Privacy Policy
Effective Date: 25 January 2026
Last Updated: 25 January 2026
1. Introduction
Welcome to Keito (“we,” “our,” or “us”). Keito is a time tracking application that helps individuals and teams monitor work hours and productivity. We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding your data. By using Keito, you agree to the collection and use of information in accordance with this policy.
Data Controller:
Keito
Website: https://keito.ai/
Email: support@keito.ai
If you have any questions about this Privacy Policy or how we handle your data, please contact us at the details above.
2. Information We Collect
We collect and process several types of personal data to provide our time tracking services:
2.1 Account Information
- Collected via: WorkOS authentication service
- Data types: Full name, email address, profile information
- Purpose: Account creation, authentication, and service provision
2.2 Time Tracking Data
- Data types:
  - Work hours and time entries
  - Project names and descriptions
  - Task descriptions and categories
  - Timestamps and duration data
  - Client information (if provided)
- Purpose: Core functionality of the time tracking service, reporting, and analytics
2.3 Billing and Payment Information
- Collected via: Stripe payment processing
- Data types:
  - Billing name and address
  - Payment card details (processed securely by Stripe; we do not store full card numbers)
  - Transaction history
  - Subscription details
- Purpose: Payment processing, invoicing, and subscription management
2.4 Integration Data
- Collected via: Xero integration (optional)
- Data types:
  - Invoice data
  - Financial records related to time tracking
  - Client information synchronized with Xero
- Purpose: Synchronization with your accounting software for invoicing and financial management
2.5 Technical and Usage Data
- Data types:
  - IP address
  - Browser type and version
  - Device information
  - Operating system
  - Pages visited and features used
  - Usage patterns and session data
  - Cookies and similar tracking technologies
- Purpose: Service improvement, security, troubleshooting, and analytics
2.6 Communications Data
- Data types:
  - Support inquiries
  - Feedback and survey responses
  - Email correspondence
- Purpose: Customer support, service improvement, and communication
3. Legal Basis for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:
3.1 Contract Performance (Article 6(1)(b) UK GDPR)
We process your account information, time tracking data, and billing information to fulfill our contractual obligations to provide you with the Keito service.
3.2 Legitimate Interests (Article 6(1)(f) UK GDPR)
We process technical and usage data for:
- Service improvement and optimization
- Security and fraud prevention
- Technical troubleshooting
- Understanding user behaviour to enhance features
We have assessed that these legitimate interests do not override your fundamental rights and freedoms.
3.3 Consent (Article 6(1)(a) UK GDPR)
We rely on your consent for certain processing activities, such as:
- Marketing communications (where you have opted in)
- Optional integrations (e.g., Xero)
- Non-essential cookies and analytics
You have the right to withdraw your consent at any time.
3.4 Legal Obligation (Article 6(1)(c) UK GDPR)
We may process data to comply with legal obligations, such as:
- Tax and accounting requirements
- Responding to lawful requests from authorities
- Data breach notifications
4. How We Use Your Information
We use your personal data for the following purposes:
4.1 Service Provision
- Creating and managing your account
- Enabling time tracking functionality
- Generating reports and analytics
- Processing payments and managing subscriptions
- Synchronizing data with third-party integrations (e.g., Xero)
4.2 Communication
- Sending service-related notifications
- Responding to support inquiries
- Providing updates about service changes or new features
- Sending marketing communications (only with your consent)
4.3 Service Improvement
- Analyzing usage patterns to improve functionality
- Conducting research and development
- Testing new features
- Troubleshooting and fixing technical issues
4.4 Security and Compliance
- Detecting and preventing fraud
- Ensuring platform security
- Complying with legal obligations
- Enforcing our Terms of Service
5. Data Sharing and Third-Party Processors
We work with trusted third-party service providers to deliver our services. These providers act as data processors under our instruction and are bound by data protection agreements.
5.1 WorkOS (Authentication Services)
- Purpose: User authentication and identity management
- Data shared: Name, email address, authentication credentials
- Location: United States (covered by Standard Contractual Clauses and Data Privacy Framework)
- Compliance: GDPR compliant, SOC 2 Type 2 certified
- More information: https://workos.com/legal/privacy
5.2 Stripe (Payment Processing)
- Purpose: Payment processing and subscription billing
- Data shared: Billing name, address, payment card information, transaction data
- Location: United States and EU (covered by Standard Contractual Clauses and Data Privacy Framework)
- Compliance: GDPR compliant, PCI DSS Level 1 certified
- More information: https://stripe.com/privacy
5.3 Xero (Accounting Integration)
- Purpose: Optional accounting and invoicing integration
- Data shared: Time tracking data, invoice information, client details (only when you choose to integrate)
- Location: Multiple data centres including New Zealand (EU adequacy decision) and United States
- Compliance: GDPR compliant, ISO 27001, SOC 2 Type 2 certified
- More information: https://www.xero.com/uk/legal/privacy/
5.4 Other Service Providers
We may also share data with:
- Cloud hosting providers (for data storage and service infrastructure)
- Email service providers (for transactional and marketing emails)
- Analytics providers (for service improvement)
- Customer support platforms
All third-party processors are carefully vetted, and we ensure they comply with UK GDPR requirements through data processing agreements.
5.5 Legal Requirements
We may disclose your personal data if required to:
- Comply with legal obligations or lawful requests
- Protect our rights, property, or safety
- Prevent fraud or security threats
- Enforce our Terms of Service
6. International Data Transfers
Some of our service providers are located outside the United Kingdom and European Economic Area (EEA). When we transfer your personal data internationally, we ensure appropriate safeguards are in place:
6.1 Transfer Mechanisms
- Adequacy Decisions: Transfers to countries recognized by the UK as providing adequate data protection (e.g., New Zealand for Xero)
- Standard Contractual Clauses (SCCs): Approved by the UK Information Commissioner’s Office for transfers to other countries
- Data Privacy Framework: For transfers to the United States with certified organizations
6.2 Data Security
All international data transfers are encrypted in transit and at rest. Our processors maintain robust security measures that meet or exceed UK GDPR requirements.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy and to comply with legal obligations.
7.1 Retention Periods
- Account data: Retained while your account is active
- Time tracking data: Retained while your account is active and for 7 years after account closure for financial and legal compliance purposes
- Billing and transaction data: Retained for 7 years to comply with UK tax and accounting regulations
- Technical logs: Retained for 90 days for security and troubleshooting purposes
- Marketing data: Retained until you withdraw consent or request deletion
7.2 Account Deletion
When you delete your account, we will:
- Immediately remove access to your data
- Delete non-essential data within 30 days
- Retain necessary data for legal compliance (e.g., financial records) for the required retention period
- Anonymize or aggregate data used for analytics
8. Data Security
We implement robust technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration.
8.1 Technical Measures
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access controls: Role-based access with the principle of least privilege
- Authentication: Secure authentication through WorkOS with support for multi-factor authentication (MFA)
- Infrastructure security: Secure cloud hosting with regular security audits
- Monitoring: Continuous monitoring for security threats and anomalies
8.2 Organizational Measures
- Staff training: Regular data protection and security training for all personnel
- Data protection policies: Comprehensive internal policies and procedures
- Incident response: Documented procedures for handling security incidents and data breaches
- Vendor management: Due diligence and contracts with all third-party processors
8.3 Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the UK Information Commissioner’s Office (ICO) within 72 hours
- Notify affected users without undue delay
- Provide information about the nature of the breach and steps to mitigate harm
9. Your Data Protection Rights
Under UK GDPR and the Data (Use and Access) Act 2025, you have the following rights:
9.1 Right to Access (Article 15)
You have the right to request a copy of the personal data we hold about you. You can access most of your data directly through your Keito account dashboard.
9.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete personal data. You can update most of your information directly in your account settings.
9.3 Right to Erasure / “Right to be Forgotten” (Article 17)
You have the right to request deletion of your personal data in certain circumstances, such as:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent (where processing is based on consent)
- You object to processing based on legitimate interests
- The data has been unlawfully processed
Please note that we may retain certain data where required by law or for legitimate business purposes (e.g., financial records).
9.4 Right to Restrict Processing (Article 18)
You have the right to request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
9.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. You can export your time tracking data from your account dashboard.
9.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
9.7 Right to Withdraw Consent
Where we process your data based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before the withdrawal.
9.8 Right to Complain
You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe we have not handled your data properly.
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
9.9 Exercising Your Rights
To exercise any of these rights, please contact us at:
- Email: support@keito.ai
- Subject line: “Data Protection Request”
We will respond to your request within 30 days. For complex requests, we may extend this period by an additional 60 days and will inform you of any such extension.
10. Data Protection Complaints Process
In accordance with the Data (Use and Access) Act 2025, we have established a formal process for handling data protection complaints:
10.1 How to Raise a Complaint
If you wish to raise a data protection complaint, please contact us at:
- Email: support@keito.ai
- Subject line: “Data Protection Complaint”
Please provide:
- Your name and contact details
- A description of your complaint
- Any relevant supporting information
10.2 Our Response Process
- Acknowledgment: We will acknowledge receipt of your complaint within 30 days
- Investigation: We will investigate your complaint without undue delay
- Resolution: We will inform you of the outcome and any actions taken
- Escalation: If you are not satisfied with our response, you may escalate your complaint to the ICO
11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience and analyze usage patterns.
11.1 Types of Cookies We Use
Essential Cookies
- Required for the operation of our service
- Include authentication and security cookies
- Cannot be disabled
Functional Cookies
- Remember your preferences and settings
- Enhance user experience
- Can be controlled through your browser settings
Analytics Cookies
- Help us understand how users interact with Keito
- Used to improve our services
- Can be disabled through cookie preferences
11.2 Managing Cookies
You can control and delete cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of Keito.
For more information about cookies and how to manage them, visit: https://www.aboutcookies.org/
12. Children’s Privacy
Keito is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete that information promptly.
If you believe we have collected data from a child, please contact us immediately at support@keito.ai.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will:
- Update the “Last Updated” date at the top of this policy
- Notify you of material changes via email or through a prominent notice in our service
- In some cases, seek your consent for significant changes that affect how we process your data
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
14. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:
Data Protection Inquiries:
Email: support@keito.ai
Website: https://keito.ai/contact
Mailing Address:
Keito
[Your Physical Address - Required under UK GDPR]
United Kingdom
We aim to respond to all inquiries within 5 business days and to fulfill data subject requests within 30 days as required by UK GDPR.
15. Specific Information for Employees and Teams
15.1 Employer-Employee Relationships
If you are using Keito as part of a team or organization:
- Data Controller: Your employer or organization administrator is the data controller for time tracking data
- Our Role: Keito acts as a data processor on behalf of your employer
- Employee Rights: You maintain all data protection rights under UK GDPR
- Transparency: Your employer must inform you about time tracking and how your data is used
- Legitimate Basis: Time tracking must be based on a lawful basis (typically legitimate business interests or contractual necessity)
15.2 Employer Responsibilities
Organizations using Keito for employee time tracking must:
- Inform employees about data collection and processing
- Have a legitimate business justification for time tracking
- Implement appropriate security measures
- Respect employee data protection rights
- Comply with UK employment law and GDPR
15.3 Data Minimization
We encourage employers to:
- Track only necessary information for business purposes
- Avoid excessive monitoring
- Implement transparent policies
- Provide employees with access to their own time tracking data
16. Automated Decision-Making
Keito does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. All decisions regarding your account, billing, and service access involve human review where necessary.
17. Data Protection Officer (DPO)
While Keito is not currently required to appoint a Data Protection Officer under UK GDPR, we have designated a data protection lead responsible for overseeing compliance with data protection laws and handling data protection inquiries.
For data protection matters, please contact: support@keito.ai
Acknowledgment
By using Keito, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described herein.
End of Privacy Policy