Privacy Policy

Effective 2026-05-01 · Version 1.0

What we collect

Account information (name, email, organization), authentication data (encrypted password hashes, MFA factors), usage data (audit log entries, billing events), and the data you put into Kaito (encrypted TOTP seeds, inbound SMS messages, group memberships).

Why we collect it

  • To operate the Service.
  • To bill you accurately.
  • To meet our security and compliance obligations.
  • To respond when you contact us.

We do not sell your data. We do not share it with advertisers. We do not use it to train any model.

Who we share with

We share data with the third parties that help us operate the Service ("subprocessors"). They are listed at /legal/subprocessors and updated with 30 days' notice.

How long we keep it

  • Account data: while your org is active, plus 30 days post-deletion.
  • Audit log: 365 days (7 years on Enterprise).
  • Backups: 30 days, encrypted, then cryptographically shredded.
  • Operational logs: 90 days.

Your rights

If you are in the EU/UK or California, you have rights under GDPR/UK GDPR/CCPA including access, correction, deletion, and portability. Email privacy@kaito.io to exercise them.

Cookies & tracking

We use a minimal, cookieless analytics tool that does not track you across sites. We do not use advertising cookies.

Children's data

Kaito is not directed at children under 16. We do not knowingly collect personal data from children.

Changes

We will announce material changes here and via email at least 30 days in advance.

Contact

Email privacy@kaito.io.