Privacy Policy

Effective date: 21 May 2026 · Last reviewed: 21 May 2026

A note on accountability

Ki! is independently built and operated by Eduardo Trejos (Grenoble, France). There is no anonymous corporation behind this product. For a privacy tool, we believe named accountability is more trustworthy than a faceless entity — you always know exactly who is responsible. Privacy enquiries reach a real person: privacy@getki.ai.

1. Who we are

Data Controller
Eduardo Trejos, operating as Ki! (getki.ai)
Grenoble, France
privacy@getki.ai

2. What Ki! does — and does not — do with your data

Ki! is a local-first privacy proxy. All PII detection, masking, and vault storage runs entirely on your device. Prompt text, PII tokens, vault mappings, and audit logs never leave your machine and never reach Ki!'s servers.

The masked text that reaches your chosen LLM provider (Anthropic, OpenAI, Ollama, etc.) is processed under that provider's own privacy policy. Ki! has no visibility into it.

3. Website — what we collect

The getki.ai website sets no cookies, runs no analytics scripts, and collects no personally identifiable information from visitors. There are no tracking pixels or third-party analytics of any kind.

Cloudflare (our infrastructure provider) processes IP addresses in transit as part of standard DNS and CDN operation. Cloudflare acts as a data processor under a GDPR-compliant Data Processing Addendum. See Cloudflare's Privacy Policy.

4. Purchasing a Sovereign licence

When you purchase a Sovereign licence, the following data flows occur:

Stripe — payment processor. Collects your name, email address, and payment details. Ki! never receives or stores your card number. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
Ki! licence server (Cloudflare Worker) — receives your email address from Stripe's webhook solely to generate and sign your licence file. Ki! stores your email, a SHA-256 hash of your licence, and a last_seen timestamp from the 30-day soft-check. No other data is stored.
Resend — transactional email provider. Receives your email address solely to deliver your licence file. See Resend's Privacy Policy.

Retention: Your email address and licence record are deleted from Ki!'s systems within 30 days of subscription cancellation. Stripe retains payment records for the period required by applicable tax law.

5. Ki! desktop app — outbound contacts

The Ki! desktop application makes exactly two outbound contacts to Ki! infrastructure:

Licence check — api.getki.ai/v1/licence/check
Sent once every 30 days. Contains only a SHA-256 hash of your licence file. No email address, no IP-linked identifier, and no usage data is stored. If the server is unreachable, a 90-day grace period applies — you will never be locked out without warning.
Update check — getki.ai update endpoint
Contains only your current Ki! version string. No identity is sent or stored.

Both contacts can be blocked by a firewall without affecting Ki!'s core PII masking functionality.

6. Legal basis for processing (GDPR)

Email address + licence record — Article 6(1)(b): processing is necessary to perform the Sovereign licence contract.
Licence soft-check hash — Article 6(1)(f): legitimate interest in detecting revoked or over-shared licences, balanced against the minimal data involved (hash only, no identity linkage).

7. Your rights

If you are in the EU/EEA or UK, you have the following rights over any personal data Ki! holds (your email address and licence record):

Access — request a copy of the data we hold about you.
Rectification — request correction of inaccurate data.
Erasure — request deletion of your data. We will delete your licence record and email. Note: erasure ends your active Sovereign subscription.
Restriction — request that we limit how we process your data.
Portability — receive your data in a structured, machine-readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing relies on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@getki.ai. We will respond within 30 days.

8. Supervisory authority

The data controller is based in France. The lead supervisory authority is:

CNIL — Commission Nationale de l'Informatique et des Libertés
www.cnil.fr
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

You also have the right to lodge a complaint with the supervisory authority of the EU member state where you live or work.

9. Changes to this policy

If we make material changes, we will update the effective date above and post a notice on getki.ai. For changes that significantly affect your rights, we will notify Sovereign licence holders directly by email.

10. Contact

Privacy enquiries: privacy@getki.ai
We aim to respond within 5 business days.