Draft — this document is under legal review and will be finalised before the public beta. It reflects how the alpha actually works today.

Privacy policy

Draft — last updated July 2026

Who we are

Keiyais operated from the United Kingdom, and UK GDPR applies to everything we do with personal data. During the alpha the product runs under Ardena; the final operating entity will be confirmed in this policy before billing goes live. We are the data controller for the platform; when you publish proposals containing your clients’ details, you are the controller of that content and we process it on your behalf.

What we collect

  • Account data — your email address and workspace name, used to sign you in and run your workspace.
  • Proposal and RFP content — the documents you publish, including any client names, pricing, and files they contain.
  • Recipient identities on comments — when someone comments on a proposal, we collect the name and (optionally) email they provide, only for that thread. No account is created for them.
  • Page views — when a proposal page is opened, we record basic view data (time, approximate device info) so senders can see that their proposal was viewed.
  • Files — attachments uploaded to proposals and RFP responses, stored so they can be shared with the other side of the deal.
  • Feedback reports— if you use “Report a problem”, we store your description, the page you were on, and basic technical context (browser, screen size), plus your email if you choose to leave it.

Why we can process it (lawful basis)

We process account and content data because it is necessary to provide the service you signed up for (contract). We process error logs, view records, and feedback under legitimate interests: keeping the service working, secure, and improving. Where consent is the right basis (for example, optional emails), we ask for it.

How long we keep it

Account data and content are kept while your account is active. If you delete your account, your workspace data is deleted. Recipient comment identities live as long as the thread they belong to. Error logs and feedback reports are kept only as long as needed to diagnose and fix problems.

Who processes data for us

We use a small set of processors to run the platform. Hosting regions are being confirmed and will be listed precisely before public beta:

ProcessorPurposeRegion
SupabaseDatabase, authentication, and file storageRegion TBD
NetlifyApplication hosting and deliveryRegion TBD
ResendTransactional email (sign-in links, notifications, reminders)Region TBD
StripePayments and billing (once billing is switched on)Region TBD
SentryError monitoring so we can find and fix breakagesRegion TBD
PostHogProduct analytics and session replay. Anything you type is masked in recordings, and public proposal and RFP pages are never recorded — your clients’ business content stays out of itRegion TBD

Cookies and analytics

The alpha uses essential cookies (the ones that keep you signed in) plus PostHog analytics, which stores an identifier in your browser so we can understand how the product is used. No advertising or cross-site tracking. Session replay records how screens are used, never what you type (all inputs are masked), and never runs on public proposal or RFP pages.

Your rights

Under UK GDPR you can ask for a copy of your data, ask us to correct it, or ask us to delete it. Data export and account deletion are built into the product; for anything else, contact us and we will handle it directly. You also have the right to complain to the ICO (ico.org.uk).

Contact

Privacy questions and requests: contact us through your dashboard, or via the “Report a problem” button on any page. A dedicated contact address will be listed here before public beta.