Privacy Policy
How we collect, use, and protect your personal information — clearly explained.
Introduction
Kaapaan ('we', 'us', or 'our') operates kaapaan.com and all associated subdomains (the 'Platform'). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.
We are committed to protecting your personal data and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy regulations.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please discontinue use of the Platform.
Information We Collect
We collect information in the following categories:
| Category | Details |
|---|---|
| Identity Data | First name, last name, username, or similar identifier provided during account registration or waitlist sign-up. |
| Contact Data | Email address, telephone number, and company name you provide when contacting us or joining the waitlist. |
| Technical Data | IP address, browser type and version, time zone setting, browser plug-in types, operating system, device identifiers, and other technology identifiers on the devices you use to access the Platform. |
| Usage Data | Information about how you use our website and services, including pages visited, time spent, clicks, and navigation paths. |
| Communications Data | Records of correspondence if you contact us, including emails and support requests. |
| Company Profile Data | If you use our GRC platform, information you provide about your organization including company name, industry, team size, technology stack, and compliance requirements. |
We do not intentionally collect Sensitive Personal Data (such as health data, racial or ethnic origin, political opinions, or financial account numbers). Please do not submit such information through our Platform.
How We Use Your Information
We use the information we collect for the following purposes, each grounded in a lawful basis:
| Purpose | Details and lawful basis |
|---|---|
| Service Delivery | To provide, operate, and maintain the Platform, including AI-generated policy drafting, risk assessments, and control mapping features. Basis: Contract performance. |
| Account Management | To manage your account, authenticate your identity, and provide customer support. Basis: Contract performance. |
| Waitlist Management | To communicate your position on the waitlist and notify you when early access opens. Basis: Consent. |
| Product Improvement | To understand how users interact with the Platform and improve our features, usability, and performance. Basis: Legitimate interests. |
| Security | To detect, prevent, and investigate fraud, abuse, and security incidents. Basis: Legitimate interests / legal obligation. |
| Legal Compliance | To comply with applicable laws, regulations, and lawful requests from authorities. Basis: Legal obligation. |
| Marketing | To send you product updates, newsletters, or promotional materials where you have opted in. Basis: Consent (withdrawable at any time). |
Data Sharing and Disclosure
We do not sell your personal data. We share your information only in the following limited circumstances:
- Service Providers: Trusted third-party vendors who assist us in operating the Platform (e.g., cloud hosting, analytics, email delivery). These parties are contractually bound to process data only on our instructions and to maintain appropriate security.
- AI Providers: When you use our AI-powered features, anonymized and pseudonymized prompts may be processed by third-party large language model APIs. We take care to minimize personal data included in these requests.
- Business Transfers: If Kaapaan undergoes a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will provide notice before your data becomes subject to a different privacy policy.
- Legal Requirements: We may disclose your data if required to do so by law or in response to valid legal process (e.g., subpoena, court order), or to protect the rights, property, or safety of Kaapaan, our users, or the public.
- With Your Consent: We may share data for any other purpose with your explicit prior consent.
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, accounting, or reporting requirements.
| Data type | Retention period |
|---|---|
| Account & Profile Data | Duration of the account plus 3 years after account deletion, to satisfy legal retention obligations. |
| Waitlist Data | Until the waitlist program concludes, or until you withdraw consent, whichever is earlier. |
| Usage & Technical Data | 13 months on a rolling basis for analytics purposes. |
| Communications | 3 years from the date of the last communication, unless a longer period is required by law. |
| Legal Hold Data | As long as required by applicable law or active legal proceedings. |
When data is no longer required, it is securely deleted or anonymized in accordance with our data retention schedule.
Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure ('Right to be Forgotten'): Request deletion of your personal data where there is no overriding legitimate reason to continue processing it.
- Right to Restrict Processing: Request that we restrict processing of your data in certain circumstances.
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to Object: Object to processing of your data based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right to Non-Discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, email privacy@kaapaan.com with the subject line 'Privacy Rights Request'. We will respond within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.
Data Security
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest using AES-256.
- Access controls and authentication requirements for all personnel accessing personal data.
- Incident response procedures including breach notification protocols.
No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security. In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by law.
International Data Transfers
Kaapaan operates globally. Your personal data may be transferred to, and processed in, countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.
Where we transfer data from the European Economic Area (EEA), UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.
For more information about the safeguards in place for international transfers, contact privacy@kaapaan.com.
Children's Privacy
The Platform is intended for use by businesses and professionals. We do not knowingly collect personal data from individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction).
If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact privacy@kaapaan.com.
Third-Party Links
The Platform may contain links to third-party websites, services, or applications that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites.
We encourage you to review the privacy policy of every site you visit. This Privacy Policy applies solely to information collected by Kaapaan.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the 'Last Updated' date, and where required by law, by providing additional notice (such as an email notification).
Your continued use of the Platform after any changes take effect constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.
Questions?
Contact our legal team
If you have questions about this document or want to exercise your legal rights, reach out directly.
privacy@kaapaan.com