A customer data platform touches the most sensitive data a company holds. Here is exactly how Kilden handles it under the GDPR and Chile's Ley 21.719 — with the controls that already ship, and honest notes on what is still on the way.
Access, erasure, portability and objection are not a promise on a page — each maps to real tooling that scrubs or exports data across every store: Postgres, ClickHouse and the replay object storage.
A structured JSON export of everything stored about a person — profile traits, identifiers, full event history, campaign messages and chat — in a commonly used, machine-readable format (GDPR art. 20; Chile arts. 5 and 9).
A person is deleted from every store at once, following merged identities, keeping only the email suppression that stops us writing to them again (GDPR art. 17; Chile art. 7).
Traits are corrected on request; opt-out suppresses future processing. Any browser can also stop all capture instantly with the SDK controls below.
Closing an account purges the entire project — config, people, events, recordings and messages — within 60 days, honoring the terms.
You (or an end user of a site that uses Kilden, through that site's operator) email [email protected]. We commit to responding within 30 days — meeting the GDPR's one-month deadline (which it may extend for complex requests) and Ley 21.719's 30 calendar days.
Each category has a defined retention rule — event data is deleted automatically on a fixed window; profiles and suppression records live only as long as they are needed. These match our privacy policy exactly.
| Data | Retention |
|---|---|
| Events (End-User Data) | Auto-deleted after the project's window — 12 months on Free, 24 months on paid plans by default |
| Profiles (End-User Data) | While the project is active, or until the customer deletes them |
| Session recordings | 30 days in the primary store; backup copies expire within a further 15 days |
| Messaging logs | Up to 24 months |
| Pipeline buffers (queues) | 3–14 days |
| Account data | Deleted within 60 days of account deletion |
| Web server logs | Up to 30 days |
| Email suppression lists | Kept as long as needed to honor unsubscribe and bounce suppression — retained through an erasure so we do not email the person again |
Event retention is enforced daily by an automated job, not by hand.
The full list, kept in step with our privacy policy — no hidden analytics or ad networks. We do not sell personal data and do not train models on it.
| Provider | Purpose |
|---|---|
| DigitalOcean | Cloud infrastructure (compute, managed databases) |
| Resend | Email delivery (transactional email and customer campaigns) |
| S3-compatible object storage | Storage of session replay recordings |
| Polar | Payment processing and subscription billing |
| GitHub / Google | OAuth sign-in, only if you choose it |
We are based in Chile; infrastructure and subprocessors may sit in the US or the EU. Chile does not hold an EU adequacy decision, so where the law requires it we rely on the European Commission's standard contractual clauses with our providers.
Privacy is not a setting a developer has to remember — the defaults are private, and the escape hatches are one attribute or one call away.
Session replay masks everything typed into inputs, and passwords are always masked. Nothing sensitive is captured unless a customer opts a field back in.
Add data-kilden-mask to redact an element, or data-kilden-no-capture to drop it from capture and replay entirely.
Calling kilden.optOut() stops all capture and transmission on that browser, including replay, and remembers the choice.
The SDK can run on localStorage alone, setting no cookies at all — useful where a consent banner has not fired yet.
A full end-user consent flow (consent mode, Global Privacy Control) is on the roadmap; until then these are the controls the site operator wires up.
The Ley 21.719 takes effect on December 1, 2026. As a Chilean company processing personal data, we treat it as a hard deadline — and most of the machinery is already in production.
Access, deletion and portability are answered within 30 calendar days, the term the law sets.
A documented runbook and an internal breach register are in place: incidents are notified to the Agency without undue delay, and to affected people when the law requires it.
For the data our customers send us we are the processor and they are the controller; for accounts on kilden.io we are the controller. Each is handled accordingly.
The marketing page is the summary. The binding documents live here.
Kilden gives you the tooling and terms to run a GDPR-compliant deployment: enforced retention, real access/erasure/portability, a signed data processing agreement on request, and a disclosed subprocessor list. As the controller, you decide what you collect and on what basis; we process it on your instructions.
Email [email protected]. If you are an end user of a site that uses Kilden, contact that site's operator — they are the controller of your data, and we support them in fulfilling the request.
Yes, on request — built on the European Commission's standard contractual clauses. Email [email protected].
On infrastructure in the US or the EU, operated by the subprocessors listed above. We are based in Chile and rely on standard contractual clauses for transfers. We do not currently offer region selection or EU-only residency.
No. We do not sell personal data, run ads, or use your data or your customers' data to train machine-learning models.
Data protection officers and security teams: email us and we'll walk through the details, the DPA, and your specific requirements.