Privacy Policy
Last updated: May 31, 2026
Version 1.0.0 | Effective April 30, 2026
In plain English: You own your content. We don't train on it. The AI models you choose GPT, Claude, Gemini, and others are large language models (LLMs). An LLM works by statistically predicting what text should come next, based on patterns learned from massive datasets. Roughly every 4 characters is a "token," and the model's job is to predict the next token, then the next, then the next, assembling words, sentences, and paragraphs one prediction at a time. This means LLMs can be remarkably useful, but they also make mistakes. They hallucinate — generating confident-sounding text that is factually wrong. They are not a substitute for human reasoning, especially when decisions impact the physical world. Do not rely on AI outputs for legal, medical, financial, or other professional advice without independent verification.
1. Overview
KontextAI.ai, LLC ("KontextAI," "we," "us," "our") respects your privacy. This Privacy Policy describes how we collect, use, store, and protect your information when you use our personal AI agent platform ("Service"). This policy applies to all users worldwide, including users in the European Economic Area (EEA), United Kingdom, and California.
2. The Short Version
Our commitments:
- We do not train AI models on your content
- We do not sell your data to third parties
- We do not share your uploaded content with other users
- You can export or delete your data at any time
- Your uploaded files are stored in isolated, per-user storage
3. Information We Collect
Account information: Email address, name, and authentication credentials when you register. We use this to create and manage your account.
Content you upload: Documents, files, books, transcripts, and other materials you upload to create AI agents. This is processed to generate vector embeddings and enable retrieval-augmented generation (RAG).
Chat and usage data: Your queries to AI agents, conversation history, agent configurations, and how you interact with features of the Service.
Technical data: Browser type, operating system, IP address, device identifiers, referring URLs, and access timestamps, collected automatically through server logs.
Cookies and analytics: We use essential cookies required for the Service to function. We use Umami (self-hosted, privacy-focused analytics) to understand aggregate usage patterns. Umami does not use cookies and does not collect personally identifiable information. We do not use third-party advertising cookies or tracking pixels.
4. How We Use Your Information
We use your information for the following purposes:
- Providing the Service: Processing your uploads, generating embeddings, powering AI agent responses, and maintaining conversation history
- Account management: Creating and managing your account, authenticating access, and communicating about your account
- Improvement: Understanding aggregate usage patterns to improve features, performance, and reliability (using anonymized, non-personal data only)
- Safety and security: Detecting and preventing abuse, unauthorized access, and violations of our Terms of Service
- Legal compliance: Complying with applicable laws, regulations, and legal processes
Legal basis (GDPR): We process your data based on: (a) contractual necessity (to provide the Service), (b) legitimate interest (security and improvement), and (c) your consent (where applicable, such as optional analytics).
5. What We Don't Do
- We do not use your User Content or conversation data to train, fine-tune, or improve AI models (ours or anyone else's)
- We do not sell, rent, or trade your personal information to third parties
- We do not share your uploaded content with other users of the Service
- We do not access your BYOK API keys beyond the scope of processing your requests
- We do not use third-party advertising trackers, retargeting pixels, or behavioral advertising cookies
6. Third-Party AI Providers and BYOK
When you use "Bring Your Own Key" (BYOK), your queries, uploaded file content, and conversation context are transmitted to the third-party AI provider you select (e.g., OpenAI, Anthropic, Google, Together AI) using your own API credentials. That transmission is governed by the applicable provider's own Terms of Service and Privacy Policy:
KontextAI acts as a technical pass-through for BYOK requests. We encrypt BYOK Keys at rest and do not log or persist key values beyond active use. We do not control how third-party providers process data sent through their APIs. If you use the Service in a regulated industry, you should independently verify your chosen provider's data handling practices.
7. Service Providers and Subprocessors
We use the following service providers to operate the Service:
| Provider | Purpose | Data Processed |
|---|---|---|
| DigitalOcean | Cloud hosting and infrastructure | All Service data (encrypted at rest and in transit) |
| Cloudflare | CDN, DNS, marketing site hosting | IP addresses, request metadata |
| Stripe | Payment processing | Payment card data, billing address, transaction records |
| WorkOS | Authentication and identity management | Email, name, authentication metadata |
| Together AI | AI model inference (primary provider) | Queries + document context for retrieval-augmented generation |
| Fireworks AI | AI model inference (failover provider) | Queries + document context (when primary is unavailable) |
| Modal | GPU compute for embedding generation | Uploaded document content (transformed into vector embeddings) |
8. Data Security
We use industry-standard security measures to protect your data, including:
- Encryption in transit (TLS 1.2+) for all connections
- Encryption at rest for stored data and credentials
- Isolated, per-user storage for uploaded content
- Access controls and authentication for all internal systems
- Regular security reviews and dependency updates
Design principles: KontextAI is designed with user trust as a structural requirement, not a marketing claim. We do not use dark patterns, infinite scroll, autoplay, or engagement-maximizing algorithms. We do not design features to maximize time-on-platform. We do not target minors. Our Service is intended for professionals, researchers, and knowledge workers age 18 and older. The age minimum stated in our Terms of Service (13) reflects legal requirements; our product design, pricing, and content are directed at adults.
No system is completely secure. While we take reasonable precautions, we cannot guarantee absolute security. If we become aware of a security breach affecting your personal data, we will notify affected users and relevant authorities as required by law (within 72 hours for GDPR-covered incidents, within 30 days for California residents).
9. Data Retention
In plain English: We keep your data for as long as your account is active. You can delete individual items (files, sessions, memories) at any time. When you close your account, your account is suspended immediately and you have 7 days to cancel deletion via a restoration link sent to your email. After 7 days, your data is deleted from active systems. Some data (billing records, server logs) is retained longer for legal and security purposes.
| Data Type | Retention Period |
|---|---|
| Uploaded documents and files | Retained while your account is active. Deleted upon your request or 7 days after account closure (via the cancellation window). |
| Vector embeddings | Retained while the source document exists. Deleted when you delete the document. |
| Chat and conversation history | Retained while your account is active. You can delete individual sessions at any time. |
| Memories | Retained while your account is active. You can view, edit, and delete individual memories at any time. |
| BYOK API keys | Encrypted at rest. Deleted immediately upon revocation or account closure. |
| Account information | Account suspended at closure. 7-day cancellation window via email restoration link. After 7 days, account and personal data deleted from active systems. |
| Server and access logs | Retained for up to 90 days for security, debugging, and abuse prevention. |
| Billing and payment records | Retained for 7 years as required by US tax law (IRS). |
Note: Deletion from active systems does not guarantee immediate removal from encrypted backups, which are retained for disaster recovery and rotated on a regular schedule. We do not use backup data for any purpose other than system recovery.
Third-party providers: When you delete your account, we delete your data from KontextAI's systems within the timelines above. However, third-party providers we rely on (WorkOS for authentication, Stripe for payments, the AI provider you select for inference) maintain their own data retention policies and we do not currently issue automated deletion requests to these providers on your behalf. To request deletion of data held by these providers directly, please consult their privacy policies linked in Section 7.
10. Your Rights
Depending on your location, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data ("right to be forgotten")
- Portability: Request your data in a portable, machine-readable format
- Restriction: Request that we limit how we process your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time
For California residents (CCPA): You have the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell or share your personal information as defined under CCPA/CPRA. We do not use personal information for cross-context behavioral advertising. To exercise any of these rights, contact us at [email protected].
For EEA/UK residents (GDPR): You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your data in accordance with applicable law.
11. International Data Transfers
KontextAI is based in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States. For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection of your personal data. By using the Service, you consent to the transfer of your data to the United States.
12. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].
13. Automated Decision-Making
The Service uses AI models to generate responses based on your uploaded content and queries. These AI-generated outputs are informational tools and are not used to make automated decisions that produce legal or similarly significant effects on you. You always retain control over how you use AI Outputs.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to the address associated with your account or by posting a prominent notice on the Service at least thirty (30) days before the changes take effect. Your continued use of the Service after the effective date of revised terms constitutes acceptance of those changes.
15. Contact
Questions about privacy or your data? Contact us at [email protected].
KontextAI.ai, LLC. Registered in the State of Wyoming, USA. Data Controller for GDPR purposes: KontextAI.ai, LLC.