Back to Home
Legal

Privacy Policy

Last updated: December 8, 2025

Our Core Principle: Kondu is designed with privacy at its foundation. Our platform orchestrates workflows using content references - we never store or process your actual message content. Your data stays in your infrastructure.

1 Introduction

Kondu AI ("Kondu", "we", "us", or "our") operates the kondu.ai website and the Kondu platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

2 Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, company name, and password when you create an account.
  • Contact Information: Information you provide when contacting us, including email correspondence.
  • Billing Information: Payment details processed through our payment provider (we do not store full credit card numbers).

2.2 Information Collected Automatically

  • Usage Data: Information about how you use our platform, including workflow configurations, job statistics, and feature usage.
  • Log Data: IP address, browser type, operating system, access times, and pages viewed.
  • Device Information: Device type, unique device identifiers, and mobile network information.

2.3 Information We Do NOT Collect

Kondu operates on a "content by reference" architecture. We do NOT collect, store, or process:

  • The actual content of your emails, messages, or files
  • Personal data contained within your communications
  • Customer data processed by your workflows

Your content remains in your own storage systems (such as AWS S3, Azure Blob, or other providers you choose). Kondu only stores references (URIs) to this content.

3 How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our platform
  • Process your account registration and manage your account
  • Send you service-related communications
  • Respond to your inquiries and provide customer support
  • Monitor and analyze usage patterns to improve our services
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations

4 Data Sharing and Disclosure

We do not sell your personal information. We may share information with:

  • Service Providers: Third parties that perform services on our behalf (hosting, analytics, payment processing).
  • Legal Requirements: When required by law or to protect our rights.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets.

5 Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Audit logging of administrative actions

6 Data Retention

We retain your account information for as long as your account is active. Metadata and logs are retained for up to 90 days. You may request deletion of your account and associated data at any time.

7 Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our services to you (Article 6(1)(b) GDPR)
  • Legitimate Interests: Analytics, security, and service improvement (Article 6(1)(f) GDPR)
  • Legal Obligation: Compliance with applicable laws (Article 6(1)(c) GDPR)
  • Consent: Where you have given explicit consent for specific processing (Article 6(1)(a) GDPR)

8 Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights under GDPR:

  • Right of Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Request correction of inaccurate data
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Restriction (Art. 18): Request restriction of processing
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at privacy@kondu.ai. We will respond within 30 days.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In Norway, this is the Norwegian Data Protection Authority (Datatilsynet): www.datatilsynet.no

9 International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

10 Cookies

We use essential cookies for authentication and security. We do not use tracking or advertising cookies. You can control cookies through your browser settings.

11 Children's Privacy

Our services are not directed to individuals under 16. We do not knowingly collect personal information from children.

12 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date.

13 Data Controller

The data controller responsible for your personal data is:

14 Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us: