Privacy Policy.
Last updated: 12 May 2026 · Policy version: kye-privacy-v1.0-2026-05-12 · Version hash: b21d7af5e6c0339a
1. Data controller
For personal data collected through this website and the KYE™ Audit Pilot programme, the data controller is KYE Protocol™ Ltd, a company registered in England and Wales. Registered office: to be confirmed; please contact info@kyeprotocol.com. For Customer Data we process on behalf of pilot customers, KYE™ acts as a data processor; see the Data Processing Agreement.
2. Data we collect
- Marketing and contact data — name, work email, phone number, company, role and message body when you contact us through the contact form or the pilot-apply form.
- Pilot application data — on top of marketing data: company size, industry, regulatory regime(s), the AI workflow you want to observe, urgency and how you heard about us.
- Technical data — IP address (hashed at submission time), user-agent (hashed), referer, language, request timestamp. We do not run third-party analytics scripts on this site.
- Consent records — a signed kye.consent.acceptance.v1 record emitted whenever you accept the Terms, Privacy Policy, AUP and Authority clauses through the pilot-apply form.
3. Lawful basis
We rely on the following lawful bases under UK GDPR / EU GDPR:
- Article 6(1)(b) — performance of a contract for handling pilot applications and providing the Services.
- Article 6(1)(f) — legitimate interests for security logging (hashed IPs / UAs) and for responding to general enquiries. Our legitimate interests are running a B2B SaaS business safely and lawfully; we balance them against your rights and freedoms.
- Article 6(1)(c) — legal obligation for record-keeping required by applicable accounting, tax and financial-services regulation.
4. Purposes
We process personal data to: qualify pilot applications; deliver the Services; communicate about the Services; comply with legal obligations; protect the security of the Services; and, with separately-obtained consent, send periodic product updates. We do not sell personal data, and we do not use it to train any machine-learning model.
5. Retention
- Marketing contact data: 24 months from last interaction.
- Pilot application data and consent records: for the lifetime of any resulting engagement plus 7 years (banking-record horizon).
- Technical data: 13 months rolling, in line with the analytics-plane TTL locked in constitution doc 20.
- Customer Data processed on a pilot customer's behalf: per the Data Processing Agreement; returned or deleted within 30 days of termination.
6. Third-party processors and sub-processors
The current list of sub-processors is at /legal/sub-processors. We notify customers of changes through that page; material additions are announced at least 30 days in advance.
7. Data subject rights
If your personal data is in our records, you have the right to: (a) access it (Art. 15); (b) rectify it (Art. 16); (c) erase it (Art. 17, subject to legal-obligation carve-outs); (d) restrict processing (Art. 18); (e) port it (Art. 20); (f) object to processing based on legitimate interests (Art. 21); and (g) not be subject to a decision based solely on automated processing that produces legal effects concerning you (Art. 22). To exercise any of these rights, email info@kyeprotocol.com; we will respond within 30 days.
8. International transfers
We host on Cloudflare and may transfer personal data outside the UK / EEA. Where we do, transfers are protected by the UK International Data Transfer Addendum and / or the EU Standard Contractual Clauses (Module 2 or 3 as applicable). The current SCCs are incorporated into the DPA.
9. Children
The Services are not directed to people under 16 and we do not knowingly collect personal data from anyone under 16.
10. DPO contact
For data-protection enquiries, including subject-access requests, contact info@kyeprotocol.com with subject “Privacy — [your request]”. We will route to the appropriate person.
11. Supervisory authority
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO), ico.org.uk. In the EU, it is the supervisory authority in your member state.
12. Changes
If we make material changes to this Privacy Policy we will increment the policy version and update the version hash at the top of the page; consent records pin to specific policy versions so historical acceptances remain meaningful.
Contact: info@kyeprotocol.com