Privacy Policy
Last updated: March 2026 · Version 1.0
1. Information We Collect
1.1 Account Information
When you register, we collect your name, email address, organization name, and password (stored as a bcrypt hash — we never store plaintext passwords).
1.2 Usage Data
We collect information about how you use the Service, including features accessed, actions taken, and performance metrics. This data is used to improve the Service and is never sold to third parties.
1.3 Project Data
Data you enter into the Service (projects, tasks, risks, decisions, documents) is stored securely and is only accessible to authorized users within your organization.
2. How We Use Your Information
- To provide, maintain, and improve the Service.
- To send transactional emails (password resets, notifications, billing).
- To provide AI-powered features (with full data anonymization — see Section 4).
- To detect and prevent fraud, abuse, and security incidents.
- To comply with legal obligations.
3. Data Storage and Security
Your data is stored in PostgreSQL databases with row-level security (RLS) ensuring complete tenant isolation. All data is encrypted at rest and in transit. We use the Istio service mesh with mutual TLS for all internal communications.
4. AI Data Protection
Kumty includes AI-powered features that use external language models. We implement a Data Anonymization Layer (DAL) that ensures:
- All personally identifiable information is anonymized before being sent to any external AI provider.
- Nine categories of data are anonymized: names, emails, budgets, dates, vendors, organizations, locations, phone numbers, and identifiers.
- Anonymization mappings are temporary (60-second TTL) and destroyed after each request.
- AI responses are de-anonymized before being shown to users.
- Your data is never used to train external AI models.
5. Third-Party Processors
We use the following categories of third-party services:
- Cloud Infrastructure: For hosting and data storage.
- AI Providers: For language model inference (data anonymized via DAL).
- Email Services: For transactional email delivery.
- Payment Processing: For subscription billing (Stripe).
6. Your Rights (GDPR)
Under applicable data protection laws, you have the right to:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate personal data.
- Erasure: Request deletion of your personal data.
- Portability: Export your data in a machine-readable format.
- Restriction: Restrict processing of your data.
- Objection: Object to processing of your data.
To exercise any of these rights, contact us through the Service or at the email address provided on our website. We will respond within 30 days.
7. Data Retention
We retain your data for as long as your account is active. Upon account termination, we make your data available for export for 30 days, after which it is permanently deleted. Audit logs may be retained for up to 7 years as required by applicable regulations.
8. Children's Privacy
The Service is not intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service.
10. Contact
For privacy-related inquiries, please contact our Data Protection Officer through the Service or at the email address provided on our website.