Privacy Policy
Last Updated: February 2026
Kabware Services Ltd ("Kabware", "we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our platform and services.
1. Information We Collect
1.1 Personal Data You Provide
When you register for an account or use our services, we collect:
- (a) Account information: name, email address, company name, job title
- (b) Billing information: payment card details (processed by Stripe; we do not store full card numbers)
- (c) Communications: support requests, feedback, and correspondence with us
- (d) Content you upload: files, documents, assistant configurations, and prompts
1.2 Usage Data (Automatically Collected)
We automatically collect certain information when you use our platform:
- (a) Device information: IP address, browser type and version, operating system
- (b) Usage patterns: pages visited, features used, session duration, timestamps
- (c) Conversation data: messages exchanged with digital assistants (for service delivery)
- (d) Performance data: error logs, response times, API usage metrics
1.3 Guest User Data
If you interact with an assistant as a guest user, we collect your email address (for OTP verification), IP address, user agent, and conversation data. Guest conversation history may be stored based on the assistant's configuration.
2. How We Use Your Information
We process your personal data only where we have a lawful basis under the UK GDPR. The table below sets out our purposes and the corresponding legal basis:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the platform | Performance of contract (Art. 6(1)(b)) |
| Processing payments and billing | Performance of contract (Art. 6(1)(b)) |
| Sending service notifications and updates | Legitimate interest (Art. 6(1)(f)) |
| Improving platform performance and features | Legitimate interest (Art. 6(1)(f)) |
| Preventing fraud and ensuring security | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Sending marketing communications | Consent (Art. 6(1)(a)) |
3. Cookies and Tracking Technologies
3.1 What Are Cookies
Cookies are small text files stored on your device when you visit our platform. We use cookies and similar technologies to operate our services, remember your preferences, and understand how you use our platform.
3.2 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security (e.g., anti-forgery tokens). These cannot be disabled. | Session |
| Functional | Remembering your preferences such as language and theme settings. | Up to 1 year |
| Analytics | Understanding how users interact with the platform (Azure Application Insights). Data is anonymised. | Up to 2 years |
3.3 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, disabling strictly necessary cookies may prevent the platform from functioning correctly.
We do not use advertising or third-party tracking cookies. We do not participate in cross-site tracking or sell data derived from cookies.
4. Data Sharing and Third Parties
We do not sell your personal data. We share data with the following categories of third-party processors, each bound by data processing agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| Microsoft Azure | Cloud hosting, database, storage, application monitoring | All platform data (encrypted at rest and in transit) |
| OpenAI | AI model inference for digital assistant responses | Conversation messages, uploaded documents for context |
| Stripe | Payment processing and subscription billing | Billing contact details, payment method tokens |
| Microsoft 365 | Transactional email delivery (OTP codes, notifications) | Recipient email address, email content |
We may also disclose your data where required by law, regulation, or court order, or to protect our rights, property, or safety.
5. International Data Transfers
5.1 Where Your Data Is Stored
Our primary infrastructure is hosted on Microsoft Azure in the UK South region. Your data is stored and processed within the United Kingdom by default.
5.2 Transfers Outside the UK
Some of our third-party processors (OpenAI, Stripe) may process data in the United States. Where data is transferred outside the UK, we ensure adequate safeguards are in place:
- (a) EU-US Data Privacy Framework (where the recipient is certified)
- (b) Standard Contractual Clauses (SCCs) approved by the ICO
- (c) Binding Corporate Rules where applicable
OpenAI's API data processing operates under their enterprise terms, which prohibit using customer data for model training.
6. Data Retention
We retain your data only for as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Conversation history (authenticated users) | Duration of account + 30 days after deletion |
| Conversation history (guest users) | 90 days (or as configured by the assistant owner) |
| Billing and payment records | 7 years (UK tax and accounting requirements) |
| Security logs and audit trails | 12 months |
| OTP verification codes | 10 minutes (automatically deleted after expiry) |
| Analytics data (anonymised) | 24 months |
When data reaches the end of its retention period, it is securely deleted or anonymised so that it can no longer be associated with you.
7. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at privacy@kabware.co.uk.
- (a) Right of access — request a copy of the personal data we hold about you
- (b) Right to rectification — request correction of inaccurate or incomplete data
- (c) Right to erasure — request deletion of your personal data ("right to be forgotten")
- (d) Right to restriction — request that we limit how we use your data
- (e) Right to data portability — receive your data in a structured, machine-readable format (JSON)
- (f) Right to object — object to processing based on legitimate interests or direct marketing
- (g) Right to withdraw consent — where processing is based on consent, withdraw it at any time
- (h) Right to lodge a complaint — complain to the Information Commissioner's Office (ICO) at ico.org.uk
We will respond to your request within one month. In complex cases, we may extend this by a further two months, and we will inform you if this is necessary.
8. Children's Privacy
Our platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.
If you believe a child under 16 has provided us with personal data, please contact us at privacy@kabware.co.uk.
9. Security Measures
We implement appropriate technical and organisational measures to protect your data:
- (a) Encryption in transit (TLS 1.3) and at rest (AES-256)
- (b) Role-based access controls and multi-tenant data isolation
- (c) OTP codes stored as SHA-256 hashes (never in plain text)
- (d) JWT tokens with short expiry and automatic rotation
- (e) Regular security audits and vulnerability assessments
- (f) Automated backups and disaster recovery procedures
- (g) Content Security Policy (CSP) headers to prevent XSS attacks
- (h) Input sanitisation and request size limiting
While we take every reasonable precaution, no system is completely secure. We encourage you to use strong passwords and keep your account credentials confidential.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last Updated" date at the top of this page.
We encourage you to review this policy periodically. Your continued use of the platform after changes have been notified constitutes acceptance of the updated policy.
11. Contact and Data Protection
11.1 Data Controller
Kabware Services Ltd is the data controller responsible for your personal data.
- Company: Kabware Services Ltd (Company No. 14097615)
- Address: 128 City Road, London, EC1V 2NX
- Email: privacy@kabware.co.uk
- Website: kabware.co.uk
11.2 Data Protection Officer
For data protection enquiries or to exercise your rights, contact our Data Protection Officer:
- Email: dpo@kabware.co.uk
11.3 Supervisory Authority
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113