Kantis — Privacy Policy
Last updated: April 2026
1. Who we are
Kantis ("Kantis," "we," "us," or "our") operates an AI-native compliance automation platform that helps B2B organisations achieve and maintain compliance with ISO 27001, UK GDPR, EU GDPR, SOC 2, and the EU AI Act. We provide automated evidence collection, AI-assisted policy generation, control mapping, and managed expert guidance.
Data controller contact details:
We Make Tech Ltd trading as Kantis
Company number: 16031474
Office 38, Area 1/1 60 Tottenham Court Road, Fitzrovia, London, United Kingdom, W1T 2EW
Email: support@getkantis.com
Web: https://getkantis.com
For all data protection enquiries, data subject rights requests, or complaints, please contact: support@getkantis.com
2. Scope of this Privacy Policy
2.1 This Privacy Policy explains how Kantis collects, uses, stores, shares, and protects personal data in connection with our website (https://getkantis.com), our Platform, and our Managed Services.
2.2 This Privacy Policy applies to the personal data of:
- Visitors to our website
- Prospective customers and business contacts
- Customers and their Authorised Users who access the Platform
- Individuals whose personal data is processed through the Platform on behalf of our customers (e.g., customer employees)
2.3 Our dual role — Data Controller and Data Processor. Kantis acts in two distinct capacities depending on the type of personal data involved:
| Role | Data Type | Description |
|---|---|---|
| Data Controller | Account data, marketing data, website usage data, communications data, billing data | We determine the purposes and means of processing this data for our own business purposes — managing customer relationships, operating and improving our Platform, marketing, and complying with legal obligations. |
| Data Processor | Customer employee data, infrastructure configuration data, audit evidence containing personal data | We process this data on behalf of and under the instructions of our customers (who are the Data Controllers) solely to provide the Services. This processing is governed by our Terms of Service and, where applicable, a Data Processing Agreement (DPA). |
2.4 Where Kantis acts as a Data Processor, our customers are responsible for ensuring there is a lawful basis for the processing and for informing their own employees and data subjects about the processing. If you are an individual whose data has been processed by Kantis on behalf of one of our customers, please direct any data protection enquiries to that customer in the first instance.
2.5 This Privacy Policy is intended to comply with both the UK General Data Protection Regulation (the "UK GDPR," being the EU GDPR as retained in UK law by the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) and the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "EU GDPR"). Where we refer to "GDPR" without qualification, we mean both the UK GDPR and the EU GDPR as applicable.
3. What data we collect
We collect and process the following categories of personal data:
3.1 Account data (Controller)
When you register for the Platform or contact us, we collect:
- Full name
- Email address
- Company name
- Job title
This data is provided directly by you and is necessary for us to create and manage your account, communicate with you, and provide the Services.
3.2 Usage data (Controller)
We automatically collect data about how you interact with the Platform, including:
- Platform interactions: pages visited, features used, buttons clicked, time spent on pages
- Log data: IP address, browser type and version, operating system, device type, language preferences
- Performance data: page load times, errors encountered, session duration
This data helps us operate, maintain, and improve the Platform and to identify and resolve issues.
3.3 Infrastructure credentials and cloud configuration data (Processor)
To perform automated compliance checks and evidence collection, we may collect and process:
- Cloud provider access tokens (e.g., AWS, GCP, Azure access keys or OAuth tokens)
- API keys for third-party services integrated by the customer
- Cloud infrastructure configuration data (e.g., security group settings, IAM policies, encryption configurations, logging configurations)
This data is collected at the instruction of and on behalf of our customers to deliver the Services. Kantis acts as a Data Processor for this data. Access credentials are encrypted in transit and at rest, and are used only to perform read-only access to retrieve configuration metadata and evidence. We do not access the underlying data stored in customer cloud environments (e.g., database contents, storage bucket files) unless explicitly required to assess a specific compliance control and authorised by the customer.
3.4 Customer employee data (Processor)
As part of compliance control mapping (e.g., access control reviews, joiner/mover/leaver processes, security awareness training tracking for ISO 27001), we may process personal data about our customer's employees and contractors, including:
- Names and email addresses
- Job titles and roles
- Department and team information
- System access levels and permissions
- Security training completion status
- Employment start and end dates (relevant to access control lifecycle)
This data is provided to us by our customers or retrieved through authorised integrations with customer identity providers and HR systems. Kantis acts as a Data Processor for this data. We process it only to provide the Services and in accordance with our customer's instructions. Our customers are the Data Controllers and are responsible for providing notice to their employees and for establishing a lawful basis for the processing.
3.5 Audit evidence (Processor)
Customers may upload or the Platform may automatically collect audit evidence, including:
- Screenshots of system configurations
- Configuration exports and technical reports
- Policy documents and procedural documentation
- Access review records and approval logs
To the extent this evidence contains personal data, Kantis processes it as a Data Processor on behalf of the customer.
3.6 Communications data (Controller)
Through our Managed Services and general business interactions, we may collect:
- Email correspondence between Customer and Kantis personnel
- Meeting notes and summaries from advisory sessions
- Records of support requests and responses
We process this data as a Data Controller for the purposes of delivering the Services, maintaining records of advice given, and improving our service quality.
3.7 Billing data (Controller)
Payment processing is handled by our third-party payment processor, Stripe. Kantis does not directly collect, store, or process credit card numbers, bank account details, or other payment instrument data. We receive from Stripe only:
- Transaction records (amounts, dates, invoice numbers)
- Billing contact information (name, email, company)
- Payment status (successful, failed, refunded)
Stripe's processing of your payment data is governed by Stripe's Privacy Policy.
3.8 Marketing and website data (Controller)
If you visit our website, subscribe to our newsletter, or interact with our marketing content, we may collect:
- Contact information you provide (name, email, company)
- Cookie data and tracking information (see Section 12)
- Referral source data (how you found us)
4. How we use your data
We use personal data for the following purposes:
| Purpose | Data Categories | Legal Basis (see Section 5) |
|---|---|---|
| Providing and operating the Platform | Account data, usage data, infrastructure credentials, customer employee data, audit evidence | Contractual necessity (Art. 6(1)(b)) |
| Performing automated compliance checks and evidence collection | Infrastructure credentials, cloud configuration data, customer employee data | Contractual necessity (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) |
| Delivering Managed Services (advisory, audit preparation) | Account data, communications data, audit evidence | Contractual necessity (Art. 6(1)(b)) |
| Maintaining and improving the Platform | Usage data, aggregated performance data | Legitimate interests (Art. 6(1)(f)) |
| Customer support and communication | Account data, communications data | Contractual necessity (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) |
| Billing and payment administration | Account data, billing data | Contractual necessity (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) |
| Marketing and business development | Marketing and website data, account data | Consent (Art. 6(1)(a)); Legitimate interests (Art. 6(1)(f)) |
| Security monitoring and fraud prevention | Usage data, log data | Legitimate interests (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)) |
| Compliance with legal obligations (e.g., tax, regulatory) | Account data, billing data, communications data | Legal obligation (Art. 6(1)(c)) |
| Producing aggregated, anonymised analytics to improve the Services | Usage data, platform performance data | Legitimate interests (Art. 6(1)(f)) |
5. Legal bases for processing under UK GDPR and EU GDPR
We rely on the following legal bases under both the UK GDPR and the EU GDPR:
5.1 Contractual necessity (Article 6(1)(b)). We process personal data where it is necessary for the performance of a contract with you or your organisation, or to take steps at your request prior to entering into a contract. This applies to:
- Account creation and management
- Providing the Platform and Managed Services
- Processing infrastructure credentials and cloud configuration data to perform compliance checks on your behalf
- Processing customer employee data for compliance control mapping (e.g., access reviews, joiner/mover/leaver processes)
- Billing and payment processing
5.2 Legitimate interests (Article 6(1)(f)). We process personal data where it is necessary for our legitimate interests (or those of a third party) and those interests are not overridden by your rights and freedoms. We have conducted a balancing assessment for each of the following legitimate interests:
- Maintaining and improving the Platform: We analyse usage patterns and platform performance data to identify issues, develop new features, and improve the user experience. We consider this proportionate because we use only usage metadata and aggregated data, not individual customer content.
- Security and fraud prevention: We monitor for suspicious activity, potential threats, and unauthorised access to protect our Platform, our customers, and their data.
- Business communications: We process contact information to respond to enquiries, provide support, and maintain business relationships.
- Marketing to existing customers: We may send information about relevant products and services to existing customers (subject to your right to opt out at any time).
You have the right to object to processing based on legitimate interests. See Section 9 for details.
5.3 Consent (Article 6(1)(a)). Where required, we obtain your consent before processing personal data, particularly for:
- Marketing communications to prospective customers
- Non-essential cookies and tracking technologies
You may withdraw your consent at any time by contacting support@getkantis.com or using the unsubscribe mechanism in any marketing email. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
5.4 Legal obligation (Article 6(1)(c)). We process personal data where necessary to comply with a legal obligation to which we are subject, including tax reporting, regulatory requirements, and responding to lawful requests from authorities.
6. Data sharing and sub-processors
6.1 We do not sell personal data. We share personal data only in the circumstances described below.
6.2 Sub-processors. We use a limited number of third-party service providers ("Sub-processors") who process personal data on our behalf to support the delivery of the Services. Our Sub-processors include providers of:
- Cloud hosting and infrastructure (Vercel)
- Payment processing (Stripe)
- Analytics and product improvement (PostHog, Google Analytics, Vercel Analytics)
- Email and communications (Brevo, formerly Sendinblue)
- AI model providers (for AI-assisted features — see Section 6.5)
We maintain contracts with each Sub-processor that impose data protection obligations materially equivalent to those set out in this Privacy Policy and in accordance with Article 28 of the UK GDPR and EU GDPR. An up-to-date list of our Sub-processors is available on request by emailing support@getkantis.com. We will give customers at least 30 days' prior notice of any material change to our Sub-processor list and an opportunity to object, as set out in the DPA (see Section 11.2).
6.3 Professional advisers. We may share personal data with our legal, accounting, and other professional advisers where necessary for the provision of their services.
6.4 Law enforcement and regulators. We may disclose personal data where required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, the rights of others, or to prevent harm.
6.5 AI and machine learning. Certain features of the Platform use artificial intelligence and machine learning models. Where AI features process personal data:
- Customer Data (including infrastructure credentials and customer employee data) is not used to train general-purpose AI or machine learning models.
- We may use aggregated, anonymised usage data and Feedback (as defined in our Terms of Service) to improve our AI features.
- Where we use third-party AI model providers, such providers act as Sub-processors and are subject to the same data protection requirements described in Section 6.2.
6.6 Business transfers. In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, personal data may be transferred to the successor entity. We will notify you of any such transfer and any changes to the applicable privacy practices.
7. International data transfers
7.1 Kantis is based in the United Kingdom. Our customers are primarily located in the United Kingdom, the European Economic Area ("EEA"), and Japan.
7.2 UK to EEA transfers. The United Kingdom has recognised the EEA as providing an adequate level of data protection, and the European Commission has adopted an adequacy decision for the United Kingdom under Article 45 of the EU GDPR. Accordingly, transfers of personal data between the UK and EEA do not require additional safeguards.
7.3 Transfers to Japan. Both the European Commission and the United Kingdom have adopted adequacy decisions recognising Japan as providing an adequate level of data protection. Accordingly, transfers of personal data to Japan do not require additional safeguards beyond those provided under the adequacy framework.
7.4 Transfers outside the UK and EEA. Where we transfer personal data to countries outside the UK and EEA that have not been deemed to provide an adequate level of data protection, we implement appropriate safeguards in accordance with the UK GDPR and EU GDPR, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) of the EU GDPR
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office under Section 119A of the Data Protection Act 2018
- Supplementary measures where necessary, following a transfer impact assessment
7.5 Our primary infrastructure is hosted in Frankfurt, Germany (EU) and Tokyo, Japan. Personal data is not routinely transferred to countries outside the UK, EEA, or Japan.
8. Data retention
8.1 We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our specific retention periods are as follows:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of the customer relationship, plus 2 years after termination to allow for contract queries and re-engagement |
| Usage data and logs | 12 months from collection, then anonymised or deleted |
| Infrastructure credentials and cloud tokens | Duration of the active integration only. Credentials are deleted or revoked within 30 days of the customer disconnecting an integration or terminating the Services. |
| Customer employee data | Duration of the Services, plus 30 days post-termination to allow for data export. Deleted within 90 days of termination unless otherwise instructed by the customer. |
| Audit evidence | Duration of the Services, plus 30 days post-termination for data export. Deleted within 90 days of termination unless the customer requests earlier deletion or applicable law requires longer retention. |
| Communications data | 3 years from the date of communication, for record-keeping and quality assurance purposes |
| Billing data | 7 years from the date of the relevant transaction, as required by UK tax and accounting regulations |
| Marketing and website data | Until consent is withdrawn or the data is no longer needed, subject to a maximum of 2 years of inactivity |
8.2 When personal data is no longer required, we will securely delete or anonymise it. Where immediate deletion is not technically feasible (e.g., data in backup archives), we will isolate the data and protect it from further processing until deletion is possible.
9. Your rights under UK GDPR and EU GDPR
9.1 Under both the UK GDPR and the EU GDPR, you have the following rights in relation to your personal data (subject to certain conditions and exceptions):
Right of access (Article 15). You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data together with information about the processing.
Right to rectification (Article 16). You have the right to request correction of inaccurate personal data and completion of incomplete personal data.
Right to erasure (Article 17). You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where you object to processing and there are no overriding legitimate grounds.
Right to restriction of processing (Article 18). You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.
Right to data portability (Article 20). You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where the processing is based on consent or contractual necessity and is carried out by automated means.
Right to object (Article 21). You have the right to object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. You have an absolute right to object to processing for direct marketing purposes at any time.
Right to withdraw consent. Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Right not to be subject to automated decision-making (Article 22). You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Kantis does not currently make decisions based solely on automated processing that produce legal or similarly significant effects.
9.2 How to exercise your rights. To exercise any of these rights, please contact us at support@getkantis.com. We will respond to your request within one (1) month. In certain circumstances, we may extend this period by up to two (2) additional months, in which case we will inform you of the extension and the reasons for it. We may ask you to verify your identity before acting on your request.
9.3 Right to lodge a complaint. If you are not satisfied with our response to your data protection enquiry, or if you believe that we are processing your personal data in violation of applicable data protection law, you have the right to lodge a complaint with a supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Website: https://ico.org.uk. Telephone: 0303 123 1113.
- European Union: You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is available at https://edpb.europa.eu.
10. Security measures
10.1 We take the security of personal data seriously and implement appropriate technical and organisational measures to protect it from unauthorised access, loss, misuse, alteration, or destruction. Our security measures include:
- Encryption: All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent encryption. Infrastructure credentials and cloud tokens are subject to additional encryption and access controls.
- Access controls: Access to personal data is restricted to authorised Kantis personnel on a need-to-know basis. We enforce multi-factor authentication and least-privilege access principles.
- Infrastructure security: The Platform is hosted on secure cloud infrastructure in Frankfurt, Germany (EU) and Tokyo, Japan, with firewalls, intrusion detection, and regular vulnerability assessments.
- Monitoring and logging: We maintain audit logs of access to the Platform and Customer Data, and we monitor for suspicious activity.
- Employee obligations: All Kantis personnel with access to personal data are subject to contractual confidentiality obligations and receive data protection training.
- Incident response: We maintain an incident response plan and will notify affected customers and supervisory authorities of qualifying personal data breaches in accordance with Articles 33 and 34 of the UK GDPR and EU GDPR.
- Regular review: We regularly review and update our security measures in line with industry best practices and the requirements of ISO 27001.
10.2 While we implement strong security measures, no system is completely secure. We cannot guarantee the absolute security of personal data. If you become aware of any security vulnerability or incident affecting the Services, please contact us immediately at support@getkantis.com.
11. Data Processing Agreement
11.1 Where Kantis processes personal data on behalf of a customer as a Data Processor (as described in Section 2.3), the Kantis Data Processing Agreement ("DPA") applies and is incorporated into Kantis's Terms of Service by reference. It is deemed accepted by the customer upon first use of the Services. The DPA meets the requirements of Article 28 of the UK GDPR and EU GDPR.
11.2 The DPA covers, among other things:
- The subject matter, duration, nature, and purpose of the processing
- The types of personal data and categories of data subjects
- The obligations and rights of the Data Controller (customer) and Data Processor (Kantis)
- Sub-processor management, including 30-day prior notification of changes and objection rights
- Technical and organisational security measures (Schedule 2 of the DPA)
- Data subject rights assistance
- Security incident notification to Customer within 48 hours
- Data deletion or return upon termination
- Annual audit rights
11.3 Where Customer Data includes personal data of individuals located in the EEA, the DPA incorporates the EU Standard Contractual Clauses (Module 2: Controller to Processor). Where Customer Data includes personal data of individuals located in the United Kingdom, the DPA incorporates the UK International Data Transfer Addendum to the EU SCCs. See the full DPA for details.
12. Cookies and tracking technologies
12.1 Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and support our marketing efforts.
12.2 We use the following types of cookies:
- Strictly necessary cookies: Required for the website to function and cannot be disabled. These include session cookies and security cookies.
- Analytics cookies: Help us understand how visitors interact with our website by collecting information anonymously. We use PostHog and Google Analytics for this purpose. These cookies are only placed with your consent.
- Marketing cookies: Used to track visitors across websites to display relevant advertisements. These are only placed with your consent.
12.3 You can manage your cookie preferences through your browser settings or through the cookie consent banner displayed on the website. You may withdraw your consent at any time by clearing your browser cookies, after which the consent banner will reappear.
13. Children's data
The Services are not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.
14. Changes to this Privacy Policy
14.1 We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will post the updated Privacy Policy on our website and update the "Last updated" date at the top of this page.
14.2 Where changes are material, we will provide you with reasonable notice, such as by email or through a prominent notice on the Platform, before the changes take effect.
14.3 We encourage you to review this Privacy Policy periodically for any changes.
15. Contact us
If you have any questions about this Privacy Policy, our data practices, or wish to exercise your data protection rights, please contact us:
We Make Tech Ltd trading as Kantis
Company number: 16031474
Office 38, Area 1/1 60 Tottenham Court Road, Fitzrovia, London, United Kingdom, W1T 2EW
Email: support@getkantis.com
Web: https://getkantis.com
For complaints, you may also contact the UK Information Commissioner's Office (ICO) at https://ico.org.uk.
