Privacy Policy
Last updated: April 2026
1. Data Controller
- Company name: [COMPANY_NAME]
- Tax ID: [TAX_ID]
- Address: [COMPANY_ADDRESS]
- DPO email: [DPO_EMAIL]
- Website: https://kernoia.com
2. Personal Data We Collect
Depending on how you use the Kerno platform, we may process the following categories of personal data:
- Registration data: name, email address, encrypted password.
- Tax identification data: tax ID (NIF/CIF), billing data, tax address.
- Billing and payroll data: invoices issued and received, payroll data processed through the platform's skills.
- User's client data: third-party information that the user enters or manages through Kerno (e.g., client data from an accounting firm).
- Messages and conversations: message history sent through WhatsApp, Telegram, or other connected channels.
- OAuth tokens: access credentials for third-party services (Gmail, Google Calendar, Slack, GitHub, etc.), stored encrypted in base64.
- Usage data: activity logs, skills used, usage frequency, device and browser.
- Technical data: IP address, User-Agent, essential session cookies.
3. Purpose of Processing
- Service delivery: execute the contracted functionalities (AI assistant, skills, automations, task management).
- Account management: authentication, authorization, configuration of preferences and OAuth connections.
- Billing and payments: invoice issuance, subscription management through Stripe.
- Legal compliance: retention of tax data in accordance with Spanish tax legislation (General Tax Law, Invoicing Regulation).
- Service improvement: aggregated and anonymized usage analysis to improve the platform.
- Security: fraud detection and prevention, unauthorized access and abuse.
- Service communications: transactional notifications related to platform usage (never marketing without consent).
4. Legal Basis for Processing
| Purpose | Legal basis (GDPR) |
|---|---|
| Service delivery | Art. 6(1)(b) - Performance of a contract |
| Billing and payments | Art. 6(1)(b) - Performance of a contract |
| Tax obligations | Art. 6(1)(c) - Compliance with a legal obligation |
| Third-party OAuth connections | Art. 6(1)(a) - Explicit consent of the data subject |
| Service improvement | Art. 6(1)(f) - Legitimate interest (anonymized usage) |
| Security and fraud prevention | Art. 6(1)(f) - Legitimate interest |
5. Recipients and Subprocessors
Kerno uses the following subprocessors to deliver the service. All have data processing agreements or Standard Contractual Clauses (SCCs) in place where applicable:
| Provider | Location | Purpose |
|---|---|---|
| Supabase | EU (Frankfurt, AWS eu-central-1) | Database, authentication, storage |
| Vercel | Global (CDN), US company | Application hosting and deployment |
| Anthropic (Claude API) | USA | AI engine for instruction processing |
| OpenAI | USA | Audio processing (transcription) and images |
| Groq | USA | Natural language processing (fast inference) |
| Cloudflare | Global | DNS, DDoS protection, CDN |
| Evolution API (Railway) | USA/EU | WhatsApp messaging gateway |
| Stripe | USA/EU | Payment processing and billing |
6. International Data Transfers
Some subprocessors are located in the United States. These transfers are carried out under:
- Standard Contractual Clauses (SCCs): approved by the European Commission (Decision 2021/914), executed with Anthropic, OpenAI, Groq, and Vercel.
- EU-US Data Privacy Framework: where the provider is certified under the framework.
- Supplementary measures: encryption in transit (TLS 1.3) and at rest, data minimization for AI providers.
Primary data (main database) is stored in Supabase, region eu-central-1 (Frankfurt, Germany), within the European Economic Area.
7. Data Retention
- Account data: for the duration of the contractual relationship. After account deletion, data is removed within a maximum of 30 days, unless legal retention obligations apply.
- Tax data (invoices, tax IDs, payroll): 6 years after the close of the fiscal year, in accordance with Article 30 of the Spanish Commercial Code and Article 66 of the General Tax Law.
- Conversation history: while the account is active. Deleted within 30 days after account closure.
- OAuth tokens: until the user revokes the connection or closes the account.
- Activity and security logs: 12 months.
8. Your Rights (GDPR Articles 15-22)
Under the GDPR (Articles 15 to 22) and the LOPDGDD, you have the right to:
- Access: obtain confirmation of whether we process your data and access a copy thereof.
- Rectification: request the correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request the deletion of your data when it is no longer necessary for the purpose for which it was collected.
- Portability: receive your data in a structured, commonly used and machine-readable format (JSON/CSV).
- Restriction of processing: request the restriction of processing under certain circumstances.
- Objection: object to processing based on legitimate interest.
- Withdrawal of consent: where the legal basis is consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
9. How to Exercise Your Rights
You may exercise any of the above rights by sending an email to [DPO_EMAIL], indicating:
- Your full name and the email address associated with your account.
- The right you wish to exercise.
- A copy of your national ID or equivalent identification document.
We will respond to your request within a maximum of one month from receipt, extendable by two additional months for complex requests, with prior notification.
10. Right to Lodge a Complaint
If you believe that the processing of your personal data violates applicable regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):
- Website: www.aepd.es
- Address: C/ Jorge Juan, 6, 28001 Madrid
- Phone: 900 293 183
11. Cookies
Kerno uses only essential cookies necessary for the platform to function (session authentication, language preferences, cookie consent). We do not use marketing, advertising, or third-party tracking cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| sb-*-auth-token | Authentication session (Supabase) | Session |
| kerno_cookies_accepted | Cookie consent record | 1 year |
| kerno_lang | Language preference | 1 year |
12. Security Measures
Kerno implements appropriate technical and organizational measures to protect your personal data:
- Encryption in transit: all communications use TLS 1.3.
- Encryption at rest: the database (Supabase/PostgreSQL) uses AES-256 encryption at rest.
- Row Level Security (RLS): each tenant can only access their own data at the database level.
- Encrypted OAuth tokens: third-party access credentials are stored encrypted in base64 with server keys.
- Secure authentication: passwords hashed with bcrypt, multi-factor authentication support.
- Automatic backups: daily database backups with 30-day retention.
- Multi-tenant isolation: tenant_id-based isolation architecture across all tables.
- DDoS protection: Cloudflare as perimeter protection layer.
13. Updates to This Policy
We reserve the right to update this Privacy Policy to reflect changes in our practices or for legal reasons. In the event of material changes, we will notify you by email or through a visible notice on the platform at least 30 days in advance.