Privacy Policy

This policy applies to personal data that Kindred AI, PBC processes about you when you visit bekindred.ai, create an account, or use the Kindred platform. Where we process personal data on behalf of a business customer (for example, an employee using a company account), that customer is the controller of the data and our processing is governed by our Data Processing Agreement with that customer.

Account information. When you create an account we collect your email address. Sign-in is passwordless: we email you a one-click sign-in link each time, and you prove your identity by demonstrating control of the email. We do not collect or store a password.

Inputs. The queries you submit and the documents you upload for analysis.

Outputs. The analyses the platform generates from your Inputs, including phase content, sources, ratings, tags, and links you save.

Usage data. Aggregated, privacy-preserving metrics about platform use (analyses run, feature usage, error rates). We do not track individual browsing behavior across other websites.

Operational metadata. Request logs, performance metrics, and AI call traces used to operate and improve the service. We retain these for a limited period and do not sell them.

We use your data to provide and improve the service you signed up for. Specifically, to run analyses, store your library, apply your preferences, support billing, secure the platform, and produce aggregate metrics that help us improve quality. We do not use your Inputs or Outputs to train AI models without your explicit, opt-in consent.

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases under the GDPR or UK GDPR:

• Performance of a contract for account creation, providing the platform, and billing.
• Legitimate interests for security, fraud prevention, debugging, and improving the platform, balanced against your rights and freedoms.
• Consent for any AI training opt-in, certain communications, and any non-essential cookies (we do not currently set any).
• Legal obligation for tax, accounting, and law-enforcement requests we are required to honor.

We share personal data only with the subprocessors required to operate the service, with law enforcement when legally required, and with any successor entity in connection with a merger, acquisition, or sale of assets (with notice to you).

The current list of subprocessors is published at Subprocessor List. We notify business customers before adding a new subprocessor as described in the Data Processing Agreement.

We do not sell personal data, and we do not share personal data for cross-context behavioral advertising as those terms are defined in U.S. state privacy laws including the California Consumer Privacy Act (CCPA).

We retain your account data for as long as your account is open. Inputs, Outputs, tags, links, and feedback persist in your library until you delete them or close your account. Operational logs and AI call traces are retained for a limited period as needed for security, debugging, and abuse prevention, and are then deleted or anonymized. When you delete your account, we permanently delete the data tied to it within thirty (30) days, subject to legal hold and the retention of minimal records required by law (for example, billing records for tax purposes).

Subject to applicable law, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your data, including a hard delete of your account and library from settings or by request.
• Export your analyses in machine-readable formats (Markdown, Word, PDF) from the platform at any time.
• Object to or restrict certain processing, and to withdraw any consent you previously gave.
• Lodge a complaint with the data protection authority in your country if you are in the EEA, UK, or Switzerland.

California residents have additional rights under the CCPA, including the right to know what categories of personal data we collect, the right to delete it, the right to correct it, and the right to non-discrimination for exercising these rights. To exercise any of these rights, email privacy@bekindred.ai. We will respond within the timeframes required by applicable law.

When you run an analysis, the text of your query (and any uploaded content you choose to include) is sent to the AI model that powers the analytical engine. Our current AI provider is identified on the Subprocessor List. We do not include identifiers such as your name or email in the data we send to the model; we send only the content needed to perform the analysis.

Your Inputs and Outputs are stored in your personal library for your benefit. We do not use them to train or fine-tune AI models without your explicit, informed, opt-in consent. This is a foundational commitment, not a setting we can quietly flip.

Kindred and its current subprocessors operate from the United States. If you access Kindred from outside the United States, your data will be transferred to and processed in the United States. Where transfers from the European Economic Area, the United Kingdom, or Switzerland are involved, we rely on the EU Standard Contractual Clauses (Module Two: Controller-to-Processor or Module Three: Processor-to-Processor as applicable), the UK International Data Transfer Addendum, and the Swiss data protection safeguards. [TODO: attach executed SCC modules and UK Addendum as annexes once finalized.]

We use industry-standard technical and organizational measures to protect your data, including encryption in transit and at rest, row-level access controls enforced at the database level, secret management for credentials, and a security review on every change. Our security posture is summarized in the Trust Center, and the deeper technical detail lives on the security architecture page.

Kindred is not directed to children under 13 years of age (or the higher minimum age in your jurisdiction). We do not knowingly collect personal data from children under that age. If we learn that we have collected personal data from a child under the applicable minimum age, we will delete it. If you believe a child has provided us personal data, contact privacy@bekindred.ai.

We may update this policy. If a change is material, we will give you reasonable advance notice by email or in-product notification before it takes effect. The “Last updated” date at the top of this policy will always reflect the current version.

For privacy questions or to exercise any right above, email privacy@bekindred.ai. Our data protection contact is [TODO: privacy/DPO contact name and address]. Notices to Kindred AI, PBC should be sent to [TODO: registered address].