Privacy Policy

Your privacy matters. This policy explains how KAIROS collects, uses, and protects your personal data.

Effective Date: February 8, 2026

Last Updated: April 8, 2026

1. Introduction

Welcome to KAIROS ("we," "us," or "our"), an AI-powered marketing platform available at kairos-ai.co. This Privacy Policy describes how we collect, use, disclose, and protect your personal data when you use our website, platform, and related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

This policy applies to all users of the Service, regardless of location. Where specific regulations apply (such as the GDPR, CCPA, or EU AI Act), we have included additional sections addressing those requirements.

2. Data Controller

The data controller responsible for your personal data is:

KAIROS

Contact: [email protected]

Website: kairos-ai.co

If you have any questions about this Privacy Policy or our data practices, you may contact us at [email protected].

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account Data

When you create an account, we collect your email address, full name, password (we store only a bcrypt hash of it, never the password itself), avatar image, locale preference, and timezone. This data is necessary to provide and personalize the Service.

3.2 Business Data

To deliver relevant marketing insights, we collect information about your business including product type, business model, revenue model, target markets, competitors, industry, primary website URL, distribution channels, conversion events, compliance notes, and marketing maturity level.

3.3 Authentication Data (OAuth)

If you sign in using Google or GitHub, we receive and store OAuth tokens and provider-specific identifiers. We do not receive your passwords from these providers.

3.4 Social Media Connection Data

When you connect social media accounts for content distribution, we store OAuth tokens for the following platforms: Twitter/X, Instagram, LinkedIn, TikTok, Facebook, YouTube, Threads, Reddit, Pinterest, Bluesky, Telegram, Snapchat, Google Business, and WhatsApp. These tokens are stored as JSONB data in our database and are used solely to publish and manage content on your behalf.

3.5 Content Data

We store marketing content you create or that our AI generates on your behalf, including posts, brand voice configurations, conversations, and messages exchanged within the platform.

3.6 Media Data

When you upload or generate images and videos, we store associated metadata including the S3 object keys (storage paths) of the files, image dimensions, file sizes, and content types. The media files themselves are stored in cloud object storage.

3.7 Knowledge Data

If you choose to connect external knowledge sources (such as Notion documents or website content), we ingest and create embeddings of that content to power AI-assisted marketing recommendations. This ingestion is always user-initiated.

3.8 Payment Data

We process payments through Stripe. We store your Stripe customer ID, subscription ID, and billing event records. We do not store, process, or have access to your raw credit card numbers or payment card data: card details are entered into and handled entirely by Stripe's PCI-DSS compliant systems and never pass through our servers.

3.9 Usage and Analytics Data

We collect usage data including page views, clicks, and session recordings through PostHog. Session recordings run with PostHog's maskAllInputs option enabled, so text typed into form fields is replaced with placeholder characters rather than captured. We also collect general event data related to how you interact with the Service.

3.10 Device Data

We automatically collect technical data including browser type, operating system, IP address, and device identifiers to ensure compatibility, security, and service optimization.

3.11 Notification Data

If you enable push notifications, we store your push subscription (the push service endpoint and the keys associated with it) to deliver notifications to your devices. Our server identifies itself to push services using the VAPID protocol.

3.12 Memory Data

To provide contextual and personalized AI interactions, we maintain graph-based memory of your interactions using Mem0 and Neo4j. This memory helps our AI agents understand your preferences, past decisions, and business context over time.

5. How We Use Your Data

We use the personal data we collect to:

  • Provide, maintain, and improve the Service
  • Generate AI-powered marketing content, strategies, and recommendations
  • Publish content to your connected social media platforms
  • Process payments and manage your subscription
  • Send transactional emails (account verification, billing receipts, service notifications)
  • Deliver push notifications you have opted into
  • Analyze usage patterns to improve features and user experience
  • Monitor and resolve errors and technical issues
  • Maintain AI memory to provide personalized, context-aware interactions
  • Ingest and embed knowledge sources you connect for marketing intelligence
  • Prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations

6. Third-Party Data Processors

We share personal data with the following third-party processors, each bound by data processing agreements. Data is shared only to the extent necessary for each processor to perform its designated function:

6.1 AI and Machine Learning Providers

  • OpenAI (United States): text generation and text embeddings for content creation and knowledge processing.
  • Anthropic / Claude (United States): text generation for content creation and AI-assisted marketing.
  • Google / Gemini (United States): text generation, image generation, and video generation (Veo) for multimedia marketing content.
  • DeepSeek (China): text generation for content creation.
  • Black Forest Labs / FLUX (Germany): image generation for marketing visuals.
  • Kling AI / Kuaishou (China): video generation and avatar generation for multimedia marketing content.

6.2 Infrastructure and Storage

  • AWS S3 / MinIO: cloud object storage for media files, uploads, and generated assets.
  • BunnyCDN: content delivery network for media asset distribution.
  • Cloudflare (United States): CDN, DDoS protection, and CAPTCHA verification (Turnstile).

6.3 Payments

  • Stripe (United States): payment processing, subscription management, and billing. Stripe is PCI-DSS compliant and handles all credit card data directly.

6.4 Communications

  • Resend (United States): transactional email delivery (account verification, billing receipts, notifications).

6.5 Analytics and Error Tracking

  • PostHog (United States, us.i.posthog.com): product analytics, event tracking, and session recording with input masking enabled.
  • Sentry (United States): error tracking and performance monitoring. Configured with send_default_pii set to false to minimize personal data collection.

6.6 Social Media and Integration

  • Zernio: social media orchestration for cross-platform content publishing and management.
  • Composio: multi-platform API integration for connecting third-party services.

6.7 Knowledge and Memory

  • Neo4j / Mem0: graph-based memory storage for personalized AI interactions and contextual understanding.
  • Tavily: web search for real-time information retrieval to enhance AI responses.
  • Notion: knowledge ingestion from user-connected Notion workspaces (always user-initiated).

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside your jurisdiction, including:

  • United States — Most of our third-party processors (OpenAI, Anthropic, Google, Stripe, Resend, PostHog, Sentry, Cloudflare) are based in the USA.
  • China — DeepSeek (text generation) and Kling AI / Kuaishou (video and avatar generation) process data in China.
  • Germany — Black Forest Labs / FLUX (image generation) processes data in Germany.

7.1 Transfer Safeguards

For transfers outside the European Economic Area (EEA), we implement appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all third-party processors
  • Technical and organizational measures to protect data in transit and at rest

7.2 Transfers to China

China does not currently have an EU adequacy decision. For data transferred to processors in China (DeepSeek, Kling AI), we apply additional safeguards including Standard Contractual Clauses, supplementary measures as recommended by the EDPB, and transfer impact assessments to ensure your data remains protected. We minimize the data shared with these processors to only what is necessary for content generation.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law:

Account Data

Retained while your account is active. Upon account deletion, all account data is deleted within 30 days.

Content Data

Retained while your project remains active. Deleted when you delete the project or your account.

Billing Data

Retained as required by applicable tax law, typically for a minimum of 7 years following the transaction.

Analytics Data

Retained per PostHog's configured retention policy.

Session Recordings

Retained per PostHog's session recording retention policy.

Backups

Backup copies of deleted data are purged within 90 days of the original deletion.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

9.1 Rights Under the GDPR (EEA/UK Residents)

  • Right of Access — Request a copy of the personal data we hold about you.
  • Right to Rectification — Request correction of inaccurate or incomplete personal data.
  • Right to Erasure ("Right to Be Forgotten") — Request deletion of your personal data, subject to legal retention requirements.
  • Right to Restriction of Processing — Request that we limit how we process your data in certain circumstances.
  • Right to Data Portability — Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object — Object to processing based on legitimate interest or for direct marketing purposes.
  • Right to Withdraw Consent — Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint — File a complaint with your local supervisory authority if you believe we have violated your data protection rights.

9.2 Rights Under CCPA/CPRA (California Residents)

  • Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to Delete — Request deletion of personal information we have collected from you.
  • Right to Correct — Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing — We do not sell your personal information. If this changes, you will have the right to opt out.
  • Right to Non-Discrimination — You will not receive discriminatory treatment for exercising your privacy rights.
  • Right to Limit Use of Sensitive Data — Request that we limit the use and disclosure of sensitive personal information to what is necessary for the Service.

9.3 Right to Opt Out of AI-Powered Profiling

You have the right to opt out of automated decision-making and profiling that produces legal or similarly significant effects. While our AI systems assist with marketing content creation, they do not make automated decisions with legal effects on you. You may contact us to request human review of any AI-driven analysis of your data.

9.4 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service:

10.1 Necessary Cookies

These cookies are essential for the Service to function:

  • next-auth.session-token — Authentication session management
  • KAIROS_LOCALE — Language preference
  • kairos-switch-project — Active project selection

10.2 Analytics Cookies

PostHog sets cookies and uses localStorage to track usage analytics and session recordings. These are only activated with your consent.

For a comprehensive list of all cookies, their purposes, and expiration periods, please refer to our Cookie Policy.

11. Children's Privacy

The Service is not directed at, and is not intended for use by, children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

12. AI Data Processing Disclosure

In accordance with the EU AI Act and applicable transparency requirements, we disclose the following about our use of artificial intelligence:

12.1 AI-Generated Content

KAIROS uses AI systems (including large language models and generative AI) to process your business data and content inputs in order to generate marketing materials, including text, images, and video. These AI systems are provided by the third-party processors listed in Section 6.

12.2 Human Review

AI-generated content is presented as a draft for your review. You should review all AI-generated content before publication. KAIROS does not automatically publish AI-generated content without your explicit approval.

12.3 User Responsibility

You are responsible for ensuring that AI-generated content published through the Service complies with applicable disclosure requirements. Some jurisdictions require disclosure when content has been generated or substantially modified by AI. It is your responsibility to add appropriate disclosures as required by the laws of the jurisdictions where your content is distributed.

13. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Password Protection — All passwords are hashed using bcrypt before storage. We never store passwords in plain text.
  • Token-Based Authentication — Sessions are managed using JWT session tokens carried in cookies set with the httpOnly and Secure attributes, so client-side scripts cannot read them and browsers only send them over HTTPS.
  • Encryption in Transit — All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
  • Row-Level Security — Database-level access controls ensure users can only access their own data.
  • CAPTCHA Protection — Cloudflare Turnstile is used to prevent automated abuse.
  • Input Masking — Session recordings mask all form inputs to prevent sensitive data capture.

While we strive to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
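The cookie attributes named above are the kind of claim a practitioner will want to verify against a live response rather than take from a policy. The following is an added example, not code from KAIROS or from this policy: it parses a Set-Cookie header and checks for HttpOnly and Secure, and additionally for SameSite and the `__Secure-`/`__Host-` prefix rules, which this policy does not mention but which belong in the same audit. The cookie name `next-auth.session-token` comes from Section 10; the sample header values and the `buildSessionCookie` helper are constructed for illustration.

```javascript
'use strict';

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
// map to true, valued attributes (Path, SameSite, ...) to their string.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Audit a session cookie for the attributes the policy describes
// (HttpOnly, Secure) plus SameSite and the cookie-prefix rules that
// browsers enforce. Returns { name, ok, problems }.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push('missing HttpOnly: readable by page scripts');
  if (!attrs.secure) problems.push('missing Secure: sent over plaintext HTTP');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) problems.push('no SameSite attribute: browser default applies');
  else if (sameSite === 'none' && !attrs.secure) problems.push('SameSite=None requires Secure');
  if (name.startsWith('__Secure-') && !attrs.secure) {
    problems.push('__Secure- prefix requires Secure');
  }
  if (name.startsWith('__Host-') && (!attrs.secure || attrs.path !== '/' || attrs.domain)) {
    problems.push('__Host- prefix requires Secure, Path=/ and no Domain');
  }
  return { name, ok: problems.length === 0, problems };
}

// Hypothetical helper: build the Set-Cookie header a hardened session
// cookie should carry. Defaults are the editor's, not the project's.
function buildSessionCookie(name, token, { maxAge = 30 * 24 * 60 * 60, sameSite = 'Lax' } = {}) {
  return `${name}=${token}; Path=/; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Constructed sample headers (not captured from the real service).
const WEAK_COOKIE = 'next-auth.session-token=eyJ...; Path=/';
const HARDENED_COOKIE = buildSessionCookie('__Secure-next-auth.session-token', 'eyJ...');

for (const header of [WEAK_COOKIE, HARDENED_COOKIE]) {
  const result = auditSessionCookie(header);
  console.log(result.name, result.ok ? 'OK' : result.problems.join('; '));
}
```

Paste a real Set-Cookie value from the login response into `auditSessionCookie` to check the deployment rather than the document; an httpOnly, Secure cookie with no SameSite attribute still deserves a look at the application's CSRF defences, since the cookie flags alone do not cover that.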

14. Do Not Track

We respect browser Do Not Track (DNT) signals where technically feasible. When we detect a DNT signal from your browser, we will limit non-essential tracking activities in accordance with the signal.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

For material changes, we will provide at least 30 days' advance notice via email to the address associated with your account before the changes take effect. Non-material changes (such as formatting or clarifications) may be made without prior notice.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

KAIROS Support

Email: [email protected]

Website: kairos-ai.co

We aim to respond to all inquiries within 30 days. For data subject access requests or rights requests, we will respond within the timeframe required by applicable law.