Legal — Privacy
Privacy policy
Last updated: 22 May 2026 · MUR Data Solutions S.L. trading as Kairos
1. Identity of the Controller
The data controller is MUR Data Solutions S.L. trading as Kairos, a company incorporated in Spain (CIF B19837715).
Registered address: Torrent de l'Olla 121, 1º 2ª, CP 08012 Barcelona, España.
Contact: patricio@kairos.rest
Where Kairos processes personal data on behalf of a client (e.g. staff records, guest reviews), Kairos acts as Processor and the client acts as Controller. Terms are in the Data Processing Agreement.
2. Categories of Personal Data
Where Kairos is Controller:
- Account holder info via Clerk (name, email, organisation)
- Subscriber and prospect email addresses
- Support ticket content and correspondence
Where Kairos is Processor (on behalf of clients):
- Staff names, employment contracts, salary data
- Guest review content including reviewer names — PII redacted before LLM processing
- Client contact information
Non-personal operational data:
Sales records (anonymised), inventory levels, recipe costs, reputation scores, and competitor pricing are not personal data under GDPR.
3. Purposes and Legal Basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Kairos platform | Art. 6(1)(b) — contract performance |
| Billing and invoicing | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation |
| Customer support | Art. 6(1)(b) — contract performance |
| Product analytics and improvement | Art. 6(1)(f) — legitimate interest |
| Security monitoring | Art. 6(1)(f) — legitimate interest |
| Marketing to prospects | Art. 6(1)(a) — consent; Art. 6(1)(f) for existing clients |
4. Sub-Processors
Full list at kairos.rest/subprocessors.
| Processor | Purpose | Data | Location |
|---|---|---|---|
| NAN (Qwen LLM) | LLM inference | PII-redacted prompts | EU |
| Clerk | Auth & RBAC | Emails, profile | US (DPF certified) |
| AWS S3 | PDF storage | Operational PDFs | EU (Frankfurt) |
| Sentry | Error monitoring | Traces (PII scrubbed) | US (DPF certified) |
| Upstash Redis | Cache & rate limit | Session tokens | EU (Ireland) |
| Prisma Postgres | App database | Full app data | EU |
| Outscraper | Reviews scraping | Public review data | US (SCCs) |
| Resend | Transactional email | Recipient address | EU |
| Vercel | Hosting & edge | Request logs | Global edge |
5. International Transfers
- EU-US Data Privacy Framework (DPF): Clerk and Sentry are DPF-certified.
- Standard Contractual Clauses (SCCs): For Outscraper and other US processors not covered by DPF, we rely on EU Commission SCCs (2021).
6. Retention Periods
| Data category | Retention |
|---|---|
| Operational data (as Processor) | Contract duration + 1 year |
| Staff data (as Processor) | Per labour law (Spain: 4 years post-termination) |
| Subscriber / prospect emails | Until unsubscribe + 30 days |
| Account data (as Controller) | Account duration + 90 days post-closure |
| Backups | 30 days rolling |
| Invoice and billing records | 7 years (Spanish tax law) |
7. Your Rights (GDPR)
- Access — obtain a copy of your data
- Rectification — correct inaccurate data
- Erasure — request deletion
- Portability — receive data in machine-readable format
- Object — object to legitimate-interest processing
- Restriction — restrict processing in certain cases
- Withdraw consent — where processing is consent-based
Email patricio@kairos.rest. We respond within 30 days. No fee for reasonable requests.
8. Cookies
- Necessary (always active): session and CSRF tokens required for platform security.
- Analytics (opt-in): Vercel Analytics — aggregate usage stats, no personal profiling.
- Marketing (opt-in): none currently. Reserved for future use.
Preferences stored in your browser under kairos:cookie-consent.
9. New York SHIELD Act
Where Kairos processes private information of New York residents, we implement reasonable administrative, technical, and physical safeguards including access controls, encryption at rest and in transit, and data handling training.
10. UAE Personal Data Protection Law (PDPL)
Where Kairos processes personal data of UAE residents, we comply with Federal Decree-Law No. 45/2021. UAE data subjects have equivalent rights to those in Section 7. Contact patricio@kairos.rest.
11. Changes to This Policy
Material changes notified by email at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.
12. Supervisory Authority
The competent supervisory authority is the Agencia Española de Protección de Datos (AEPD) — www.aepd.es.
Contact us first at patricio@kairos.rest before lodging a complaint.