Privacy Policy
Last updated:
We built Kirigami for researchers. Your manuscripts and your personal data are confidential, and we treat them that way. This notice explains what we collect, why we collect it, how we keep it safe, and the rights you have.
-
1 - Who we are (controller)
- 1.1 - Company: Kirigami Paper, Lda. (“Kirigami”, “we”, “us”).
- 1.2 - Address: Rua Pedro Nunes, Edifício C, Alto de São João, 3030-199 Coimbra, Portugal.
- 1.3 - Contact: Privacy & support: support@kirigami.ai.
- 1.4 - Supervisory authority: Portugal: CNPD (Comissão Nacional de Proteção de Dados).
-
2 - Scope
- 2.1 - Coverage: This policy applies to our website, app, and services where it is linked.
- 2.2 - Content vs personal data: “User content” (your manuscripts/files) and “personal data” (information that identifies you) are handled as described below.
-
3 - Key definitions
- 3.1 - “Service”: The Kirigami web application and related features.
- 3.2 - “User content”: The files you upload (e.g., manuscripts) and generated reports.
- 3.3 - “Sub-processor”: A third party we use to help deliver the Service (e.g., cloud hosting).
- 3.4 - “Merchant of Record (MoR)”: Paddle.com Market Limited (“Paddle”), which processes your purchase as seller of record.
-
4 - Roles
- 4.1 - Kirigami as controller: We are the controller for account, support, and Service operations data.
- 4.2 - Paddle as independent controller: For payments, taxes, refunds, and chargebacks, Paddle acts as Merchant of Record and an independent controller. Paddle issues invoices/receipts, calculates/collects taxes, and processes refunds/chargebacks. See the Paddle Privacy Policy.
- 4.3 - Sub-processors: We use carefully selected sub-processors (e.g., cloud hosting, email) under written contracts.
-
5 - What we collect
- 5.1 - Account & contact: Name, email, password (hashed), support messages.
- 5.2 - Transaction data (via Paddle): Order ID, payment status, tax/VAT data, invoice details. We do not store payment card details.
- 5.3 - User content & reports: Files you upload and the resulting reports (maturity score, issues, guidance).
- 5.4 - Technical & usage: IP address, device/browser info, timestamps, feature usage, diagnostic/crash logs, security events.
- 5.5 - Cookies: Essential cookies to run the Service; optional analytics/marketing cookies only with your consent (see §12).
-
6 - Why we use data (purposes & lawful bases)
- 6.1 - Provide the Service (contract): Create/manage your account, run analyses, deliver reports, send essential notices.
- 6.2 - Security (legitimate interests / legal obligation): Prevent abuse/fraud, maintain logs, detect and respond to incidents.
- 6.3 - Improve the Service (legitimate interests): Product analytics, troubleshooting, and quality assurance (aggregated/minimised).
- 6.4 - Payments & taxes (contract / legal obligation): Coordinate purchases, invoicing, and tax handling with Paddle as Merchant of Record. For how Paddle processes buyer data, see the Paddle Privacy Policy.
- 6.5 - Support (contract / legitimate interests): Respond to requests and resolve issues.
- 6.6 - Marketing (consent): If you opt in; you can withdraw consent at any time.
- 6.7 - Legal obligations (legal obligation): Comply with applicable laws and respond to valid legal requests (e.g., court orders, law-enforcement, regulators).
- 6.8 - Defend rights & prevent harm (legitimate interests): Establish, exercise, or defend legal claims; investigate suspected fraud, security incidents, or abuse.
-
7 - How we handle your user content
- 7.1 - Ownership: You own your content and your reports.
- 7.2 - Purpose limitation: We process content only to provide your analysis/report.
- 7.3 - Human access: Not permitted unless:
  - a - you authorise it for support;
  - b - there are strong indications of serious violations/unlawfulness; or
  - c - we are legally required.
- 7.4 - Model training: We do not use your content or reports to train our models or any third-party models.
- 7.5 - Model providers: We may use third-party model providers to process content for your analysis. Where applicable, we configure them so your content is not used for training.
- 7.6 - Deletions: If you delete a file/report, we remove it from active systems immediately and purge backups within 30 days.
-
8 - Sharing your data
- 8.1 - With Paddle (payments): Paddle acts as MoR and independent controller for payment/tax/refund processing.
- 8.2 - With sub-processors: Cloud hosting, storage/CDN, email delivery, monitoring, security tools — only as needed to run the Service.
- 8.3 - Legal & safety: We may disclose data if required by law, court order, law-enforcement request, or regulatory authority, or to protect the rights, safety, or security of users and the Service.
- 8.4 - No selling: We do not sell your personal data.
-
9 - International transfers
- 9.1 - Mechanisms: Where data is transferred outside the EEA/UK (including to the US), we use Standard Contractual Clauses and appropriate safeguards.
- 9.2 - Information: Contact us if you want details of current transfer mechanisms.
-
10 - Retention
- 10.1 - User content: As long as your account needs it; when you delete a file/report we remove it from active systems immediately and purge backups within 30 days.
- 10.2 - Account profile & settings: Kept while your account is active. After you close your account, we retain minimal identifiers and consent records for up to 24 months to prevent fraud, manage disputes/chargebacks, and maintain audit trails, unless a longer period is required by law.
- 10.3 - Security and diagnostic logs: Retained for up to 24 months on a rolling basis (shorter where feasible), to ensure security, investigate incidents, and improve reliability.
- 10.4 - Support records: Retained for up to 24 months from your last interaction to help with follow-up requests and quality assurance, unless a longer period is required by law.
- 10.5 - Billing/invoicing: Retained for the legal retention period (e.g., up to 10 years for tax and accounting).
- 10.6 - Litigation hold: Where necessary to establish, exercise, or defend legal claims, we may retain specific records beyond the periods above, for as long as needed for that purpose.
-
11 - Your rights
Subject to conditions/exceptions in law, you can:
- 11.1 - Access your data.
- 11.2 - Rectify inaccuracies.
- 11.3 - Erase data.
- 11.4 - Restrict or object to processing.
- 11.5 - Port your data (where applicable).
- 11.6 - Withdraw consent (for anything based on consent).
- 11.7 - How to exercise: Email support@kirigami.ai. We will respond as required by law.
- 11.8 - Complaints: You may complain to your local authority; in Portugal, CNPD.
-
12 - Cookies & similar technologies
- 12.1 - Essential cookies: Needed to run the Service and keep you signed in.
- 12.2 - Optional cookies: Analytics/marketing cookies only with your consent; you can change preferences anytime.
- 12.3 - Banner: We show a consent banner where required and provide cookie settings (when available).
-
13 - Security
- 13.1 - Measures: Encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access, segmentation, monitoring, audit logs.
- 13.2 - Incidents: If a significant security incident occurs, we will notify affected users without undue delay and, where applicable, notify authorities within 72 hours.
-
14 - Children
- 14.1 - Minimum age: The Service is for users 16+.
- 14.2 - No knowing collection: We do not knowingly collect personal data from children under 16.
-
15 - Sub-processors list
- 15.1 - Public list: We maintain a list of current sub-processors (roles and regions) at /legal/sub-processors.
- 15.2 - Updates: We will update that page for material changes and indicate the effective date.
-
16 - Third-party links
Other services we link to have their own privacy practices; please review their policies.
-
17 - Changes to this policy
We will update this policy when needed. If changes are material, we’ll notify you (email and/or in-product) at least 14 days before they take effect.
-
18 - Contact
Questions or requests? Email support@kirigami.ai.