Privacy Policy
Last updated: June 2026
This Privacy Policy explains how we collect, use, and protect personal data when you use the Kiara API and related websites, dashboards, and SDKs (the “Service”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Dutch law. Read this together with our Cookie Policy and our Sub-processors disclosure.
1. Data controller
The Kiara API is operated by Kiara Intelligence, which is the controller responsible for your personal data. You can reach our privacy team at any time:
- Operator: Kiara Intelligence
- Privacy contact: privacy@kiara-api.com
- General support: support@kiara-api.com
Where a statutory Data Protection Officer is not legally required, we have not appointed one; the privacy contact above handles all data-protection enquiries.
2. Personal data we process
- Account data — the email address you sign up with and basic account settings.
- API usage & logs — for each call: method, path, response code, latency, API key id, and the calling IP address and user agent.
- Payment metadata — the invoice identifier and the credit amount applied to your balance. We do not store full payment instrument details (see recipients below).
- Generated content & inputs — the prompts you submit, any images or files you upload as inputs, and the assets generated through the Service.
- Security / device data — IP address and device/browser information used to secure the Service, detect abuse, and prevent fraud.
- Communications — the content of support requests and other messages you send us.
We do not intentionally collect special categories of data (Art. 9 GDPR). Do not submit such data unless strictly necessary and lawful; you are responsible for the Inputs you provide.
3. Purposes and legal bases
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Provide the Service — create accounts, mint keys, run generations, manage credits, support | Account data, inputs/outputs, usage, payment metadata, communications | Performance of a contract — Art. 6(1)(b) |
| Secure the Service, prevent abuse & fraud, keep request logs, improve reliability | Usage & logs, security/device data | Legitimate interests, balanced against your rights — Art. 6(1)(f) |
| Comply with accounting, tax (VAT/BTW), and other statutory duties | Payment / invoice metadata, account data | Legal obligation — Art. 6(1)(c) |
| Set non-essential cookies (none today) | Cookie / device data | Consent, withdrawable at any time — Art. 6(1)(a) |
| Respond to legal claims and protect rights, safety, and security | As relevant to the matter | Legitimate interests / legal obligation — Art. 6(1)(f)/(c) |
4. Categories of recipients (processors)
We share personal data only with service providers acting as our processors under data-processing agreements, and only as needed to run the Service. We disclose categories of recipients rather than individual names:
- Cloud hosting & CDN — to host our database, authentication, generated assets, and to deliver the website.
- Payment processor — to process top-up payments. The processor handles payment details under its own privacy terms; we receive only invoice and credit metadata.
- AI compute providers — to run image and video generation on the prompts and inputs you submit.
- Email / communications provider — to deliver transactional emails such as magic-link sign-in.
A fuller description is in our Sub-processors disclosure. We may also disclose data where required by law or to protect the rights, safety, and security of the Service and its users. We do not sell personal data.
5. International transfers
Some of our processors may process data outside the European Economic Area (EEA). Where that happens, we rely on appropriate safeguards under the GDPR — principally the European Commission’s Standard Contractual Clauses (SCCs), together with supplementary measures where appropriate, or an adequacy decision — to ensure your data receives an equivalent level of protection. You can request more information about these safeguards using the privacy contact below.
6. Retention
- Account data — kept while your account is active; deleted or anonymised after closure, subject to legal retention obligations.
- Generated assets & inputs — retained per the asset lifecycle (currently up to 90 days on object storage) unless you delete them sooner.
- Request logs — retained for a limited period (currently up to 30 days) for security and troubleshooting, then aged out.
- Payment / invoice metadata — retained for the period required by accounting and tax law (in the Netherlands, generally seven years).
- Support communications — retained as long as needed to handle the request and for a reasonable period thereafter.
7. Your rights
Subject to the conditions in the GDPR, you have the right to:
- Access — obtain a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — have your data deleted (“right to be forgotten”).
- Restriction — limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
8. How to exercise your rights
To exercise any of these rights, email privacy@kiara-api.com. We may need to verify your identity before acting. We will respond within the timeframes required by the GDPR (normally within one month, extendable by up to two further months for complex requests). Exercising your rights is free unless a request is manifestly unfounded or excessive.
9. Automated decision-making
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing within the meaning of Art. 22 GDPR. We do use automated systems for safety, moderation, abuse detection, and rate limiting; where such a system flags activity, material enforcement decisions involve human review.
10. Right to complain
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the supervisory authority in your EU country of residence. We would appreciate the chance to address your concerns first.
11. Security
We apply appropriate technical and organisational measures to protect personal data, including encryption in transit, hashed/secret API keys, access controls and the principle of least privilege, row-level authorization so data is scoped to your account, and limited log retention. No system is perfectly secure, but we work to protect your data against unauthorised access, loss, or misuse, and we maintain processes to respond to data-protection incidents.
12. Children
The Service is strictly for adults. You must be at least 18 years old to use it. We do not knowingly process personal data of anyone under 18. If we learn we have done so, we will delete it.
13. Cookies
For details on the cookies and similar technologies we use, and how to manage them, see our Cookie Policy.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will update the “Last updated” date above and, where required, notify you of material changes.
15. Contact
Privacy questions and data-subject requests: privacy@kiara-api.com.