Skip to main content
Keloa is built in the Netherlands and hosted in the EU. Everything privacy-related lives in one place: Settings → Data & privacy.

Export data

Whole workspace

Export workspace → JSON and Export workspace → CSV return a machine-readable snapshot of contacts, conversations, messages, knowledge sources, flows, and audit log entries. The CSV is a spreadsheet-friendly subset (contacts + conversations); the JSON is the full record. Both download immediately for typical workspaces; very large workspaces are streamed in chunks.

Audit log

Admins on the Scale plan can export the full audit log as CSV from Settings → Security → Audit log → Export CSV. The download streams every privacy action — exports, deletions, retention changes, role updates — with timestamp, actor, target, IP, and a JSON diff of changes. See Audit log export.

Single contact

On any contact profile → ⋯ → Export contact JSON. Returns the complete record for that person — used to fulfill GDPR subject access requests.

Delete a contact

Data & privacy → Delete contact — search, select, confirm. Effects:
  • The contact record is deleted.
  • Every conversation with this contact is deleted.
  • Every message (inbound and outbound) is deleted.
  • Files they uploaded are purged from storage (within 24h).
  • Audit log retains the deletion event (timestamp, operator) — that stays.
Irreversible. We don’t retain a hidden copy.

Retention

Set how long resolved conversations are kept (in days). The setting lives at Settings → Data & privacy → Retention and is stored per workspace.
  • 0 (default) — keep forever; nothing auto-deletes.
  • N days — resolved conversations older than N days are removed by a daily job. Pick a value that matches your DPA commitment.
Retention runs daily. Messages, attachments, and any AI metadata on the conversation are removed. Setting a retention policy does not retroactively delete older data. It applies as the cleanup job runs each day. To delete a specific person’s data immediately, use Delete contact.

Data residency

  • Application data, knowledge vectors, and attachments live in the EU.
  • LLM providers (when used) are routed through their EU endpoints where available.
  • Zero-retention flags are set with every LLM provider — no prompts or completions are used for provider training.
Full sub-processor list at keloa.ai/legal/sub-processors.

Encryption

  • At rest — AES-256.
  • In transit — TLS 1.2+.
  • Passwords — bcrypt, never stored in plaintext.

Who can do what

ActionRole
Export workspaceAdmin
Export single contactAdmin, Agent
Delete contactAdmin
Change retention policyAdmin

Audit log

Settings → Security → Audit log records every privacy action — exports, deletions, retention changes, role changes — with timestamp, operator, and IP. The audit log itself is visible on every paid plan; CSV export is Scale-only. See Audit log export for details and Security for retention. Process docs, DPA templates, and sub-processor lists live at keloa.ai/legal. Contact privacy@keloa.ai for DPA requests or anything not answered above.