KairoDesk

Privacy Policy

What we collect, why, who touches it, and how to make us delete it — in plain English, with the legal precision underneath.

Effective date: June 10, 2026 · KairoDesk is a product of Altinea LLC.

1. Who we are

KairoDesk (kairodesk.com and app.kairodesk.com) is an AI work assistant for solopreneurs, operated by Altinea LLC (“ Altinea”, “we”, “us”). This policy explains how we handle your personal data when you use KairoDesk or visit our websites.

For any privacy question or request, write to security@kairodesk.com. A human answers.

2. Data we collect

Account data

  • Name, email address, and avatar (from your sign-in provider or magic link).
  • Timezone and display preferences you set.

Google user data (only if you connect Google)

  • Gmail messages (read access): message metadata and bodies, limited to the window each feature needs — for example the last 24 hours for Morning Clarity and the last 90 days for Drift Detector. Messages matching a Privacy Zone you defined are excluded before any processing.
  • Gmail send (gmail.send): used only when you explicitly click “Send” on a draft you reviewed. We never send anything on our own.
  • Google Calendar events (read access): to build your daily brief and meeting context.

Section 4 below describes the specific commitments that apply to all Google user data. The same principles apply to Microsoft 365 data if you connect Outlook.

Content you give us

  • Contracts and documents you upload to Obligation Radar.
  • Invoices you create manually, and notes you add to contacts.
  • Stripe account data (invoices, payment status) if you connect Stripe — read-only.

Billing data

  • Subscriptions are processed by Stripe. Your card number never touches our servers; we store only your Stripe customer ID, plan, and billing status.

Product and technical data

  • The Action Ledger: a record of every action the AI took for you (timestamp, type, sources, model, cost, your decision). This exists so you can audit the AI.
  • Analytics (PostHog): only after you accept the consent banner. Nothing fires before.
  • Error reports (Sentry): scrubbed of email content, contact names, and document text before they leave the application.

3. How we use your data

We use your data for exactly one purpose: providing the features you asked for.

  • Building your Morning Clarity brief from recent email and calendar events.
  • Analyzing contracts you upload (Obligation Radar).
  • Detecting commitments in your email threads (Drift Detector).
  • Tracking invoices and drafting reminders you approve (Cash-Flow Compass).
  • Preparing meeting context and recaps (KairoDesk Link, Clarity Export, Contextual Memory).
  • Operating your account, billing, and support.

We do not:

  • Sell your data. To anyone. Ever.
  • Share your data with advertisers — we have no advertising business.
  • Use your data to train AI models (see Sections 4 and 5).
  • Read anything inside a Privacy Zone you designated.

4. Google user data — Limited Use

KairoDesk’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Concretely, for all Google user data (Gmail and Calendar):

  • We only use it to provide and improve the user-facing features described in Section 3.
  • We do not transfer it to anyone except: (a) the subprocessors listed in Section 6, and only as necessary to provide those features; (b) when you direct us to (for example, sending an email you approved); (c) for security purposes such as abuse investigation; or (d) when required by law.
  • No human at Altinea reads your Google user data, unless: you explicitly ask us to (for example, a support request on a specific item), it is necessary for security purposes, or it is required by law. Aggregated, anonymized data that cannot identify you may be used for internal operations.
  • We never use Google user data for advertising, retargeting, or profiling.
  • We never use Google user data to develop, improve, or train generalized AI or machine learning models. Our AI provider is contractually bound to the same restriction (Section 5).

You can revoke KairoDesk’s access to your Google account at any time from myaccount.google.com/permissions or from Settings → Connectors in the app. Revoking access deletes our stored OAuth tokens and stops all processing of your Google data.

5. AI processing

KairoDesk’s features are powered by large language models from Anthropic. When a feature runs, the relevant content (an email thread, a contract, a calendar event) is sent to Anthropic’s API to generate the output you see — a brief, an analysis, a draft.

  • Anthropic is contractually prohibited from using your data to train its models. This is a contract term, not a preference.
  • Privacy Zone filtering happens before anything is sent to the model.
  • Every AI call is recorded in your Action Ledger with its sources, model, and cost, so you can audit exactly what was processed.

6. Sharing and subprocessors

We share data only with the service providers below, each bound by a data processing agreement, and only to the extent needed to run KairoDesk:

  • Anthropic — LLM inference (US). No training on your data.
  • Supabase — database, authentication, file storage (US-East).
  • Vercel — application hosting (US).
  • Stripe — payment processing (US). Card data is handled entirely by Stripe under PCI DSS.
  • Resend — transactional email (US).
  • Sentry — error monitoring (US), PII scrubbed before sending.
  • PostHog — product analytics (US), consent-gated, no email or document content.
  • Cloudflare — DNS and DDoS protection (global edge).

Beyond that, we disclose data only if required by law (and we will notify you unless legally barred), or as part of a merger or acquisition — in which case this policy continues to apply and you will be notified before any change takes effect.

7. Retention and deletion

  • Your data is retained while your account is active.
  • Delete your account from Settings: all personal data — including synced email content, documents, and OAuth tokens — is permanently deleted from production systems within 30 days. Encrypted backups roll off within 30 additional days.
  • If you cancel a paid plan, your Action Ledger stays exportable for 60 days, then is permanently deleted.
  • Disconnecting a connector (Google, Microsoft, Stripe) deletes its tokens immediately and stops all related processing.
  • We may retain minimal billing records (invoices, transaction history) as required by tax and accounting law.

8. Security

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • OAuth tokens are stored encrypted and never exposed to the browser.
  • Database access is enforced with row-level security: every row is scoped to its owner at the database layer, not just the application layer.
  • Production access is restricted, logged, and protected by hardware-key MFA.

Found a vulnerability? Tell us at security@kairodesk.com. We respond fast and we don’t shoot messengers.

9. Your rights

Wherever you live, we extend the same rights: access (a copy of your data), rectification, deletion, portability (machine-readable export), and objection to processing.

  • GDPR (EEA/UK): the legal bases we rely on are contract performance (providing the service), legitimate interest (security, support), and consent (analytics). You may lodge a complaint with your supervisory authority.
  • CCPA/CPRA (California): you have the right to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as defined by the CCPA, and we do not use sensitive personal information beyond what is necessary to provide the service. We never discriminate for exercising your rights.

To exercise any right, email security@kairodesk.com from the address linked to your account. We answer within 30 days.

10. Children

KairoDesk is a business tool for adults. It is not directed at anyone under 18, and we do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it.

11. Changes to this policy

If we change this policy in a way that matters, we will email you and post a notice in the app at least 14 days before the change takes effect. The effective date at the top always reflects the current version.

12. Contact

Altinea LLC — operator of KairoDesk
30 N Gould Street, Ste 225
Sheridan, WY 82801, USA
Privacy & security: security@kairodesk.com
Support: support@kairodesk.com

See also our Trust page for the plain-English version of how data flows through KairoDesk, and our Terms of Service.