Legal
Privacy Policy
Last updated 2026-06-29
Privacy Policy
Effective date: 2026-06-29
This Privacy Policy describes how Kalmantic Inc ("we", "us", "our") collects, uses, and shares your data when you use the Kalmantic website, products, and services (the "Service"). It supplements our Terms of Service.
Plain-English summary. We collect the minimum we need to authenticate you, bill you, and deliver our products. We do not sell your data. We do not train models on your prompts or content. Payments are handled by our merchant of record (Paddle or Lemon Squeezy). You can delete your account and your data anytime.
1. What we collect
Account data
When you sign up (directly or via Google or Microsoft single sign-on), we receive:
- Your email address
- Your display name (if your account exposes it)
- A unique user identifier
We do not receive or store your single-sign-on password.
Billing data
When you make a purchase, our merchant of record (Paddle or Lemon Squeezy) processes the payment. We receive:
- A customer ID issued by the merchant of record
- Invoice ID, amount, currency, and status
We do not receive or store your full card number, CVV, or bank credentials. The merchant of record handles those and is the seller of record for the transaction.
Usage data
For products you use, we may collect:
- The feature or model invoked
- Token counts, latency, and country (from request headers)
- Tenant id and user id (for attribution and quota enforcement)
- A request id (for support and debugging)
- The first ~500 characters of any error message returned by a third-party provider
We do not log full prompts, uploads, or outputs in standard operation, except where you explicitly opt into an analytics feature that records them under your account.
Telemetry
We collect anonymized aggregate metrics (request counts per region, error rates, feature distribution) to operate and improve the Service. These metrics do not identify individual users.
Cookies
See our Cookie Policy.
2. How we use your data
We use your data to:
- Operate the Service: authenticate sign-ins, deliver products, enforce quotas, render the dashboard
- Bill accurately: compute charges, send receipts, process refunds (via our merchant of record)
- Communicate with you: send transactional emails (welcome, invoice, account changes, security alerts) and — only if you opt in — marketing emails
- Improve the Service: analyze aggregate patterns, identify outages, plan capacity
- Comply with law: respond to lawful requests, enforce our Terms, prevent fraud and abuse
We do not:
- Use your prompts, content, or outputs to train Kalmantic-owned models
- Sell your data to advertisers or data brokers
- Share your data with third parties except as described in Section 4
3. Legal basis (GDPR / UK GDPR)
If you are in the EEA, UK, or Switzerland, our legal basis for processing your data is:
- Performance of a contract — for everything required to deliver the Service you signed up for
- Legitimate interest — for security, fraud prevention, and aggregate analytics
- Consent — for marketing emails and non-essential cookies (you can withdraw at any time)
- Legal obligation — for tax records, fraud reports, and lawful disclosure requests
4. Sharing your data
We share data with these categories of third parties, only to the extent necessary:
| Recipient | What | Why |
|---|---|---|
| Identity provider (Google / Microsoft / Firebase) | Email, name, UID | Authentication |
| Paddle / Lemon Squeezy (merchant of record) | Customer/invoice/payment data | Payment processing, tax remittance |
| Cloudflare / Vercel | Request metadata, IP address (transit-only) | DNS, CDN, hosting, edge compute |
| Third-party providers (e.g. LLM providers for inference products) | The contents of relevant requests | To generate the response. Each provider has its own data policy. |
| Resend | Email address, message body | Transactional email delivery |
| Government / law enforcement | Account or usage data | Only when required by valid legal process |
Important: when a product routes your request to a third-party provider, that provider receives your request content. Each provider has its own privacy and data-retention policy. We cannot control how a third-party provider processes data once it leaves Kalmantic. For workloads with strict data-residency requirements, contact us.
We do not sell personal information as defined under the California Consumer Privacy Act ("CCPA") or any other applicable law.
5. International data transfers
The Service runs on global cloud infrastructure. Your data may be processed in any region where our providers operate, including the United States, Europe, and elsewhere. For transfers from the EEA/UK to "third countries", we rely on Standard Contractual Clauses or equivalent transfer mechanisms.
6. Retention
| Data | Retention |
|---|---|
| Account data | Until you delete your account, plus 30 days for backup recovery |
| Billing records | 7 years (tax law) |
| Usage telemetry (aggregated) | 24 months |
| Per-request usage logs | 13 months |
| Pre-registration entries | Until reviewed, then kept up to 12 months for waitlist analysis |
| Support correspondence | 24 months after the issue closes |
When you delete your account, we delete or anonymize your data within 30 days, except where law requires longer retention (e.g. tax records).
7. Your rights
Regardless of where you live, you can:
- Access your data
- Correct your account profile
- Delete your account
- Export your usage data and invoices
If you're in the EEA/UK/Switzerland or California, you also have the right to portability, the right to restrict or object to certain processing, the right to withdraw consent, and the right to lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@kalmantic.com. We will respond within 30 days.
If you are in California, the CCPA gives you additional rights including the right to opt out of "sale" of personal information. We do not sell personal information, so there is nothing to opt out of, but you can exercise your other CCPA rights by emailing the same address.
8. Children's privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@kalmantic.com and we will delete it.
9. Security
We use industry-standard safeguards including:
- TLS for all data in transit
- Encryption at rest via our cloud storage providers
- Hashed API keys (we store a hash of the token, never the plaintext)
- Managed authentication for sign-in
- PCI-DSS-compliant payment processing via our merchant of record
- Principle of least privilege for internal access
No system is perfectly secure. If we discover a breach that affects your personal data, we will notify you within 72 hours where required by law.
10. Automated decision-making (GDPR Article 22)
Where our products make automated routing or technical decisions (for example, choosing which provider serves a given request), those decisions have no legal or similarly significant effect on you as a person. If we add automated systems that make decisions with legal or similarly significant effects (e.g. fraud-prevention auto-suspension), we will disclose the system, provide human review on request, and honor your right to contest the decision. Contact privacy@kalmantic.com to request human review.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email or site notice at least 14 days before they take effect.
12. Contact
Email privacy@kalmantic.com with any privacy-related question or request.
Kalmantic Inc operates the Kalmantic website and products. This Privacy Policy was last updated on 2026-06-29.