Privacy Policy
Last updated: 7 March 2026This Privacy Policy describes how Kaiilu ("we", "the platform") processes the personal data of users who create an account, apply to become creators, consume content, or use payment services. Kaiilu acts as the data controller for the data described in this document.
Processing is governed by the EU General Data Protection Regulation 2016/679 (GDPR), the Estonian Personal Data Protection Act (PDPA, 2019), and Directive 2002/58/EC (ePrivacy). Where the GDPR conflicts with Estonian national law, the GDPR prevails.
If you do not agree to this Policy, please do not use the platform.
Guiding principles: Kaiilu's data processing is governed by privacy by design and by default (Art. 25 GDPR). We apply the principles of data minimisation (Art. 5.1.c), purpose limitation (Art. 5.1.b), and transparency (Art. 5.1.a).
1. Data Controller
The data controller is the entity operating Kaiilu, established in the Republic of Estonia. For any privacy-related enquiries:
Data Protection Officer (DPO): Kaiilu, as a growing platform, is not currently required to designate a DPO under Art. 37 GDPR. The privacy contact point is [email protected]. We review this position periodically as the platform grows.
2. Data We Collect
We collect only the data strictly necessary for each feature you use:
Account data
- Email address, name, username, country, and language.
- Phone number, if provided voluntarily.
- Access credentials in encrypted form (we never store passwords in plain text).
- Date of birth, to verify that you meet the minimum age requirement.
- Profile photo, if uploaded voluntarily.
Social login data
- If you sign in with Google or Apple, we receive the data you authorise in the OAuth flow: typically name, email address, and profile photo. We do not receive or store your password from those providers.
Creator application data
- Information submitted in the application form and the status of the review process.
- Identity verification documentation, if requested during the process.
Payment data
- Customer, session, and payment identifiers generated by Stripe. Kaiilu does not store card data; this is managed directly by Stripe under PCI-DSS Level 1.
- Purchase history for Passes and Kaiilu Coins (KC), amounts, and dates.
- Billing country, for tax purposes.
Wallet and KC transactions
- Kaiilu Coins balance, movements, content unlocks, donations, and chat actions involving KC.
Usage and interaction data
- Viewing and playback history (for "Continue Watching" and recommendations).
- Messages sent in public space chats.
- Content or user reports submitted by you.
- Interactions with polls, votes, and events.
- Notification preferences and account privacy settings.
Technical and network data
- IP address, inferred country, and time zone.
- Browser type, operating system, device type, and screen resolution.
- Access logs: date, time, pages visited, session duration, and referral URL.
- Connection quality data (bandwidth, latency, buffering events) during playback, for technical diagnostics.
- Anonymous session identifiers for access control and security.
Communications with us
- Content of emails or messages you send us via support, including your email address and subject.
3. Data We Do Not Collect
To avoid ambiguity, Kaiilu does not collect or process:
- Special categories of data (Art. 9 GDPR): health, biometric, genetic, religious, political, trade-union data, or sexual orientation.
- Device fingerprinting: we do not use browser or device fingerprinting techniques.
- Cross-device tracking: we do not link your activity across different devices unless you link them yourself via your account.
- Behavioural advertising: we do not build profiles for advertising purposes or share data with advertising networks.
- Precise geolocation data: we only infer the country from your IP address; we do not request or use GPS coordinates.
4. Purposes and Legal Bases
We process your data for the following purposes, with the indicated legal basis:
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and managing your account and secure access. | Contract (Art. 6.1.b) |
| Processing creator applications, managing spaces and publications. | Contract (Art. 6.1.b) |
| Processing Pass and KC payments; recording transactions in the ledger. | Contract (Art. 6.1.b) |
| Enabling access to and playback of content, including KC unlocks. | Contract (Art. 6.1.b) |
| Providing support and handling enquiries or complaints. | Contract / Legitimate interest (Art. 6.1.b / 6.1.f) |
| Verifying the minimum age of use. | Legal obligation / Legitimate interest (Art. 6.1.c / 6.1.f) |
| Fraud prevention, abuse prevention, and platform security. | Legitimate interest (Art. 6.1.f) |
| Compliance with tax and accounting obligations. | Legal obligation (Art. 6.1.c) |
| Content moderation in compliance with the DSA. | Legal obligation / Legitimate interest (Art. 6.1.c / 6.1.f) |
| Service communications (changes, security alerts, important updates). | Contract (Art. 6.1.b) |
| Promotional communications and newsletters. | Consent (Art. 6.1.a) — revocable at any time |
| Aggregated and anonymised usage metrics to improve the platform. | Legitimate interest (Art. 6.1.f) |
| Defence against legal claims. | Legitimate interest (Art. 6.1.f) |
Where processing is based on legitimate interests, we have carried out a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request further information by writing to [email protected].
5. Automated Decisions and Profiling
Kaiilu uses automated systems for the following limited purposes:
- Content moderation: Kaiilu's AI systems analyse published content to detect violations of the Content Policy. Decisions involving significant sanctions are reviewed by the human moderation team.
- Fraud and abuse detection: unusual usage patterns may trigger automated security reviews.
- Content recommendations: your viewing history may be used to sort the content displayed to you within the platform.
We do not make decisions with significant legal effects on you based solely on automated processing (Art. 22 GDPR). Any suspension or serious sanction involves human review. If you believe an automated decision has incorrectly affected you, you may request human review by writing to [email protected].
6. Third-Party Login Services
If you use "Sign in with Google" or "Sign in with Apple", those providers act as independent controllers for the data they manage in their own systems. Kaiilu only stores the data they transmit to us with your authorisation, and uses it solely to create or link your account.
You may unlink your social account from Kaiilu account settings at any time.
7. Sharing with Third Parties
Kaiilu does not sell your personal data. We share data only in the following circumstances, under data processing agreements or as independent controllers:
| Provider / Category | Purpose | GDPR Role |
|---|---|---|
| Stripe, Inc. | Payment processing (Passes, KC). PCI-DSS compliance, AML/KYC. | Independent controller |
| Google LLC / Apple Inc. | OAuth authentication (social login), if used. | Independent controller |
| Infrastructure and hosting providers | Servers, databases, network. We sign a DPA with each provider. | Data processor |
| Transactional email provider | Sending verification emails, alerts, and service communications. | Data processor |
| Cloudflare, Inc. | Bot protection (Turnstile) and perimeter network security. | Data processor |
| Public authorities and bodies | When required by law, court order, or to protect Kaiilu's or third parties' legitimate rights. Includes mandatory CSAM reporting. | Required legal recipient |
We do not share data with advertising networks or use it for behavioural advertising.
8. International Data Transfers
Several of our providers process data outside the European Economic Area (EEA). We ensure adequate protection for all transfers using mechanisms approved by the European Commission:
| Provider | Country | Transfer mechanism |
|---|---|---|
| Stripe, Inc. | USA | SCCs (Decision 2021/914) + EU–US Data Privacy Framework |
| Google LLC | USA | SCCs + EU–US Data Privacy Framework |
| Apple Inc. | USA | SCCs + EU–US Data Privacy Framework |
| Cloudflare, Inc. | USA | SCCs + EU–US Data Privacy Framework |
You may request a copy of the applicable Standard Contractual Clauses (SCCs) by writing to [email protected].
9. Data Retention
We retain data for the minimum time necessary for the purpose for which it was collected:
| Data category | Period | Justification |
|---|---|---|
| Account data (profile, credentials) | While account is active + 30 days | Service provision |
| Payment records and invoices | 7 years from transaction | Accounting and tax obligation |
| KC transactions and wallet ledger | 5 years from transaction | Audit and system integrity |
| Creator application history | Until resolution + 1 year | Defence against claims |
| Technical access logs (IP, session) | 12 months | Security and abuse detection |
| Chat messages | 12 months, unless actively reported (until closure + 2 years) | Moderation and DSA compliance |
| Content or user reports | Until case closure + 2 years | Legal DSA compliance / defence |
| Social login tokens | Until unlinking or account deletion | Authentication functionality |
| Support communications | 2 years from case closure | Defence against claims |
| Moderation data (decisions, reasons) | 3 years | DSA Art. 17 obligation / transparency |
| Cookie consent data | 12 months or until withdrawn | Proof of consent (ePrivacy) |
After these periods, data is securely deleted or irreversibly anonymised.
10. Minors
The minimum age to use Kaiilu is 16 years, in accordance with Art. 8 GDPR and Estonian law (PDPA Art. 8). We do not knowingly collect personal data from individuals under 16. If we detect that a user is under this age, we will delete their account and data without delay.
If you are a parent or guardian and believe a minor has created an account, please contact us at [email protected].
11. Your GDPR Rights
Under the GDPR, you have the following rights regarding your personal data:
| Right | Article | Description |
|---|---|---|
| Access | Art. 15 | Obtain confirmation of whether we process your data and receive a readable copy. |
| Rectification | Art. 16 | Correct inaccurate data or complete incomplete data. |
| Erasure ("right to be forgotten") | Art. 17 | Request deletion when data is no longer necessary or you withdraw consent. |
| Portability | Art. 20 | Receive your data in structured format (JSON/CSV) and transfer it to another controller. |
| Restriction of processing | Art. 18 | Request that we restrict processing while accuracy is verified or an objection is resolved. |
| Objection | Art. 21 | Object to processing based on legitimate interests. |
| Not to be subject to automated decisions | Art. 22 | Not to be subject to decisions based solely on automated processing with significant legal effects. |
| Withdrawal of consent | Art. 7.3 | Withdraw any consent given at any time, without retroactive effect. |
You may exercise these rights from your account settings or by writing to [email protected] with sufficient identification. We will respond within a maximum of 30 calendar days.
12. Security and Breach Notification
We implement appropriate technical and organisational measures in accordance with Art. 32 GDPR:
- Encryption in transit (TLS 1.2+) for all communications.
- Encrypted credentials at rest (bcrypt/argon2).
- Role-based access control and least-privilege principle.
- Periodic security reviews and penetration testing.
- Separate environments for development, staging, and production.
- Two-factor authentication (2FA) available for creator and admin accounts.
In the event of a security breach posing a risk to your rights and freedoms, we will notify the Andmekaitse Inspektsioon (AKI) within 72 hours (Art. 33 GDPR) and notify you "without undue delay" if the breach poses a high risk (Art. 34 GDPR).
13. Cookies and Similar Technologies
Kaiilu uses essential first-party cookies for the platform to function and, with your consent, optional preference cookies. We do not use behavioural advertising cookies. For full details, see our Cookie Policy.
14. Suggestions and Feedback
If you send us suggestions, ideas, or comments about the platform, you agree that we may use them freely to improve the Service without any obligation to compensate or maintain confidentiality towards you.
15. Changes to This Policy
We may update this Policy. When changes are material, we will notify you by email or prominent notice on the platform at least 15 days in advance. Previous versions are available upon request at [email protected].
16. Contact and Right to Complain
For any enquiry or request related to this Policy: [email protected]
If you consider that the processing of your data infringes the GDPR or the Estonian PDPA, you have the right to lodge a complaint with the competent supervisory authority: the Andmekaitse Inspektsioon (AKI): www.aki.ee. If you reside in another EU Member State, you may also contact the supervisory authority in your country of habitual residence (Art. 77 GDPR).