Legal

Privacy Policy

Last updated: April 10, 2026

This Privacy Policy explains how Keiki Studio collects, uses, and protects your personal data when you use Corexi. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and applicable Spanish and EU data protection laws.

1. Data Controller

Keiki Studio ("we", "us", "our") is the data controller responsible for your personal data processed through Corexi.

Keiki Studio
Passeig de Gràcia, 17b
L'Eixample, 08007 Barcelona, Spain
Contact: hola@keiki.studio

2. What Data We Collect

We collect the following categories of personal data:

• Account data: name, email address, and authentication credentials when you create an account.
• Product scan data: URLs you submit for analysis, screenshots captured during scans, and AI-generated findings and scores.
• Analytics data: data from third-party analytics tools you connect (e.g., GA4, Mixpanel, Amplitude, Clarity, Firebase) to enrich scan results. We only access data you explicitly authorize.
• Usage data: pages visited, features used, timestamps, browser type, device information, and IP address.
• Billing data: payment method details are processed by Stripe and are not stored on our servers.
• Communication data: messages you send through our contact form or email.

3. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR:

• Contract performance (Art. 6(1)(b)): to provide the Corexi service, run scans, generate reports, and manage your account.
• Legitimate interest (Art. 6(1)(f)): to improve our service, prevent fraud, and ensure security.
• Consent (Art. 6(1)(a)): for optional analytics cookies and marketing communications. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): to comply with applicable laws, such as tax and accounting requirements.

4. How We Use Your Data

We use your data to:

• Provide, maintain, and improve the Corexi service.
• Run AI-powered product experience scans and generate PX Scores.
• Send transactional emails (account confirmations, scan results, billing receipts).
• Respond to your inquiries and support requests.
• Analyze usage patterns to improve features and user experience.
• Detect and prevent fraudulent or abusive activity.
• Comply with legal obligations.

5. Third-Party Processors

We use the following third-party processors to deliver our service:

• Supabase (database and authentication) — EU/US
• Anthropic / OpenAI (AI analysis engine) — US
• Stripe (payment processing) — US, PCI DSS compliant
• SendGrid (transactional email) — US
• Vercel (hosting and CDN) — Global

All processors are bound by data processing agreements. Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the service.

• Account data: retained until you delete your account.
• Scan data and reports: retained for 24 months after creation, then automatically deleted.
• Usage and analytics data: retained for 12 months in aggregated form.
• Billing records: retained for 7 years as required by Spanish tax law.

You may request earlier deletion at any time (see Your Rights below).

7. Your Rights

Under GDPR, you have the following rights:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate or incomplete data.
• Erasure: request deletion of your personal data ("right to be forgotten").
• Data portability: receive your data in a structured, machine-readable format.
• Restriction: request restriction of processing in certain circumstances.
• Objection: object to processing based on legitimate interest.
• Withdraw consent: withdraw consent for optional processing at any time.

To exercise any of these rights, contact us at hola@keiki.studio. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or your local supervisory authority.

8. Cookies

We use cookies and similar technologies to operate and improve Corexi. For full details, please see our Cookie Policy.

• Essential cookies: required for authentication and core functionality. Cannot be disabled.
• Analytics cookies: help us understand how Corexi is used. Enabled only with your consent.
• Preference cookies: remember your settings (e.g., language, theme). Enabled only with your consent.

9. International Data Transfers

Some of our processors operate outside the EU/EEA. When personal data is transferred internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions where applicable.
• Supplementary measures as needed based on transfer impact assessments.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption in transit (TLS) and at rest.
• Role-based access controls.
• Regular security reviews.
• Incident response procedures.

No system is 100% secure. If a data breach occurs that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice on our website at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact

For any questions about this Privacy Policy or your personal data:

Keiki Studio
Passeig de Gràcia, 17b
L'Eixample, 08007, Barcelona, Spain
Email: hola@keiki.studio