Privacy Policy
Last updated: April 14, 2026
This policy describes how KRP (hereinafter "we") processes personal data in connection with the Service ward-ai.io, in accordance with Regulation (EU) 2016/679 ("GDPR") and the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486, "PDPO").
1. Data Controller
KRP, Hong Kong, privacy@ward-ai.io.
For data processed on behalf of our enterprise clients (questions submitted by their users, documents analyzed), we act as a data processor within the meaning of Article 28 GDPR. A Data Processing Agreement (DPA) is available upon request.
2. Data Collected
| Category | Data | Legal Basis | Retention |
|---|---|---|---|
| User account | Email, hashed password (Argon2id), encrypted 2FA secret, role, language | Performance of contract (Art. 6.1.b) | Duration of account + 1 year |
| Authentication | IP, user agent, session timestamps, JTI | Legitimate interest — security (Art. 6.1.f) | 6 months |
| Billing | Company name, address, VAT number, payment transactions | Legal obligation (Art. 6.1.c) | 7 years (HK IRD accounting obligations) |
| Usage | Number of requests, tokens, cost, timestamps | Performance of contract (Art. 6.1.b) | 12 months |
| Queries | Content of messages sent to the AI | Performance of contract (Art. 6.1.b) | Not stored permanently — technical log for 7 days |
| Uploaded documents | PDF/image files for analysis | Performance of contract (Art. 6.1.b) | Configurable by the client — retained for the duration chosen in settings, then automatically deleted |
| Audit log | Administrative actions (HMAC-SHA256 chain) | Legal obligation / legitimate interest | 2 years — accessible and exportable (CSV) by the client at any time |
| Contact form | Email, company, message | Pre-contractual measures (Art. 6.1.b) | 12 months |
3. Recipients and Sub-processors
We use the following sub-processors, all located within the EU:
- Hetzner Online GmbH (Germany) — infrastructure hosting
- Mistral AI SAS (France) — language models and OCR; data transmitted is not used to train models (zero-retention mode)
- Stripe, Inc. — payment processing and billing
All infrastructure and AI processing remain within the EU. The data controller (KRP) is established in Hong Kong. This international transfer from the EU to Hong Kong is governed by Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914). A copy is available on request.
4. International Data Transfers
Your data is processed and stored exclusively on servers located in the EU (Germany). The data controller operates from Hong Kong. To ensure adequate protection of personal data transferred outside the EU, we rely on:
- Standard Contractual Clauses (SCCs) between the EU-based infrastructure and the HK-based controller
- Technical safeguards: all data is encrypted in transit (TLS 1.3) and at rest (AES-256-GCM); encryption keys are managed within the EU infrastructure
5. Cookies
We only use strictly necessary cookies (authentication session, language preference). No advertising or third-party tracking cookies are used.
6. Your Rights
In accordance with Articles 15 to 22 of the GDPR and the PDPO, you have the following rights:
- Right of access, rectification, and erasure
- Right to restriction of processing and right to object
- Right to data portability
- Right to set post-mortem directives
- Right to lodge a complaint with a supervisory authority (PCPD Hong Kong / CNIL France for French residents / relevant EU DPA)
To exercise these rights: privacy@ward-ai.io. We will respond within one month.
7. Security
- Encryption in transit: TLS 1.2/1.3, preloaded HSTS
- Encryption at rest: AES-256-GCM for application secrets
- Passwords: Argon2id hashing
- Two-factor authentication (TOTP)
- Chain-signed audit log (HMAC-SHA256)
- Encrypted backups (Restic) with 30-day retention
8. Data Breach Notification
In the event of a personal data breach likely to pose a risk to the rights and freedoms of data subjects, we will notify the supervisory authority within 72 hours (Art. 33 GDPR) and, where applicable, the affected data subjects (Art. 34 GDPR).
9. Service Discontinuation
In the event that the Service is discontinued ("wind-down"):
- All registered users will be notified by email at least 30 days before the shutdown date
- During this notice period, users may export their data (documents, conversation history, configuration) via the application or by request to privacy@ward-ai.io
- Within 30 days after shutdown, all personal data — including accounts, uploaded documents, vectors, and backups — will be permanently and irreversibly deleted from all systems
- Exception: billing records and invoices required by law will be retained for the applicable statutory period (up to 10 years for accounting obligations), then destroyed
10. Changes
Any material change to this policy will be notified to registered users by email with 30 days' prior notice.