This privacy notice explains how Kiavi processes personal data. Kiavi is operated by Kiavi B.V., a company registered in the Netherlands under Chamber of Commerce (KvK) number 42042433 (“Kiavi”, “we”, “us”, “our”). For the personal data described in this notice, we are the data controller within the meaning of Art. 4(7) GDPR, except where we expressly state otherwise.
1. Scope of this notice
This notice covers personal data we process about three groups of people:
- Visitors to our marketing website at kiavi.eu and its localised paths;
- Customers: account holders, billing contacts, support contacts, and personnel of organisations that have signed up to use the Kiavi service;
- End users: people who authenticate into a customer’s application using the Kiavi service. For end users, we act as a processor on behalf of the customer that operates the application. This notice describes that processing only at a high level; the controlling terms are in the data processing agreement between Kiavi and the customer, and the customer’s own privacy notice governs how end users’ data is collected and used.
If you are an end user and you want to know what data is held about you, why, and how to exercise your rights, please contact the operator of the application you signed in to. We will assist them where required by law.
2. What we collect
From visitors
- Information you submit through the contact form or by email: your name, email address, organisation, and the content of your message;
- Strictly necessary technical data needed to deliver the site: IP address, user-agent, requested URL, and HTTP status, recorded transiently in server logs and CDN logs to operate, secure, and protect the site against abuse. We do not run analytics, advertising, or behavioural tracking on the marketing site.
From customers
- Account data: name, work email address, organisation name, role, and authentication credentials for the management dashboard (passkeys and email one-time codes);
- Billing data: billing email, billing address, VAT number where applicable, and tokenised payment-method references provided by our payment processor (we do not store full card numbers);
- Usage and product-telemetry data needed to operate and bill the service: tenant identifiers, configuration choices, daily and monthly active user counts per tenant, API request metadata, and audit-log entries for actions taken in the management dashboard;
- Support and communications data: the content of support requests, in-product messages, and email correspondence with us.
From end users (as processor)
On behalf of our customers we process the categories of personal data set out in Annex 1 of the data processing agreement: identifiers (email, phone where enabled, display name, OAuth provider identifiers and tokens), authentication credentials and verifiers (WebAuthn public keys, hashed recovery codes, one-time codes), session and device metadata (session identifiers, IP address, user-agent, country code derived in the EEA), authentication event records, and any custom user fields the customer configures. We do not store user passwords. We do not knowingly process special categories of personal data within the meaning of Art. 9 GDPR.
3. How we collect it
- Directly from you: when you fill in a form, send us an email, sign up for an account, or use the management dashboard;
- Automatically: when your browser, device, or application interacts with our website or the service, we receive technical data such as IP address, user-agent, and request metadata;
- From our customers: end-user data is provided to us by the customer that operates the application, including data the customer’s end users provide directly to that application.
4. Why we process it and our legal basis
We process personal data on the legal bases set out in Art. 6(1) GDPR. The list below maps purposes to bases.
Performance of a contract — Art. 6(1)(b)
- Creating and operating customer accounts, providing the management dashboard, executing API requests, issuing invoices, processing payments, and providing customer support;
- For end-user data, performance of the contract between the customer and its end user, with Kiavi acting as a processor on documented instructions of the customer.
Compliance with a legal obligation — Art. 6(1)(c)
- Retaining accounting records, invoices, and tax documents for the period required by Dutch law (currently seven years for fiscal records);
- Responding to lawful requests from competent authorities and exercising or defending legal claims.
Legitimate interests — Art. 6(1)(f)
- Securing our website and service against abuse, credential stuffing, brute-force attempts, and other attacks (our interest: information security; balancing test: minimal data, short retention, no profiling);
- Maintaining server and application logs and error monitoring needed to keep the service running and diagnose incidents;
- Sending service-related communications to customers (incident notices, security advisories, material changes to terms);
- Limited business-to-business outreach to a named work contact at an organisation that has expressed interest in Kiavi, in line with the GDPR’s transparency and objection rights.
Consent — Art. 6(1)(a)
- Where we ask for consent (for example, to receive the Kiavi product newsletter), we rely on Art. 6(1)(a) and you can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
We do not sell personal data, we do not use end-user data to train artificial-intelligence or machine-learning models, and we do not engage in cross-context behavioural advertising.
5. How long we keep it
- Contact-form messages: kept for up to 24 months after the last interaction, unless they relate to an active customer relationship;
- Server and CDN logs: retained for up to 30 days for security and operational purposes, then deleted or rotated;
- Customer account data: retained for the lifetime of the account, then deleted within 30 days of account closure, except where law (in particular Dutch fiscal law) requires longer retention of specific records (for example invoices: seven years);
- Billing records: retained for seven years from the end of the relevant fiscal year, in line with Dutch tax law;
- Audit-log entries in the management dashboard: retained for the lifetime of the account and deleted on the same schedule as account data;
- End-user data processed on behalf of customers: retained for the lifetime of the customer’s tenant and deleted within 30 days after termination of the customer agreement, with encrypted backups overwritten on the normal rotation cycle (no later than 90 days). The full schedule is set out in section 12 of the data processing agreement.
Backups are encrypted and rotate on a fixed schedule; data within them is not actively used and is overwritten in the normal course of the backup cycle.
6. Who we share it with
We share personal data only with the following categories of recipients, and only to the extent necessary for the purposes set out in section 4:
- Subprocessors and service providers we engage to deliver the service. The current list, including the location of processing and the purpose of each engagement, is published on the subprocessors page and is incorporated into the data processing agreement by reference;
- Professional advisers (lawyers, auditors, accountants) under a duty of confidentiality, where necessary to obtain advice or comply with a legal obligation;
- Competent public authorities, where we are required by law to disclose personal data, and only to the extent of that obligation;
- An acquirer or successor entity in the event of a merger, acquisition, reorganisation, or sale of assets, subject to confidentiality obligations and continued application of this notice.
We do not share personal data for cross-context behavioural advertising, ad-network targeting, or list-broker resale.
7. Where it lives and international transfers
All personal data is stored within the European Economic Area (“EEA”). Authentication instances, databases, and per-tenant signing keys are hosted in Scaleway data centres in Paris (fr-par). Static assets are served from EEA edge locations of Bunny.net only.
We will not transfer personal data to a country outside the EEA, nor permit any subprocessor to do so, without first putting in place an appropriate transfer mechanism under Chapter V of the GDPR (in particular an adequacy decision under Art. 45 GDPR or appropriate safeguards under Art. 46 GDPR, including the European Commission’s standard contractual clauses). The current subprocessor list and the locations of processing are published on the subprocessors page.
8. How we protect it
We implement appropriate technical and organisational measures to protect personal data, in accordance with Art. 32 GDPR. These measures are described in detail on the security page and in Annex 2 of the data processing agreement, and include strict per-tenant isolation (dedicated container, dedicated database, dedicated signing keys), TLS in transit, encryption at rest, hashed credentials, rate limiting on public authentication endpoints, structured audit logging, secrets managed in Scaleway Secret Manager, role-based access on a need-to-know basis, automated tests as part of the change-management process, and an incident response process.
9. Your rights
Subject to the conditions and exceptions in the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15);
- Rectify personal data that is inaccurate or incomplete (Art. 16);
- Erase personal data (“right to be forgotten”, Art. 17), where one of the grounds in that article applies;
- Restrict processing in the cases described in Art. 18;
- Data portability: receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20), where the processing is based on consent or contract and carried out by automated means;
- Object to processing based on our legitimate interests, including profiling (Art. 21). Where you object, we will stop processing the personal data unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims;
- Withdraw consent at any time, where the processing is based on consent (Art. 7(3)). Withdrawal does not affect the lawfulness of processing before withdrawal.
If you are a customer, the management dashboard and the public APIs let you view, export, correct, and delete account data and end-user records directly. To exercise any other right, email privacy@kiavi.eu. We will respond within one month of receiving your request, and we will identify you only to the extent necessary to act on the request.
If you are an end user of an application that uses Kiavi, please direct your request to the operator of that application; we will assist them as required by law.
10. Cookies and similar technologies
The Kiavi marketing website uses only strictly necessary cookies and equivalent local storage to deliver the page (for example, language preference and basic security). The hosted authentication pages use session cookies that are essential to the authentication flow itself. We do not use analytics, advertising, or behavioural-tracking cookies on either surface.
Because we do not place non-essential cookies, no consent banner is required under Art. 5(3) of the ePrivacy Directive (as transposed in the Netherlands by Art. 11.7a of the Telecommunicatiewet). If this changes, we will update this notice and ask for your consent before placing any non-essential cookies.
11. Automated decision-making and profiling
We do not subject you to decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you within the meaning of Art. 22 GDPR. Limited automated risk signals (for example, rate limiting and anomaly detection on authentication attempts) are used to protect the service and do not by themselves determine outcomes for individual end users without human review where the consequence is significant.
12. Children
Kiavi is sold to organisations and is not directed at children. We do not knowingly process personal data of children under the age of 16 in connection with the marketing website or the management dashboard. Customers that operate applications for children are responsible for compliance with applicable rules on consent (including Art. 8 GDPR) and for configuring the service accordingly.
13. Changes to this notice
We may update this notice from time to time to reflect changes in how we operate, in the law, or in the services we offer. The “last updated” date at the top of this page indicates the most recent change. Material changes will be communicated to customers by email at least 30 days before they take effect; immaterial changes (for example, clarifying drafting or formatting) take effect on publication.
14. Contact and complaints
If you have questions about this notice or about how we process personal data, or if you want to exercise your rights, email us at privacy@kiavi.eu.
You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). The supervisory authority for Kiavi in the Netherlands is the Autoriteit Persoonsgegevens. A directory of EEA supervisory authorities is available on the list of EEA supervisory authorities. We would, however, appreciate the opportunity to address your concerns directly first.
This notice forms part of the terms of service for customers and applies in addition to the data processing agreement for end-user processing.