1. Introduction
Welcome to Kilo ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered language learning platform and services (the "Service") at heykilo.app.
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Information We Collect
2.1 Personal Information
We may collect the following types of personal information:
- Account Information: Name, email address, username, password
- Profile Information: Language preferences, learning goals, proficiency level
- Payment Information: Billing address, payment method details (processed securely through Stripe)
- Usage Data: Learning progress, session duration, feature usage statistics
- Communication Data: Messages, voice recordings during AI conversations
2.2 Automatically Collected Information
- Device Information: IP address, browser type, operating system
- Usage Analytics: Pages visited, time spent, click patterns
- Cookies and Tracking Technologies: Session cookies, preference cookies
2.3 AI Conversation Data
When you use our AI conversation features:
- Voice recordings and text conversations are processed by OpenAI's services
- We utilize OpenAI's Zero Data Retention (ZDR) mode where possible
- Some advanced features may require temporary data processing outside ZDR mode
- All AI conversation data is subject to OpenAI's Data Processing Addendum
3. How We Use Your Information
We use your information to:
- Provide and maintain our language learning services
- Process payments and manage subscriptions
- Personalize your learning experience
- Analyze usage patterns to improve our services
- Communicate with you about your account and updates
- Ensure platform security and prevent fraud
- Comply with legal obligations
4. Information Sharing and Disclosure
4.1 Third-Party Service Providers
We share information with trusted third parties:
- OpenAI: For AI conversation processing (subject to their Data Processing Addendum)
- Stripe: For payment processing
- Analytics Providers: For usage analytics (anonymized data only)
- Cloud Infrastructure: For secure data storage and processing
4.2 Legal Requirements
We may disclose your information when required by law or to:
- Comply with legal processes
- Protect our rights and property
- Ensure user safety
- Investigate potential violations
4.3 Business Transfers
In the event of a merger, acquisition, or sale, your information may be transferred as part of business assets.
5. Data Security
We implement industry-standard security measures:
- Encryption: AES-256-GCM encryption for data at rest and in transit
- Access Controls: Role-based access with multi-factor authentication
- Security Monitoring: Real-time threat detection and response
- Regular Audits: Security assessments and vulnerability testing
- Secure Infrastructure: SOC2-compliant cloud services
6. Data Retention and Deletion
6.1 Account Data
- Account information is retained while your account is active
- Upon account deletion, all personal data is immediately and permanently deleted
- Backup systems are purged within 30 days of account deletion
6.2 AI Conversation Data
- We use OpenAI's Zero Data Retention (ZDR) mode by default
- Conversation data is not stored on OpenAI's servers when ZDR is active
- For features requiring data processing outside ZDR, data is deleted according to OpenAI's Data Processing Addendum
- We will assist users in requesting data deletion from OpenAI's servers upon request
6.3 Payment Data
- Payment information is processed and stored by Stripe
- We retain minimal payment records for accounting and legal compliance
- Payment data is deleted according to legal retention requirements
7. Your Rights and Choices
7.1 Access and Control
You have the right to:
- Access your personal information
- Update or correct your data
- Delete your account and associated data
- Export your data in a portable format
- Opt out of marketing communications
7.2 GDPR Rights (EU Users)
Under GDPR, you have additional rights:
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
7.3 CCPA Rights (California Users)
Under CCPA, you have the right to:
- Know what personal information is collected
- Delete personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Not be discriminated against for exercising privacy rights
8. Cookies and Tracking
We use cookies and similar technologies for:
- Essential Cookies: Required for basic functionality
- Preference Cookies: Remember your settings and preferences
- Analytics Cookies: Understand how you use our service
- Security Cookies: Detect suspicious activity and prevent fraud
You can control cookies through your browser settings.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by relevant authorities
- Other appropriate safeguards as required by law
10. Children's Privacy
Our Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware of such collection, we will delete the information immediately.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
- Posting the updated policy on our website
- Sending email notifications to registered users
- Displaying prominent notices in our application
Continued use of our Service after changes constitutes acceptance of the updated policy.
13. Compliance and Certifications
We maintain compliance with:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Children's Online Privacy Protection Act (COPPA)
- SOC2 Type II certification
- ISO 27001 security standards