Privacy Policy
Last Updated: April 2026
Kabware Services Ltd ("Kabware", "we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our platform and services.
1. Information We Collect
1.1 Personal Data You Provide
When you register for an account or use our services, we collect:
- (a) Account information: name, email address, company name, job title
- (b) Billing information: payment card details (processed by Stripe; we do not store full card numbers)
- (c) Communications: support requests, feedback, and correspondence with us
- (d) Content you upload: files, documents, assistant configurations, and prompts
1.2 Usage Data (Automatically Collected)
We automatically collect certain information when you use our platform:
- (a) Device information: IP address, browser type and version, operating system
- (b) Usage patterns: pages visited, features used, session duration, timestamps
- (c) Conversation data: messages exchanged with digital assistants (for service delivery)
- (d) Performance data: error logs, response times, API usage metrics
1.3 Guest User Data
If you interact with an assistant as a guest user, we collect your email address (for OTP verification), IP address, user agent, and conversation data. Guest conversation history may be stored based on the assistant's configuration.
2. How We Use Your Information
We process your personal data only where we have a lawful basis under the UK GDPR. The table below sets out our purposes and the corresponding legal basis:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the platform | Performance of contract (Art. 6(1)(b)) |
| Processing payments and billing | Performance of contract (Art. 6(1)(b)) |
| Sending service notifications and updates | Legitimate interest (Art. 6(1)(f)) |
| Improving platform performance and features | Legitimate interest (Art. 6(1)(f)) |
| Preventing fraud and ensuring security | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Sending marketing communications | Consent (Art. 6(1)(a)) |
3. Cookies and Tracking Technologies
3.1 What Are Cookies
Cookies are small text files stored on your device when you visit our platform. We use cookies and similar technologies to operate our services, remember your preferences, and understand how you use our platform.
3.2 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security (e.g., anti-forgery tokens). These cannot be disabled. | Session |
| Functional | Remembering your preferences such as language and theme settings. | Up to 1 year |
| Analytics | Understanding how users interact with the platform (Azure Application Insights). Data is anonymised. | Up to 2 years |
3.3 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, disabling strictly necessary cookies may prevent the platform from functioning correctly.
We do not use advertising or third-party tracking cookies. We do not participate in cross-site tracking or sell data derived from cookies.
4. Data Sharing and Third Parties
We do not sell your personal data. We share data with the following categories of third-party processors, each bound by data processing agreements:
| Provider | Purpose | Data Shared | Processing Location |
|---|---|---|---|
| Microsoft Azure | Cloud hosting, database, storage, application monitoring | All platform data (encrypted at rest and in transit) | United Kingdom (UK South region) |
| OpenAI | AI model inference for digital assistant responses and embeddings | Conversation messages, uploaded documents for context | United States |
| Stripe | Payment processing and subscription billing | Billing contact details, payment method tokens | United States / Ireland |
| Microsoft 365 | Transactional email delivery (OTP codes, notifications) | Recipient email address, email content | United Kingdom / European Union |
We may also disclose your data where required by law, regulation, or court order, or to protect our rights, property, or safety.
5. International Data Transfers
5.1 Where Your Data Is Stored
Our primary infrastructure is hosted on Microsoft Azure in the UK South region. Your data is stored and processed within the United Kingdom by default.
5.2 Transfers Outside the UK
Two of our sub-processors process data in the United States today: OpenAI (for AI model inference and embeddings — every chat message and every uploaded document passes through OpenAI's US infrastructure) and Stripe (for payment processing, using only billing-related data, not conversation content). Where data is transferred outside the UK, we rely on the following safeguards:
- (a) UK-US Data Bridge (extension of the EU-US Data Privacy Framework covering UK-origin transfers) — for transfers to UK-US Data Bridge certified US organisations
- (b) EU-US Data Privacy Framework — for transfers to DPF-certified US organisations
- (c) Standard Contractual Clauses (SCCs) approved by the ICO, incorporated into sub-processor agreements where applicable
OpenAI does not use API data to train its models. Under OpenAI's standard API data usage policy, API data is retained for up to 30 days for abuse monitoring and then deleted, unless a Zero Data Retention (ZDR) agreement removes that retention window for specific customers.
6. Data Retention
We retain your data only for as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Conversation history (authenticated users) | Duration of account + 30 days after deletion |
| Conversation history (guest users) | 90 days (or as configured by the assistant owner) |
| Billing and payment records | 7 years (UK tax and accounting requirements) |
| Security logs and audit trails | 12 months |
| OTP verification codes | 10 minutes (automatically deleted after expiry) |
| Analytics data (anonymised) | 24 months |
When data reaches the end of its retention period, it is securely deleted or anonymised so that it can no longer be associated with you.
7. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at privacy@kabware.co.uk.
- (a) Right of access - request a copy of the personal data we hold about you
- (b) Right to rectification - request correction of inaccurate or incomplete data
- (c) Right to erasure - request deletion of your personal data ("right to be forgotten")
- (d) Right to restriction - request that we limit how we use your data
- (e) Right to data portability - receive your data in a structured, machine-readable format (JSON)
- (f) Right to object - object to processing based on legitimate interests or direct marketing
- (g) Right to withdraw consent - where processing is based on consent, withdraw it at any time
- (h) Right to lodge a complaint - complain to the Information Commissioner's Office (ICO) at ico.org.uk
We will respond to your request within one month. In complex cases, we may extend this by a further two months, and we will inform you if this is necessary.
8. Children's Privacy
Our platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.
If you believe a child under 16 has provided us with personal data, please contact us at privacy@kabware.co.uk.
9. Security Measures
We implement appropriate technical and organisational measures to protect your data:
- (a) Encryption in transit (TLS 1.3) and at rest (AES-256)
- (b) Role-based access controls and multi-tenant data isolation
- (c) OTP codes stored as SHA-256 hashes (never in plain text)
- (d) JWT tokens with short expiry and automatic rotation
- (e) Regular security audits and vulnerability assessments
- (f) Automated backups and disaster recovery procedures
- (g) Content Security Policy (CSP) headers to prevent XSS attacks
- (h) Input sanitisation and request size limiting
While we take every reasonable precaution, no system is completely secure. We encourage you to use strong passwords and keep your account credentials confidential.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last Updated" date at the top of this page.
We encourage you to review this policy periodically. Your continued use of the platform after changes have been notified constitutes acceptance of the updated policy.
11. Contact and Data Protection
11.1 Data Controller
Kabware Services Ltd is the data controller responsible for your personal data.
- Company: Kabware Services Ltd (Company No. 14097615)
- Address: 128 City Road, London, EC1V 2NX
- Email: privacy@kabware.co.uk
- Website: kabware.co.uk
11.2 Data Protection Officer
For data protection enquiries or to exercise your rights, contact our Data Protection Officer:
- Email: dpo@kabware.co.uk
11.3 Supervisory Authority
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113