Privacy Policy
Last updated 5 June 2026
1. Who we are
Kerdour is an operating-intelligence platform. This policy explains how Kerdour (“we”, “us”) handles personal data. For data our customers load into the platform about their own deals, counterparties and contacts, the customer is the data controller and Kerdour acts as a data processor on their instructions — governed by our Data Processing Addendum.
2. The data we process
- Account data — name, work email, organisation, role, authentication credentials (stored only as salted hashes).
- Customer content — the deals, documents, messages, contacts and notes a customer creates or uploads. Processed on the customer’s behalf.
- Usage & technical data — log and audit records (who did what, when), needed for security and to operate the service.
3. How we use it & lawful basis
- To provide and secure the service — lawful basis: performance of a contract and our legitimate interests in operating it securely.
- To process customer content strictly per the customer’s instructions — lawful basis: the customer’s, as controller, under the DPA.
- We do not sell personal data. We do not use customer content to train third-party models, and we do not use it to improve Kerdour across customers without explicit opt-in. The AI reading your data to answer your questions is use, not training — your content is not absorbed into a model.
4. AI processing
Some features use AI models (see our subprocessor list on the Trust Center). Content sent for inference is not retained by the provider to train models. Every document the AI reads is wrapped in a trust boundary to neutralise instructions hidden in third-party files.
5. Where data is held & transfers
Data is hosted in the European Union (France). Where a subprocessor is outside the EEA/UK, transfers are covered by appropriate safeguards (e.g. Standard Contractual Clauses / UK Addendum). The current list of subprocessors and their regions is published on the Trust Center.
6. Retention
Customer content is retained for the life of the customer’s account and deleted or returned on termination per the DPA. Security and audit logs are kept for a limited period proportionate to their purpose.
7. Security
Encryption in transit and at rest, per-organisation isolation, least-privilege access, append-only audit logging, and consented + logged break-glass for any content access. Full detail on the Trust Center.
8. Your rights
Subject to applicable law, you may request access to, correction of, export of, or erasure of your personal data, and may object to or restrict certain processing. Where Kerdour processes data on a customer’s behalf, we will refer such requests to that customer (the controller) or assist them in responding. To exercise a right, email privacy@kerdour.com. Customers can also export their organisation’s data themselves from within the platform.
9. Breach notification
On confirmation of a material personal-data breach, we will notify affected customers without undue delay, with what we know and the steps we are taking.
10. Contact
Privacy enquiries: privacy@kerdour.com. Security matters: security@kerdour.com.
This policy is provided for transparency and is subject to legal review. It does not override the terms of any signed agreement between Kerdour and a customer.