Privacy & compliance

Compliance built into the pipeline, not bolted on.

A customer data platform touches the most sensitive data a company holds. Here is exactly how Kilden handles it under the GDPR and Chile's Ley 21.719 — with the controls that already ship, and honest notes on what is still on the way.

GDPR Ley 21.719 · Chile Processor & controller
Data-subject rights

Every right, actually honored.

Access, erasure, portability and objection are not a promise on a page — each maps to real tooling that scrubs or exports data across every store: Postgres, ClickHouse and the replay object storage.

Access & portability

A structured JSON export of everything stored about a person — profile traits, identifiers, full event history, campaign messages and chat — in a commonly used, machine-readable format (GDPR art. 20; Chile arts. 5 and 9).

Erasure

A person is deleted from every store at once, following merged identities, keeping only the email suppression that stops us writing to them again (GDPR art. 17; Chile art. 7).

Rectification & objection

Traits are corrected on request; opt-out suppresses future processing. Any browser can also stop all capture instantly with the SDK controls below.

Deletion of a whole workspace

Closing an account purges the entire project — config, people, events, recordings and messages — within 60 days, honoring the terms.

How to exercise a right

You (or an end user of a site that uses Kilden, through that site's operator) email [email protected]. We commit to responding within 30 days — meeting the GDPR's one-month deadline (which it may extend for complex requests) and Ley 21.719's 30 calendar days.

Retention

Data does not live forever.

Each category has a defined retention rule — event data is deleted automatically on a fixed window; profiles and suppression records live only as long as they are needed. These match our privacy policy exactly.

Data Retention
Events (End-User Data) Auto-deleted after the project's window — 12 months on Free, 24 months on paid plans by default
Profiles (End-User Data) While the project is active, or until the customer deletes them
Session recordings 30 days in the primary store; backup copies expire within a further 15 days
Messaging logs Up to 24 months
Pipeline buffers (queues) 3–14 days
Account data Deleted within 60 days of account deletion
Web server logs Up to 30 days
Email suppression lists Kept as long as needed to honor unsubscribe and bounce suppression — retained through an erasure so we do not email the person again

Event retention is enforced daily by an automated job, not by hand.

Subprocessors

Who else touches the data.

The full list, kept in step with our privacy policy — no hidden analytics or ad networks. We do not sell personal data and do not train models on it.

Provider Purpose
DigitalOcean Cloud infrastructure (compute, managed databases)
Resend Email delivery (transactional email and customer campaigns)
S3-compatible object storage Storage of session replay recordings
Polar Payment processing and subscription billing
GitHub / Google OAuth sign-in, only if you choose it
International transfers

We are based in Chile; infrastructure and subprocessors may sit in the US or the EU. Chile does not hold an EU adequacy decision, so where the law requires it we rely on the European Commission's standard contractual clauses with our providers.

Privacy by default

The controls are in the SDK, on by default.

Privacy is not a setting a developer has to remember — the defaults are private, and the escape hatches are one attribute or one call away.

Inputs masked by default

Session replay masks everything typed into inputs, and passwords are always masked. Nothing sensitive is captured unless a customer opts a field back in.

Mask or exclude any element

Add data-kilden-mask to redact an element, or data-kilden-no-capture to drop it from capture and replay entirely.

One-call opt-out

Calling kilden.optOut() stops all capture and transmission on that browser, including replay, and remembers the choice.

Cookieless mode

The SDK can run on localStorage alone, setting no cookies at all — useful where a consent banner has not fired yet.

A full end-user consent flow (consent mode, Global Privacy Control) is on the roadmap; until then these are the controls the site operator wires up.

Chile · Ley 21.719

Ready for Chile's new data-protection law.

The Ley 21.719 takes effect on December 1, 2026. As a Chilean company processing personal data, we treat it as a hard deadline — and most of the machinery is already in production.

Rights within the legal window

Access, deletion and portability are answered within 30 calendar days, the term the law sets.

Breach register & notification

A documented runbook and an internal breach register are in place: incidents are notified to the Agency without undue delay, and to affected people when the law requires it.

Honest about roles

For the data our customers send us we are the processor and they are the controller; for accounts on kilden.io we are the controller. Each is handled accordingly.

The fine print, in full.

The marketing page is the summary. The binding documents live here.

Privacy Policy

What we collect, why, and every retention window.

Terms of Service

The contract, including data deletion on termination.

FAQ

Straight answers.

Questions a page can't answer?

Data protection officers and security teams: email us and we'll walk through the details, the DPA, and your specific requirements.

Email [email protected] Read the privacy policy