Privacy Policy

1. Roles: When We Act as "Service Provider" vs. "Business"

Depending on how you use Kuvai, we may act in different privacy roles:

Service Provider / Processor

For enterprise and business customers, when we process Customer Data (as defined below) on your behalf (e.g., documents, emails, CRM data you connect), we generally act as a "service provider" or "processor" under applicable privacy laws. In that capacity, we process data only to provide the Services and as otherwise permitted in our contracts with you.

Business / Controller

For information like your account profile, billing data, cookie/analytics data from our website, support interactions, and our own marketing lists, we act as an independent "business" or "controller."

Role as Technical Conduit for Communications

When our Services are used to send outbound communications (including emails, SMS/text messages, and voice calls), Kuvai acts strictly as a technical transmission conduit. We do not select the recipients, draft the message content, or determine the timing of these communications. The Customer who sends the message is solely responsible for ensuring they have the necessary consents and for providing valid opt-out mechanisms. If you have received a communication via our platform and wish to unsubscribe or exercise your privacy rights regarding that communication, please contact the sender (our Customer) directly.

This Privacy Policy covers both roles. Where we process Customer Data purely as a service provider/processor for a business customer, our obligations may also be governed by a separate data processing addendum or master services agreement.

2. Information We Collect

We collect information in three main ways: (1) information you provide directly; (2) information collected automatically; and (3) information obtained from integrated third-party sources.

2.1 Information You Provide

Account & Verification Information: When you sign up, we collect information such as your name, email address, password, organization name, role, and other business contact details. For certain business accounts, we may request additional information (e.g., incorporation details, tax IDs, domain verification) to verify your organization.

Payment Information: If you purchase a subscription, our third-party payment processors (such as Stripe) collect your payment card details and billing address. Kuvai does not store full payment card numbers.

Customer Data (Content): We collect the text, documents, files, structured data, voice inputs, and prompts you upload or submit to the Services ("Input") and the content generated or returned by the Services in response ("Output"). Together, Input and Output, along with connected system data, are referred to as "Customer Data."

Forwarded Emails: If you use email forwarding (e.g., forwarding emails to a Kuvai inbox for analysis or automation), we collect and process the contents, headers, and attachments of those forwarded messages.

Support and Communications: When you contact us (e.g., support requests, product feedback), we collect the information you choose to provide and any associated metadata (such as timestamps and communication channel).

Incidental and Unstructured Data: Because our Services allow you to upload, analyze, and query unstructured data (such as PDFs, emails, and open-text prompts), you may provide us with types of personal information not explicitly listed above. We collect and process any such information contained within your Inputs as part of your Customer Data, in accordance with your instructions and this Privacy Policy.

Chrome Browser Extension

If you use the Kuvai Chrome browser extension ("Extension"), the following information is collected and processed only when you explicitly initiate it through the Extension's sidebar chat interface:

• API Key: Your Kuvai API key (obtained from your account's Settings > Profile section) is stored locally in your browser using Chrome's built-in storage mechanism (chrome.storage.sync). The API key is transmitted only to Kuvai's servers (api.kuvai.com) for the purpose of authenticating your requests. It is never shared with any third party.
• Web Page Content: When you attach a web page to a chat conversation (either automatically when the sidebar opens or manually via the attach button), the visible text content of the active browser tab is read and sent to Kuvai's API as part of your chat request. Page content is only captured when you explicitly initiate it and is not collected passively or in the background.
• Page URL: The URL of the attached web page is sent alongside the page content to provide source context for your request.
• Screenshots: When you choose to capture a screenshot through the Extension, the visible area of the current browser tab is captured and uploaded to Kuvai Drive via the Kuvai API for processing. Screenshots are only captured when you explicitly select this option.
• Uploaded Files: Files you choose to upload through the Extension (such as PDFs, documents, images, and other supported file types) are sent to Kuvai Drive via the Kuvai API for storage and processing.
• Chat Messages: Messages you type in the Extension's chat sidebar, along with conversation history for the current session, are sent to Kuvai's API for processing. Chat history is maintained only for the duration of the active session and is not persisted locally after the sidebar is closed.
• Selected Text: If you select text on a web page and use the right-click context menu to open the Extension, the selected text is pre-filled into the chat input. This text is only sent to Kuvai's API when you submit a message.

All data collected through the Extension is treated as Customer Data (as defined above) and is subject to the same use, sharing, security, and retention practices described in this Privacy Policy. The Extension does not collect any data passively, does not run in the background, and does not track your browsing activity.

2.2 Information Collected Automatically

Usage Data: We may collect information that your browser sends whenever you visit our Services or when you access the Services by or through a mobile device. This Usage Data may include information such as your computer's Internet Protocol address (e.g., IP address), browser type, browser version, the pages of our Services that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data.

Mobile Device Data: When you access the Services by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers, and other diagnostic data.

Platform & AI Metrics: To properly meter usage and billing, we also strictly monitor metadata regarding your interaction with the AI platform, including login times, specific agent workflows triggered, number and types of API calls, token usage, and performance metrics associated with your account.

Device & Log Data: We automatically collect technical information, including IP address, browser type, device identifiers, operating system, referring URLs, and log data (e.g., timestamps, error logs, session IDs).

Tracking & Cookies Data: We use cookies and similar tracking technologies to track the activity on our Services and hold certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Services. Examples of Cookies we use:

• Session Cookies: We use Session Cookies to operate our Services (e.g., to keep you logged in).
• Preference Cookies: We use Preference Cookies to remember your preferences and various settings.
• Security Cookies: We use Security Cookies for security purposes.
• Analytics Cookies: We use Analytics Cookies to track information on how the Services are used so that we can make improvements.

Chrome Extension Permissions

The Kuvai Chrome extension requests the following browser permissions:

• Access to all website URLs (<all_urls>): This permission is required solely to enable the page content attachment feature, which allows the Extension to read the text content of any web page you are viewing when you explicitly choose to attach it. No browsing history, page content, or user activity is collected automatically or in the background. This permission is never used for tracking, advertising, or any purpose other than reading page content at your request.
• Active Tab and Scripting: Used to read the content of the currently active tab when you attach a page or capture a screenshot. These permissions are only exercised when you initiate an action through the Extension's interface.
• Storage: Used to store your API key and theme preference locally in your browser. No personal data is stored beyond these settings.
• Context Menus: Used to add a "Chat with Kuvai" option to the browser's right-click menu, allowing you to quickly open the chat sidebar from any page.
• Side Panel: Used to display the chat interface as a sidebar within your browser window.

You may review and manage the Extension's permissions at any time by visiting chrome://extensions in your browser and clicking "Details" on the Kuvai extension. You may also uninstall the Extension at any time, which will remove all locally stored data (API key and preferences) from your browser.

2.3 Information from Integrations (Agentic Data)

If you connect Kuvai to third-party services (for example, Gmail, Outlook, Slack, Salesforce, HubSpot, or data warehouses), either directly or via an integration partner, we access data from those services strictly in accordance with the permissions you grant. This may include:

• Reading emails or messages to generate summaries or draft replies;
• Accessing database records or structured data for analysis and reporting;
• Retrieving contact or lead lists to facilitate outbound email, SMS, or voice campaigns; and
• Writing updates back into those systems (e.g., updating CRM records) when explicitly configured.

You can disconnect integrations at any time via your account settings or the relevant third-party platform.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 To Provide and Operate the Services

• To create and manage your account and authenticate your identity (including via SSO providers such as Okta, if configured);
• To process your Inputs, documents, and forwarded emails using our AI workflow engine and connected models;
• To vectorize and index your Customer Data to enable retrieval-augmented generation (RAG) and search within your workspace;
• To execute automated workflows and "Agents" you configure (e.g., sending emails, SMS, or performing third-party API calls);
• To provide customer support and respond to your requests.

3.2 To Improve and Develop Kuvai

• To understand how users interact with the Services and which features are used;
• To debug, optimize, and improve our models, workflows, and user experience;
• To develop new products, features, and capabilities.

AI Training Policy: We do not use your Customer Data or Output to train the foundational large language models ("LLMs") provided by third-party model providers (such as OpenAI, Anthropic, or Google). Your proprietary data remains scoped to your tenancy or processing context. However, we may use Aggregated and De-Identified Data (data that has been stripped of personal identifiers and Customer-identifying information) for the purpose of machine learning training, tuning, benchmarking, and improving Kuvai's proprietary algorithms and internal models (for example, to improve how our system routes requests to specific Agents).

3.3 For Security, Abuse Prevention, and Legal Compliance

• To monitor, detect, and prevent fraud, abuse, and misuse of the Services (including misuse of voice cloning, deepfakes, or outbound channels);
• To protect the security and integrity of the Services, our users, and our infrastructure;
• To enforce our Terms of Use and other policies; and
• To comply with applicable laws, regulations, and legal processes.

In limited cases, authorized Kuvai personnel may access specific Inputs/Outputs or workspace data (for example, to troubleshoot a support ticket, investigate abuse, or as required by law). Such access is restricted, logged, and subject to confidentiality obligations.

4. How We Share Your Information

We do not sell your personal information. We share information only as described below.

4.1 Third-Party AI Model Providers (Sub-Processors)

To provide AI reasoning and generative capabilities, we transmit portions of your Inputs and related context to third-party model providers via API. These may include, for example, OpenAI, Anthropic, and Google (Gemini), as well as other providers we may add over time. These providers process data solely to generate Outputs or perform related AI services for Kuvai. Under our enterprise/API arrangements, data sent to these providers is generally not used to train their publicly available base models. Our use of these providers is subject to contractual and security safeguards, but your data will also be processed under their privacy and security practices.

4.2 Infrastructure and Service Providers

We use vendors and sub-processors to help us operate the Services, including:

• Cloud Hosting & Storage: Amazon Web Services (AWS), including Canadian regions;
• Databases and Queues: e.g., managed databases, message queues, and search infrastructure;
• Integration Middleware: API aggregation and middleware services to connect to your external systems;
• Authentication & Identity: Providers like Okta (if configured);
• Communications: Providers such as Twilio (for SMS/voice) and email delivery platforms;
• Analytics and Monitoring: Tools for application monitoring, error tracking, and product analytics.

These vendors are authorized to use your information only as necessary to provide their services to us and are bound by contractual confidentiality obligations.

4.3 Business Transfers

If Kuvai is involved in a merger, acquisition, financing, reorganization, or sale of all or part of its assets, your information may be transferred as part of that transaction, subject to confidentiality obligations and applicable law.

4.4 Legal Requests and Protection of Rights

We may disclose your information if we reasonably believe such disclosure is:

• Required by law, regulation, or legal process (e.g., subpoena, court order);
• Necessary to protect the rights, property, or safety of Kuvai, our users, or the public; or
• Needed to detect, prevent, or address fraud, security, or technical issues.

5. Data Residency and International Transfers

5.1 Storage in Canada

Kuvai is a Canadian company. Our primary production databases and storage buckets are hosted in AWS Canada (Central) or other Canadian regions, subject to change as our infrastructure evolves.

5.2 AI Processing and International Transfer

While our primary storage is in Canada, you acknowledge that providing the Services (specifically AI inference and reasoning) requires transferring data to computers located outside your province, state, or country, including to the United States. Your submission of information and continued use of the Services represents your agreement to the transfer, processing, and storage of your information (including Customer Data and proprietary business information) in countries outside your province, state, or country of residence, where privacy laws may differ. Where required by law, we will implement appropriate safeguards for such transfers.

6. Security

We take security seriously. Kuvai maintains a security program aligned with SOC 2 Type II standards, which includes:

• Encryption of data in transit (e.g., TLS 1.2+) and at rest (e.g., AES-256);
• Strict access controls, role-based permissions, and multi-factor authentication for staff;
• Logging and monitoring of access to production systems;
• Regular security audits, vulnerability assessments, and penetration testing.

However, no method of transmission over the Internet or electronic storage is completely secure. You are responsible for maintaining the confidentiality of your account credentials, API keys, and integration tokens, and for promptly notifying us of any suspected compromise.

7. Data Retention and Deletion

We retain information for as long as reasonably necessary to:

• Provide and maintain the Services;
• Comply with our legal and contractual obligations;
• Resolve disputes and enforce our agreements; and
• Maintain appropriate business and financial records.

Retention periods may vary by data type and context (e.g., application logs vs. document storage).

Account Deletion: You may request the deletion of your account and associated Customer Data by contacting support@kuvai.com or using in-product controls where available. We will delete or anonymize your Customer Data from active systems within approximately 30 days, subject to legal or contractual retention obligations.

Backups and Logs: Certain data may remain in backups or logs for a limited period before being overwritten or deleted in the normal course of operations.

8. Your Rights and Choices

8.1 Access and Correction

You can access and update most of your account profile information through the Platform. If you are unable to correct information, you may contact us at support@kuvai.com.

8.2 Deletion

You may request deletion of your personal information or Customer Data as described above. We may retain certain information as required or permitted by law, such as for legal, security, or accounting purposes.

8.3 Marketing Communications

You may opt out of marketing or promotional emails at any time by using the "unsubscribe" link in those emails. We may still send you transactional or service-related communications (for example, billing notices, security alerts, and critical updates).

8.4 California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, may provide you with rights regarding your personal information, including:

• Right to Know: You may request information about the categories of personal information we collect, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information.
• Right to Access & Portability: You may request a copy of the personal information we hold about you.
• Right to Delete: You may request deletion of personal information we hold about you, subject to certain exceptions.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

Sale / Sharing of Personal Information: Kuvai does not "sell" personal information as defined under the CCPA/CPRA, and we do not "share" personal information for cross-context behavioral advertising. To exercise any of these rights, you or your authorized agent may contact us at support@kuvai.com. We may need to verify your identity before fulfilling your request.

8.5 Other Jurisdictions

If you reside in a jurisdiction that grants you additional privacy rights (for example, access, correction, or deletion rights), you may contact us to exercise those rights. We will respond to requests as required by applicable law.

9. Children's Privacy

The Services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete it as soon as reasonably practicable.

Users between 13 and 17 may use the Services only under the conditions described in our Terms of Use (for example, with parental or organizational consent). If you are a parent or guardian and believe your child has provided us information in violation of this policy, please contact us at support@kuvai.com.

10. Google Workspace Data (Google API Disclosure)

If you use Kuvai's integration with Google Workspace (such as Gmail or Google Drive):

• Kuvai's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
• We will not use Google Workspace data for advertising or targeting purposes.
• We do not allow humans to read your Google Workspace content except: (a) when you explicitly grant consent for specific messages or files (for example, during a support session); (b) when necessary for security purposes or to investigate abuse; (c) when required by applicable law; or (d) when data is aggregated and anonymized for internal operations.

11. International Users and GDPR

The Services are primarily intended for customers in North America. We do not actively market or target the Services to individuals in the European Economic Area (EEA) or the United Kingdom. If you nonetheless access the Services from the EEA or UK:

• We will process your personal information primarily under Canadian and applicable U.S. laws;
• In limited cases where EU/UK data protection laws apply, our legal bases for processing typically include contract performance, legitimate interests (such as operating and securing the Services), and compliance with legal obligations; and
• Enterprise customers that require GDPR-aligned terms may enter into a separate data processing addendum with Kuvai.

If you are located in the EEA or UK and have questions about how your information is processed, you may contact us using the details below.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email, through the Services, or by posting a notice on our website. The "Last Updated" date at the top of this Privacy Policy indicates when it was last revised. Your continued use of the Services after any changes become effective constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you should stop using the Services.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact our Privacy Officer:

Kuvai Inc. d/b/a Kuvai

Attn: Privacy Officer

325 Front Street West, 2nd Floor, Box 47

Toronto, Ontario, M5V 2Y1, Canada

Email: support@kuvai.com

Phone: +1 (416) 987-1127