As of: March 27, 2026


1. Controller

Kaino GmbH
Grabenweg 68, 4th Floor E5_2
6020 Innsbruck, Austria

VAT ID: ATU77867578
Commercial Register No.: 573644w

Phone: +43 512 411012
Email: aegis@kaino.io
Website: https://kaino.io

Authorized Managing Directors: Pius Fischer, Florian Köllich

Data Protection Officer: Not appointed. Kaino GmbH's core business activity consists of anonymizing personal data, not of the extensive processing of special categories of data (Art. 9 GDPR) or the systematic monitoring of individuals. Therefore, the conditions of Art. 37 para. 1 GDPR are not met.


2. Scope

This privacy policy applies to the Chrome extension Aegis by Kaino GmbH, the associated API at aegis.kaino.io, and the demo function ("Try It") on the Aegis product page (Section 3.4). It provides information, pursuant to Art. 13 and 14 GDPR, about the personal data processed.

Aegis identifies and anonymizes personal data in documents before they are transmitted to AI chat platforms (such as ChatGPT, Claude, or Gemini). The transmission of anonymized data to the respective platform is exclusively initiated by an active action of the user — Aegis only performs the anonymization.


3. Data Processing by Plan

3.1 Aegis FREE

In the FREE plan, no data collection or processing by Kaino GmbH takes place. All processing occurs exclusively locally in the user's browser. No data is transmitted to Kaino GmbH servers or third parties.

Data processed locally in the browser (without access by Kaino GmbH):

  • Document content (supported file formats can be found on the Aegis product page)
  • Recognized personal data (names, email addresses, phone numbers, dates of birth, addresses)
  • Mapping table (placeholder ↔ original data), stored locally (automatic deletion after 30 days)

In the FREE plan, Kaino GmbH is neither a controller (Art. 4 No. 7 GDPR) nor a processor (Art. 4 No. 8 GDPR) for the locally processed data, as Kaino GmbH never has access to this data, does not receive it, and does not decide on the purposes of processing. The extension merely provides the user with a software tool for local use — comparable to a word processor or PDF reader. The user is solely responsible for the processing of personal data within the scope of local use and for compliance with the GDPR in relation to this data.

No usage tracking takes place.


3.2 Aegis PLUS and Aegis PRO

For both plans, document contents are transmitted encrypted (HTTPS) to Kaino GmbH. AI-assisted anonymization is performed on EU infrastructure via the sub-processors OVHCloud SAS (France) and Scaleway SAS (France). Data processing is identical — the plans differ in usage limits and feature scope.

Supported file formats can be viewed on the Aegis product page. Image files are transmitted as binary data to aegis.kaino.io. Embedded metadata is removed server-side. OCR (Optical Character Recognition) processing is performed server-side to extract text from scanned documents and images.

Data flow:

  1. Document is read into the browser as a binary file
  2. The complete file is transmitted via HTTPS to aegis.kaino.io
  3. Kaino GmbH performs server-side, rules-based pre-processing in which already detected personal data is replaced with placeholders (data minimization).
  4. The pre-processed file is anonymized using AI on EU infrastructure (Hetzner, Germany; OVHCloud, France; Scaleway, France) — for image files, embedded metadata is removed beforehand and OCR processing is performed.
  5. Anonymized text and placeholder mapping are returned; file name, file type, and document content are processed exclusively in RAM and are not logged or stored server-side

Additionally processed data:

Processing Activity | Data | Legal Basis
Product Key Issuance | Email address, name, company name — stored encrypted (Encryption-at-Rest) | Art. 6 para. 1 lit. b GDPR (Contract performance)
Subscription Management | Subscription status, usage statistics (number of processed documents) | Art. 6 para. 1 lit. b GDPR (Contract performance)
Subscription validation | Daily check of subscription status via aegis.kaino.io | Art. 6 para. 1 lit. b GDPR (performance of contract)
Payment Processing | Email address, payment information (via Stripe as an independent controller) | Art. 6 para. 1 lit. b GDPR (Contract performance)
Document Anonymization | Document content (text or binary file), file name, file type | Art. 6 para. 1 lit. b GDPR (contract performance — anonymization as a contractual service to the user). For third-party data in documents: see Section 5.
API Communication | Browser language | Art. 6 para. 1 lit. b GDPR (Contract performance — communication with the user in their preferred language)
Server Access Logs | IP address, timestamp, user agent, requested URL, HTTP status code, browser language | Art. 6 para. 1 lit. f GDPR (legitimate interest: operational security and troubleshooting)

Kaino GmbH does not store document contents after processing. Document contents are processed exclusively by the processors mentioned in Section 7 within the EU — no transfer to other third parties takes place.

Legal Basis: Art. 6 para. 1 lit. b GDPR (contract performance), Art. 6 para. 1 lit. c GDPR (legal obligation — tax and commercial retention obligations according to § 132 BAO, § 212 UGB), Art. 6 para. 1 lit. f GDPR (legitimate interest: server access logs).

The processing of third-party data in documents is carried out within the framework of commissioned processing in accordance with Art. 28 GDPR (see Section 5). The details are regulated in the Data Processing Agreement (DPA), which comes into effect upon subscription.

Balancing of interests for server access logs (Art. 6 para. 1 lit. f GDPR): The legitimate interest of Kaino GmbH in processing server access logs (IP address, timestamp, user agent, requested URL, HTTP status code, browser language) consists of ensuring IT security, detecting and preventing attacks and misuse, troubleshooting and ensuring system availability, and legal prosecution in case of unauthorized access. The storage period is limited to 30 days. The interests of the data subjects are protected by the short storage period and the exclusively security-related use. A right to object exists according to Art. 21 GDPR (see Section 10).


3.3 Aegis ENTERPRISE

ENTERPRISE is an individually agreed-upon solution. By default, Kaino GmbH offers self-hosted AI on servers in Germany. Customers may also use other services depending on the agreement — in this case, the data protection provisions of the respective service apply.

Features (self-hosted version):

  • AI processing on German servers operated by Kaino GmbH
  • Zero-retention
  • No data sharing with third parties
  • Processor Agreement (DPA) according to Art. 28 GDPR
  • Development considering the transparency and documentation requirements of the AI Regulation (EU) 2024/1689

The Data Processing Agreement (DPA) serves as the basis. Supplementary or deviating conditions are agreed upon individually.

Legal basis: Art. 6 para. 1 lit. b GDPR (performance of contract), Art. 28 GDPR (DPA).


3.4 Website Demo ("Try It")

On the Aegis product page, visitors can test the AI-powered document anonymization free of charge. Uploaded documents are processed using the same infrastructure and technical measures as in the PLUS/PRO plan (Section 3.2).

Roles: The visitor who uploads a document via the demo is the controller (Art. 4 No. 7 GDPR) for the personal data contained in their document. Kaino GmbH processes this data as a processor (Art. 28 GDPR). By using the demo, the visitor accepts the data processing agreement (DPA), which applies for the duration of the respective processing.

Data flow:

  1. The visitor uploads a document via the Aegis product page
  2. The file is transmitted via HTTPS to the web server (Raidboxes GmbH, Germany)
  3. The web server forwards the file via HTTPS to aegis.kaino.io
  4. AI-assisted anonymization is performed on EU infrastructure (Hetzner, Germany; OVHCloud, France; Scaleway, France).
  5. Only a preview of the anonymized text is returned to the visitor — the complete anonymized document is not provided
  6. Document contents are not stored after processing (transient processing in RAM)

Supported File Formats: Identical to PLUS/PRO (see Aegis product page).

Rate Limiting: The demo is limited to 5 uses per IP address per day. To enforce this, the visitor's IP address is stored as a salted hash (SHA-256) in a temporary counter (valid for 24 hours).

Processed data:

Processing Activity | Data | Legal Basis
Document Anonymization (Demo) | Document content (text or binary file), file name, file type | Art. 6 para. 1 lit. b GDPR (performance of contract — anonymization as a contractual service to the user). For third-party data in documents: see below.
Usage Limitation | IP address (hashed with salt), counter | Art. 6 para. 1 lit. f GDPR (legitimate interest: abuse prevention)
Server Access Logs | IP address, timestamp, user agent, requested URL, HTTP status code, browser language | Art. 6 para. 1 lit. f GDPR (legitimate interest: operational security)

Personal data of third parties in documents: As the controller, the visitor is responsible for ensuring that they have an appropriate legal basis for transmitting documents containing personal data of third parties (e.g., Art. 6 para. 1 lit. f GDPR — legitimate interest in anonymization). Kaino GmbH processes such data exclusively as a processor on behalf of the visitor for the purpose of anonymization. Details are regulated in the DPA.

Storage duration: Document contents are not stored after processing. Data for rate limiting (hashed IP address) is automatically deleted after 24 hours. Server access logs are stored for 30 days.


4. Additional Features

Download Restoration: When downloading files from supported AI chat platforms, placeholders are automatically replaced with original data. The extension monitors download processes on the respective platform pages and replaces recognized placeholders in the downloaded text. This processing occurs exclusively locally in the browser.

Clipboard Restoration: When copying text from responses on supported AI chat platforms, placeholders in the clipboard are automatically replaced with original data. For this purpose, the extension registers an event listener for copy events within the respective platform page. This processing occurs exclusively locally in the browser.

Placeholder View: Overview page for viewing the mapping of placeholders ↔ original data. Stored locally, accessible only within the extension.

Legal basis for all local functions: Art. 6 para. 1 lit. b GDPR (performance of contract).


5. Processing of Third-Party Data in Documents (Art. 14 GDPR)

Documents that users process via Aegis may contain personal data of third parties (e.g., employees, customers, patients, business partners).

Roles:

  • The user is the controller (Art. 4 No. 7 GDPR) for the personal data of third parties contained in their documents.
  • Kaino GmbH processes this data exclusively as a processor (Art. 28 GDPR) on behalf of the user for the purpose of anonymization. The details are regulated in the Data Processing Agreement (DPA).

Note to Users: As the controller, you bear sole responsibility for having an appropriate legal basis for processing third-party personal data (e.g., legitimate interest, consent, or contractual basis). This includes, in particular, the obligation to independently check the admissibility of processing before transmitting it to Aegis and to assess the risks for affected third parties. As the controller, you are obliged to inform affected third parties about the processing in accordance with Art. 14 GDPR, unless an exception under Art. 14 para. 5 GDPR applies. Kaino GmbH is not liable for unlawful transmission of documents by the user. Insofar as documents contain special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g., health data, data on religious beliefs), the user is responsible for ensuring that an exception under Art. 9 para. 2 GDPR exists. Further details are regulated in the Data Processing Agreement (DPA), § 3.1.

Art. 14 para. 5 lit. b GDPR: Insofar as Kaino GmbH processes third-party data as a processor, direct information of the affected third parties by Kaino GmbH is not possible, as Kaino GmbH has neither knowledge of the identity of the affected individuals nor their contact details. The obligation to inform affected third parties lies with the user as the controller.


6. Obligation to Provide Data (Art. 13 para. 2 lit. e GDPR)

Aegis FREE: No personal data is required for use. All processing takes place locally.

Paid Plans (PLUS, PRO, ENTERPRISE): The provision of name, company name, email address, and payment information is a contractual prerequisite for use. Without this data, no subscription can be concluded.

Document Processing: Uploading documents is voluntary. Aegis only becomes active if the user uploads a file for anonymization on a supported AI chat platform.


7. Processors and Other Recipients

OVHCloud (AI Processing — PLUS, PRO, and Demo)

AI-powered document anonymization and OCR processing.

  • OVHCloud SAS, Roubaix, France
  • Purpose: Sub-processor for AI-powered anonymization and OCR processing of document content
  • Server location: EU (France)
  • DPA concluded according to Art. 28 GDPR
  • Zero Data Retention: Document content is not stored by OVHCloud after processing (transient processing in RAM)
  • Transmitted document content is not used by OVHCloud for training or improving AI models
  • Data Minimization: Before transmission for AI processing, Kaino GmbH performs server-side rule-based pre-processing, where already recognized personal data is replaced by placeholders. The content transmitted for AI processing is therefore already partially anonymized.
  • Data Protection: ovhcloud.com/de/personal-data-protection

Scaleway (AI processing — PLUS, PRO and demo)

AI-powered document anonymization and OCR processing.

  • Scaleway SAS, Paris, France
  • Purpose: Sub-processor for AI-powered anonymization and OCR processing of document content
  • Server location: EU (France)
  • DPA concluded according to Art. 28 GDPR
  • Zero Data Retention: Document contents are not stored by Scaleway after processing (transient in-memory processing).
  • Transmitted document contents are not used by Scaleway to train or improve AI models.
  • Data Minimization: Before transmission for AI processing, Kaino GmbH performs server-side rule-based pre-processing, where already recognized personal data is replaced by placeholders. The content transmitted for AI processing is therefore already partially anonymized.
  • Privacy: scaleway.com/en/privacy-policy

Hetzner Online (Infrastructure — PLUS, PRO, ENTERPRISE, and Demo)

Hosting of Kaino servers and API infrastructure.

  • Hetzner Online GmbH, Gunzenhausen, Germany
  • Purpose: Server hosting and infrastructure for aegis.kaino.io
  • Server location: Germany
  • DPA concluded according to Art. 28 GDPR
  • Privacy: hetzner.com/de/legal/privacy-policy

Raidboxes GmbH (Website Hosting — Demo)

Hosting of the Aegis product page including the demo function.

  • Raidboxes GmbH, Münster, Germany
  • Purpose: Website hosting and processing of demo document uploads
  • Server location: Germany
  • DPA concluded according to Art. 28 GDPR
  • Data protection: raidboxes.io/datenschutzerklaerung

Stripe (Paid Plans) — Independent Controller

Payment processing via Stripe Checkout and Stripe Billing Portal. The user is redirected to Stripe's hosted checkout page for payment processing and enters their payment data directly with Stripe there. Stripe processes this data under its own data protection responsibility in accordance with Art. 4 No. 7 GDPR — not as a processor for Kaino GmbH. Only billing data is transmitted to Stripe; document content is never passed on to Stripe.

  • Stripe Payments Europe, Ltd., Dublin, Ireland
  • Processed data: Payment information, email address, billing data
  • Kaino GmbH has no access to full credit card data
  • Legal basis for transmission to Stripe: Art. 6 para. 1 lit. b GDPR (contract performance — payment processing)
  • Privacy: stripe.com/de/privacy

Tax Advisor (Paid Plans) — Independent Controller

To fulfill tax and commercial retention obligations (§ 132 BAO, § 212 UGB), billing data is passed on to Kaino GmbH's tax advisor. The tax advisor processes the data under their own data protection responsibility (Art. 4 No. 7 GDPR) and is subject to professional confidentiality (§ 80 WTBG).

  • Purpose: Accounting and tax retention
  • Data transferred: Name, company name, email address, billing data
  • Retention period: 7 years according to § 132 BAO, § 212 UGB
  • Legal basis: Art. 6 para. 1 lit. c GDPR (legal obligation)

Hetzner Online GmbH, OVHCloud SAS, Scaleway SAS and Raidboxes GmbH are contractually bound as processors in accordance with Art. 28 GDPR. Stripe Payments Europe, Ltd. processes payment data as an independent controller. The tax advisor processes billing data as an independent controller to comply with statutory retention obligations. Personal data is not disclosed to third parties beyond this unless required to fulfill legal obligations (Art. 6(1)(c) GDPR).


8. Data Transfer to Third Countries

FREE: No data transfer. All processing takes place locally in the browser.

PLUS and PRO: All document data is processed exclusively within the EU (Hetzner, Germany; OVHCloud, France; Scaleway, France). No document contents are transferred to third countries.

ENTERPRISE (Self-Hosted): Processing exclusively in Germany.

Stripe: Stripe Payments Europe, Ltd. (Ireland) processes billing data exclusively as an independent controller within the EU. Document content is never transmitted to Stripe. Stripe may transmit billing data to affiliated companies in the USA (Stripe, Inc.), secured by the European Commission's adequacy decision for the EU-US Data Privacy Framework (Art. 45 GDPR) and additionally by Standard Contractual Clauses in accordance with Art. 46 para. 2 lit. c GDPR. Further information can be found in Stripe's Privacy Policy.


9. Storage Duration

Data Category | Storage Period | Storage Location
Mapping Table (Placeholders ↔ Original Data) | Automatic deletion after 30 days or manual deletion by the user | Local Browser Storage
Product Key (API Key) | Until uninstallation or manual deletion | Chrome Extension Storage
Email Address, Name, Company Name | Until termination of the subscription; irreversible anonymization at Kaino GmbH within 30 days after termination. Tax-relevant billing data is retained by the tax advisor for 7 years (§ 132 BAO, § 212 UGB) and by Stripe as an independent controller according to its retention obligations (see Section 7). | Kaino GmbH (encrypted, Encryption-at-Rest)
Subscription Status | For the duration of the subscription; anonymization together with customer master data within 30 days after termination | Kaino GmbH Server (Hetzner, DE)
Usage Statistics (Number of Processed Documents) | For the duration of the subscription. After termination, customer master data is irreversibly anonymized (see above). The remaining usage statistics contain exclusively aggregated counters (number of documents, number of recognized categories per processing) without personal reference and do not constitute personal data within the meaning of Art. 4 No. 1 GDPR (cf. Recital 26). | Kaino GmbH Server (Hetzner, DE)
Document Content (Kaino) | No storage after processing | Kaino GmbH Server
Usage Limitation Demo (Hashed IP Address) | 24 hours (automatic deletion) | Website Server (Raidboxes, DE)
Server Access Logs | 30 days | Kaino GmbH Server (Hetzner, DE)
Payment Data | Stripe processes payment data as an independent controller; the storage period is determined by Stripe's Privacy Policy | Stripe Payments Europe, Ltd.

Upon uninstallation of the extension, all locally stored data is automatically deleted by Chrome.


10. Your Rights (Art. 15–22 GDPR)

You have the following rights regarding your personal data vis-à-vis Kaino GmbH:

  • Right of Access (Art. 15): Information about processed data
  • Right to Rectification (Art. 16): Correction of inaccurate data
  • Right to Erasure (Art. 17): Deletion of your data. Local data can be deleted at any time via the extension or by uninstallation.
  • Right to Restriction of Processing (Art. 18): Restriction of processing
  • Right to Data Portability (Art. 20): Right to data portability

Requests will be answered without undue delay, and in any case within one month of receipt (Art. 12 para. 3 GDPR). In complex cases, the deadline may be extended by a further two months, of which you will be informed within the first month.

Data processing by Aegis is based exclusively on Art. 6 para. 1 lit. b GDPR (performance of contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest). Consent is not obtained; therefore, there is no right of withdrawal according to Art. 7 para. 3 GDPR.

Right to object (Art. 21 GDPR)

Insofar as Kaino GmbH processes personal data on the basis of a legitimate interest (Art. 6 para. 1 lit. f GDPR) — this exclusively concerns server access logs — you have the right to object to this processing at any time for reasons arising from your particular situation.

In the event of an objection, Kaino GmbH will no longer process the data concerned, unless there are compelling legitimate grounds that override your interests, or the processing serves the assertion, exercise, or defense of legal claims. The use of paid Aegis services is voluntary — you can stop using them or cancel your subscription at any time.

Contact for all inquiries and objections: aegis@kaino.io

Right to lodge a complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority. You can contact the supervisory authority of your place of residence, your workplace, or the place of the alleged infringement.

Competent Authority of the Controller:
Austrian Data Protection Authority
Barichgasse 40–42, 1030 Vienna
dsb@dsb.gv.at · https://www.dsb.gv.at

A list of all EU data protection supervisory authorities can be found at: edpb.europa.eu/about-edpb/about-edpb/members


11. Automated Decision-Making (Art. 22 GDPR)

No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place. Anonymization does not constitute a decision with legal effect, as it does not evaluate personal aspects of the data subjects, but exclusively serves pattern recognition for data protection improvement.


12. Data Security

  • All data transfers via HTTPS/TLS
  • API access only with a valid product key
  • Customer master data (email address, name, company name) stored encrypted (Encryption-at-Rest)
  • Document processing exclusively on EU infrastructure (Hetzner, Germany; OVHCloud, France; Scaleway, France)
  • No storage of document content after processing (transient processing in RAM)

A detailed description of the technical and organizational measures in accordance with Art. 32 GDPR is documented in the Data Processing Agreement (DPA), Annex 1.

Kaino GmbH does not permanently store document content — processing takes place exclusively via the infrastructure of the processors mentioned in Section 7. For the technical and organizational measures of the infrastructure providers, we refer to their data protection and security documentation:


13. Cookies and Tracking

The extension does not use cookies or usage tracking.


14. No Sale of Personal Data

Personal data is neither sold by Kaino GmbH nor passed on to third parties for remuneration.


15. Changes

This privacy policy may be adjusted as needed. Changes that significantly affect data processing will be announced by email at least 30 days before they come into effect and will be published in advance at https://kaino.io/aegis/privacy.


16. Chrome Web Store — Limited Use

The use of information received from Google APIs complies with the Chrome Web Store User Data Policy, including the Limited Use requirements.

The extension:

  • uses data exclusively for the stated purpose (anonymization of personal data)
  • transmits document contents exclusively to contractually bound processors within the EU (PLUS/PRO: AI analysis via OVHCloud SAS and Scaleway SAS on EU infrastructure)
  • does not use data for advertising purposes
  • does not sell user data
  • does not allow human access to user data, except with explicit consent, for security reasons, or to comply with legal regulations