Legal

Privacy Policy

Last updated: 6 May 2026

Keen is built on listening to people who already know — your frontline. That means we treat the information you and your team share with us as something to be looked after, not exploited. This policy explains what we collect, why, and what choices you have.

On this page

Who we are
Scope of this policy
Information we collect
How we use information
Legal bases (GDPR)
Sharing & sub-processors
International transfers
Retention
Security
Your rights
Cookies & analytics
Children
Changes to this policy
Contact us

1. Who we are

Keen (“Keen”, “we”, “us”, “our”) is a customer experience platform operated by MindSpyr Pty Ltd, a company incorporated in the Republic of South Africa. Where this policy refers to the “Service”, it means the Keen web applications, mobile apps, APIs, and related services available at keen.cx.

For purposes of the EU/UK GDPR and the South African Protection of Personal Information Act (POPIA), MindSpyr Pty Ltd acts as the data controller for our marketing site and account sign-up data, and as the data processor (or “operator” under POPIA) on behalf of customer organisations that use Keen to listen to their own frontline teams.

2. Scope of this policy

This policy covers personal information processed through the Service. It does not cover third-party websites or services that we link to. When a customer organisation deploys Keen to its own staff, that organisation is the controller of the data its team contributes; their own privacy notices apply alongside ours.

3. Information we collect

3.1 Information you give us

Account & profile: name, work email, role, team, organisation name, and the workspace slug you choose at sign-up.
Authentication: hashed passwords, sign-in tokens, and limited device metadata to keep your session secure.
Frontline contributions: recognitions, impact updates, observations, and feedback that you or your colleagues submit through Keen.
Billing: for paying customers, billing contact details and payment status. Card data is handled by our payment provider (PayFast / Stripe) — we never store full card numbers.
Support: messages you send to support@keen.cx, including any attachments.

3.2 Information we collect automatically

Usage: pages visited, features used, errors encountered, approximate location derived from IP, and device/browser information.
Cookies: small files stored on your device for session, preferences, and (where permitted) product analytics. See section 11.

3.3 Information from third parties

If your organisation enables single sign-on (SSO) or syncs HRIS data with Keen, we receive the profile information needed to provision your account from that source. We only request the minimum needed.

4. How we use information

Provide and operate the Service, including authenticating you and routing your contributions to the right workspace.
Surface insights, summaries, and trends to authorised people inside your organisation.
Maintain security, prevent abuse, and investigate incidents.
Communicate with you about your account, product changes, and service issues.
Comply with legal obligations and enforce our Terms of Service.
With your consent or on a legitimate-interest basis, send occasional product updates. You can opt out at any time.

We do not sell personal information, and we do not use your team's contributions to train third-party generative AI models.

5. Legal bases (GDPR)

Where the GDPR applies, we rely on the following legal bases:

Contract — to provide the Service to you and your organisation.
Legitimate interests — to keep the Service secure, improve it, and communicate with customers about it.
Consent — for optional cookies and marketing emails, where required.
Legal obligation — to meet tax, accounting, and other regulatory requirements.

We share personal information only with parties that need it to help us run the Service, and only under written contracts that require appropriate safeguards. Our current sub-processors include:

Cloud hosting — for application and database hosting.
Email delivery — for transactional and notification emails.
Payment processing — PayFast (ZA) and/or Stripe for card and EFT payments.
Product analytics — PostHog, configured to minimise personal data and respect Do-Not-Track where applicable.
Error monitoring — to detect and diagnose service issues.

We may also disclose information if required by law, to protect the rights and safety of users, or in connection with a corporate transaction (with notice where reasonably possible).

7. International transfers

Keen is operated from South Africa and uses cloud infrastructure that may process data in other regions. Where we transfer personal information across borders, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms permitted under applicable law.

8. Retention

We keep personal information only as long as needed to deliver the Service, meet legal obligations, resolve disputes, and enforce our agreements. When you or your organisation closes a Keen workspace, we delete or anonymise associated personal data within 90 days, except where we are required to retain it longer (for example, financial records).

9. Security

We protect data with encryption in transit (TLS), encryption at rest, role-based access controls, audit logging, regular dependency scanning, and least-privilege engineering practices. No system is perfectly secure, but we work continuously to reduce risk and to respond quickly if something goes wrong. Suspected security issues can be reported to security@keen.cx.

10. Your rights

Depending on where you live, you may have the right to access, correct, delete, restrict, or port your personal information, and to object to certain processing. You can also withdraw consent where processing is based on consent.

If you contribute to Keen as part of your employer's workspace, please contact your employer first — they control that data. You can also reach us at privacy@keen.cx and we will help route your request appropriately. EU/UK users can also lodge a complaint with their local supervisory authority. South African users may lodge a complaint with the Information Regulator.

11. Cookies & analytics

We use a small number of strictly necessary cookies to keep you signed in and remember your preferences. With your permission (where required by law), we also use product analytics cookies via PostHog to understand how Keen is used so we can improve it. You can control cookies through your browser settings.

12. Children

Keen is a workplace tool intended for use by adults. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us with information, please contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top and, where appropriate, give notice through the Service or by email.

14. Contact us

Questions, requests, or concerns about privacy at Keen?
Email: privacy@keen.cx
Postal: MindSpyr Pty Ltd, South Africa.