Privacy Policy
Effective: April 2026 · Version 1.0
1. Data Controller
Keptt is operated by Keptt Limited (CRO registration pending), with its registered office at 56 Boroimhe Aspen, Fosterstown North, Swords, Co. Dublin, K67 Y381, Ireland. This Privacy Policy explains how we collect, use, store, and protect personal data of UK users in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. We act as data controller for personal data we collect about you.
2. Personal Data We Collect
We collect the following categories of personal data:
Account Data
Full name, email address, hashed password, country, and language preference — provided at registration.
Organization Data
Restaurant/business name, country, and locale — provided during setup.
Session & Technical Data
IP address, user agent, and session tokens (HTTP-only session cookies) — logged during authentication.
Operational HACCP Data
All operational data linked to your user ID and organization: temperature logs, lot records, cleaning completions, non-conformity incidents, preparations, training records, cooking logs, calibration logs, pest control records, supplier records, and product records.
AI Interaction Data
Label images sent to AI for data extraction (processed ephemerally, not stored by the AI provider). Chat conversations stored in your organization's database. AI scan usage counts for quota enforcement.
Payment Data
Stripe customer ID, subscription ID, price ID, and subscription status stored locally. Card details are handled entirely by Stripe and never touch Keptt servers.
Push Notification Data
Browser push subscription endpoint URL and encryption keys, stored server-side and linked to your user ID.
Audit Logs
Action type, entity type and ID, change snapshot (JSON), timestamp, and user ID. Audit logs are append-only and immutable.
3. How We Use Your Data
We process your data for specific purposes with clear legal bases:
| Purpose | Legal Basis |
|---|---|
| Provide the Keptt service | Contract performance (Art. 6(1)(b)) |
| Process payments via Stripe | Contract performance (Art. 6(1)(b)) |
| AI label scanning and chat assistant | Contract performance (Art. 6(1)(b)) |
| Transactional emails (invites, password resets) | Contract performance (Art. 6(1)(b)) |
| Push notifications (task reminders, alerts) | Consent (Art. 6(1)(a)) |
| Maintain audit trail for compliance | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
We do not use your data for advertising, marketing profiling, selling to third parties, training AI models, or behavioral tracking.
4. Third-Party Processors
We share data with the following processors, each bound by data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude AI) | Label extraction, chat assistant (ephemeral processing) | United States |
| Stripe | Payment processing, subscription management | United States / EU |
| Resend | Transactional email delivery | United States |
| | OAuth authentication (optional) | United States |
| DigitalOcean | Server infrastructure, database hosting (encrypted) | Amsterdam, Netherlands (EU) |
5. International Data Transfers
UK personal data may be transferred to processors located in the United States and other third countries. These transfers are protected by the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the European Commission's Standard Contractual Clauses, plus supplementary measures where required, ensuring compliance with UK GDPR Chapter V. A copy of the IDTA / Addendum is available on request.
6. Data Retention
We retain your data according to the following schedule:
| Data Type | Retention Period |
|---|---|
| Account and operational data | While account is active; deleted upon request |
| Audit logs | While account is active (regulatory compliance) |
| AI chat conversations | While account is active; deleted with account |
| Payment records | 7–10 years (tax/accounting regulations) |
| Push notification subscriptions | Deleted on unsubscribe or account deletion |
7. Your Rights (GDPR)
As an EU/UK data subject, you have the following rights under GDPR Articles 15–22:
- Access (Art. 15) — Request a copy of your personal data
- Rectification (Art. 16) — Correct inaccurate personal data
- Erasure (Art. 17) — Delete your personal data
- Restriction (Art. 18) — Limit processing of your data
- Portability (Art. 20) — Receive data in machine-readable format
- Objection (Art. 21) — Object to processing based on legitimate interest
- Automated decisions (Art. 22) — Not be subject to solely automated decision-making
To exercise your rights, contact our data protection team. We will respond within 30 days as required by GDPR.
8. Cookies & Session Management
Keptt uses a single HTTP-only session cookie for authentication. We use no analytics cookies, tracking pixels, or third-party advertising cookies. See our Cookie Policy for full details.
9. Data Security
We implement encryption in transit (TLS 1.3), encryption at rest, cryptographic password hashing, multi-tenant data isolation, role-based access control, Zod input validation, parameterized queries via Prisma ORM, Stripe webhook signature verification, and immutable audit trails.
10. Children
Keptt is a business service not directed at children under 16. We do not knowingly collect data from children under 16.
11. Changes to This Policy
We will notify you of material changes by email with at least 30 days' notice. Continued use after the effective date constitutes acceptance.
12. Contact Us
For privacy questions or data-subject requests, contact our data-protection team at [email protected]. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk/make-a-complaint/, or by post at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.