Privacy Policy
The Short Version
- We collect what we need to run the service. Nothing more.
- Your data is yours. We don't sell it. We don't trade it.
- We don't train AI models on your data — and that commitment specifically includes data we receive from Google APIs.
- Everything is encrypted at rest and in transit.
- You can access, export, or delete your data at any time.
- We comply with GDPR and treat all users to the same high standard, regardless of where you are.
If you want the details, read on.
Who We Are
KerrOS is operated by KerrOS Sweden AB, a company registered in Sweden (Org. nr 559501-8960).
We are the data controller for the personal data we collect through the KerrOS service. That means we decide what data is collected and why, and we're accountable for protecting it.
For data processing questions: privacy+v20260514@kerros.com
What We Collect
| Data Type | What It Includes | Why |
|---|---|---|
| Account data | Email address, name, password (hashed, never stored in plain text) | To create and manage your account |
| Usage data | Feature usage, page visits, error logs | To improve the service and fix bugs |
| Payment data | Processed by Stripe. We see transaction amounts and last 4 digits — never your full card number | To bill you |
| API traffic metadata | Provider used, token count, timestamps, model selected | To meter usage and generate invoices |
| API content | Prompts and responses when using KerrOS-provided keys | Passed through to AI providers. Not stored unless you enable logging |
| Support communications | Emails, chat messages with our team | To help you |
| Device & browser info | IP address, browser type, OS, language preference | Security, analytics, and localization |
What we explicitly do NOT collect
- We do not read or store your prompts when you use your own API keys.
- We do not collect biometric data.
- We do not buy data about you from third parties.
Google User Data
When you connect a Google account to KerrOS, you authorize us to access specific data from your Google account through the Google APIs. We only request the scopes needed for the connector you enable, and we ask Google to enforce the same limits we describe here.
The use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
This disclosure is also surfaced in-product the moment you connect a Google account, so you can review it without leaving the consent flow.
What we access
Per Google connector, the data we read or write through the OAuth scopes you grant:
| Connector | OAuth scope(s) | Data accessed | Read / write |
|---|---|---|---|
| Gmail | mail.google.com/ (or the granular variants gmail.readonly + gmail.send + gmail.modify) | Messages: subject, body, attachments, labels, threads | Read + write |
| Drive | drive (or the granular variants drive.readonly + drive.file) | Files you own or that are shared with you: documents, sheets, slides, attachments | Read + write |
| Calendar | calendar (or calendar.events) | Calendar events: title, time, attendees, location, description | Read + write |
| Chat | chat.spaces.readonly, chat.memberships.readonly, chat.messages, chat.messages.reactions.readonly | Chat spaces you belong to, memberships, messages, reactions | Read + write (messages only) |
| Meet | meetings.space.created, meetings.space.readonly, calendar.events, contacts.readonly, contacts.other.readonly | Meet spaces you create, Meet space metadata, your calendar events, your primary and “other” contacts | Read + write (Meet spaces only) |
| All connectors | userinfo.email, userinfo.profile | Your Google account email address and basic profile | Read |
How we use it
The data above is used only to provide the user-facing KerrOS features you have explicitly enabled: synchronising your data into your own KerrOS volume so the KerrOS AI can reason over it, and providing cross-channel communication tools that let you read, reply to, schedule, and share across Gmail, Chat, Calendar, Meet, and Drive from a single surface.
Limited Use — what we will not do with your Google data
- We will not use, transfer, or sell your Google user data for serving, targeting, measuring, or personalising advertising (including retargeting and interest-based advertising).
- We will not transfer your Google user data to third parties except (a) as necessary to provide the user-facing features described above and prominently disclosed in this policy, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) as part of a merger, acquisition, or sale of assets where the recipient is bound by an equivalent commitment and you receive prior notice.
- We will not allow any human at KerrOS to read your Google user data, except: when you have explicitly asked us to (for example, support troubleshooting on a specific message), when it is required for security purposes, when it is required by law, or when the data has been aggregated and anonymised for internal operations and no individual user can be re-identified.
See also the AI/ML Training and Google User Data section below for our position on training models with Google user data.
AI/ML Training and Google User Data
KerrOS does not use data received from Google APIs — Gmail content, Drive files, Calendar events, Chat or Meet content, Contacts data, or profile information — to develop, improve, or train any generalised or user-specific AI/ML model. This is consistent with the Google Workspace API user data and developer policy.
When you invoke an AI feature in KerrOS that requires sending data to a third-party AI provider (for example, asking the in-product AI to summarise an email), the relevant data is sent to that provider only to fulfil the specific request you made. Every provider that may receive Google user data is named in the Third Parties section below and is bound by a data processing agreement that prohibits training on customer data without explicit consent.
Why We Process Your Data
We always have a legal basis for processing. Here's how it maps:
| Legal Basis | What It Covers |
|---|---|
| Contract performance | Account management, service delivery, billing, support |
| Legitimate interest | Service improvement, security monitoring, fraud prevention, analytics |
| Consent | Marketing emails, optional analytics cookies, beta features |
| Legal obligation | Tax records (Bokföringslagen), law enforcement requests, regulatory compliance |
You can withdraw consent at any time. This doesn't affect processing that happened before you withdrew.
Third Parties
We work with a limited set of trusted partners. Every partner is bound by a data processing agreement that meets GDPR requirements.
| Partner | Purpose | Receives Google user data? | Location | DPA |
|---|---|---|---|---|
| AWS | Cloud hosting & infrastructure | Indirect (storage of your encrypted volume; AWS cannot decrypt) | EU (eu-west-1) | Yes |
| Stripe | Payment processing | No | US / EU (PCI DSS compliant) | Yes |
| OpenAI | AI inference when you invoke KerrOS-key AI features | Only the content you submit in the request | US | Yes |
| Anthropic | AI inference when you invoke KerrOS-key AI features | Only the content you submit in the request | US | Yes |
We will update this list before we add or change any provider that may receive Google user data, and we will notify you in-app at least 30 days before the change takes effect.
We never sell your data. We never share it for advertising. Full stop.
Encryption & Security
- At rest: All data encrypted with AES-256 on AWS infrastructure.
- In transit: All connections use TLS 1.2 or higher.
- Secrets: API keys and sensitive credentials are encrypted at the application layer before being stored in the database.
- Access control: Role-based access. Only the people who need access to support you have it.
- Monitoring: We monitor for unauthorised access, anomalies, and threats.
- Backups: Encrypted backups, regularly tested for integrity.
No system is 100% secure. We design ours to make breaches as unlikely and as limited as possible.
International Transfers
KerrOS is based in Sweden (EU). Some of our partners operate outside the EU.
When data leaves the EU/EEA, we protect it through:
- EU-US Data Privacy Framework where the recipient is certified.
- Standard Contractual Clauses (SCCs) approved by the European Commission, as a fallback for all other transfers.
- Supplementary measures (encryption in transit and at rest) in line with EDPB guidance.
You can request a copy of the relevant SCCs by emailing privacy+v20260514@kerros.com.
Your Rights
Under GDPR (and similar laws), you have the right to:
- Access: Get a copy of all personal data we hold about you.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Restriction: Limit how we process your data.
- Portability: Receive your data in a structured, machine-readable format.
- Object: Object to processing based on legitimate interest.
- Withdraw consent: Revoke consent at any time for consent-based processing.
- Complain: Lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local supervisory authority.
How to exercise your rights
- Email: privacy+v20260514@kerros.com
- In-app: Account Settings > Privacy
- We respond within 30 days (or sooner).
We will never discriminate against you for exercising your rights.
Data Retention
We keep data only as long as we need it:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of your account + 30 days after deletion |
| Usage logs | 90 days |
| Payment & billing records | 7 years (required by Swedish Bokföringslagen) |
| Support communications | 2 years after resolution |
| Backups containing your data | Purged within 30 days of a deletion request |
| API traffic metadata | 90 days |
After retention periods expire, data is permanently deleted or anonymised.
Google user data — retention and deletion
Because data synced from Google sits on your own KerrOS volume rather than in a shared KerrOS-controlled store, retention is mostly under your control. The table below describes what happens at each trigger:
| Trigger | What happens | Time-to-effect |
|---|---|---|
| Connector is active | Data synced from Google sits on your own KerrOS volume (LUKS-encrypted, accessible only to you). KerrOS staff cannot decrypt it. | N/A — you control retention |
| You disconnect the connector in KerrOS | KerrOS stops syncing new data from Google. Data already on your volume remains there until you delete it. You are prompted at the moment of disconnect to choose between keeping the data on your volume or deleting it. | Immediate stop of sync; deletion is your choice at the prompt |
| You revoke KerrOS in your Google Account permissions page | Same as above. KerrOS receives the revocation signal from Google, stops sync, and prompts you on next session. | Within 1 hour of Google's revocation signal reaching KerrOS |
| You close your KerrOS account | Your KerrOS volume is deprovisioned per our Terms of Service. You can export Google-sourced data first; once the volume is destroyed and the keys discarded it cannot be recovered. | Within 30 days of account closure, including backups |
This model reflects KerrOS's architecture: each user has their own LUKS-encrypted volume, and your data — including data synced from Google — lives on your volume rather than in a shared KerrOS-controlled store. KerrOS does not operate a general-purpose admin view that would let staff read user data.
Breach Notification
If we discover a personal data breach that poses a risk to your rights:
- We notify the supervisory authority (IMY) within 48 hours.
- We notify affected users within 72 hours via email.
The notification will include: what happened, what data was affected, what we're doing about it, and what you can do.
Children
KerrOS is not designed for users under the minimum digital-consent age applicable in their jurisdiction — 16 in the European Economic Area and the United Kingdom, 13 in the United States under the Children's Online Privacy Protection Act (COPPA), and the locally applicable equivalent elsewhere. We do not knowingly collect personal data from users below the applicable minimum age. If we learn that we have, we will delete it promptly.
Cookies
For details, see our Cookie Policy.
Changes to This Policy
We may update this policy when our practices change or when regulations require it. Material changes are communicated via email and/or in-app notification. We'll give at least 30 days' notice before significant changes take effect.
Contact
- Privacy inquiries: privacy+v20260514@kerros.com
- Data protection officer: dpo@kerros.com
- Supervisory authority: Integritetsskyddsmyndigheten (IMY), imy.se
KerrOS Sweden AB
Org. nr 559501-8960
Stockholm, Sweden
Postal address: Kivra: 559501-8960, 106 31 Stockholm
Last updated: May 19, 2026