01 Who we are
KPIcons Inc. ("KPIcons", "we", "us") is the data controller for information about our website visitors, prospects, and authorized users of our platform (the "Service").
Registered office: 15736 Howard Dr., Macomb Twp, Michigan 48042, USA.
LATAM operations: Oficentro La Sabana, Floor 6, Tower 6, San José, Costa Rica.
For questions about this policy or our data practices, email privacy@kpicons.com.
02 What we collect
We collect the minimum necessary to operate the Service. Specifically:
2.1 Information you give us
- Account data — name, work email, job title, organization, role.
- Content — KPI targets, coaching notes, roleplay transcripts, custom AI-persona source material (Slack exports, 1:1 notes, coaching recordings) that you choose to upload.
- Billing data — company name, billing email, purchase order references. Payment card details are processed by our PCI-DSS-compliant payment processor; we never see your card number.
- Support communications — anything you send us by email, chat, or support ticket.
2.2 Information collected automatically
- Usage data — product telemetry: pages visited, features used, nudges acted on, event timestamps.
- Device & network — IP address, browser type, device identifiers, approximate geolocation (city-level).
- Cookies & similar tech — see Section 10.
2.3 Information from third parties
- Identity providers (Okta, Microsoft Entra, Google Workspace, etc.) — name, email, and SAML/OIDC attributes.
- Connected integrations (Salesforce, HubSpot, Slack, Gmail, etc.) — only data within the scopes your IT admin explicitly approves.
- Enrichment providers — company size, industry, funding stage for sales/marketing prospects (not applicable to authorized users).
03 How we use it
We use personal data only for clearly-stated purposes:
- Operate the Service — authenticate users, render dashboards, generate nudges, compute attribution.
- Improve the Service — aggregate usage analytics, crash reports, A/B tests. Individual records are not used for product improvement without explicit consent.
- Security & compliance — detect fraud, prevent abuse, investigate incidents, meet legal obligations.
- Communicate with you — onboarding emails, feature announcements, billing, support. You can opt out of marketing anytime.
- Train AI models — only on data your tenant explicitly opts in to share. Default is opt-out. We never train shared models on identifiable customer data.
04 Legal basis (GDPR)
If you are in the European Economic Area, UK, or Switzerland, we process personal data on the following lawful bases:
- Contract — to deliver the Service you signed up for.
- Legitimate interests — product security, abuse prevention, service improvement, limited direct marketing to existing customers.
- Consent — for marketing to prospects, cookies beyond strictly-necessary, AI model training on opt-in data.
- Legal obligation — tax, financial, anti-money-laundering records.
See our GDPR page for full details including your rights and our Data Processing Agreement.
05 Who we share it with
We never sell personal data. We share limited data with categories of recipients:
- Sub-processors — cloud infrastructure (AWS us-east, us-west, eu-central, eu-west, ap-southeast), observability, email delivery, payment processing, customer support. The full list is on our Security page.
- Your organization — usage data is visible to admins of your tenant (standard SaaS model).
- Legal / compliance — only if compelled by law, subpoena, or valid legal process. We notify you unless legally barred.
- In a transaction — if KPIcons is acquired or merged, personal data may transfer; you will be notified.
06 International transfers
Your tenant chooses its data-residency region at provisioning: US-East, US-West, EU-Central, EU-West, or AP-Southeast. Data at rest stays in that region.
For cross-border transfers (e.g., if your region requires engineering support from a different region), we rely on EU Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, and equivalent mechanisms for other jurisdictions. Transfers are documented in our Record of Processing Activities.
07 How long we keep it
- Account & content data — for the life of your subscription plus 30 days after termination (for recovery). Then deleted within 60 days or exported on request.
- Usage logs / telemetry — 13 months rolling.
- Financial records — 7 years (tax / legal obligation).
- Support tickets — 3 years.
- Marketing data — until you unsubscribe, then purged within 30 days.
08 Your rights
Depending on your jurisdiction, you have some or all of the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccuracies.
- Erasure ("right to be forgotten") — request deletion, subject to legal exceptions.
- Restriction — limit how we process your data while a dispute is resolved.
- Portability — export your data in a machine-readable format (JSON/CSV).
- Objection — object to processing based on legitimate interests; opt out of marketing.
- Withdraw consent — for any processing that relies on consent.
- Complaint — lodge a complaint with a supervisory authority.
Exercise any right by emailing privacy@kpicons.com. We respond within 30 days (typically 5 business days).
09 Security
We maintain administrative, technical, and physical safeguards including AES-256 at rest, TLS 1.3 in transit, SOC 2 Type II certified controls, annual pen tests, and mandatory MFA for all employees. Full details on our Security page.
10 Cookies
We use cookies and similar technologies sparingly. Categories:
- Strictly necessary — auth session, CSRF tokens, load balancing. Cannot be disabled.
- Preferences — theme (dark/light), language, last-visited page. Disabled if you opt out.
- Analytics — aggregated product usage. Opt out in cookie banner or via "Do Not Track" header.
- Marketing — only on public pages (kpicons.com), never in-product. Opt in only.
You can change preferences anytime via the cookie banner footer link.
11 Children's privacy
The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe we have, email privacy@kpicons.com and we'll delete it immediately.
12 Changes to this policy
We may update this policy as our Service evolves or law changes. Material changes will be announced at least 30 days in advance by email and via an in-product banner. The "Last updated" date at the top always reflects the current version.
13 How to contact us
General questions: privacy@kpicons.com
Data Protection Officer (EU): dpo@kpicons.com
Mailing address: KPIcons Inc., 15736 Howard Dr., Macomb Twp, MI 48042, USA