How we collect, process and safeguard your data.

Overview

This policy explains how Public Sector Analytics Limited (trading as askKira, hereafter "askKira", "we", "us") collects, uses, processes and safeguards data submitted to AI Builder and the wider askKira platform. It is written to be understood by procurement teams, DPOs, governors, trustees and the staff who actually use the product.

askKira is registered with the Information Commissioner's Office under registration ZB622646. We operate from England and Wales; all data is processed and stored within the United Kingdom.

Controller and processor roles

For individual users signing up directly, askKira acts as data controller in respect of your account record. For users whose accounts are provisioned by a school, trust, charity or organisation, your organisation is the data controller and askKira operates as a data processor, acting on the organisation's documented instructions.

A UK GDPR Article 28 Data Processing Agreement governs the relationship in every case where askKira processes data on behalf of an organisation. A signed copy is available on request via dpo@askkira.com, typically within five working days.

What we collect

• Account data: name, email, organisation (optional), pbkdf2-sha256 hashed password, plan tier, account creation and last-sign-in timestamps.
• Project content: the text, frameworks, anti-patterns, interview answers and uploaded documents you enter or upload into AI Builder.
• Session metadata: session cookie, IP address at sign-in (for the audit log), browser user-agent.
• Audit log: security-relevant events — signup, sign-in (success, failure, lockout), sign-out, password changes, project create / delete / build / deploy, data export, account deletion. Stored separately from project content.
• Diagnostic logs: request paths, status codes, error traces — never including request bodies, passwords or session tokens.

How we use it

• To deliver the AI Builder service — synthesising your inputs into a system prompt, values list and hand-off bundle.
• To authenticate sessions, enforce per-user isolation, rate-limit abuse-prone endpoints and apply account lockout where required.
• To diagnose incidents, investigate misuse and respond to support enquiries.
• To meet our legal and regulatory obligations.

We do not use your data for advertising, ad targeting, third-party data sale, or to train AI models that benefit other customers.

AI training

This is the most asked question, so here is the canonical answer:

Foundation models that askKira calls (OpenAI, Anthropic, Google Gemini) are accessed via API under terms that explicitly prohibit training on customer data. The text of your prompts and any documents you choose to upload are sent only for the purpose of producing the response you asked for, and only when the feature actively requires it.

Sub-processors

askKira engages the following sub-processors to deliver the service. Each is bound by a written agreement aligned to UK GDPR Article 28 standards. We do not share your data with any party not listed here.

Data retention

• Project content: retained for the life of your account. Deleted immediately and irreversibly when you delete the project, or when your account is closed.
• Account record: retained while your account is active; deleted on account closure.
• Audit log: retained for 90 days then rotated. Never linked to project content.
• Backups: incremental, encrypted, retained for 30 days then overwritten.
• Statutory retention: records required by law (financial, regulatory) retained for the legally mandated period.

Your rights

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you. Self-serve via Account → Export.
• Rectification — correct inaccurate data. Edit any field on the dashboard.
• Erasure — delete an individual project from the dashboard, or your entire account at Account → Delete account. Wipe is immediate and irreversible.
• Restriction — pause processing in a defined scenario. Email dpo@askkira.com.
• Portability — the hand-off bundle and account export are standard ZIP / JSON / text. Re-usable anywhere.
• Objection — object to processing in a defined scenario. Email dpo@askkira.com.
• Complaint — lodge a complaint with the Information Commissioner's Office if you believe we have processed your data unlawfully.

Cookies

AI Builder uses the minimum number of cookies required to operate. We do not use advertising, tracking or behavioural-targeting cookies on this platform.

Breach notification

If a personal-data breach is detected, affected data controllers will be notified within 72 hours of discovery with the minimum context required to exercise their obligations under UK GDPR Article 33. Where individuals are directly affected, they will be notified without undue delay.

To report a suspected breach, email security@askkira.com.

Contact

We aim to respond to every enquiry within five working days.