Privacy Policy

1. Introduction

Welcome to Kyndi ("we," "our," or "the Service"). Kyndi is an AI-powered personal assistant that helps you manage communications and scheduling across multiple platforms including Gmail, Google Calendar, Twitter/X, and LinkedIn.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service. By using Kyndi, you agree to the data practices described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address (via Clerk authentication)
• Name and profile information
• Personal Assistant profile settings (PA name, location, language preferences)

2.2 Google Services Data

When you connect Gmail and Google Calendar, we access the following specific types of Google user data:

Gmail API Access:

• Read emails: Access to read emails from your Gmail account when you explicitly request the AI assistant to read, search, or retrieve specific emails
• Compose emails: Ability to draft and compose new emails based on your instructions
• Send emails: Permission to send emails on your behalf when you request the AI assistant to send an email
• Permanently delete emails: Ability to permanently delete emails from your Gmail account when you explicitly request deletion
• Email metadata: Access to email headers, subject lines, sender/recipient information, and timestamps

Google Calendar API Access:

• View calendars: Access to see all calendars you can access using Google Calendar
• Edit calendars: Ability to modify calendar settings, properties, and sharing permissions for calendars you can access
• Share calendars: Permission to share calendars with other users when you request it
• Permanently delete calendars: Ability to permanently delete calendars you can access when explicitly requested
• View calendar events: Access to see events on Google calendars you own, including event titles, descriptions, dates, times, locations, and attendee information
• Create calendar events: Ability to create new events on calendars you own
• Modify calendar events: Permission to change existing events on calendars you own (update times, descriptions, attendees, etc.)
• Delete calendar events: Ability to delete events from calendars you own

Important: We only access this Google user data when you explicitly instruct the AI assistant to perform a specific action (e.g., "send an email to John" or "create a calendar event for tomorrow"). We do not continuously monitor, scan, or access your Gmail or Calendar data without your explicit request.

2.3 Social Media Platform Data

• Twitter/X: OAuth tokens to post tweets and schedule posts on your behalf
• LinkedIn: OAuth tokens to create and publish professional posts on your behalf

2.4 Usage Data

We automatically collect:

• Chat conversation history with the AI assistant
• Tool usage patterns (which integrations you use)
• Timestamps and frequency of service usage
• Error logs and diagnostic information

2.5 OAuth Tokens

We securely store OAuth access tokens and refresh tokens for Gmail, Google Calendar, Twitter, and LinkedIn. These tokens allow us to perform actions on your behalf when instructed by you through the AI assistant.

3. How We Use Your Information

We use your information solely to provide and improve our Service:

• Service Delivery: To execute your requests (send emails, create calendar events, post to social media)
• Google User Data Usage:
  • Gmail data (email content, metadata) is used to read, compose, send, or delete emails only when you explicitly request these actions
  • Calendar data (events, calendars) is used to view, create, modify, or delete calendar events only when you explicitly request these actions
  • Google user data is accessed in real-time via Google APIs and is not stored beyond what is necessary for conversation context
• AI Processing: Your messages and relevant Google user data (email content, calendar event details) are sent to OpenAI's GPT-4 API to generate intelligent responses and determine appropriate actions. This processing is necessary to understand your requests and provide relevant assistance.
• Account Management: To maintain your account, preferences, and connected services
• Scheduling: To schedule and execute delayed posts/emails at your specified times
• Service Improvement: To analyze usage patterns and improve our AI assistant's capabilities (we do not use Google user data for this purpose)
• Security: To detect and prevent fraud, abuse, or security incidents

4. Data Storage and Retention

4.1 What We Store

• Chat History: Stored in MongoDB for context and service improvement. May contain references to Google user data but not the actual email content or detailed calendar event data.
• OAuth Tokens (Google Services): Stored securely in Clerk's encrypted metadata system. These tokens allow access to Gmail and Calendar APIs but we do not store the actual email content or calendar event details.
• Google User Data: We do NOT permanently store email content or calendar event details. These are accessed in real-time via Google APIs only when you request an action.
• Scheduled Posts: Stored in SQLite database until execution or deletion
• User Profiles: Stored in Clerk's secure infrastructure

4.2 How Long We Keep Data

• Google OAuth Tokens: Retained until you disconnect the Google service or delete your account. Tokens are immediately revoked and deleted when you disconnect.
• Email Content: We do not store email content. Email data is accessed in real-time and not retained after the requested action is completed.
• Calendar Event Data: We do not store calendar event details. Calendar data is accessed in real-time and not retained after the requested action is completed.
• Chat History: Retained for 90 days, then automatically deleted
• Scheduled Posts: Deleted 7 days after successful execution
• Account Data: Retained until account deletion
• Temporary Processing Data: Any temporary data used for processing your requests is deleted immediately after the action is completed

4.3 Data Location

Your data is stored in secure cloud infrastructure:

• MongoDB Atlas: Chat history and scheduled posts (encrypted at rest)
• Clerk: Authentication and OAuth tokens for Google services (SOC 2 Type II certified, encrypted)
• Our secure backend servers: Temporary processing only; data is not permanently stored
• Google APIs: Email and calendar data remain in Google's infrastructure; we access it via APIs but do not store it

5. Third-Party Services

5.1 OpenAI (GPT-4)

Your chat messages are sent to OpenAI's API to generate AI responses. OpenAI processes this data according to their own privacy policy. We send only the necessary context (your message and recent conversation history) to generate responses.

View OpenAI Privacy Policy

5.2 Clerk (Authentication)

We use Clerk for authentication and secure storage of OAuth tokens. Clerk is SOC 2 Type II certified and provides enterprise-grade security.

View Clerk Privacy Policy

5.3 Connected Platforms

When you connect third-party accounts, those platforms may collect their own data:

• Google Privacy Policy (Gmail, Calendar)
• Twitter/X Privacy Policy
• LinkedIn Privacy Policy

7. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All data in transit is encrypted using HTTPS/TLS
• OAuth Security: We use OAuth 2.0 for secure authorization without storing passwords
• Token Storage: OAuth tokens are encrypted and stored in Clerk's secure infrastructure
• Access Controls: Strict access controls limit who can access user data
• Regular Audits: We conduct regular security reviews and updates

While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security but maintain industry best practices.

8. Data Sharing and Disclosure

8.1 Google User Data Sharing

Regarding Google user data (Gmail and Calendar data) specifically:

• OpenAI (GPT-4 API): Google user data (email content, calendar event details) is shared with OpenAI solely for the purpose of processing your natural language requests and generating AI responses. OpenAI is contractually obligated to use this data only for providing the AI processing service. See OpenAI's privacy policy: https://openai.com/policies/privacy-policy
• Clerk: OAuth tokens for Google services are stored in Clerk's infrastructure. Clerk does not access or use the Google user data itself, only the authentication tokens.
• MongoDB Atlas: Chat conversation history that may contain references to Google user data is stored in MongoDB. We do not store actual email content or detailed calendar event data.
• We Do NOT: Sell, rent, trade, or share Google user data with advertisers, data brokers, or any third parties for purposes other than providing the Service.

8.2 General Data Sharing - We Do NOT:

• Sell your personal data to anyone
• Share your data with advertisers
• Use your data for marketing purposes without consent
• Allow unauthorized third parties to access your information

8.3 We May Share Data:

• With Your Consent: When you explicitly authorize sharing
• Service Providers: OpenAI (for AI processing), Clerk (for authentication), MongoDB Atlas (for data storage) - only as necessary to provide the Service
• Legal Requirements: If required by law, court order, or government regulation
• Safety: To protect the rights, property, or safety of Kyndi, our users, or the public

9. Your Rights and Choices

You have the following rights regarding your personal data:

9.1 Access and Portability

You can access your chat history, scheduled posts, and account settings at any time through the Kyndi dashboard.

9.2 Disconnect Services

You can disconnect any integrated service (Gmail, Calendar, Twitter, LinkedIn) at any time through the Settings page. This will:

• Immediately revoke Kyndi's access to that service
• Delete stored OAuth tokens
• Cancel any scheduled posts/emails for that platform

9.3 Delete Your Data

You can request deletion of your data by:

• Delete Google User Data: Disconnect Gmail or Calendar through the Settings page to immediately revoke access and delete OAuth tokens. You can also revoke access directly through Google Account Permissions.
• Delete Your Account: Deleting your account through the Settings page removes all data within 30 days, including OAuth tokens and any references to Google user data.
• Request Specific Data Deletion: Email us at kindi@gandal.ai to request deletion of specific data. We will process your request within 30 days and provide confirmation.

Note: Since we do not store email content or calendar event details, disconnecting Google services immediately prevents any further access to your Google data.

9.4 Clear Chat History

You can clear your chat history at any time using the "Clear Chat" button in the interface.

9.5 Export Your Data

You can request a copy of your personal data by contacting us at kindi@gandal.ai.

10. Children's Privacy

Kyndi is not intended for users under 13 years of age (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at kindi@gandal.ai.

11. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws than your country. By using Kyndi, you consent to such transfers.

We ensure that all transfers comply with applicable data protection laws and use appropriate safeguards (such as standard contractual clauses) where required.

12. Cookies and Tracking

We use minimal cookies and tracking technologies:

• Essential Cookies: Required for authentication and session management (via Clerk)
• Functional Cookies: To remember your preferences and settings

We do not use advertising or analytics cookies. You can control cookies through your browser settings.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:

• We will update the "Last Updated" date at the top of this policy
• We will notify you via email or through a prominent notice in the app
• We will provide at least 30 days' notice before changes take effect

Your continued use of Kyndi after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: