01 Who we are
Kaiva is a trading name of SLATEAI LIMITED, a company registered in England & Wales (Company No. 16601902), with registered office at Suite RA01, 195-197 Wood Street, London, E17 3NU. We are controller for our website and marketing; processor for customer data routed through the product. Contact: [email protected].
02 What we collect
a. Account information
When you create an account, we collect:
- Email address (used for authentication)
- Account preferences and settings
- Name, work email, role, and company (where provided)
b. Usage data
To provide and improve our services, we collect:
- Conversation history and AI interactions
- Provider usage patterns and preferences
- AI usage and consumption metrics
- Feature usage and engagement analytics
- Error logs and performance data
- Agent-action receipts (who, what, when, which rule, which outcome)
c. Technical information
We automatically collect technical data including:
- IP address for maintaining platform security
- Authentication events (time, IP, user agent, SSO claims)
d. Billing
We use Stripe to process payments. We do not store card numbers on Kaiva systems.
e. Cookies and tracking technologies
We use cookies and similar tracking technologies to collect information about your browsing activities. Only strictly-necessary cookies are set by default; Analytics and Marketing cookies require opt-in via our consent banner. With your consent, we use:
- Google Analytics: To understand website usage, user behaviour, and improve our services
- Google Ads: To measure advertising effectiveness and show relevant advertisements
- Essential cookies: Required for authentication, security, and basic website functionality
You can manage your cookie preferences through our cookie consent banner, or via the “Cookie settings” link in the footer. Essential cookies cannot be disabled as they are necessary for the website to function. Short-lived cookies (under 10 minutes) set during SSO / OAuth sign-in flows are not listed individually; they exist only during the redirect and are cleared automatically.
Strictly necessary (always on)
auth · session · geo · consent state
| Name | Provider | Expires |
|---|---|---|
| access_token | kaiv.ai | 2h |
| refresh_token | kaiv.ai | 7d |
| kaiva_authenticated | kaiv.ai | 2h |
| _geo_consent | kaiv.ai | 24h |
Analytics (opt-in)
product usage · page timing · google analytics
| Name | Provider | Expires |
|---|---|---|
| _ga | google-analytics.com | 13mo |
| _ga_* | google-analytics.com | 13mo |
Marketing (opt-in)
google ads · bing uet · ad attribution
| Name | Provider | Expires |
|---|---|---|
| _gcl_au | google.com | 90d |
| MUID | bing.com | 13mo |
| _uetsid | bing.com | 1d |
03 Why we collect it
Service provision
- Route requests to appropriate AI providers
- Monitor usage limits and manage subscriptions
- Ensure service availability and performance
Analytics and improvement
- Understand user preferences and optimise provider selection
- Improve platform performance and reliability
- Develop new features and capabilities
- Identify and fix technical issues
Communication
- Send important service updates and notifications
- Provide customer support and technical assistance
- Share new features and platform improvements
04 Our role
For data you route through the product, you are controller, we are processor. For our website and direct marketing, we are controller. Where a specific data-processing agreement applies between us, its terms govern.
05 Legal bases
We process personal data on the following lawful bases under GDPR Art. 6:
| Processing activity | Purpose | Lawful basis |
|---|---|---|
| Customer Data | Deliver the Service per contract | Art. 6(1)(b) Contract |
| Account data | Operate, secure, and support the Service | Art. 6(1)(b) Contract / Art. 6(1)(f) Legitimate interest |
| Security & audit logs | Fraud prevention, abuse detection, regulatory defence | Art. 6(1)(f) Legitimate interest / Art. 6(1)(c) Legal obligation |
| Marketing communications | Newsletters, invitations, respond to enquiries | Art. 6(1)(a) Consent |
| Billing records | Invoicing, accounting, tax | Art. 6(1)(b) Contract / Art. 6(1)(c) Legal obligation |
06 Sub-processors
§ On models. Kaiva does not use customer data to train foundation models. Where enterprise options are available from our model providers, we prefer no-training configurations. Each provider's own data-handling policy continues to apply to data routed through them.
AI provider integration
When you use Kaiva, your inputs and conversations are sent to third-party AI providers including:
- OpenAI: Subject to OpenAI's Privacy Policy and Terms of Service
- Anthropic: Subject to Anthropic's Privacy Policy and Terms of Service
- Google Gemini: Subject to Google Gemini's Privacy Policy and Terms of Service
- xAI (Grok): Subject to xAI's Privacy Policy and Terms of Service
- Other AI providers: Subject to their respective privacy policies
The following data is transmitted to AI providers to generate responses:
- Your conversation messages and prompts
- Context from previous messages in the conversation
- System prompts and configuration data
- File uploads (when using file analysis features)
Important notes about AI provider data handling:
- OpenAI's current API policy states that API data is not used to train their models
- Anthropic has committed to not training on user conversations
- Each provider may have different data retention and deletion policies
- You should review each provider's privacy policy for complete details
Other third-party services
- Google Analytics: Collects anonymised usage data to help us improve our website. We use Google Analytics with IP anonymisation enabled. Data is retained for 26 months. You can opt out at tools.google.com/dlpage/gaoptout
- Google Ads: Used for conversion tracking and remarketing. Subject to Google's Advertising Privacy Policy. Manage your ad preferences at adssettings.google.com
- Microsoft Bing Ads (Enhanced Conversions): Tracks conversions and enables targeted advertising. When you sign up or complete a purchase, your email address is shared with Microsoft in a normalised format (lowercase, whitespace removed, special characters handled per Microsoft's requirements) for conversion attribution and marketing purposes. Subject to Microsoft's Privacy Statement.
- Stripe: Processes payments securely according to their privacy policy.
- Cloudflare Web Analytics: We use Cloudflare's privacy-first analytics to understand website traffic. This tool is cookieless, stores no IP addresses, and collects no personally identifiable information. Only aggregate data (page views, country, browser type, referrer) is recorded. No consent is required as no personal data is processed.
These services only collect data when you provide consent through our cookie banner, except for essential cookies and cookieless analytics required for website functionality.
A current list of sub-processors is available on request to [email protected]. We aim to provide reasonable advance notice of material changes.
07 International transfers
Kaiva operates globally, and your data may be transferred to and processed in countries other than your own. Where personal data is transferred outside the UK or EEA, we rely on one of the following safeguards, depending on the destination:
- an adequacy decision (including, for UK transfers, the UK extension to the EU–US Data Privacy Framework where applicable);
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- the EU Standard Contractual Clauses 2021/914 where a transfer is EEA-originating;
- another lawful transfer mechanism recognised under the UK and EU data protection regimes.
We also maintain strong encryption for all data in transit and comply with local data protection laws.
08 Retention
We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law.
| Data category | Retention window | Basis |
|---|---|---|
| Customer Data | Per customer contract / MSA | Contract (Art. 6(1)(b)) |
| Agent-action receipts | Per customer contract | Audit / Contract |
| Account & authentication data | Duration of account + 90 days | Contract / legitimate interest |
| Security and access logs | As necessary for security, typically up to 24 months | Legitimate interest (Art. 6(1)(f)) |
| Marketing contacts | Until unsubscribe + 30 days | Consent (Art. 6(1)(a)) |
| Billing and financial records | 7 years | UK tax and companies law |
We honour reasonable requests to shorten retention where no overriding legal or security obligation applies.
09 Your rights
Under the UK GDPR, EU GDPR, and applicable US state privacy laws, you have the right to:
- Access — request a copy of personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion, subject to legal retention obligations and security holds.
- Restriction — request restriction of processing.
- Object — to processing on the basis of legitimate interest or for direct marketing.
- Portability — where applicable.
- Withdraw consent — at any time. This does not affect the lawfulness of processing carried out before withdrawal.
- Lodge a complaint — with your supervisory authority. In the UK this is the Information Commissioner's Office (ico.org.uk); in the EU, your national data protection authority.
To exercise these rights, email [email protected]. We respond within 30 days (extendable by a further 60 days for complex requests, in which case we will notify you).
10 Security
Security measures
We protect your data through:
- TLS 1.3 for data in transit; AES-256 for data at rest
- Encrypted storage of sensitive information
- Secure API key management and rotation
- Least-privilege access controls and audit-logged changes
- Regular security reviews
Data breach response
In the event of a data security incident:
- We will investigate and contain the incident immediately
- Affected users will be notified within 72 hours where feasible
- We will cooperate with relevant authorities as required
- We will take steps to prevent similar incidents
Data minimisation
We only store data that is necessary for the functioning of the Kaiva platform. All user data is handled in accordance with industry-standard security practices.
Report security issues: [email protected].
11 Children
Kaiva is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it immediately. Users between 13 and 18 require parental consent to use our Service.
12 Changes & contact
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you via email or platform notification
- We will update the “Updated” date above
- We will highlight significant changes where practical
- Continued use constitutes acceptance of changes
Questions about this Policy or to exercise your rights: [email protected].
By using Kaiva, you acknowledge that you have read, understood, and agree to this Privacy Policy and the processing of your data as described herein.