Privacy Notice

Effective 10 July 2026

1. Who is responsible for your data

The data controller for personal data processed through Kept is Mirjoran AB ("Mirjoran", "we"), a limited company registered in Sweden, organisation number 559010-8725. You can reach us via our contact form.

2. What data we collect and why

We process the following categories of personal data:

  • Account data — name, email address, password hash, authentication provider (e.g. Google). Used to create your account, authenticate you, and send auth emails such as sign-up confirmation and password reset. Legal basis: performance of our contract with you.
  • Contract content you upload — PDF files and the fields extracted from them (counterparty, price, dates, notes). Used to provide the register and reminder features. Legal basis: performance of our contract with you.
  • Reminder preferences — your reminder windows and email opt-in. Used to send renewal and cancellation reminders. Legal basis: performance of our contract with you.
  • Subscription and billing data — plan, status, customer ID from our payments provider. Payment card and billing address are collected and stored by Paddle (see section 4); we do not receive or store card numbers.
  • Support and communications — messages you send us and our replies. Used to respond and improve the service. Legal basis: legitimate interest in providing customer support.
  • Technical and usage data — IP address, device and browser type, timestamps, error logs, feature usage. Used to operate, secure and improve the service and prevent fraud or abuse. Legal basis: legitimate interest.

3. How long we keep it

Account and contract data are kept for as long as your account is active. When you delete your account we remove your account and contract data within 30 days, except where we are required by law to keep records longer (for example, billing records that our payments provider retains for tax purposes).

Technical logs are kept for up to 90 days. Support conversations are kept for up to 24 months.

4. Who we share data with (subprocessors)

We share personal data only with service providers who help us run Kept, and only to the extent necessary. Our current subprocessors:

  • Lovable Cloud (Supabase) — database, file storage and authentication hosting (EU region).
  • Paddle.com Market Ltd — Merchant of Record for all sales. Paddle handles payment processing, tax compliance, invoicing and subscription billing, and is a data controller for that data.
  • Lovable — application hosting, email delivery, and AI-assisted contract extraction gateway.
  • Professional advisers — accountants and legal advisers where reasonably necessary.
  • Authorities — where required by law or in response to a valid legal request.

We do not sell your personal data and do not use it for third-party advertising.

5. International transfers

Our primary hosting is in the EU. Some subprocessors (in particular the AI extraction gateway and payment infrastructure) may process data outside the EU/EEA. When that happens we rely on adequacy decisions or Standard Contractual Clauses approved by the European Commission as our transfer safeguard.

6. Security

We apply appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest for uploaded files and the database, row-level access controls that scope data to the owning account, hashed passwords, and least-privilege access for our staff. No system is perfectly secure — if you become aware of a suspected incident please contact us.

7. Your rights

Under the EU GDPR and the Swedish Data Protection Act you have the right to access, correct, delete, restrict, and port your personal data, to object to certain processing, and to withdraw consent where processing is based on consent. You can exercise most of these rights directly in your account page. For anything you cannot do yourself, contact us via the contact form; we will respond within one month.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) or the data protection authority in your country of residence.

8. Cookies

Kept uses only essential cookies and local storage needed to run the app — authentication session, security tokens, and remembering your preferences. We do not use analytics or advertising cookies. You can clear these at any time from your browser settings.

9. Changes to this notice

We may update this notice from time to time. Material changes will be announced by email or in-app. The effective date at the top of this page always reflects the current version.