Privacy Policy

We collect information you provide directly to us, information we obtain automatically when you use the Services, and information from third-party sources. This section describes each category in detail.

Information you provide: Account registration details (name, email address, organization name), billing information (processed securely by our payment provider — we do not store full payment card numbers), User Content submitted to the platform (prompts, files, data, instructions), communications you send to us (support requests, feedback, survey responses), and any other information you choose to provide.

Information collected automatically: Usage data (API calls, feature usage, session duration, actions taken within the platform), device information (browser type and version, operating system, screen resolution, IP address), log data (access times, pages viewed, referring URLs, request and response metadata), performance metrics (latency, error rates, resource consumption), and error reports generated by the platform.

Information from third parties: If you authenticate via OAuth or SSO providers, we receive your name, email address, and profile information as authorized by you during the authentication flow. Payment processors provide us with transaction status and the last four digits of your payment method for identification purposes. Analytics providers may supply aggregated usage patterns.

Information we do NOT collect: We do not collect biometric data, precise geolocation data (beyond IP-based approximation), financial account numbers or full payment card details, government-issued identification numbers, health or medical information, or information about racial or ethnic origin, political opinions, religious beliefs, or trade union membership, unless specifically required for billing verification or compliance purposes and disclosed at the time of collection.

We use the information we collect for the purposes described below. Where applicable, we have noted the legal basis for each processing activity:

• Provide and maintain the Services — processing your requests, executing Agent tasks, delivering API responses, and ensuring platform functionality. (Legal basis: Contract)
• Process transactions — managing billing, credit consumption, invoicing, and sending payment-related communications. (Legal basis: Contract)
• Send technical and security notices — delivering system alerts, security notifications, maintenance announcements, and support messages. (Legal basis: Legitimate Interest)
• Respond to requests and provide support — answering your inquiries, troubleshooting issues, and providing customer assistance during Service Hours. (Legal basis: Contract)
• Monitor and analyze usage — understanding trends, measuring platform performance, and identifying areas for improvement. (Legal basis: Legitimate Interest)
• Detect and prevent fraud — investigating unauthorized access, preventing abuse, and protecting the security of the platform and its users. (Legal basis: Legitimate Interest)
• Comply with legal obligations — fulfilling regulatory requirements and enforcing our Terms of Service. (Legal basis: Legal Obligation)
• Improve the platform — developing new features and enhancing AI capabilities using only aggregated, anonymized data that cannot be linked to individual users or User Content. (Legal basis: Legitimate Interest)

When you submit User Content to the Services, it is processed by our AI systems to generate Outputs. We do not use your User Content to train our models unless you explicitly opt in to a research or improvement program. Your User Content is isolated to your Account and is not accessible to other users.

AI-generated Outputs may be logged for quality assurance and abuse prevention purposes. These logs are retained for a maximum of thirty (30) days and are automatically purged thereafter, unless longer retention is required by law or for the resolution of an active dispute.

Human review. In limited and specific circumstances, authorized Kaer Labs personnel may access User Content for the following purposes: (a) investigating reports of abuse or Terms violations, (b) responding to support requests that you have initiated and that require examination of your data, (c) fulfilling legal compliance obligations. Human review is subject to strict access controls, is fully audited, and requires manager-level authorization. We do not conduct routine or proactive human review of User Content.

Abuse detection. Automated systems monitor for potential violations of our Terms of Service. These systems primarily analyze usage patterns and metadata (such as request frequency, output volume, and API call patterns) rather than the substantive content of your prompts or Outputs, unless a specific abuse threshold is triggered by the automated system.

As an AI platform, we recognize the importance of transparent data practices specific to AI processing. This section details how your data interacts with our AI systems.

• Prompt data: Prompts submitted to the platform are processed in memory for inference and are not stored beyond the session unless you enable conversation history. Stored conversation histories are encrypted at rest (AES-256) and are accessible only to you through your authenticated Account.
• Output logging: AI-generated Outputs may be temporarily logged for up to thirty (30) days for debugging, quality assurance, and abuse prevention. Logs are automatically purged after the retention period and cannot be recovered.
• Agent execution data: When Agents execute tasks on your behalf, we log execution metadata (timestamps, resource consumption, error codes, and completion status) but not the substantive content of Agent actions, unless content logging is required for debugging at your explicit request.
• Telemetry: We collect anonymized, aggregated telemetry data (such as response latency, token counts, error rates, and feature usage statistics) to improve platform performance and reliability. This data is fully anonymized and cannot be linked back to individual users, Accounts, or User Content.

We do not sell your personal information. We do not share your User Content with third parties except as described in this section.

• Service providers: We share data with trusted third-party service providers who assist us in operating the platform. These include: cloud infrastructure providers (compute and storage), payment processors (billing and transaction processing), customer support tools (ticket management and communication), and analytics providers (anonymized usage patterns only). All service providers are bound by data processing agreements that impose strict confidentiality and security obligations.
• Legal compliance: We may disclose information if required by law, regulation, legal process, or governmental request. We will attempt to notify you of such requests where legally permissible and practical.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change and ensure the receiving entity is bound by commitments consistent with this Privacy Policy.
• With your consent: We may share information with your explicit consent for purposes not described in this policy.
• Aggregate data: We may share aggregated, de-identified data that cannot reasonably be used to identify you. This data may be used for industry analysis, benchmarking, or research purposes.

We use cookies and similar tracking technologies (such as local storage and session storage) to support authentication, remember your preferences, and collect analytics data to improve the platform experience.

Essential cookies required for platform functionality (session management, CSRF protection, theme preferences) cannot be disabled as the Services cannot function without them. Analytics cookies, which help us understand usage patterns, can be controlled through your browser settings. We honor Do Not Track (DNT) signals and will not set analytics cookies when a DNT header is detected.

For comprehensive details about the types of cookies we use, how to manage them, and our approach to third-party cookies, please see our Cookie Policy.

We implement comprehensive security measures to protect your information, including:

• Encryption in transit using TLS 1.3
• Encryption at rest using AES-256
• Role-based access controls with least-privilege principles
• Regular security audits and penetration testing
• Continuous monitoring and intrusion detection
• Infrastructure hosted in SOC 2 Type II certified data centers

While we take extensive steps to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

Incident response. In the event of a data breach that affects your personal information, we will notify affected users within seventy-two (72) hours of confirmed breach discovery, provide details of the nature and scope of the breach, and outline the remediation steps being taken. If you discover a security vulnerability, please report it responsibly to [email protected].

We retain your information only for as long as necessary to fulfill the purposes described in this Privacy Policy. The following retention schedule applies:

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you, including the categories of data collected, the purposes of processing, and any third parties with whom it has been shared.
• Correction: Request correction of inaccurate or incomplete personal information. You can also update most Account information directly through the platform settings.
• Deletion: Request deletion of your personal information, subject to legal retention requirements. We will inform you if we are unable to fully comply and explain the reasons.
• Portability: Request a machine-readable export of your data in commonly used formats (JSON or CSV), enabling you to transfer your data to another service provider.
• Objection: Object to the processing of your personal information for certain purposes, including direct marketing and processing based on legitimate interest.
• Restriction: Request that we restrict the processing of your personal information while disputes about accuracy or lawfulness are resolved.
• Withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
• Automated decision-making: You have the right to understand the logic involved in any automated decisions that significantly affect you, and to request human review of such decisions.
• Appeal: If we deny a rights request, you may appeal by contacting [email protected] with details of the original request and the basis for your appeal. We will review and respond to appeals within 30 days.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days. There is no fee for reasonable requests. We may need to verify your identity before processing your request.

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

• Right to Know: You have the right to request information about the categories of personal information we have collected, the purposes for which it is used, the sources from which it was collected, and the categories of third parties with whom it has been shared.
• Right to Delete: You may request the deletion of personal information we have collected, subject to certain exceptions permitted by law (such as data necessary for completing a transaction or complying with legal obligations).
• Right to Opt-Out of Sale: We do NOT sell your personal information, and we have not sold personal information in the preceding 12 months. If this practice ever changes, we will provide a clear opt-out mechanism and update this Privacy Policy accordingly.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. You will not receive a different level or quality of service for exercising your rights under the CCPA/CPRA.
• Shine the Light: Under California Civil Code Section 1798.83, California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

To exercise your California privacy rights, contact [email protected] or use the privacy settings in your Account dashboard. In the preceding 12 months, we may have collected: identifiers (name, email), commercial information (subscription and billing data), internet or network activity (usage data, log data), professional information (organization name), and inferences drawn from these categories (usage patterns and preferences).

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, additional protections apply to your personal data under the General Data Protection Regulation (GDPR) and equivalent local legislation.

Legal bases for processing. We process your personal data on the following legal bases: performance of a contract (providing the Services you have requested), legitimate interest (platform security, service improvement, fraud prevention), consent (optional features and marketing communications), and legal obligation (compliance with applicable laws and regulations).

Data Protection Officer. For GDPR-related inquiries, you may contact our Data Protection Officer at [email protected]. Our DPO oversees our data protection strategy, ensures compliance with GDPR requirements, and serves as the point of contact for data protection authorities.

Supervisory authority. You have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement if you believe our processing of your personal data violates applicable data protection laws.

Controller and Processor roles. Kaer Labs acts as a data Controller with respect to Account data, billing information, and usage data that we collect for our own purposes. We act as a data Processor with respect to User Content that you submit through the platform, processing it on your behalf and in accordance with your instructions as defined by the Services.

We provide a clear and accessible process for submitting data subject access requests (DSARs). Whether you wish to access, correct, delete, or export your personal data, the procedure below applies.

• Submission: Send your request to [email protected]. Include your full name, the email address associated with your Account, a description of your request, and any relevant Account identifiers.
• Verification: We will verify your identity before processing any request. This may involve confirming information associated with your Account. For sensitive requests (such as full data deletion), we may require additional verification.
• Timeframe: We will respond within 30 days of receipt. Complex requests may require an extension of up to 60 additional days, in which case we will notify you of the delay and the reasons.
• Format: Data will be provided in a commonly used, machine-readable format (JSON or CSV), enabling you to review, port, or archive your data.
• Authorized agents: You may designate an authorized agent to submit a request on your behalf. We require written authorization from you, along with identity verification of both you and the agent.
• Fees: There is no fee for reasonable requests. Manifestly unfounded, excessive, or repetitive requests may incur a reasonable administrative fee, which we will communicate before proceeding.

Kaer Labs is headquartered in and operates primarily from the United States. When you use the Services, your data may be transferred to, stored in, and processed in the United States or other jurisdictions where our infrastructure providers and sub-processors operate.

We take the following steps to ensure your data is adequately protected regardless of where it is processed:

• Standard Contractual Clauses (SCCs): For transfers of personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on SCCs approved by the European Commission and equivalent clauses approved by the UK Information Commissioner's Office.
• Data processing agreements: All sub-processors that handle personal data on our behalf are bound by data processing agreements imposing obligations equivalent to those in this Privacy Policy, including requirements for data security, confidentiality, and breach notification.
• Encryption: All data in transit between jurisdictions is encrypted using TLS 1.3, and data at rest is encrypted using AES-256, providing strong technical safeguards regardless of physical location.

The Services are not directed to individuals under the age of 18. We do not knowingly collect, solicit, or maintain personal information from children under 18 years of age. If we become aware that a child has provided us with personal information without verifiable parental consent, we will take prompt steps to delete that information from our systems.

If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at [email protected] so that we can investigate and take appropriate action.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make material changes, we will provide at least 30 days' advance notice via email to the address associated with your Account or through a prominent notice on the platform.

Your continued use of the Services after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms. If you do not agree with the changes, you may delete your Account before the effective date. We encourage periodic review of this page. The "Last updated" date above indicates when the most recent revisions were made.

For questions, concerns, or requests related to this Privacy Policy or our data practices, please reach out through any of the channels below:

For more information about how we handle cookies, see our Cookie Policy. For the terms governing your use of the Services, see our Terms of Service.