Draft for review — binding terms will land before paid signup opens.
Privacy Policy
Last updated: 2026-05-20
This Privacy Policy describes how Kaias handles personal data. The structure below covers the substantive scope; the binding legal text is pending lawyer-final review and should not be relied upon until that review is complete.
Who controls your data
The data controller for personal data processed through Kaias is Kaias (the trading name; final legal entity name and commercial registration pending), with its principal place of business in the Kingdom of Saudi Arabia. Where the customer is an organisation using Kaias to process personal data about its own users (for example, an agency processing data about its client's audiences), the customer is the controller of that data and Kaias acts as a processor under the customer's instructions.
TODO: lawyer-final
Categories of data we collect
Kaias collects: account information (name, email, password hash, locale and timezone); content the customer uploads for training (brand documents, logos, past creative, voice samples); generation history (prompts, accepted and rejected outputs, ratings, edits); payment information (billing address, payment-method tokens issued by PayTabs — Kaias does not store full card numbers or CVV codes); product analytics where the customer has opted in (page views, feature usage); and operational telemetry (logs, error reports, performance metrics) that may incidentally contain personal data.
TODO: lawyer-final
Lawful bases for processing
Kaias processes personal data on the following bases: performance of the contract between Kaias and the customer (operating the service, processing payments, providing support); the customer's consent (optional product analytics and marketing communications); Kaias's legitimate interests (security, fraud prevention, service improvement, aggregate analytics in non-identifying form); and compliance with legal obligations (tax, accounting, response to lawful requests from authorities). Where consent is the basis, the customer may withdraw it at any time without affecting prior processing.
TODO: lawyer-final
Sub-processors
Kaias uses the following sub-processors to deliver the service: Anthropic (Claude foundation models for text generation); Supabase (database, authentication, file storage); OpenAI (text-embedding-3-small for vector embeddings); Flux and Runway (image and video generation); PayTabs (payment processing for customers in the Kingdom of Saudi Arabia and the wider Gulf region); Vercel (frontend hosting and content delivery for kaias.ai); and Railway (backend application hosting). Kaias maintains a current sub-processor list in the customer dashboard and provides advance notice of material changes.
TODO: lawyer-final
International transfers
Kaias and several of its sub-processors operate infrastructure outside the Kingdom of Saudi Arabia, including in the European Union, the United Kingdom, and the United States. Where personal data is transferred outside the customer's jurisdiction, Kaias relies on the protections offered by the receiving country's data-protection regime, on standard contractual clauses with sub-processors where applicable, and on technical measures (encryption in transit and at rest). Customers requiring data residency in the Kingdom of Saudi Arabia can request a Phase 7+ deployment posture; that option is not yet generally available.
TODO: lawyer-final
Retention
Kaias retains account data and customer content for as long as the account is active. On account deletion, Kaias retains the data for a further ninety days to support recovery from accidental deletion and to satisfy outstanding contractual or legal obligations, after which the data is removed from active systems on a scheduled basis. Product activity events used for the in-product timeline are retained for twenty-four months from the event date. Administrative audit logs (the cp_audit_log surface used by Kaias staff and described in ADR-0204) are retained indefinitely as an append-only record for compliance, dispute resolution, and forensic purposes; rows are never deleted or amended. Backups are retained for thirty days on a rolling basis.
TODO: lawyer-final
Your rights
Subject to applicable law (including the Saudi Personal Data Protection Law and, where it applies, the EU General Data Protection Regulation), you have the right to access the personal data Kaias holds about you, to request correction or deletion, to object to processing based on legitimate interests, to withdraw consent for processing based on consent, to portability of your data in a structured format, and to lodge a complaint with the competent supervisory authority. To exercise these rights, contact privacy@kaias.ai from the email associated with your account. Kaias will respond within thirty days, subject to verification of identity and to legal exceptions.
TODO: lawyer-final
Contact
For privacy questions, to exercise the rights described above, or to report a suspected data incident, contact privacy@kaias.ai. Kaias aims to acknowledge new privacy requests within two business days. Final contact details, including the Data Protection Officer's name and address, will be added when those appointments are confirmed.
TODO: lawyer-final