The questions we get repeatedly from data-protection reviewers, in plain English. If your DPO needs to share this with governors or trustees, this page is designed to be linkable.
It depends. For individuals signing up directly to a personal Founder OS instance, askKira is the data controller in respect of the founder's account. For users provisioned by an organisation, the organisation is the data controller and askKira is the data processor, acting on documented instructions per UK GDPR Article 28.
Legitimate interest for B2B operations (with balancing test documented). Contract performance for paid customers. Legal obligation for the audit log under Article 32 (security of processing).
(1) Foundation model calls anonymise user identifiers before sending. (2) Agents only persist the minimum fields required to track outreach state. (3) Once a contact is added to the do-not-contact list, agents refuse to recontact and historical drafts to that contact are not regenerated.
User identifiers (founder email, name) are removed from prompts sent to foundation models. Internal storage retains identifiers because the founder needs to know who they're emailing. Audit log records security events with IP but not request bodies.
Only with the explicit sub-processors listed in the Privacy Policy, each bound by UK GDPR equivalent terms. No data sale, no analytics resale, no marketing partner sharing.
Primary hosting is UK (AWS eu-west-2). Anthropic and Brave Search are accessed via API endpoints that may route through US infrastructure; transfers are protected by Standard Contractual Clauses or UK equivalents.
Project state and contacts: retained while the account is active, deleted on closure. Audit log: 90 days then rotated. Backups: 30 days encrypted then overwritten. Do-not-contact list: retained indefinitely (we cannot honour opt-out without remembering it). Statutory records: held for the legally required period.
"There is no transfer of intellectual property when content is submitted to askKira. The original author or organisation retains full rights over any content submitted."
The interaction is "akin to a teacher reading a piece of work" — askKira processes the content to provide the service but acquires no rights over it.
Self-serve: delete an agent, or delete your whole account. The agent's directory and every file under it is wiped immediately. The do-not-contact list survives deletion (we cannot honour opt-out without remembering it). For complete removal of audit-log references too, email dpo@askkira.com.
Detection through automated monitoring of access logs, sub-processor incident feeds, and internal review. Notification within 72 hours of discovery to affected data controllers per UK GDPR Article 33. Where individuals are directly affected, they are notified without undue delay.
askKira may be under a legal obligation to disclose information to relevant authorities where there is risk of danger to self or others, or where required by law. This applies particularly to the askKira education platform; Founder OS itself is a personal cockpit and the obligation rarely engages.
Built to ISO 27001 information security principles. Cyber Essentials certified. Penetration testing on the askKira platform. UK Government Data & AI Ethics Framework alignment. See the Security & Infrastructure Statement for technical details.
Public Liability £2,000,000. Professional Indemnity £2,000,000. Employers' Liability £10,000,000. Certificates available on request for procurement and compliance teams. See Insurance Cover Summary.
Founder OS uses only strictly-necessary cookies — a session cookie (signed) and the CSRF token (stored inside the session). No analytics, no advertising, no behavioural tracking. See Cookie Policy.
Founder OS targets WCAG 2.1 AA in its public-facing pages (privacy hub, login, FAQ, policies). The internal dashboard is a working cockpit for the founder and is not yet WCAG-audited; this is on the roadmap.
Yes. Email compliance@askkira.com. Signed copies are typically returned within five working days.