Privacy Policy

Last updated:

1. Overview

KONDWIT Inc. ("we", "us", or "our") operates the KONDWIT platform. This policy describes how we collect, use, and protect your information when you use our Service.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and organization. If you sign in via Microsoft Entra ID, we receive your profile information from your identity provider.

Usage Data

We collect information about how you use the Service, including pages visited, searches performed, and features used. This helps us improve the product.

Content You Create

Research sessions, memos, collections, and other content you create within the Service are stored in our database to provide the Service to you.

AI Assistant Connector Data (MCP & Copilot)

When you connect an AI assistant — Claude, ChatGPT, Cursor, VS Code, Goose, or Microsoft Copilot — to KONDWIT through our Model Context Protocol (MCP) server or the Microsoft Copilot agent, we process and log the following so we can answer the request and maintain a compliance-grade audit trail:

  • Tool requests and responses — the inputs you (or your assistant on your behalf) send to a KONDWIT tool, and the regulatory content we return. These are audit-anchored (tamper-evident) because the compliance use case requires a verifiable record of what guidance was retrieved and when.
  • Identity from the connector's OAuth flow — the account identifier the assistant authenticates with, bound to your KONDWIT user.
  • Microsoft Graph delegated tokens (Copilot only) — received transiently to act on your behalf for the current request; used in memory and not stored.
  • Adaptive Card interaction payloads (Copilot only) — the fields you submit when you act on a KONDWIT card inside Copilot.

Your tool inputs and outputs are never used to train any AI model, ours or a third party's.

3. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Process billing and subscription management
  • Send transactional emails (account, billing, compliance alerts)
  • Respond to support requests
  • Analyze usage patterns to improve the product

We do not sell your personal information to third parties.

3a. What We Do NOT Collect

  • Procedure documents and other content you upload for regulatory analysis are processed transiently; we do not retain that analysis input unless you explicitly pin the result to a Canvas Session.
  • No third-party advertising or cross-site tracking.
  • No biometric data and no special-category / sensitive PII beyond the authentication identity your identity provider supplies.

4. Data Storage and Security

Your data is stored on Microsoft Azure infrastructure in the United States (Central US region). We use encryption in transit (TLS) and at rest. Access to production systems is restricted to authorized personnel.

Database backups are performed automatically with 7-day point-in-time recovery.

5. Third-Party Services

We use the following third-party services that may process your data:

  • Microsoft Azure — cloud infrastructure and hosting
  • Microsoft Entra ID — single sign-on authentication
  • Stripe — payment processing (we do not store credit card numbers)
  • Anthropic / OpenAI — AI-powered analysis features (your queries are processed but not used for model training)
  • Microsoft — Microsoft 365 Copilot agent hosting and Microsoft Graph (delegated, transient) when you use the Copilot connector
  • Neo4j — graph database for relationship analysis

6. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.

Compliance audit anchors — because KONDWIT serves a regulatory audit-trail use case, the tamper-evident record of tool requests and the regulatory content returned is retained per your organization's compliance retention policy (default 7 years). Operational usage logs (IP, request timing, error traces) are retained for 90 days. Transient processing data, including Microsoft Graph delegated tokens, is cleared at the end of the request or session.

7. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Withdraw consent for optional data processing

To exercise these rights, contact us at privacy@kondwit.com.

8. Cookies

We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies. Analytics, when enabled, use privacy-focused tools that do not track individual users across sites.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email at least 14 days before they take effect.

10. Contact

Questions about privacy? Contact us at privacy@kondwit.com.
