Legal
Privacy Policy
Last updated: April 26, 2026
This Privacy Policy describes how kiro ("we," "us," "our") collects, uses, and protects information when you use our product and website at thekiroapp.com.
What we collect
Account information. Name, email address, hashed password, and authentication provider identifiers when you sign in with Google. We use this to identify you and let you log in.
Workspace and canvas content. URLs, files (images, PDFs, video, audio), comments, annotations, and metadata you create or upload. This is your data and we treat it as such.
Usage data. IP address, browser type, operating system, request paths, and timestamps. We use this for security, abuse prevention, and improving the product.
Billing data. If you subscribe to a paid plan, Stripe handles your card. We never see your card number. We receive a Stripe customer ID and subscription status.
Where we store it
Account, workspace, and comment data is stored in PostgreSQL hosted on Railway in the United States. Uploaded files (images, PDFs, video, audio) are stored on Cloudflare R2. All connections use TLS 1.2 or higher. Passwords are hashed with bcrypt.
Third parties we use
Stripe — payment processing.
Resend / SMTP — transactional email (notifications, invites, password resets).
Cloudflare — CDN, WAF, and R2 object storage.
Sentry — error monitoring.
Anthropic Claude — Kiro AI features (auto-review, chat, accessibility audits, brand checks). When you use Kiro AI, the canvas content needed for the request is sent to Anthropic for inference. Anthropic does not train on this data per their API terms.
Your rights (GDPR / CCPA)
You can request a copy of your data, correct any inaccuracies, or delete your account and all associated data at any time. Contact privacy@thekiroapp.com and we will respond within 30 days. You can also delete your account from the workspace settings page directly — this purges your workspace, canvases, comments, and uploaded files.
Cookies
We use a session cookie to keep you logged in. We do not use third-party advertising cookies. We use first-party analytics to understand how the product is used in aggregate; this can be disabled in your account settings.
Data retention
Active accounts: data retained as long as the account exists.
Cancelled paid accounts: data retained for 30 days, then permanently deleted.
Free accounts inactive for 12 months: emailed first, then deleted if no response.
Server logs: 90 days.
Stripe receipts: 7 years (required for tax purposes).
Children
kiro is not directed to children under 13. We do not knowingly collect data from children under 13.
Changes to this policy
If we make material changes to this policy, we will notify active users by email at least 14 days before the change takes effect.
Contact
Questions about this policy or our data practices: privacy@thekiroapp.com.