Privacy Policy

Effective date: 1 April 2026

This Privacy Policy explains how Kardu Technologies S.L., Spain (“Kardu”, “we”, “us”) collects, uses, and protects personal data when you use the Kardu platform. We are committed to processing your data in accordance with the General Data Protection Regulation (GDPR, EU 2016/679).

1. Data controller

The data controller is Kardu Technologies S.L., Spain. For data protection enquiries, contact privacy@kardu.eu.

2. Data we collect

Account data: Full name, work email address, company name, sector, and employee count collected at registration.

Authentication data: Password hashes (we never store plaintext passwords), multi-factor authentication credentials (TOTP factor IDs, hashed backup codes), and session tokens. TOTP secrets are not retained on Kardu infrastructure beyond enrollment.

Profile preferences: Display name format, theme preference, notification preferences, and emphasis colour selection stored in your profile.

Compliance content: Controls, evidence files, risk register entries, tasks, assets, and ISMS scope information that you enter into the platform. This content may include personal data relating to your employees (e.g. task owners, risk owners). You are the controller of this content; Kardu processes it as a processor under our Data Processing Agreement.

Usage data: Anonymised analytics events (compliance score updates, feature usage) collected via PostHog (EU). We do not collect email addresses or personal names in analytics. See Section 5 for data processors.

Audit log: An immutable record of significant actions (logins, data changes, billing events) linked to your user and organisation. Retained for compliance purposes.

Payment data: Billing information is processed entirely by Stripe. Kardu stores only a Stripe customer ID and subscription status — no card numbers or payment credentials are stored on Kardu infrastructure.

3. Legal basis for processing

We process your personal data under the following legal bases (GDPR Art. 6):

  • Contract performance (Art. 6(1)(b)): Account data and compliance content are necessary to provide the Service.
  • Legitimate interests (Art. 6(1)(f)): Usage analytics and security monitoring to improve the Service and detect abuse. These interests do not override your fundamental rights.
  • Legal obligation (Art. 6(1)(c)): Audit logs and billing records required for tax and regulatory compliance.
  • Consent (Art. 6(1)(a)): Optional analytics cookies. You may withdraw consent at any time via the cookie banner or by contacting us.

4. Data retention

Active account: Data is retained for as long as your account is active.

Account deletion: When you delete your account, your personal account data is deleted immediately. Compliance content belonging to your organisation is purged within 30 days of account deletion. Audit logs and billing records are subject to the separate retention periods below.

Audit logs: Audit log records are retained in active storage for 24 months. Records older than 24 months are moved to cold-storage archive. Records older than 60 months (5 years) are permanently deleted. This implements the storage limitation principle under GDPR Art. 5(1)(e) and ISO/IEC 27001:2022 Annex A 8.15 (Logging).

Billing records: Payment records are retained for 7 years as required by Spanish and EU tax law.

5. Data processors

We share data only with the following processors under written Data Processing Agreements. All processors are required to maintain EU data residency for compliance content.

Processor    Purpose                                    Location
Supabase     Database, storage, authentication          EU (Frankfurt)
Vercel       Application hosting                        EU (Frankfurt, fra1)
Brevo        Transactional email                        EU (GDPR DPA)
Stripe       Payment processing (payment data only)     Global (SCCs)
PostHog      Anonymous product analytics                EU cloud (eu.posthog.com)
AppSignal    Error monitoring and performance           EU
Upstash      Rate limiting (no personal data stored)    EU

6. Your rights under GDPR

You have the following rights regarding your personal data:

  • Access (Art. 15): Request a copy of your personal data.
  • Rectification (Art. 16): Correct inaccurate data via your account settings.
  • Erasure (Art. 17): Delete your account and associated data from Settings → Security → Delete account, subject to the retention periods for audit logs and billing records described in Section 4.
  • Portability (Art. 20): Export your compliance data in CSV/PDF format from Settings → Export.
  • Objection (Art. 21): Object to processing based on legitimate interests.
  • Restriction (Art. 18): Request restriction of processing in certain circumstances.

To exercise any of these rights, contact privacy@kardu.eu. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at aepd.es.

7. Cookies

We use strictly necessary cookies for authentication (Supabase session tokens) and optional analytics cookies (PostHog). You can manage your cookie preferences via the banner shown on first visit or by contacting us.

8. Data Processing Agreement (DPA)

If you use Kardu to process personal data on behalf of your organisation, our Data Processing Agreement governs that processing under GDPR Art. 28.

9. Contact

Data protection enquiries: privacy@kardu.eu