Privacy Policy
The Short Version
- We collect what we need to run the service. Nothing more.
- Your data is yours. We don't sell it. We don't trade it.
- We don't train AI models on your data.
- Everything is encrypted at rest and in transit.
- You can access, export, or delete your data at any time.
- We comply with GDPR and treat all users to the same high standard, regardless of where you are.
If you want the details, read on.
Who We Are
KerrOS is operated by KerrOS Sweden AB, a company registered in Sweden.
We are the data controller for the personal data we collect through the KerrOS service. That means we decide what data is collected and why, and we're accountable for protecting it.
For data processing questions: privacy+v20260325@kerros.com
What We Collect
| Data Type | What It Includes | Why |
|---|---|---|
| Account data | Email address, name, password (hashed, never stored in plain text) | To create and manage your account |
| Usage data | Feature usage, page visits, error logs | To improve the service and fix bugs |
| Payment data | Processed by Stripe. We see transaction amounts and last 4 digits — never your full card number | To bill you |
| API traffic metadata | Provider used, token count, timestamps, model selected | To meter usage and generate invoices |
| API content | Prompts and responses when using KerrOS-provided keys | Passed through to AI providers. Not stored unless you enable logging |
| Support communications | Emails, chat messages with our team | To help you |
| Device & browser info | IP address, browser type, OS, language preference | Security, analytics, and localization |
What we explicitly do NOT collect
- We do not read or store your prompts when you use your own API keys.
- We do not collect biometric data.
- We do not buy data about you from third parties.
Why We Process Your Data
We always have a legal basis for processing. Here's how it maps:
| Legal Basis | What It Covers |
|---|---|
| Contract performance | Account management, service delivery, billing, support |
| Legitimate interest | Service improvement, security monitoring, fraud prevention, analytics |
| Consent | Marketing emails, optional analytics cookies, beta features |
| Legal obligation | Tax records (Bokföringslagen), law enforcement requests, regulatory compliance |
You can withdraw consent at any time. This doesn't affect processing that happened before you withdrew.
Third Parties
We work with a limited set of trusted partners:
| Partner | Purpose | Location |
|---|---|---|
| AWS | Cloud hosting & infrastructure | EU (eu-west-1) |
| Stripe | Payment processing | US/EU (PCI DSS compliant) |
| AI Providers | AI model access (KerrOS keys only) | Varies by provider |
All partners are bound by data processing agreements that meet GDPR requirements.
We never sell your data. We never share it for advertising. Full stop.
Encryption & Security
- At rest: All data encrypted with AES-256 on AWS infrastructure.
- In transit: All connections use TLS 1.2 or higher.
- Secrets: API keys and sensitive credentials are encrypted at the application layer before being stored in the database.
- Access control: Role-based access. Only the people who need access to support you have it.
- Monitoring: We monitor for unauthorized access, anomalies, and threats.
- Backups: Encrypted backups, regularly tested for integrity.
No system is 100% secure. We design ours to make breaches as unlikely and as limited as possible.
International Transfers
KerrOS is based in Sweden (EU). Some of our partners operate outside the EU.
When data leaves the EU/EEA, we protect it through:
- EU-US Data Privacy Framework where the recipient is certified.
- Standard Contractual Clauses (SCCs) approved by the European Commission, as a fallback for all other transfers.
- Supplementary measures (encryption in transit and at rest) in line with EDPB guidance.
You can request a copy of the relevant SCCs by emailing privacy+v20260325@kerros.com.
Your Rights
Under GDPR (and similar laws), you have the right to:
- Access: Get a copy of all personal data we hold about you.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Restriction: Limit how we process your data.
- Portability: Receive your data in a structured, machine-readable format.
- Object: Object to processing based on legitimate interest.
- Withdraw consent: Revoke consent at any time for consent-based processing.
- Complain: Lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local supervisory authority.
How to exercise your rights
- Email: privacy+v20260325@kerros.com
- In-app: Account Settings > Privacy
- We respond within 30 days (or sooner).
We will never discriminate against you for exercising your rights.
Data Retention
We keep data only as long as we need it:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of your account + 30 days after deletion |
| Usage logs | 90 days |
| Payment & billing records | 7 years (required by Swedish Bokföringslagen) |
| Support communications | 2 years after resolution |
| Backups containing your data | Purged within 30 days of a deletion request |
| API traffic metadata | 90 days |
After retention periods expire, data is permanently deleted or anonymized.
Breach Notification
If we discover a personal data breach that poses a risk to your rights:
- We notify the supervisory authority (IMY) within 48 hours.
- We notify affected users within 72 hours via email.
- The notification will include: what happened, what data was affected, what we're doing about it, and what you can do.
Children
KerrOS is not designed for anyone under the age of 16. We do not knowingly collect personal data from children. If we learn that we have, we'll delete it promptly.
Cookies
We use a small number of cookies to make the service work. For the full details, see our Cookie Policy.
The short version: essential cookies are always on. Everything else is opt-in.
Changes to This Policy
We may update this policy when our practices change or when regulations require it. Material changes are communicated via email and/or in-app notification. We'll give at least 30 days notice before significant changes take effect.
Contact
- Privacy inquiries: privacy+v20260325@kerros.com
- Data protection officer: dpo@kerros.com
- Supervisory authority: Integritetsskyddsmyndigheten (IMY), imy.se
KerrOS Sweden AB
Org. nr 559501-8960
Stockholm, Sweden
Postal address: Kivra: 559501-8960, 106 31 Stockholm
Last updated: March 30, 2026