Legal

Privacy Policy

Last updated: June 2026

This Privacy Policy explains how we collect, use, and protect personal data when you use the Kiara API and related websites, dashboards, and SDKs (the “Service”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Dutch law. Read this together with our Cookie Policy and our Sub-processors disclosure.

1. Data controller

The Kiara API is operated by Kiara Intelligence, which is the controller responsible for your personal data. You can reach our privacy team at any time:

We have not appointed a statutory Data Protection Officer where one is not legally required; the privacy contact above handles all data-protection enquiries.

2. Personal data we process

We do not intentionally collect special categories of data (Art. 9 GDPR). Do not submit such data unless strictly necessary and lawful; you are responsible for the Inputs you provide.

3. Purposes and legal bases

PurposeData usedLegal basis (GDPR Art. 6)
Provide the Service — create accounts, mint keys, run generations, manage credits, supportAccount data, inputs/outputs, usage, payment metadata, communicationsPerformance of a contract — Art. 6(1)(b)
Secure the Service, prevent abuse & fraud, keep request logs, improve reliabilityUsage & logs, security/device dataLegitimate interests, balanced against your rights — Art. 6(1)(f)
Comply with accounting, tax (VAT/BTW), and other statutory dutiesPayment / invoice metadata, account dataLegal obligation — Art. 6(1)(c)
Set non-essential cookies (none today)Cookie / device dataConsent, withdrawable at any time — Art. 6(1)(a)
Respond to legal claims and protect rights, safety, and securityAs relevant to the matterLegitimate interests / legal obligation — Art. 6(1)(f)/(c)

4. Categories of recipients (processors)

We share personal data only with service providers acting as our processors under data-processing agreements, and only as needed to run the Service. We disclose categories of recipients rather than individual names:

A fuller description is in our Sub-processors disclosure. We may also disclose data where required by law or to protect the rights, safety, and security of the Service and its users. We do not sell personal data.

5. International transfers

Some of our processors may process data outside the European Economic Area (EEA). Where that happens, we rely on appropriate safeguards under the GDPR — principally the European Commission’s Standard Contractual Clauses (SCCs), together with supplementary measures where appropriate, or an adequacy decision — to ensure your data receives an equivalent level of protection. You can request more information about these safeguards using the privacy contact below.

6. Retention

7. Your rights

Subject to the conditions in the GDPR, you have the right to:

8. How to exercise your rights

To exercise any of these rights, email privacy@kiara-api.com. We may need to verify your identity before acting. We will respond within the timeframes required by the GDPR (normally within one month, extendable by up to two further months for complex requests). Exercising your rights is free unless a request is manifestly unfounded or excessive.

9. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing within the meaning of Art. 22 GDPR. We do use automated systems for safety, moderation, abuse detection, and rate limiting; where such a system flags activity, material enforcement decisions involve human review.

10. Right to complain

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the supervisory authority in your EU country of residence. We would appreciate the chance to address your concerns first.

11. Security

We apply appropriate technical and organisational measures to protect personal data, including encryption in transit, hashed/secret API keys, access controls and the principle of least privilege, row-level authorization so data is scoped to your account, and limited log retention. No system is perfectly secure, but we work to protect your data against unauthorised access, loss, or misuse, and we maintain processes to respond to data-protection incidents.

12. Children

The Service is strictly for adults. You must be at least 18 years old to use it. We do not knowingly process personal data of anyone under 18. If we learn we have done so, we will delete it.

13. Cookies

For details on the cookies and similar technologies we use, and how to manage them, see our Cookie Policy.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date above and, where required, notify you of material changes.

15. Contact

Privacy questions and data-subject requests: privacy@kiara-api.com.