Privacy Policy

Last updated: April 26, 2026

This Privacy Policy explains how KAOS collects, uses, shares, and protects personal data when you use our website, the KAI platform, and our manual offensive security services. We have written it in plain English so you can understand it without a lawyer.

1. Who is the data controller

Two KAOS legal entities may act as data controller, depending on the relationship:

  • KAOS S.L.U. (Andorra) — Registry L-720087-H — Avda Francesc Cairat, 22, 1-1, AD600, Sant Julia de Loria, Andorra. Primary commercial entity for global customers.
  • KAOS AI SECURITY, S.L. (Spain) — NIF Provisional B24966996 — C/ Concilio de Trento, 213, 4a Pta. 2, 08020 Barcelona, Spain. This is the EU data controller for the purposes of the GDPR.

You can reach our privacy team at privacy@kaos.ad.

2. What personal data we collect

  • Account data: name, business email, organization, hashed password, role.
  • Billing data: billing address, VAT number, payment method metadata (handled by our payment processor; we never store full card numbers).
  • Usage data: log entries, IP address, user agent, feature usage, audit trail.
  • Engagement data: targets, scopes, findings and reports you generate using the platform or that we generate on your behalf during a manual engagement.
  • Communications: support tickets, sales conversations, contract correspondence.
  • Cookies and similar technologies: see our Cookie Policy.

3. Lawful bases (GDPR Art. 6)

  • Contract: to provide the platform and services you subscribe to.
  • Legitimate interests: to secure our services, prevent abuse, improve the product, and run our business.
  • Legal obligation: tax, accounting, and compliance.
  • Consent: for optional analytics cookies and marketing communications. You can withdraw consent at any time.

4. How long we keep data

  • Account data: while your account is active and up to 12 months after closure.
  • Billing and tax records: 6 years (Spain) and 10 years (Andorra) as required by law.
  • Engagement data and findings: for the duration of your subscription, then deleted or returned per the Data Processing Agreement.
  • Logs and audit trail: up to 13 months.

5. Who we share data with

We share personal data only with carefully selected sub-processors that support our operations (cloud hosting, payments, AI inference, customer support tooling, analytics). A current list is available in the Data Processing Agreement. We do not sell personal data and we do not share it for advertising.

6. International transfers

Personal data may be processed in the European Economic Area, in Andorra, and in third countries through our sub-processors. Andorra benefits from a European Commission adequacy decision adopted in 2010, which means transfers between the EEA and Andorra are recognised as providing an adequate level of protection.

For transfers to other third countries, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, additional safeguards.

7. Your rights as a data subject

Under the GDPR you have the right to:

  • Access your personal data and obtain a copy.
  • Have inaccurate data rectified.
  • Have your data erased (right to be forgotten).
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint with the Spanish Data Protection Agency (AEPD, aepd.es) or with the supervisory authority of your country of residence.

8. How to exercise your rights

Send an email to privacy@kaos.ad with your request. We may need to verify your identity before responding. We will reply within 30 days (extendable by 60 additional days for complex requests, with notice).

9. Cookies

We use a small number of essential cookies and, where you opt in, privacy-respecting analytics cookies. We do not use advertising or cross-site tracking cookies. See our Cookie Policy for details.

10. Security

As an offensive security company, we hold ourselves to a higher standard. Encryption in transit and at rest, multi-factor authentication, least-privilege access, centralised audit logging, and regular third-party assessments are all part of how we operate. Read more on our Trust & Security page.

11. Changes to this policy

We may update this policy. Material changes will be communicated by email or in-product notice at least 14 days before they take effect.

12. Contact

Questions? Contact privacy@kaos.ad.