


5.2 Hosting & Infrastructure

  • Google Cloud Platform — Netherlands (europe-west-4): servers, storage, networking, and the following GCP sub-services:

    • Cloud KMS — encryption key management for securing user integration tokens
    • Document AI — OCR and PDF text extraction
    • Google Translate — system prompt translation (not applied to user content)
    • Secret Manager — secure storage of platform secrets

  • Qdrant Cloud — vector storage & similarity search (region dependent)
  • Firebase (GCP) — authentication, analytics, cloud functions
  • Vercel — hosting for marketing website, performance analytics
  • Cloudflare Turnstile — bot protection and CAPTCHA verification (collects IP address, browser fingerprint)


5.3 Payment Provider

  • Stripe Payments Europe Ltd.

5.4 Email Delivery

  • Zoho Mail connected to Firebase Auth

5.4a Advertising (Currently Disabled)

  • Google AdSense (Google Ireland Ltd) — display and interstitial advertising for free-tier users on public workspaces. Currently disabled but infrastructure is integrated.

5.5 Analytics Providers

  • PostHog (EU) — product analytics, event tracking, cross-subdomain user identification
  • Vercel Analytics — web performance monitoring
  • Google Analytics 4 (Google Ireland Ltd) — website analytics
  • Firebase Analytics (Google Ireland Ltd) — app usage analytics

5.6 Integrations — Independent Controllers

When a user connects external services, these providers become separate Data Controllers:

  • Google Drive
  • Microsoft OneDrive / SharePoint (via Microsoft Graph API — accesses files, folders, and metadata with user-authorized scopes)
  • Notion (via Notion API — accesses pages, databases, and file attachments with user-authorized permissions)

Kiori does not control their data policies; users authorize access directly.


6. International Data Transfers

Because some LLM vendors operate globally, data may be transferred to the United States.

Transfers rely on:

  • Standard Contractual Clauses (SCCs)
  • Vendor DPA commitments
  • Additional safeguards where applicable

We choose EU endpoints when supported but cannot guarantee data always remains in the EU.


7. Cookies

7.1 Cookie Banner

Because analytics may be used (e.g., Google Analytics), we operate a GDPR-compliant cookie consent banner.

7.2 Types of Cookies

  • Necessary cookies — authentication, session management, bot protection (Cloudflare Turnstile)
  • Preference cookies — optional
  • Analytics cookies — PostHog, Google Analytics 4, Firebase Analytics (only with consent)
  • Advertising cookies — Google AdSense (currently disabled; only with consent when enabled)

See our Cookie Policy for a detailed list of cookies used.


8. Data Retention

8.1 Retention Table

Data Type | Retention | Notes
Account data | Until deletion + 7 days | Grace period for recovery
Uploaded files | Until account/workspace deletion | Auto-cleanup
Audit logs | 365 days | Security & compliance
PII detection logs | 90 days | Rotated automatically
Security session logs | 90 days | Auto-deleted
Subscription/payment data | Legal retention (up to 10 years) | Tax compliance
Chat history | Until user deletes or account deleted | Essential for RAG
User & chat memories | Until user deletes or account deleted | Personalization & context
Short-term agent memory | Up to 5 minutes | Auto-discarded
Agentic traces | Until deletion or account deleted | Supports explainability

Backups may persist up to 30–90 days.

8.2 Reports, Abuse Notices & Legal Requests

Reports, abuse notices, and legal requests submitted through Kiori’s reporting mechanisms may contain personal data such as names, email addresses, organizational affiliation, and supporting documentation. We process this data solely for the purpose of reviewing, responding to, and documenting the reported issue, including compliance with applicable legal obligations. Such data is retained only for as long as necessary to:

  • investigate and resolve the report,
  • comply with legal and regulatory obligations,
  • establish, exercise, or defend legal claims.

Unless a longer retention period is required due to ongoing legal proceedings, report-related data is typically retained for up to 24 months and then securely deleted or anonymized.


9. Your Rights (GDPR)

Users have the right to:

  • Access personal data
  • Rectify personal data
  • Delete personal data (“right to be forgotten”)
  • Export personal data (portability)
  • Object to processing
  • Withdraw consent (for analytics/cookies)
  • Lodge a complaint with a supervisory authority

We respond to all requests within 30 days.


10. Automated Decision-Making & AI Transparency

Kiori uses:

  • LLMs for text generation
  • Embeddings for document search
  • Agentic workflows for multi-step reasoning

We do not use AI for automated decision-making that produces legal or significant personal effects (Art. 22 GDPR).

Users can always:

  • delete data
  • override AI responses
  • request human assistance

Kiori does not train its models on user data.


11. Data Security

We employ:

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest
  • Strict IAM roles
  • Audit logs
  • Secure sandboxing for AI tools
  • Isolation between tenant workspaces
  • Regular security reviews

12. Data Deletion

Users can:

  • Delete chats
  • Delete documents
  • Delete their entire account
  • Export their data before deletion

Once deletion is initiated:

  • Workspace & documents are removed
  • Logs tied to identity are anonymized or purged per retention schedule
  • Backups expire within normal rotation cycles

13. Changes to This Policy

We will update this Privacy Policy as needed. Users will be notified of material changes.


14. Contact

Crowd Wisdom SL/SLU
Email: privacy@crowd-wisdom.com

