Privacy Policy
Last updated: 20 April 2026.
1. Who we are (Controller)
Carpathica Authentic Srl ("we", "us"), a Romanian company with CUI 36090691, is the data controller for personal data collected through Keelr (keelr.co). Contact: privacy@keelr.co.
2. Data we process
To operate Keelr we process the following categories of personal data:
- Account data - name, email, company, role, hashed password, authentication factors
- Billing data - company legal name, VAT ID, billing address, payment method identifiers (not card numbers - those are held by our payment processor)
- Scope declarations - the assets you authorise for engagement (domains, IPs, asset groups)
- Engagement data - findings, Code Artifacts, re-attack results, audit logs tied to your authorised scope
- Service logs - portal access logs, API call logs, error traces (retained up to 90 days)
- Communications - emails and support tickets you send us
We do not collect special categories of personal data (health, religion, political opinions) by design. If you include such data in a scope declaration or support message, please redact it before sending.
3. Why we process it (Lawful bases under GDPR)
- Contract performance (Art. 6(1)(b)) - to deliver the service you subscribed to, meter usage, and bill accurately
- Legal obligation (Art. 6(1)(c)) - to retain accounting records, respond to lawful requests, comply with tax law
- Legitimate interests (Art. 6(1)(f)) - to secure the service, prevent abuse, improve reliability, and communicate operational updates. You can object; we will balance your objection against the purpose
- Consent (Art. 6(1)(a)) - for non-essential cookies and optional marketing communications. You can withdraw consent at any time
4. Where your data is hosted
All production data resides on infrastructure located in the European Union. We use multiple EU regions for redundancy and resilience. All customer data is stored on EU-sovereign infrastructure, and Agent-layer reasoning runs on EU-hosted infrastructure. No transfers to third countries take place in the default service configuration.
If a future service configuration requires a transfer outside the EU/EEA, it will only occur under an adequacy decision, Standard Contractual Clauses, or another lawful mechanism - and you will be notified before the transfer begins.
5. Who we share it with (Processors)
We use a small number of processors to operate the service. Each is contractually bound by a Data Processing Agreement:
- Infrastructure hosting inside the EU
- Payment processing (EU-based) - they see billing data, not scope or engagement data
- Transactional email delivery (EU-based) - they see the message metadata and body of operational emails
We do not sell, rent, or trade your personal data. We do not use it for advertising. The full list of subprocessors is available on request.
6. How long we keep it
- Account data - for the life of your account plus 6 years for accounting records (Romanian law)
- Engagement data and Code Artifacts - for the lifetime of their Mission plus 90 days, then archived
- Service logs - up to 90 days, then deleted
- Audit logs (authorisation events) - 7 years in an append-only store, for your forensic and regulatory review
- Support communications - 2 years, then archived or deleted on request
7. Your rights under GDPR
You have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and to data portability. Most of these can be exercised self-service from your portal (account export, account deletion, consent toggles). For anything you cannot do yourself, email privacy@keelr.co and we will respond within 30 days.
You have the right to lodge a complaint with a supervisory authority. In Romania this is the National Supervisory Authority for Personal Data Processing (ANSPDCP, dataprotection.ro). You may also contact the supervisory authority in your country of residence.
8. Cookies
See our Cookie Policy. Short version: strictly necessary cookies only by default. No analytics, no pixels, no third-party tags.
9. Changes to this Policy
We will update this Policy when our processing changes. Material changes are notified by email to your account address at least 30 days before they take effect.
10. Contact
Privacy questions: privacy@keelr.co.