Summary
If you are short on time, here is what matters: We collect only what we need to operate the platform and respond to inquiries. We do not sell personal data. Customer data deployed inside a Katonic platform belongs to the customer; we are a processor, not a controller. End users of platforms operated by our customers should consult their organization's privacy policy first, then this one.
1. Who we are
Katonic AI Inc is a Delaware corporation with offices in Sydney, Singapore, Riyadh, and London. For the purposes of EU and UK GDPR, the data controller responsible for this website and direct customer relationships is Katonic AI Inc. Our Data Protection Officer can be reached at support@katonic.ai.
2. Information we collect
2.1 Information you give us
When you fill out a form on our website, request a demo, or correspond with our team, we collect:
- Identifiers (name, work email address, employer, job title, country)
- Inquiry context (deployment shape, intended use case, timeline, budget if shared)
- Communications you send us (email, chat, call recordings if you consent)
2.2 Information we collect automatically
When you visit our public website, we collect:
- Device and connection information (IP address, browser type, language, time zone)
- Page-view information (pages visited, referring URL, time on page)
- Cookies and similar technologies (see Section 8)
2.3 Information from third parties
We receive limited information from business intelligence providers and partner referrals. Where we receive personal data from a partner, we ask the partner to confirm they have a lawful basis to share it.
2.4 Customer data inside the platform
When your organization operates a Katonic deployment (cloud, private cloud, or sovereign), the data you put into Workroom, Studio, Control Room, the AI Gateway, the Knowledge Engine, and other platform services is customer data. We process this data on your organization's behalf as a processor under your Data Processing Agreement. Your organization's own privacy policy applies first.
3. How we use information
We use the information described above only for these purposes:
- Respond to inquiries and provision sandbox access
- Operate, maintain, and improve the platform and our website
- Send transactional and account communications (sandbox provisioning, billing, security alerts, service updates)
- Send limited marketing communications with your consent (newsletters, event invitations) - you can unsubscribe at any time
- Detect, prevent, and respond to fraud, abuse, security incidents, and illegal activity
- Comply with legal obligations and enforce agreements
We do not use customer data inside the platform to train Katonic models or any third-party models, except where you specifically configure a fine-tuning job using your own data inside your own deployment.
4. Legal bases for processing (EU/UK)
For visitors and prospects in the EU, UK, and Switzerland, we rely on the following legal bases under GDPR Article 6(1):
- (b) Contract performance - to respond to your demo request, deliver sandbox access, or service the relationship
- (f) Legitimate interest - to operate our website, secure our platform, and conduct B2B outreach proportionate to your role
- (a) Consent - for non-essential cookies, marketing emails, and any sensitive categories where required
- (c) Legal obligation - to comply with regulators, courts, and tax authorities
5. How we share information
We do not sell personal data. We share information in these limited cases:
5.1 Service providers (subprocessors)
We use a small set of vetted subprocessors for hosting, communications, analytics, and security tooling. The current list is available on request - contact privacy@katonic.ai. We provide notice before adding a subprocessor that processes customer data.
5.2 Affiliates
We share information among Katonic AI Inc and its wholly owned affiliates for the purposes described in this policy. Each affiliate is bound by the same protections.
5.3 Business transfers
If Katonic is involved in a merger, acquisition, financing, or asset sale, personal data may transfer to the surviving entity, subject to standard confidentiality protections.
5.4 Legal compliance
We disclose information if required by law, court order, or valid government request. We push back against overbroad requests and notify customers when permitted.
6. International transfers
Katonic operates globally. Where we transfer personal data out of the EU, UK, or Switzerland to a country without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) plus supplementary technical and organizational measures including encryption in transit and at rest.
Sovereign customers can configure their deployment to keep all personal data within a single jurisdiction. See /sovereign.
7. Retention
We keep personal data only as long as needed for the purposes set out above:
- Marketing inquiries: 24 months from last interaction, then deletion or anonymization
- Active customer relationships: for the term of the contract plus 7 years for legal and accounting purposes
- Sandbox accounts: 30 days after sandbox expiry, unless converted to paid
- Website analytics: 14 months
- Security logs: 12 months by default, longer where required by law
8. Cookies and similar technologies
We use a minimal set of cookies. Strictly necessary cookies (session, CSRF) cannot be disabled and are not used for tracking. Analytics cookies are loaded only after consent in jurisdictions that require it. We do not use third-party advertising cookies.
You can manage cookie preferences in your browser. Disabling strictly necessary cookies will break parts of the website.
9. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data, subject to certain exceptions
- Restrict or object to certain processing
- Receive a portable copy of your data
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with your supervisory authority
To exercise these rights, email support@katonic.ai. We will respond within 30 days, or 45 days if the request is complex (with notice). For end users of a customer deployment, your first point of contact is your organization's privacy team.
10. California (CCPA / CPRA) disclosures
California residents have additional rights including the right to know what categories of personal information we have collected and disclosed in the past 12 months, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information.
Katonic does not sell personal information and does not share personal information for cross-context behavioral advertising. To exercise other CCPA rights, contact support@katonic.ai.
11. Children
Katonic's platform is a B2B product for enterprise and government use. We do not knowingly collect personal information from anyone under 16. If we learn we have collected such information, we delete it promptly.
12. Security
We maintain technical and organizational measures appropriate to the risks of processing including encryption in transit and at rest, role-based access control, audit logging, and an incident response process. See our Trust Center for detailed security documentation including ISO 27001 certification and pen test reports.
No security program is perfect. If you believe you have discovered a vulnerability, please report it to support@katonic.ai through our coordinated disclosure process.
13. Changes to this policy
We may update this policy. When we do, we revise the "last updated" date at the top of this page. For material changes, we provide additional notice (email to active customers, banner on the website) at least 30 days before the change takes effect.
14. Contact
For privacy questions or to exercise your rights:
- Email: support@katonic.ai
- Postal: Katonic AI Inc, attn: Privacy Office, [Delaware mailing address - to be confirmed by legal]
- EU representative: [to be confirmed by legal]
- UK representative: [to be confirmed by legal]
We aim to respond within 14 days for general inquiries and within 30 days for verifiable rights requests.
