Privacy · GDPR

Privacy Policy

Last updated: May 25, 2026  ·  Version 1.0

This Privacy Policy describes how OB2 (trading as: Kalyos) collects, uses, stores, and protects your personal data when you use the Kalyos platform, accessible at kalyos.ai. It is drafted in compliance with the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and the amended French Data Protection Act (loi Informatique et Libertés).

1. Data Controller

The data controller for personal data collected through the Service is:

Field Information
Legal name OB2 (trading as: Kalyos)
Legal form SARL with share capital of EUR 2,000
SIREN 104 413 349
SIRET 104 413 349 00010
Registered office 85 Chemin de la Fontaine, 01800 Villieu-Loyes-Mollon, France
Date of incorporation 23 April 2026
Privacy contact privacy@kalyos.ai

2. Data Collected

2.1 Account data

When you create your account and use the Service, we collect the following data:

  • Email address (required for account creation).
  • Username or chosen display name.
  • Third-party authentication information (Google ID, GitHub ID, etc.) if you choose that sign-in method.
  • Billing information (name, country of tax residence) processed by our payment provider.
  • Account preferences and settings (language, default model, etc.).

2.2 Usage data

  • Conversation history and requests submitted to the Service.
  • Files and documents uploaded for processing by AI models.
  • Aggregated usage statistics (number of requests, models used, etc.).
  • Agent and workflow configuration preferences.

2.3 Technical data

  • IP address (anonymised after 30 days).
  • Browser type and operating system.
  • Pages visited and actions taken on the Service (navigation logs).
  • Connection and usage timestamps.

2.4 What we do not collect

Kalyos does not collect and does not seek to collect:

  • Special category data within the meaning of article 9 of the GDPR (racial or ethnic origin, political opinions, health data, biometric data, etc.), unless you voluntarily provide such data in the course of a conversation, in which case it is not stored separately.
  • Your full payment card details (managed exclusively by our payment provider).
  • Your precise location data (GPS).
  • The content of your conversations for advertising purposes or for resale to third parties.

3. UUID Anonymisation of AI Requests

Kalyos applies a UUID (Universally Unique Identifier) based anonymisation technique to requests transmitted to third-party AI models. Here is how it works:

How UUID anonymisation works:
When you submit a request to a third-party AI model (OpenAI, Anthropic, Google, etc.), Kalyos does not transmit your account identifier or email address to the model provider. Instead, a random, non-persistent UUID is generated for each session or request. This UUID cannot be re-linked to your identity by the model provider. Your real identity remains known only to Kalyos and is never disclosed to third-party model providers.

This approach protects your privacy while allowing model providers to implement their own abuse detection mechanisms on the basis of these anonymised technical identifiers.

The content of your conversations (the text of your requests) is transmitted to model providers to enable the generation of responses. This content is subject to the privacy policies of the relevant providers. We encourage you not to include sensitive personal information in your requests if you wish to minimise their exposure.

4. Purposes and Legal Bases for Processing

Purpose Legal basis (GDPR) Details
Account creation and management Performance of a contract (art. 6.1.b) Necessary to provide you with access to the Service
Provision of the AI Service Performance of a contract (art. 6.1.b) Processing requests and generating responses
Billing and payment Performance of a contract (art. 6.1.b) Management of subscriptions and transactions
Legal and accounting obligations Legal obligation (art. 6.1.c) Retention of invoices, tax compliance
Security and fraud prevention Legitimate interest (art. 6.1.f) Abuse detection, protection of the Service
Service improvement Legitimate interest (art. 6.1.f) Performance analysis (anonymised or aggregated data only)
Marketing communications Consent (art. 6.1.a) Only if you have explicitly agreed to receive our communications
Customer support Performance of a contract (art. 6.1.b) Processing your support requests

5. Hosting and Data Transfers

5.1 Primary hosting

Your account data and conversation history are hosted on servers located within the European Economic Area (EEA), primarily in France or another EU member state, with certified providers.

5.2 Transfers outside the EEA

The use of AI models from non-European providers (OpenAI in the United States, Anthropic in the United States, Google in the United States, etc.) involves transmitting the content of your requests to servers located outside the EEA. These transfers are governed by:

  • The Standard Contractual Clauses (SCCs) adopted by the European Commission.
  • The appropriate safeguards put in place by each provider (certifications, data processing agreements).
  • In certain cases, the adequacy decisions of the European Commission (notably the Data Privacy Framework for transfers to the United States).
Please note: requests transmitted to third-party models are anonymised via our UUID mechanism (see section 3). No directly identifying data (name, email) is transmitted to model providers outside the EEA.

You may obtain the full list of model providers and associated safeguards by contacting privacy@kalyos.ai.

6. Sharing with Third Parties

Kalyos does not sell your personal data. We share your data only in the following cases:

Processor / Third party Category Data transmitted Location
Stripe (or equivalent) Payment Billing information, amounts United States / EU (SCCs)
OpenAI, Anthropic, Google, Mistral, etc. AI model providers Request content (UUID anonymised) Varies by provider
Cloud host (OVH, Scaleway or EEA equivalent) Infrastructure Account data, conversations, logs France / EU
Analytics tool (anonymised, no third-party cookies) Analytics Aggregated and anonymised navigation data EU (GDPR-compliant)
Judicial or administrative authorities Legal obligation Any data required by legal order France / EU

Each processor is bound to Kalyos by a data processing agreement compliant with article 28 of the GDPR.

7. Retention Periods

Data category Retention period Reason
Account data (email, preferences) Duration of account + 90 days after closure To allow reactivation, then deletion
Conversation history Duration of account + 90 days after closure Service continuity, then deletion
Billing data and invoices 10 years Legal accounting and tax obligation
Connection and security logs 12 months Abuse detection, legal compliance
IP address (full form) 30 days, then anonymisation Security, then privacy protection
Customer support data 3 years after ticket closure Service quality monitoring
Marketing consents 3 years after last active contact Proof of consent

At the end of these periods, your data is either permanently deleted or irreversibly anonymised.

8. Cookies and Trackers

Kalyos uses cookies and tracking technologies that are strictly necessary for the operation of the Service:

  • Session cookies: maintaining your login and user session. These cookies are essential and cannot be disabled.
  • Preference cookies: remembering your settings (language, theme, default model). Can be disabled in account settings.
  • Security cookies: protection against CSRF attacks and other threats. Essential.

Kalyos does not use advertising cookies, cross-site behavioural tracking, or third-party cookies for targeted advertising.

If we use a traffic analytics tool, it is configured in "privacy-first" mode (IP anonymisation, no sharing with third parties, hosted in the EU) and does not require prior consent under the CNIL (French Data Protection Authority) exemption for audience measurement tools.

You can manage your cookie preferences through your browser settings. Disabling strictly necessary cookies may affect the operation of the Service.

9. Your GDPR Rights

As a data subject whose personal data is being processed, the GDPR grants you the following rights, which you may exercise at any time with Kalyos:

Right of access (art. 15) Obtain confirmation that data concerning you is being processed and receive a copy of it.
Right to rectification (art. 16) Have inaccurate or incomplete data concerning you corrected.
Right to erasure (art. 17) Obtain the deletion of your data in the cases provided for by the GDPR (right to be forgotten).
Right to restriction (art. 18) Request the temporary suspension of the processing of your data in certain situations.
Right to data portability (art. 20) Receive your data in a structured, machine-readable format in order to transfer it to another service.
Right to object (art. 21) Object to the processing of your data based on legitimate interest, in particular for prospecting purposes.
Right to withdraw consent (art. 7) Withdraw your consent at any time for processing that depends on it (e.g. marketing communications).
Right to lodge a complaint (art. 77) File a complaint with the CNIL (French Data Protection Authority) (cnil.fr) if you believe your rights are not being respected.

To exercise these rights, contact us at privacy@kalyos.ai, specifying your identity and the nature of your request. We will respond within a maximum of one month (extendable to three months for complex requests, with prior notice).

Certain rights (in particular erasure) may be limited by our legal retention obligations (accounting, tax obligations, etc.).

10. Security

Kalyos implements appropriate technical and organisational measures to protect your personal data against loss, destruction, alteration, unauthorised disclosure, or unauthorised access:

  • Encryption of data in transit (TLS 1.2 minimum) and at rest.
  • Strong authentication for access to internal systems.
  • Access controls based on the principle of least privilege.
  • Logging and monitoring of access to sensitive data.
  • Security incident management process compliant with GDPR requirements (notification to the CNIL within 72 hours in the event of a breach likely to result in a high risk).
  • Regular staff awareness training on security best practices.

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, you will be informed as soon as possible in accordance with article 34 of the GDPR.

If you identify a security vulnerability, please report it to us responsibly at privacy@kalyos.ai.

11. Amendments

Kalyos may update this Privacy Policy to reflect changes in our practices, regulatory developments, or modifications to the Service. The date of the last update appears at the top of the page.

In the event of substantive changes affecting your rights or the way we process your data, you will be informed by email at least 15 days before the changes take effect. For minor changes (editorial clarifications, contact updates), only the update date will be revised.

We encourage you to consult this page regularly. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact and DPO

For any questions relating to this Privacy Policy, the exercise of your GDPR rights, or the management of your personal data, you may contact us:

  • By email: privacy@kalyos.ai
  • By post: OB2 (Kalyos), Attn: Data Protection Officer, 85 Chemin de la Fontaine, 01800 Villieu-Loyes-Mollon, France

Kalyos has appointed a Data Protection Officer (DPO). Any request relating to personal data protection should be addressed to privacy@kalyos.ai.

If your request is not handled to your satisfaction, you may lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL — French Data Protection Authority):

  • Online: cnil.fr/fr/plaintes
  • By post: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France