Privacy Policy
Last updated: June 29, 2026
Introduction
At Kyora International, we take the protection of your personal data very seriously. This privacy policy explains how we collect, use, share, and protect your information when you use our platform.
Data controller: Anthony Carayon, Entrepreneur individuel (micro-entreprise), trading as Kyora International, 66, Avenue des Champs-Élysées, 75008 Paris, France. Contact: contact@kyora-international.com — +33 6 72 49 45 05.
Our commitment: Kyora never sells your personal data to third parties for marketing purposes. Your contact details are shared with a real estate agent only when you voluntarily initiate first contact through the platform (strong signal) — creating a Kyora Introduction — or when the agent reveals your identity in their CRM after such an Introduction, within their monthly reveal quota.
Data collected
When you register and use Kyora, we collect the following information:
Identification data
- First and last name
- Email address
- Phone number (required) – used to connect you with agents and, where applicable, for account verification
Usage data
- Investment preferences and goals
- Custom scanners and filters you create
- Watchlists (tracked properties)
- Listing view history (weak signal — audit only, no contact sharing)
- Outbound contact signals (WhatsApp, email, phone, Telegram clicks) and expressed interest, recorded for evidentiary purposes
- Navigation data on the public site (pages visited, duration, clicks), subject to your cookie consent for analytics trackers
Payment data
Payments (agent subscriptions, commissions) are processed by Stripe. Kyora does not store full credit card numbers.
Why is a phone number required?
Your phone number allows us to:
- Enable introductions when you voluntarily initiate first contact through the platform (Kyora Introduction)
- Allow the agent to contact you after revealing your details in their CRM, within an existing Introduction
Use of data
We use your personal data for the following purposes:
- Personalize your experience: recommendations based on your preferences
- Improve matching: connect the right investors with the right agents
- Secure your account: authentication, fraud detection, session management
- Statistical analysis: measure public site performance (aggregated or anonymized data where possible)
- Communication: notify you of new listings matching your criteria, send transactional emails
- Billing: manage subscriptions and commissions via Stripe
Transparency: Kyora does not use your data for external targeted advertising. All recommendations are generated internally to improve your investment experience.
Legal bases and retention
Under the GDPR, each processing activity relies on a legal basis and a proportionate retention period:
| Purpose | Legal basis | Indicative retention |
|---|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b) GDPR) | Account lifetime + 3 years after closure |
| Connecting you with an agent (Kyora Introduction and CRM reveal) | Contract / pre-contractual steps | Account lifetime + 3 years after file closure |
| Evidentiary audit log (audit_events) | Contract performance and legitimate interest (circumvention prevention) | 3 years after introduction file closure |
| Agent subscriptions and commissions (billing) | Contract and legal accounting obligation | 10 years (accounting records) |
| Transactional emails and alerts | Contract / legitimate interest | Account lifetime |
| Marketing newsletter | Consent (Art. 6(1)(a)) | Until consent is withdrawn |
| General security and technical logs | Legitimate interest | Up to 12 months unless legally required longer |
| Audience statistics (public site) | Cookie consent | Up to 13 months (trackers) |
| Support and AI features (Gemini) | Legitimate interest / contract depending on use case | As long as needed for processing, no marketing resale |
Sub-processors
We use the following providers to operate the platform:
- Google Firebase / Google Cloud — authentication, database (Firestore), file storage
- Vercel Inc. — hosting, performance metrics (Analytics, Speed Insights)
- Stripe, Inc. — online payments
- Resend — transactional email delivery
- Sentry — application error monitoring (session replay not enabled by default)
- Microsoft Clarity — heatmaps on the public site (with consent)
- Umami — audience measurement (with consent)
- Google Analytics 4 — traffic statistics (with consent, if enabled)
- Google Gemini (Google Cloud) — drafting assistance and internal AI features, without resale of your data
Each sub-processor is selected for its security compliance. Where data is processed outside the European Union, Kyora relies on appropriate safeguards (standard contractual clauses, data processing agreements — DPAs) maintained internally and reviewed periodically.
Data security
Kyora implements technical and organizational measures to protect your data:
- Encryption: your data is encrypted in transit (HTTPS/TLS) and at rest with our hosting providers
- Authentication: email and password login, secure sessions via HttpOnly cookies
- Restricted access: only authorized personnel can access sensitive data
- Continuous monitoring: detection and prevention of unauthorized access attempts
- Regular audits: security testing and protocol updates
Introduction proof and audit log
A Kyora Introduction is created when an identified investor voluntarily initiates first contact with an agent through a communication channel offered by the platform (WhatsApp, email, phone, Telegram, or any equivalent means). This Introduction is the timestamped record of that introduction and may support commission obligations owed to Kyora under the applicable contract terms.
Data recorded (audit_events)
For this purpose, Kyora records server-side events in an append-only log separate from the agent CRM, including in particular: server timestamp, account and Introduction identifiers (e.g. KYR-XXXXXXXX), action type (outbound contact, expressed interest, CRM status change, sale declaration, etc.), IP address, user-agent, and a SHA-256 integrity hash computed server-side only. These records cannot be modified from the user interface.
Weak signals (no contact sharing)
Certain actions (listing view, watchlist add, agent profile view) generate audit events for statistical or supplementary evidentiary purposes only. They do not create a Kyora Introduction and do not trigger transmission of your contact details.
Legal basis: contract performance and Kyora's legitimate interest in preventing commission circumvention and establishing proof in disputes. Recommended retention: three (3) years after closure of the relevant introduction file or commercial relationship.
Retention period
We retain your data for as long as your account is active, then for the period required by legal obligations (accounting, disputes). Audit logs related to Kyora Introductions are kept for up to three (3) years after the relevant file is closed. Other technical logs and analytics data are kept for limited periods according to each tool's policies.
International transfers
Some sub-processors (Firebase, Vercel, Stripe, Microsoft, Google) may process data outside the European Union, including in the United States. These transfers are governed by appropriate safeguards (EU Standard Contractual Clauses, supplementary security measures).
Your rights
Under the GDPR and applicable regulations, you have the following rights:
- Right of access: view the data we hold about you
- Right to rectification: correct your personal information
- Right to erasure: request deletion of your data
- Right to portability: receive your data in a structured format
- Right to object: object to processing of your data
- Right to restriction: request limitation of processing
To exercise these rights, contact us at contact@kyora-international.com. You may also lodge a complaint with the CNIL (www.cnil.fr).
Contact us
For any questions about this privacy policy or the processing of your data:
Email: contact@kyora-international.com
Address: 66, Avenue des Champs-Élysées, 75008 Paris, France