GDPR Compliance
Last Updated: June 4, 2026
At Kabiri, we are committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR and outlines the rights available to you as a data subject.
1. Data Controller & Data Protection Officer
Kabiri acts as the data controller for the personal data we collect through our website at kabiri.co and associated services. This means we determine the purposes and means of processing your personal data.
The data controller is [REGISTERED COMPANY NAME], a company registered in England and Wales (Company No. [COMPANY NUMBER]), with its registered office at [REGISTERED OFFICE ADDRESS]. We are registered with the Information Commissioner's Office (ICO) under registration number [ICO REGISTRATION NUMBER].
Our Data Protection Officer (DPO) can be contacted at privacy@kabiri.co for any data protection enquiries, subject access requests, or to exercise your rights under GDPR.
2. Lawful Basis for Processing
We process your personal data only when we have a lawful basis to do so under Article 6 of the GDPR. The bases we rely on include:
- Consent: Where you have given us clear, informed consent to process your personal data for a specific purpose (e.g. joining our waitlist, receiving marketing emails).
- Contractual Necessity: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract (e.g. providing the Service once you create an account).
- Legitimate Interests: Where processing is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms (e.g. improving our website, ensuring security).
- Legal Obligation: Where processing is necessary to comply with a legal obligation to which we are subject.
3. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
- Right of Access: You have the right to request a copy of the personal data we hold about you.
- Right to Rectification: You have the right to request that we correct any personal data that is inaccurate or incomplete.
- Right to Erasure: You have the right to request that we delete your personal data, subject to certain conditions (also known as the "right to be forgotten").
- Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to Object: You have the right to object to the processing of your personal data where we are relying on legitimate interests as the lawful basis.
- Right to Withdraw Consent: Where we rely on consent as the lawful basis for processing, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, please contact our Data Protection Officer at privacy@kabiri.co. We will respond to your request within 30 days.
4. Data We Collect
For a detailed breakdown of the personal data we collect and how we use it, please refer to our Privacy Policy. In summary, we may collect:
- Email address (when you join the waitlist or create an account)
- Name (when you register for the Service)
- Usage data (IP address, browser type, pages visited)
- Cookie data (see our Cookie Policy)
5. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specifically:
- Waitlist data: Retained until the Service launches and you are invited, or until you request removal.
- Account data: Retained for the duration of your account. Upon account deletion, all associated personal data is permanently deleted within 30 days.
- Analytics data: Aggregated and anonymised data may be retained indefinitely for statistical purposes.
6. Data Transfers
Your personal data may be transferred to and processed in countries outside the EEA or the United Kingdom. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision. The processors we rely on and the safeguards that apply are:
- Google Cloud Platform / Firebase (storage, authentication, infrastructure) — our application servers and database are pinned to the europe-west2 (UK) region. Any onward transfers are covered by Google's Standard Contractual Clauses and UK Addendum.
- Google Gemini API (Kabiri Assistant) — the Gemini API is a global Google endpoint, so individual requests may be processed on Google infrastructure outside the UK / EEA. These transfers are covered by Google's data processing terms and Standard Contractual Clauses, and the data is not used to train Google's models.
- Stripe (payment processing), SendGrid (transactional email), and DocuSign (electronic signatures, when you send a file for signature) — transfers are covered by Standard Contractual Clauses and the UK Addendum where data leaves the UK / EEA.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit and at rest, access controls, and regular security reviews. For more details, see our Privacy Policy.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
9. Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In the United Kingdom, the relevant authority is the Information Commissioner's Office (ICO). You can contact the ICO at ico.org.uk.
10. Contact Us
If you have any questions about our GDPR compliance or wish to exercise your data protection rights, please contact our Data Protection Officer at privacy@kabiri.co.