Legal — Privacy

Privacy policy

Last updated: 22 May 2026 · MUR Data Solutions S.L. trading as Kairos

1. Identity of the Controller

The data controller is MUR Data Solutions S.L. trading as Kairos, a company incorporated in Spain (CIF B19837715).

Registered address: Torrent de l'Olla 121, 1º 2ª, CP 08012 Barcelona, España.

Contact: patricio@kairos.rest

Where Kairos processes personal data on behalf of a client (e.g. staff records, guest reviews), Kairos acts as Processor and the client acts as Controller. Terms are in the Data Processing Agreement.

2. Categories of Personal Data

Where Kairos is Controller:

  • Account holder info via Clerk (name, email, organisation)
  • Subscriber and prospect email addresses
  • Support ticket content and correspondence

Where Kairos is Processor (on behalf of clients):

  • Staff names, employment contracts, salary data
  • Guest review content including reviewer names — PII redacted before LLM processing
  • Client contact information

Non-personal operational data:

Sales records (anonymised), inventory levels, recipe costs, reputation scores, and competitor pricing are not personal data under GDPR.

3. Purposes and Legal Basis

PurposeLegal basis (GDPR Art. 6)
Provide the Kairos platformArt. 6(1)(b) — contract performance
Billing and invoicingArt. 6(1)(b) contract; Art. 6(1)(c) legal obligation
Customer supportArt. 6(1)(b) — contract performance
Product analytics and improvementArt. 6(1)(f) — legitimate interest
Security monitoringArt. 6(1)(f) — legitimate interest
Marketing to prospectsArt. 6(1)(a) — consent; Art. 6(1)(f) for existing clients

4. Sub-Processors

Full list at kairos.rest/subprocessors.

ProcessorPurposeDataLocation
NAN (Qwen LLM)LLM inferencePII-redacted promptsEU
ClerkAuth & RBACEmails, profileUS (DPF certified)
AWS S3PDF storageOperational PDFsEU (Frankfurt)
SentryError monitoringTraces (PII scrubbed)US (DPF certified)
Upstash RedisCache & rate limitSession tokensEU (Ireland)
Prisma PostgresApp databaseFull app dataEU
OutscraperReviews scrapingPublic review dataUS (SCCs)
ResendTransactional emailRecipient addressEU
VercelHosting & edgeRequest logsGlobal edge

5. International Transfers

  • EU-US Data Privacy Framework (DPF): Clerk and Sentry are DPF-certified.
  • Standard Contractual Clauses (SCCs): For Outscraper and other US processors not covered by DPF, we rely on EU Commission SCCs (2021).

6. Retention Periods

Data categoryRetention
Operational data (as Processor)Contract duration + 1 year
Staff data (as Processor)Per labour law (Spain: 4 years post-termination)
Subscriber / prospect emailsUntil unsubscribe + 30 days
Account data (as Controller)Account duration + 90 days post-closure
Backups30 days rolling
Invoice and billing records7 years (Spanish tax law)

7. Your Rights (GDPR)

  • Access — obtain a copy of your data
  • Rectification — correct inaccurate data
  • Erasure — request deletion
  • Portability — receive data in machine-readable format
  • Object — object to legitimate-interest processing
  • Restriction — restrict processing in certain cases
  • Withdraw consent — where processing is consent-based

Email patricio@kairos.rest. We respond within 30 days. No fee for reasonable requests.

8. Cookies

  • Necessary (always active): session and CSRF tokens required for platform security.
  • Analytics (opt-in): Vercel Analytics — aggregate usage stats, no personal profiling.
  • Marketing (opt-in): none currently. Reserved for future use.

Preferences stored in your browser under kairos:cookie-consent.

9. New York SHIELD Act

Where Kairos processes private information of New York residents, we implement reasonable administrative, technical, and physical safeguards including access controls, encryption at rest and in transit, and data handling training.

10. UAE Personal Data Protection Law (PDPL)

Where Kairos processes personal data of UAE residents, we comply with Federal Decree-Law No. 45/2021. UAE data subjects have equivalent rights to those in Section 7. Contact patricio@kairos.rest.

11. Changes to This Policy

Material changes notified by email at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.

12. Supervisory Authority

The competent supervisory authority is the Agencia Española de Protección de Datos (AEPD) www.aepd.es.

Contact us first at patricio@kairos.rest before lodging a complaint.