1. Introduction and Identity
This Privacy Policy explains how Kyndium LLC, a limited liability company registered in the Commonwealth of Virginia (“Kyndium,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information when you use kyndium.com and the Kyndium application (collectively, the “Service”).
We are the data controller for information processed under this policy. If you have questions, contact us at privacy@kyndium.com.
By using the Service, you acknowledge you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Personal Information We Collect
We collect personal information in three ways: information you provide directly, information generated automatically, and information from third-party services you connect.
| Category | Data | Purpose | Retention |
|---|---|---|---|
| Account | Email address, hashed password, display name | Authentication, account management, transactional email | Duration of account + 30 days |
| Profile | Plan tier, subscription status, consent timestamps | Feature gating, billing, compliance | Duration of account + 30 days |
| Content | Tasks, notes, labels, attachments, project data | Service delivery — storing your work | Duration of account; 30-day trash buffer |
| Usage | Page views, feature interactions, session events | Product improvement, analytics (with consent) | Up to 26 months (GA4 default) |
| Payment | Payment method token, last 4 digits, billing address | Processing subscriptions via Stripe | Per Stripe's retention policy |
| Technical | IP address, browser type, OS, referrer URL | Security, fraud prevention, debugging | 90 days in server logs |
| Consent | Consent decisions, document versions, timestamps | Legal compliance, audit trail | 5 years |
We do not collect: Social Security numbers, government ID numbers, financial account credentials, or health information.
3. How We Collect Information
Directly from you — when you create an account, fill in your profile, create projects and tasks, communicate with us, or respond to surveys.
Automatically — when you use the Service, we receive technical information such as your IP address, browser characteristics, pages visited, and time spent. This happens through server logs, cookies, and (if you consent) analytics tools. See our Cookie Policy for details.
From third parties — if you sign up via an OAuth provider (e.g. Google) we receive the information that provider shares per your authorization. Payment information is handled by Stripe and we receive only a tokenized reference, never full card details.
4. How We Use Personal Information
We use your personal information to:
(a) create and manage your Account and authenticate your sessions;
(b) deliver, operate, maintain, and improve the Service;
(c) process payments and manage your Subscription;
(d) send transactional communications — password resets, billing receipts, security alerts, and service notices (these cannot be opted out of while you hold an Account);
(e) send product update emails and newsletters (you may opt out at any time);
(f) analyze aggregate usage patterns to improve product features (only with your consent for analytics cookies);
(g) investigate and prevent fraud, abuse, and security incidents;
(h) comply with applicable laws, regulations, and legal process;
(i) enforce our Terms of Service and other policies.
We do not sell your personal information to third parties. We do not use your personal information for targeted advertising. We do not use your Content to train AI or machine learning models without your separate, explicit consent.
6. Data Retention
We retain your personal information for as long as your Account is active plus a 30-day grace period to allow data export after deletion. Consent records are retained for 5 years for compliance purposes. Server access logs are purged after 90 days. Analytics data is subject to Google Analytics 4's 26-month default retention period (if analytics consent is granted).
When we no longer need personal information, we delete or anonymize it securely. Some residual information may remain in encrypted backups for up to 90 additional days before those backups are overwritten.
7. Security
We implement industry-standard technical and organizational measures to protect your personal information, including:
• TLS encryption for all data in transit between your browser and our servers
• Row-Level Security (RLS) policies in our database ensuring your data is only accessible to your authenticated session
• Hashed password storage via Supabase Auth (bcrypt)
• Principle of least privilege for internal system access
• Regular security reviews of dependencies and configurations
Despite these measures, no security system is impenetrable. If you believe your Account has been compromised, contact us immediately at security@kyndium.com.
8. Your Privacy Rights
Depending on your state of residence, you may have the following rights regarding your personal information. To exercise any of these rights, email privacy@kyndium.com from the address associated with your Account. We will respond within 45 days (extensions permitted by applicable law will be communicated to you).
Right to Know / Access. You may request a copy of the personal information we hold about you and how it is used.
Right to Correct. You may update most of your personal information directly in your account settings. For corrections we cannot make available in-app, contact us.
Right to Delete. You may request deletion of your Account and associated personal information. We will process the request within 30 days, subject to exceptions required by law (e.g., financial records, consent audit logs).
Right to Data Portability. You can export all of your project data at any time via the “Export” function within any project (JSON or CSV format). You may also request a full data export by emailing us.
Right to Opt Out of Sale / Sharing. We do not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary, but you may contact us to confirm.
Virginia residents have rights under the Virginia Consumer Data Protection Act (VCDPA), including the rights above plus the right to appeal a denial of your request. To appeal, email privacy@kyndium.comwith “VCDPA Appeal” in the subject line.
California residents have additional rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know categories of information shared with third parties and the right to non-discrimination for exercising your rights.
We will never discriminate against you for exercising your privacy rights.
10. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child under 16 has created an Account, contact us at privacy@kyndium.com and we will promptly delete the Account and all associated data.
11. Third-Party Links
The Service may contain links to third-party websites or integrations. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party site you visit through links on the Service.
12. Changes to This Policy
We may update this Privacy Policy periodically. When we make material changes (new categories of data collected, new purposes for processing, new third-party recipients), we will:
(a) update the “Effective” date at the top of this page;
(b) notify registered users by email at least 14 days before changes take effect;
(c) where consent is the legal basis, re-request consent before processing under the new terms.
Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact and Data Requests
For privacy questions, data requests, or to exercise your rights:
Email: privacy@kyndium.com
General enquiries: hello@kyndium.com
We aim to acknowledge all privacy requests within 5 business days and respond substantively within 45 days.