Privacy Policy
Last updated 2026-04-26 · Effective from 2026-04-26
1. Introduction
This Privacy Policy explains how Kiseki ("we", "us") collects, uses, stores, and shares Personal Data when you use the Kiseki SaaS platform.
Kiseki is operated by MATRIXVISTA - FZCO (UAE). For full company information, see our Terms of Service.
This Policy applies to:
- Customers: businesses subscribing to Kiseki (you create an account at app.thekiseki.app);
- End-users: prospects / leads / contacts of Customers, whose data Customers process via Kiseki;
- Visitors: anyone visiting thekiseki.app or related domains.
2. Data We Collect
2.1. From Customers (account holders)
- Identity: name, email, phone, business name, billing address;
- Payment: handled by our Merchant of Record (Polar.sh) — Kiseki receives only transaction confirmations, not full card data;
- Usage: features used, login history, IP addresses, browser/device info;
- Content: ad creative, brand assets, business specs, integrations configured.
2.2. From End-users (Customer's prospects), processed on Customer's behalf
- Identity: name, social media profile, contact info shared by prospect with Customer;
- Conversations: DM exchanges between AI agents and prospect;
- Engagement: clicks, opens, ad impressions, conversion events.
Customer is the Data Controller for End-user data; Kiseki is the Data Processor.
2.3. From Visitors (thekiseki.app marketing site)
- Cookies (analytics, preferences, marketing — see Cookie Policy);
- IP address, device type;
- Pages viewed, referral source;
- Sign-up form submissions (waitlist, contact).
3. How We Use Data
3.1. For Customer service delivery
- Operate the Service (authentication, billing, feature delivery);
- Run AI agents on Customer's behalf (advertising, prospect engagement, analytics);
- Provide support, communications, notifications.
3.2. For platform improvement
- Aggregate, anonymized analytics (NOT individual Customer behavior);
- Bug detection, security monitoring;
- Product research (no PII used in research without consent).
3.3. For marketing
Customers and Visitors only, never End-users:
- Newsletter (opt-in only);
- Product updates (related to your subscription tier);
- Customer success outreach.
3.4. For legal / compliance
- Tax filings (via Merchant of Record);
- Fraud detection, abuse prevention;
- Regulatory requests (with proper legal basis).
4. Legal Bases (GDPR Art. 6)
We process Personal Data under one or more bases:
- Contract: providing the Service you signed up for (Art. 6(1)(b));
- Legitimate interest: platform security, analytics, improvement (Art. 6(1)(f));
- Consent: marketing communications, optional features (Art. 6(1)(a));
- Legal obligation: tax records, regulatory compliance (Art. 6(1)(c)).
5. Sharing Data
5.1. We share data with the following categories of recipients:
- Sub-processors (see Sub-processors) for service delivery;
- Customer's authorized integrations (Meta, Instagram, WhatsApp, payment processors via MoR, etc.);
- Legal / regulatory authorities when required by law or court order;
- Business successors in case of merger, acquisition, or asset sale (notice provided).
5.2. We do not sell Personal Data.
5.3. We do not share End-user data across Customer accounts (multi-tenant isolation enforced).
6. International Transfers
Data may be transferred to / processed in:
- United States (most sub-processors);
- European Union — Germany (Hetzner servers).
Legal basis for transfers from EU/UK:
- Standard Contractual Clauses (SCCs) in sub-processor DPAs;
- Adequacy decisions where applicable;
- Encryption in transit (TLS 1.3) and at rest (AES-256).
7. Data Retention
| Data type | Retention period |
|---|---|
| Customer account data (active) | While account active + 90 days post-termination |
| Customer account data (archived) | 7 years post-termination (tax / legal compliance) |
| End-user prospect conversations | 90 days after Customer terminates, then deleted |
| Ad creative & campaign data | 12 months for analytics, then aggregated / anonymized |
| Payment transaction records | 7 years (handled by MoR per their policy) |
| Marketing newsletter subscribers | Until unsubscribe |
| Cookies | Per cookie type (see Cookie Policy) |
| Security logs | 12 months |
| Backups (encrypted) | 90 days rolling |
8. Your Rights
Under GDPR Art. 13–22 and similar regimes, you have the right to:
- Access your data (request copy via privacy@thekiseki.app);
- Rectify inaccurate data;
- Erase ("right to be forgotten") — with exceptions for legal obligations;
- Restrict processing in certain circumstances;
- Data portability (export in machine-readable format);
- Object to processing based on legitimate interest;
- Withdraw consent for consent-based processing;
- Complain to your supervisory authority (EU: your national DPA; UK: ICO).
To exercise these rights, contact privacy@thekiseki.app. We respond within 30 days.
9. Security
We implement technical and organizational measures including:
- Encryption at rest and in transit (TLS 1.3, AES-256);
- Access controls (least privilege, MFA for admin access);
- Audit logs of access to Customer data;
- Regular vulnerability scanning;
- Incident response procedures;
- Data breach notification within 72 hours per GDPR Art. 33.
No system is 100% secure. We continuously improve our security posture.
10. Children's Privacy
Kiseki is a B2B service for businesses. We do not knowingly collect data from anyone under 18 (or the applicable age of majority). If we discover such data, we delete it.
11. California Residents (CCPA / CPRA)
California residents have additional rights including:
- Right to know what Personal Data is collected;
- Right to delete (with exceptions);
- Right to opt-out of "sale" or "sharing" — Kiseki does not sell or share Personal Data for cross-context behavioral advertising.
12. UAE-Specific Notice
As a UAE-based company, Kiseki complies with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection. UAE residents have similar rights to access, correct, and erase Personal Data.
13. Changes to This Policy
We may update this Policy periodically. We notify you of material changes via email with 30 days' notice. Continued use after updates constitutes acceptance.
14. Contact
- Privacy questions: privacy@thekiseki.app
- Data subject rights: privacy@thekiseki.app
- Security / breach notifications: security@thekiseki.app
Postal:
MATRIXVISTA - FZCO (Kiseki) Attn: Data Protection 101 Building A2, Dubai Digital Park Dubai Silicon Oasis, Dubai 342001 United Arab Emirates