Privacy Policy

2. Personal Data We Collect

We collect personal data that you and other users provide or that is generated through your use of Kenneth AI. This includes:

2.1. Account and Contact Information: When you register or contact us, we collect information such as your name, professional email address, phone number, job title, organisation name, and billing details. This is used to create and manage your account and subscriptions.

2.2. Case and Content Data: As an insolvency/restructuring platform, Kenneth AI allows you to upload and manage case-related documents and data. This may include financial records, legal documents, identification documents, and other information about companies or individuals involved in cases. You should only upload personal data that you are authorised to use. Any personal data contained in case files (e.g. details of debtors, creditors, employees, or other stakeholders) is collected as part of providing our services to you. We treat all such case data as confidential.

2.3. Communications: If you contact us via web forms (e.g. a contact or support form) or email, we will collect the information you provide, such as your name, contact details, and the content of your message. We use this to respond to inquiries and provide support.

2.4. Usage Data and Analytics: When you use our website or platform, we automatically collect certain technical data through cookies and similar technologies (see Clause 7 below). This includes your IP address, browser type, device information, pages or features used, login timestamps, and other usage logs. This data helps us secure the service, prevent fraud, and understand platform performance. We also gather analytics (e.g. page response times, user interactions) to improve our services. This information is generally collected in aggregate form, but may be considered personal data in some cases (for example, IP addresses are treated as personal data under GDPR).

2.5. We do not knowingly collect special categories of personal data about you (such as health, race, or biometric data) unless you choose to upload such information in case files. We also do not intentionally collect any data from children under 18, as our service is not for household or personal consumer use.

3. How We Use Personal Data (Purposes and Legal Bases)

We only use your personal data for specified, explicit, and legitimate purposes, and in accordance with a lawful basis under the UK GDPR. Below we explain the purposes for which we process data and the corresponding legal bases:

3.1. Providing and Improving the Service: We process personal data to operate Kenneth AI and deliver services you request, such as restructuring case management and AI-powered analysis. This includes hosting your data, running AI models on your inputs, and displaying results to you. The legal basis is “contractual necessity” – processing is necessary to perform our contract with you as a user of Kenneth AI (UK GDPR Article 6(1)(b)). We may also use aggregated or anonymised data to improve and develop our services; such processing is done under our legitimate interests to enhance our platform’s functionality (UK GDPR Article 6(1)(f)), ensuring no undue impact on your rights.

3.2. AI Processing (OpenAI Integration): Kenneth AI integrates AI models (provided by OpenAI) to assist with tasks like document analysis or summarisation. If you use these features, relevant portions of your data may be sent securely to our AI model provider solely for on-the-fly processing. To generate a response, we provide relevant, temporary context from your documents to the AI model. This process, often known as Retrieval-Augmented Generation (RAG), ensures the model uses your information for that single query only, without retaining it for future learning or training. According to OpenAI’s API terms, data submitted for processing is not used to train their models and is deleted from OpenAI’s systems within approximately 30 days. The AI processing is part of our service to you (contractual necessity), and we minimise the data shared to only what’s needed for the requested AI function (data minimisation principle).

3.3. Account Management and Support: We use your contact and account information to administer your account, authenticate you when you log in, provide customer support, send service notifications, and communicate about feature updates or security alerts. This is done to perform our contract with you (managing the service) and in some cases under our legitimate interest in ensuring customer satisfaction and proper service delivery (e.g. if responding to a support query you initiated).

3.4. Communications and Marketing: We may send you informational content about new features, industry insights, or events. Any email marketing to you will either be based on your consent (Article 6(1)(a)), or (for existing customers) our legitimate interest in promoting similar services you might find useful. You will always have the option to opt-out of marketing communications. Transactional or service-related communications (like billing notices, policy updates or security alerts) are not marketing – these are sent as part of our contract with you or to comply with legal obligations.

3.5. Legal Compliance and Protection: We process personal data as required to comply with laws and regulations applicable to our services (legal basis: compliance with a legal obligation, Article 6(1)(c)). For example, we may need to retain certain financial records for tax and accounting regulations, or verify identities to prevent fraud or money laundering where laws mandate it. We may also process data to exercise or defend legal claims. Additionally, we may process data under legitimate interests to enforce our terms of service, prevent misuse of Kenneth AI, ensure the security of our systems, and protect the rights or safety of our company, users, or others (Article 6(1)(f)). We only rely on legitimate interests when these are not overridden by individuals’ data protection rights.

3.6. Cookies and Analytics: As detailed below, we use cookies/trackers for site functionality and to analyse usage. Non-essential analytics cookies are only used with your consent (Article 6(1)(a)), whereas essential cookies (e.g. for login or load balancing) are used under legitimate interests or contract necessity.

3.7. We will not use your personal data for any purpose incompatible with the ones described above without asking for your permission. Importantly, we do not engage in any automated decision-making that produces legal or similarly significant effects on individuals (all AI outputs are reviewed or used at your discretion, and human oversight is involved in the process).

4. Cookies and Analytics

4.1. Like most online services, Kenneth AI uses cookies and similar tracking technologies to provide and improve our website and platform. Cookies are small text files placed on your device that help us remember your preferences and gather usage information. We use the following types of cookies:

4.2. Essential Cookies: These are necessary for our website and platform to function. For example, we set cookies to keep you logged in to your account, to route requests to the correct server, or to remember your cookie consent choices. Without these cookies, the service may not perform properly. The use of essential cookies is based on our legitimate interest in providing a functional service or on the necessity to perform the service you request.

4.3. Analytics and Performance Cookies: We use these cookies to collect information about how users interact with our website, such as which pages are visited, traffic metrics, and any error reports. This helps us understand and improve user experience. For instance, we might use a third-party analytics service (with data stored in the UK/EU) to get aggregate statistics. We do not collect personally identifying info through analytics cookies – IP addresses may be recorded, but we may anonymise or truncate them for analytics purposes where feasible. We will only set analytics cookies with your consent, in compliance with UK and EU law. On your first visit, you will be shown a cookie banner or settings tool to manage your cookie preferences. You can withdraw consent at any time by adjusting your browser settings or via our website’s cookie preference center.

4.4. For detailed information, please see our separate Cookie Policy which provides more specifics on the cookies in use. You can also manage and delete cookies through your browser settings. Note that if you disable certain cookies, some features of Kenneth AI may not work as intended.

4.5. We may also use other tracking technologies (like local storage or pixels) in a similar way to cookies, for purposes described above. Any use of such technologies will follow the same consent requirements and preferences you have set for cookies.

5. How We Share Personal Data

We treat your personal data with care and confidentiality. We do not sell your personal information to third parties. However, we do share data in certain circumstances, as outlined below, always under strict controls:

5.1. Service Providers (Processors): We employ trusted third-party companies to perform services on our behalf and to support the Kenneth AI platform. These include cloud hosting, data storage, and AI processing providers. For example, Kenneth AI is hosted on Vercel (for front-end and application delivery), uses Supabase for database and file storage, and integrates OpenAI for AI model processing. These providers act under our instructions and only process your data for the purposes of providing their services to us. We have signed Data Processing Agreements with each, obligating them to protect your data in line with GDPR. Notably:

• (a) Vercel (Hosting): Vercel hosts our web application front-end and serves static content through a content delivery network. In providing this service, Vercel may incidentally process technical data like your IP address and browser information when you interact with our site. Vercel does not access the personal data you store in our database; it only handles the delivery of the user interface and basic network logs. We have configured our Vercel deployment such that user data is handled within the EU/UK region as much as possible.
• (b) Supabase (Database Storage): We use Supabase to store and manage our application data (including account details, case data, and uploaded files). All your data in Supabase is hosted exclusively on European servers. Supabase’s infrastructure relies on certified data centers and offers encryption at rest for stored data. This means your documents and case records remain physically within the UK/EU and are protected by strong security measures. Supabase does not have access to view plain text of your stored content and only processes data as needed to keep it available to you.
• (c) OpenAI (AI Services): When you use AI features of Kenneth AI, certain data (e.g. text from your documents or queries) may be sent to OpenAI’s API to generate responses. OpenAI acts as our processor for these purposes. We ensure that only the necessary snippets of data are transmitted (and not entire documents unless required) to minimise exposure. OpenAI, which is based in the United States, is contractually bound by standard data protection clauses and their API terms specify that your data will not be used to train AI models and is retained only temporarily (up to 30 days) for service monitoring, then deleted. We will monitor OpenAI’s compliance and any changes in their policies to maintain the confidentiality of your information.

5.2. In addition to the above, we may use other vendors for related services (such as email delivery, authentication, or analytics). For each such provider, we limit the personal data shared to what is necessary. All our processors are chosen for their high standards of security and privacy; for example, our critical sub-processors like Supabase and Vercel maintain industry security certifications (ISO 27001, SOC 2 Type II, etc.). They are not allowed to use your data for their own purposes.

5.3. Business Transfers: If Crescent Advisors Limited (trading as Kenneth AI) is involved in a merger, acquisition, investment, or sale of all or part of its business, personal data held in our platform may be transferred to the new owners or partners as part of that transaction. In such cases, we will ensure the confidentiality of your personal data is maintained and give affected users notice before their data becomes subject to a different privacy policy.

5.4. Legal Requirements and Protection: We may disclose personal data to third parties (such as regulators, courts, or law enforcement) if required to do so by law or if we believe in good faith that such disclosure is reasonably necessary to (i) comply with a legal obligation or government request, (ii) enforce our Terms of Service or other agreements, (iii) protect the rights, property, or safety of Crescent Advisors Limited (trading as Kenneth AI), our users, or the public. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction, in accordance with data protection laws.

5.5. We will always aim to limit the personal data we share to the minimum necessary in any given scenario, and we will ensure any third party has an obligation to handle your data securely and lawfully.

6. Data Storage and International Transfers

6.1. Data Location: All personal data collected through Kenneth AI is stored on servers located within the United Kingdom and the European Union. We use EU-based data centers for primary storage (e.g. Supabase in EU region, as noted above) and we strive to process and retain data in the UK/EU to the fullest extent possible. By providing this information, we comply with UK GDPR requirements to inform you of where your data is stored.

6.2. No Routine Transfers Outside UK/EU: We do not transfer or store your personal data in countries outside the UK or European Economic Area (“third countries”) unless it is necessary and compliant with data protection law. Our default practice is to keep your data within jurisdictions deemed to have adequate data protection. For example, our database and file storage are in the EU, and our application hosting is configured for EU/UK regions. This means that your data is not normally subject to foreign laws or jurisdictions outside of the UK/EU.

6.3. Use of International Service Providers: While our primary infrastructure is in the UK and EU, some of our essential service providers, such as OpenAI (United States), are based in third countries. We ensure that any transfer of your personal data outside the UK is protected by appropriate legal safeguards.

• (a) For transfers to the United States, we rely on the UK-US Data Bridge. This is an adequacy decision made by the UK Government which allows personal data to be transferred freely and safely to US organisations that are certified under the "EU-US Data Privacy Framework" and its UK Extension.
• (b) We verify that our US-based sub-processors, including OpenAI, are certified under this framework before transferring any personal data. This ensures your data is protected by binding data privacy principles and redress mechanisms that are deemed equivalent to UK law.
• (c) For any transfers to other third countries that do not have a UK adequacy decision, or to any US provider not certified under the Data Privacy Framework, we will implement the UK’s International Data Transfer Addendum (IDTA) as our primary safeguard, supplemented by a Transfer Impact Assessment (TIA) to ensure the protection of your data.

6.4. By using these approved legal mechanisms, we ensure that your rights and protections travel with your data, no matter where it is processed. If you would like more information, you can contact us at michael@kenneth.team.

7. Data Security

We take data security seriously and implement appropriate technical and organisational measures to safeguard your personal data. These measures are designed to protect against unauthorised or unlawful access, alteration, disclosure, or destruction of personal data we hold. They include:

7.1. Encryption: Data you provide to Kenneth AI is encrypted in transit (using HTTPS/TLS encryption).

7.3. Secure Infrastructure: Our platform runs on reputable cloud infrastructure with robust security practices. As noted, our sub-processors like Supabase and Vercel maintain high security certifications (e.g. ISO 27001, SOC 2) and undergo regular audits. We utilise firewalls, intrusion detection, and other safeguards provided by these platforms.

7.4. Monitoring and Testing: We monitor the platform for suspicious activities and vulnerabilities. Regular security testing, including penetration testing and code reviews, is conducted to identify and address potential weaknesses. We also keep our software and dependencies up to date with security patches.

7.5. Data Backups and Recovery: We perform backups of critical data to ensure we can recover data in case of accidental deletion or disaster. Backup data is protected and stored in secure UK/EU locations.

7.6. Anonymisation/Pseudonymisation: Where possible, especially for analytics and testing, we anonymise or pseudonymise personal data so that individuals cannot be readily identified. For example, analytics may use aggregated data, and any use of production data for troubleshooting is handled in a controlled manner.

7.7. Despite our efforts, no system is completely infallible. We cannot guarantee absolute security of data. However, we follow industry best practices and continually improve our safeguards to reduce risks. In the unfortunate event of a data breach that poses a risk to your rights, we will notify you and the appropriate authorities as required by law.

8. Data Retention

We keep personal data only for as long as necessary to fulfill the purposes described in this Policy, and to comply with legal or business requirements. Retention periods will vary depending on the type of data and the purposes for which we collected it. Below is a general overview of our retention practices:

8.1. Account Data: We retain your account information (like your profile details, organisation info, and settings) for as long as you maintain an active account with us. If you terminate your account or your subscription ends, we will delete or anonymise your personal data associated with the account after a set period following closure (for example, we may keep data for a short grace period in case you reactivate, or to resolve any post-termination issues). In general, deletion will occur within a few weeks after account closure, once any owed services are concluded.

8.2. Case Data and Documents: Case-related data that you upload or generate in Kenneth AI (documents, case notes, financial records, etc.) will remain stored while your account is active so that you can use the platform. If you delete specific cases or files from the platform, we will remove those from our live database promptly (subject to any system caching or indexing delays). After account termination, we will purge or anonymise remaining case data typically within 30 days, except where retention is required for legal reasons. We do not retain your uploaded documents longer than necessary once you no longer wish to use the service. You also have the ability to delete or export your data at any time during the service term.

8.3. Communications: If you contacted us (e.g. support emails or contact form submissions), we may retain those communications and our responses for a period of time necessary to deal with your inquiry and for training or quality assurance purposes. Typically, routine support tickets are retained for up to 1–2 years.

8.4. Analytics Data: Analytics and website usage data is either collected in an anonymous form or purged after analysis. Raw analytics logs that may contain personal data (like IP addresses) are generally rotated or deleted within 13 months at most, following guidance from European data protection authorities on analytics data retention. Aggregated statistics that contain no personal identifiers may be kept longer for historical trend analysis.

8.5. Legal and Financial Records: We may need to retain certain data for compliance with legal obligations even after you delete your account or after we have provided a service. For instance, billing and payment records (invoices, transaction records) are kept for the period required by UK/EU financial and tax regulations (typically 6 years in the UK for tax records, or as required by applicable law). Similarly, if we had an agreement or interaction that could be relevant for legal claims, we might retain the necessary information until the potential claim expires (statute of limitations).

8.6. Once the applicable retention period expires, or upon your valid request for erasure, we will securely delete or irreversibly anonymise the personal data so that it can no longer be associated with you. If complete deletion is not immediately possible (for example, stored in secure backups), we will ensure the data is isolated and protected until deletion is feasible.

8.7. Please note that even after deletion from our active systems, data may persist in encrypted backups for a limited time until those backups are cycled out; we maintain backup data for disaster recovery purposes on a rolling basis and purge old backups regularly. All retained data remains subject to the safeguards outlined in this Privacy Policy.

9. Your Rights Under UK GDPR

As an individual whose personal data is processed by Kenneth AI, you have certain rights under the UK GDPR and (if applicable) the EU GDPR. We respect and uphold these data subject rights, which include:

9.1. Right to be Informed: You have the right to clear and transparent information about how we use your personal data. This Privacy Policy is part of our effort to inform you.

9.2. Right of Access: You can request a copy of the personal data we hold about you, as well as information on how we process it (commonly known as a Subject Access Request).

9.3. Right to Rectification: If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected or updated without undue delay.

9.4. Right to Erasure: Also called the “right to be forgotten,” this allows you to request deletion of your personal data when it is no longer necessary for the purposes we collected it, or if you withdraw consent or object to processing and we have no overriding grounds to continue, or if we processed your data unlawfully. Please note this right is not absolute – sometimes we may have legal obligations or legitimate grounds to retain some data (we will inform you if so).

9.5. Right to Restrict Processing: You can ask us to suspend or limit the processing of your personal data in certain circumstances – for example, while we are verifying the accuracy of data you’ve contested or assessing an objection you have made.

9.6. Right to Data Portability: For data you provided to us and which we process by automated means on the basis of your consent or our contract, you have the right to obtain it in a structured, commonly used, machine-readable format, and to have it transferred to another controller where technically feasible. In practice, this means you can export certain data from our platform, or ask us to directly transfer it to another service if possible.

9.7. Right to Object: You have the right to object to our processing of your personal data when we are relying on legitimate interests as the legal basis, or if we were processing your data for direct marketing. If you object, we will evaluate your request and will stop or adjust processing unless we have a compelling legitimate ground that overrides your interests or if we need to continue processing for legal claims. Where you object to direct marketing (or withdraw any consent given for marketing), we will stop sending you marketing communications.

9.8. Rights in Relation to Automated Decision-Making: You have rights to not be subject to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects on you. As noted, Kenneth AI does not engage in such automated decision-making without human involvement; however, we include this for completeness of your rights.

9.9. To exercise any of your rights, please contact us at michael@kenneth.team with your request. We may need to verify your identity to ensure we’re providing information to the correct person. We will respond to requests within one month, or inform you if an extension is needed for complex requests (we may extend by up to two further months as allowed by law, and will explain why). There is no fee for exercising your rights, except in rare cases of excessive or unfounded requests where we are permitted to charge a reasonable fee or refuse the request.

9.10. If you believe we have not addressed your data protection concerns adequately, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). You can find more information on the ICO website: https://ico.org.uk/. If you are in the EU, you may contact your local Data Protection Authority. We encourage you to contact us first, so we have the opportunity to address your concerns directly.

10. Children’s Privacy

10.1. Kenneth AI is not intended for use by children under the age of 18. We do not knowingly collect personal data from anyone under 18 years old. Our platform and services are designed for professional use by adults (e.g. licensed insolvency practitioners, attorneys, accountants, etc.). If you are under 18, you should not use Kenneth AI or submit any information about yourself.

11. Updates to this Privacy Policy

11.1. We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or privacy practices. When we make changes, we will post the updated Privacy Policy on our website and update the “Last Updated” date at the top of this Policy. For substantial or material changes, we may also notify you directly via email or through an in-service notification, especially if required by law.

11.2. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of Kenneth AI after any updates constitutes acceptance of the revised Policy, to the extent permitted by law. If we seek to use your personal data for a new purpose that is not compatible with the purposes outlined here, we will obtain your consent or provide you with a choice, as required by data protection laws.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us:

Company: Crescent Advisors Limited (trading as Kenneth AI)

Email: michael@kenneth.team

This is the dedicated contact for privacy inquiries, including requests to exercise your rights. We will gladly assist you and aim to respond promptly (typically within one month for rights requests).

Thank you for trusting Kenneth AI. We are committed to protecting your data and privacy while providing you with effective tools for the restructuring and insolvency process.