This Privacy Policy explains how KaneFilous Limited collects, uses, shares, and protects your personal data when you use the KF.Social website and the KF.Social mobile application. We are committed to protecting your privacy and being transparent about our data practices.
1. About This Policy
This Privacy Policy applies to the website kf.social and the KF.Social mobile application (together, the "Platform"). It describes what personal data we collect, why we collect it, how we use it, and your rights regarding your data.
KaneFilous Limited is the data controller responsible for your personal data. If you have any questions about this policy or our data practices, you can contact us at privacy@kf.social.
2. Data Controller
The data controller for your personal data is:
- Company: KaneFilous Limited
- Address: Ground Floor, 71 Lower Baggot Street, Dublin, D02 P593, Ireland
- Company Registration: 680584
- Data Protection Officer:dpo@kf.social
3. What Data We Collect and Why
We collect different types of personal data depending on how you use the Platform. The table below describes each category, its purpose, and our legal basis for processing under the GDPR.
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Email address | Account login (one-time passcode), notifications | Contract |
| Full name / display name | Profile, marketplace identity | Contract |
| Date of birth | Age verification (16+), professional identity verification | Legal obligation |
| Gender | Profile (optional) | Consent |
| City, country | Profile, marketplace matching | Contract + Legitimate interest |
| Precise location (GPS) | Professional work start verification, approximately 10-metre accuracy | Legitimate interest |
| Photos and videos | Posts, profile, marketplace gallery, work completion evidence | Contract |
| Audio | Voice messages, video and voice calls | Contract |
| Payment information | Marketplace bookings, tokenised via Stripe (never stored directly on our servers) | Contract |
| Device information | Push notification tokens, crash reporting, device model, OS version, app version | Legitimate interest |
| User-generated content | Posts, comments, reviews, messages, booking descriptions | Contract |
| Social connections | Friends, blocked users, reported users | Contract |
| Online presence | "Last seen" indicator (can be hidden in Settings) | Legitimate interest |
| Professional business data | Trading name, phone number | Contract + Legal obligation |
| Identity verification status | Synced from Stripe Connect; we do not store identity documents | Contract + Legal obligation |
| Certification evidence | For regulated trades, verified by our team | Legal obligation + Legitimate interest |
| Usage analytics | Product interactions, anonymised UUID only, PII scrubbed | Legitimate interest |
| Crash reports | App stability monitoring, no PII collected | Legitimate interest |
| Referral data | Invited email addresses, invitation link clicks, signup attribution | Consent |
| Booking descriptions | Service request text sent to AI for analysis | Contract |
4. Third-Party Services
We share data with the following service providers to operate the Platform. Each provider processes data only for the purposes described and is subject to their standard data processing terms.
| Provider | Purpose | Data Region |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, email delivery, content delivery | EU (Frankfurt) |
| Stripe | Payment processing, professional payouts, invoicing | Global (EU-US DPF certified) |
| PostHog | Product analytics | EU-hosted (eu.i.posthog.com). EU-US DPF certified. |
| Sentry | Crash and error reporting | US-hosted. EU-US DPF certified. |
| OpenAI | AI-assisted booking analysis and service recommendations | US-hosted. EU-US DPF certified. |
| Google Cloud AI | Automated service risk assessment | Global. EU-US DPF certified. |
| Google Maps Platform | Location search and autocomplete | US. EU-US DPF certified. |
| Apple Push Notification service | Push notifications to iOS devices | Apple infrastructure |
We also use automated content safety technology for image and video moderation, hosted in the EU (Ireland).
5. International Data Transfers
Your data is primarily stored in the EU (Frankfurt, Germany). Some services process data outside the EU:
- AI-assisted booking analysis (OpenAI): Booking descriptions (not personal information) processed in the US
- AI service risk assessment (Google Cloud): Service descriptions and country processed via global endpoints
- Payment processing (Stripe): Processed on Stripe's global infrastructure
- Crash reporting (Sentry): Processed in the US
For all US-based processors, we rely on the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs) as the legal mechanism for data transfers.
6. Cookies and Local Storage
Web Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| COOKIE_SEEN | Records cookie consent | 365 days |
| darkMode | Display preference | 365 days |
| REMEMBERED_USERNAME | Login convenience | 1 year |
| kf-login-token | Authentication session | 7 days |
| PostHog cookies | Analytics (only after cookie consent) | Per PostHog defaults |
Web localStorage
PostHog analytics state is stored in localStorage only after cookie consent is given.
Mobile App
- iOS Keychain: Session tokens and credentials (encrypted, biometric-protected)
- Local database: Cached profiles, posts, friends, and bookings for offline access
- App preferences: Notification settings, display preferences
- Offline queue: Queued actions for retry when network is unavailable
7. Email Communications
We send transactional emails that are necessary for the operation of your account, including login codes, booking confirmations, and account notifications.
We also send engagement emails to keep you informed about activity on the Platform, such as friend requests, likes, comments, and messages.
You can manage your email preferences in Settings, where you have 10 individual category controls and a master toggle. Every engagement email includes an unsubscribe link.
We track whether emails we send you are delivered and opened to maintain our email service quality and manage delivery issues. Email engagement data (delivery status, open events) is retained for 180 days.
We do not sell or share your email address for marketing purposes.
8. Automated Decision-Making and AI
We use the following automated systems as part of the Platform:
1. Content Moderation (Images)
Uploaded images are automatically scanned for prohibited content. GPS and camera metadata is stripped from photos before processing. This process is fully automated. You can appeal any content moderation decision via our support process.
2. Content Moderation (Videos)
Uploaded videos are screened for prohibited content. High-confidence violations are removed automatically. Borderline cases are reviewed by a human moderator before action is taken.
3. Identity Verification
Professional identity verification is handled by our payment processor (Stripe) through their regulated KYC process. For regulated trades, we additionally verify professional certifications against official registers. We store verification status, not identity documents.
4. Feed
The social feed is chronological. You can react to posts or use "show me less like this" to hide content you do not wish to see.
5. AI-Assisted Booking Analysis
When you create a booking, AI analyses your description to suggest relevant service categories, follow-up questions, and pricing context. Personal information is detected and blocked before AI processing.
6. Service Risk Classification
Professional services are classified by risk level. High-risk or regulated services may require additional verification before the professional can receive bookings.
7. Professional Rating Enforcement
Professionals whose average rating falls below 3.0 stars may be temporarily restricted from receiving new bookings.
If an automated decision affects your ability to use the Platform or earn income, you have the right to request a human review of that decision by contacting support@kf.social.
9. Referral and Invite Data
When you invite friends to KF.Social, we collect the email addresses you provide to send invitations on your behalf. We track whether invitations are accepted to credit referral rewards. Professional invitation tokens expire automatically after 72 hours.
10. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Type | Retention Period |
|---|---|
| User profile | 30 days after deletion request (grace period) |
| Transaction records | 7 years (tax and legal obligation) |
| Messages | 90 days after account deletion |
| Dispute records | 6 years |
| Communications history | 2 years |
| Name and handle change history | 24 months |
| Push notification tokens | Until app uninstall |
| Identity verification images | Temporary processing only |
| Analytics data | Per provider defaults |
| Invitation tokens | 72 hours |
| Email engagement data | 180 days |
| Email suppression list | Indefinite |
| Cookie consent | 365 days |
11. Your Rights
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data
- Right to data portability: Request your data in a structured, machine-readable format
- Right to restriction: Request that we limit how we process your data
- Right to object: Object to processing based on legitimate interest
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time
- Right to lodge a complaint: File a complaint with a supervisory authority
How to Exercise Your Rights
- Data export: Available in Settings
- Account deletion: Available in Settings (30-day grace period)
- Analytics opt-out: Contact privacy@kf.social
Supervisory Authority
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Irish Data Protection Commission:
- Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
- Phone: +353 1 765 0100
- Email:info@dataprotection.ie
12. Public Profile Data
Certain profile information is publicly visible on the Platform:
- Display name and username
- Profile photo
- Bio
- Verification status
- Post count
- User level
- Friend count
Privacy Controls
You can manage your visibility through the following privacy controls in Settings:
- Private posts: Create posts visible only to you
- Hide online presence: Turn off your "last seen" indicator
- Hide profile visitors: Prevent others from seeing that you visited their profile
- Disable read receipts: Turn off read receipts in messages
13. Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it, including:
- TLS 1.2+ required for all connections
- Certificate pinning on mobile
- Certificate transparency required
- iOS Keychain encryption for credentials
- Biometric app lock (Face ID / Touch ID, processed locally on your device)
- PII scrubbing on all analytics data
- Payment data handled by Stripe (never stored on our servers)
- Subresource integrity on web
- Input sanitisation (XSS prevention)
- Pre-signed URLs for file uploads
14. Children
The Platform is not intended for users under the age of 16. The professional marketplace requires users to be at least 18 years old. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@kf.social and we will take steps to delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- Material changes require 30 days advance notice via email
- Minor changes require 14 days notice
The current version number and effective date are always shown at the top of this page.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, you can reach us through the following channels:
- Privacy inquiries:privacy@kf.social
- Data Protection Officer:dpo@kf.social
- Security:security@kf.social
- General support:support@kf.social
- Postal address: KaneFilous Limited, Ground Floor, 71 Lower Baggot Street, Dublin, D02 P593, Ireland
This document is maintained by the Legal & Compliance Department of KaneFilous Limited (Company Registration 680584). Privacy Policy version 2.0.0, effective 17 April 2026.