Privacy Policy
Effective Date: December 17, 2024
Last Updated: December 17, 2024
PASV LLC ("Company," "we," "us," or "our") operates the Kompot platform and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our Service.
Important Notice for End Users
If you are an End User (e.g., a contact in a Kompot customer's CRM), your information is controlled by the Kompot customer who entered your data. Please contact them directly for questions about how your data is used. This Privacy Policy primarily applies to our direct customers and website visitors.
1. Information We Collect
1.1 Information You Provide
| Category | Types of Data | Purpose |
|---|---|---|
| Account Information | Name, email address, password (hashed), company name | Account creation, authentication, communication |
| Profile Information | Profile picture, timezone, language preferences | Personalization, service delivery |
| Payment Information | Billing address, payment method details (processed by Stripe) | Payment processing, invoicing |
| Customer Data | Contact information, communications, notes, attachments you upload | Providing the CRM service |
| Communications | SMS messages, call logs, email content (when using our communication features) | Communication services, history tracking |
| Support Data | Messages and information you provide when contacting support | Customer support, service improvement |
1.2 Information Collected Automatically
| Category | Types of Data | Purpose |
|---|---|---|
| Device Information | Device type, operating system, browser type, unique device identifiers | Security, analytics, troubleshooting |
| Usage Data | Pages viewed, features used, actions taken, time spent | Service improvement, analytics |
| Log Data | IP address, access times, referring URLs, error logs | Security, debugging, analytics |
| Cookies | Session cookies, preference cookies, analytics cookies | Authentication, preferences, analytics |
1.3 Information from Third Parties
- Google OAuth: If you sign in with Google, we receive your name, email, and profile picture
- Twilio: Delivery status and metadata for SMS messages
- Payment Processors: Transaction status and fraud prevention data
1.4 AI Feature Data
When you use AI-powered features, your prompts and relevant context are sent to third-party AI providers (OpenAI, Anthropic, or Google). We retain AI conversation history to provide the feature. See Section 11 for more details.
2. How We Use Your Information
We use collected information to:
2.1 Provide and Maintain the Service
- Create and manage your account
- Process transactions and send billing information
- Provide customer support
- Send service-related communications
2.2 Improve and Develop the Service
- Analyze usage patterns and trends
- Test and develop new features
- Fix bugs and improve performance
2.3 Security and Compliance
- Detect and prevent fraud and abuse
- Enforce our Terms of Service
- Comply with legal obligations
2.4 Communication
- Send service updates and announcements
- Respond to inquiries and support requests
- Send marketing communications (with your consent)
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA) or UK, we process your data based on:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Account creation, service delivery, payment processing |
| Legitimate Interests | Security, fraud prevention, service improvement, analytics |
| Consent | Marketing communications, optional cookies, AI feature usage |
| Legal Obligation | Tax compliance, responding to legal requests |
4. How We Share Information
4.1 Service Providers
We share data with third-party providers who assist in operating the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| MongoDB Atlas | Database hosting | All Customer Data (encrypted) |
| Stripe | Payment processing | Billing information |
| Twilio | SMS/voice services | Phone numbers, message content |
| OpenAI / Anthropic / Google | AI features | Prompts and context for AI processing |
| Railway / Cloud Providers | Application hosting | Application data, logs |
4.2 Legal Requirements
We may disclose information if required by law, court order, or government request.
4.3 Business Transfers
In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
4.4 With Your Consent
We may share information for other purposes with your explicit consent.
4.5 Aggregated Data
We may share anonymized, aggregated data that cannot identify you for research or marketing purposes.
5. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States. We implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): For transfers from EEA/UK
- Service Provider Agreements: Requiring data protection commitments
- Encryption: Data encrypted in transit and at rest
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account Data | Duration of account + 90 days after deletion |
| Customer Data | Duration of account + 90 days (or as specified in DPA) |
| Transaction Records | 7 years (legal/tax requirements) |
| Support Communications | 3 years after resolution |
| AI Conversations | Duration of account + 30 days |
| Usage Logs | 12 months |
| Security Logs | 2 years |
7. Data Security
We implement industry-standard security measures:
- Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
- Access Controls: Role-based access, multi-factor authentication
- Infrastructure: Secure cloud hosting with regular security audits
- Password Security: Passwords hashed using bcrypt
- Monitoring: Automated security monitoring and alerting
While we strive to protect your data, no method of transmission or storage is 100% secure.
8. Your Rights
8.1 All Users
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate data
- Deletion: Request deletion of your account and data
- Export: Receive your data in a portable format
- Opt-out: Unsubscribe from marketing communications
8.2 EEA/UK Residents (GDPR)
You have additional rights under GDPR:
- Restriction: Request restriction of processing
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time
- Complaint: Lodge a complaint with your supervisory authority
8.3 Exercising Your Rights
To exercise your rights, contact us at i@kompot.ai. We will respond within 30 days (or 45 days for CCPA requests). We may verify your identity before processing requests.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights:
9.1 Right to Know
Request disclosure of:
- Categories of personal information collected
- Sources of personal information
- Business purposes for collection
- Categories of third parties with whom we share data
- Specific pieces of personal information collected
9.2 Right to Delete
Request deletion of personal information, subject to legal exceptions.
9.3 Right to Correct
Request correction of inaccurate personal information.
9.4 Right to Opt-Out of Sale/Sharing
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
9.5 Right to Non-Discrimination
We will not discriminate against you for exercising your privacy rights.
9.6 Categories of Information (Last 12 Months)
| Category | Collected | Sold | Disclosed for Business Purpose |
|---|---|---|---|
| Identifiers | Yes | No | Yes (Service Providers) |
| Commercial Information | Yes | No | Yes (Payment Processors) |
| Internet Activity | Yes | No | Yes (Analytics) |
| Professional Information | Yes | No | No |
9.7 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authorization.
10. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
11. Third-Party Services and AI
11.1 Third-Party Links
The Service may contain links to third-party websites. We are not responsible for their privacy practices.
11.2 AI Services
Our AI features use third-party providers (OpenAI, Anthropic, Google). When you use AI features:
- Your prompts and relevant context are sent to the AI provider
- AI providers may use data per their policies (typically not for training)
- We store AI conversations to provide the service
- Do not submit sensitive personal data unless necessary
Review the privacy policies of OpenAI, Anthropic, and Google.
11.3 Twilio (SMS/Voice)
SMS and voice features are powered by Twilio. Message content and phone numbers are transmitted to Twilio for delivery. See Twilio's Privacy Policy.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email or through the Service. Your continued use after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
For privacy-related questions or to exercise your rights, contact us at:
PASV LLC
Email: i@kompot.ai
Website: https://kompot.ai
Data Protection Officer Contact: i@kompot.ai
EU Representative: Not applicable (we process data as a processor for EU customers under their instructions, governed by our Data Processing Agreement).
By using Kompot, you acknowledge that you have read and understood this Privacy Policy.