← Back to Kopai

Privacy Policy

Effective date: March 25, 2025. Last updated: March 25, 2025.

1. Introduction

This Privacy Policy describes how Kopai ("Kopai," "we," "us," or "our") collects, uses, discloses, and otherwise processes information in connection with our websites, applications, and related services (collectively, the "Service"). By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, you must not use the Service.

Not legal advice. This policy is provided for transparency. It does not create rights or obligations beyond what applicable law requires, and it is not a substitute for independent legal advice. Certain jurisdictions impose mandatory rules that may limit or override portions of this policy where inconsistent with law.

2. Scope

This policy applies to personal information we process when you visit our site, create or use an account, participate in organizations or projects, subscribe to paid plans, upload files, exchange messages with AI agents, or otherwise interact with the Service. It does not govern third-party websites, applications, or services that we do not control, even if linked from the Service.

3. Information we collect

Depending on how you use the Service, we may collect or process the following categories:

  • Account and authentication data. Identifiers and profile details associated with your account, including information we receive from our identity and access management provider when you sign in (for example, a provider user identifier and, where applicable, email address and profile attributes). Session and security-related data may also be processed to keep you logged in securely.
  • Organization and collaboration data. Names, roles, invitations, and membership information for workspaces you belong to or are invited to, including invitation email addresses and tokens used to accept invitations.
  • Chat and agent content. Messages, prompts, attachments, titles, model selections, token usage metadata, reasoning outputs where applicable, and other content you submit to conversations, agents, or projects.
  • Knowledge base and documents. Files you upload (such as PDFs), extracted text, derived embeddings or vector references, filenames, file sizes, page counts, and storage URLs needed to operate retrieval features.
  • Long-term memory signals. Where enabled, we may send conversation-derived signals to our long-term memory provider so the Service can recall preferences or context across sessions, scoped as described in that provider's terms.
  • Billing and subscription data. Payment-related identifiers (such as customer and subscription identifiers), plan tier, subscription status, and transaction records processed by our payment processor. We do not store full payment card numbers on our application servers; such data is handled by the payment processor.
  • Optional API credentials. If you choose to store provider API keys for multi-device use, those values may be stored in encrypted form in our systems.
  • Onboarding and safety fields. Information you provide during onboarding (which may include age-related fields used to apply safeguards where configured).
  • Technical and usage data. IP address, device and browser type, general location derived from IP, timestamps, diagnostic logs, cookies and similar technologies, feature usage, and identifiers used for rate limiting, security, analytics, and product improvement.
  • Anonymous or limited sessions. Where applicable, we may associate coarse identifiers (such as session keys or network-derived identifiers) with usage counters to enforce fair use or abuse prevention.

4. How we use information

We use personal information to:

  • Provide, operate, maintain, and improve the Service;
  • Authenticate users, enforce access controls, and protect accounts;
  • Process subscriptions, invoices, and customer support requests;
  • Generate AI responses, run tools you enable (such as web search or URL extraction), index and retrieve knowledge-base content, and manage long-term memory features when activated;
  • Monitor usage, secure the Service, detect fraud and abuse, and enforce our terms;
  • Comply with law, respond to lawful requests, and establish or defend legal claims;
  • Analyze product usage and performance (including error and analytics telemetry); and
  • Communicate about the Service, including transactional and (where permitted) promotional messages.

5. Legal bases (where applicable)

Where the GDPR or similar laws apply, we rely on one or more of the following: performance of a contract with you; legitimate interests that are not overridden by your rights (such as security, product improvement, and fraud prevention); compliance with legal obligations; and consent where required (for example, certain cookies or marketing, where applicable).

6. Third-party services and subprocessors

We use third-party service providers to operate the Service. Those providers process data on our behalf or receive data as independent controllers in connection with their own services. Their processing is subject to their respective privacy policies, terms, and security practices, which may change from time to time. We do not control their independent processing and are not responsible for their acts or omissions except as required by applicable law.

Non-exhaustive examples include:

  • WorkOS and related identity services. Sign-in, session management, organization features, and invitations may be processed through WorkOS (or similar identity providers). Authentication data and organization identifiers are handled by them in accordance with their policies.
  • Stripe. Payments, billing portals, and subscription lifecycle events are processed by Stripe. Payment method details and certain billing records are handled by Stripe under its terms and privacy policy.
  • Hosting and infrastructure. Our application and APIs may run on Vercel or comparable cloud platforms. Content delivery, serverless execution, logs, and related metadata may be processed by the hosting provider.
  • AI gateway and model providers. Model inference may be routed through an AI gateway (such as Vercel AI Gateway). Underlying model providers (for example, OpenAI, Google, Anthropic, or others depending on configuration) may process prompts, attachments, and outputs to deliver AI features. Their terms and privacy notices apply to that processing.
  • Database and storage. Application data is stored in databases and object storage services (for example, PostgreSQL-compatible hosting such as Neon, and blob storage such as Vercel Blob). Files and backups may reside in those environments.
  • Upstash (Redis / vector). We may use Upstash or similar services for caching, rate limiting, and vector search for retrieval features. Embeddings and metadata may be stored in vector indexes keyed to your agents or projects.
  • Mem0. Long-term memory features may transmit and store memory-related data with Mem0 (or affiliated services) under their terms.
  • PostHog. Product analytics and (where configured) server-side tracing may use PostHog. Events and identifiers may be processed per PostHog's policies.
  • Parallel (web search and URL extraction). When tools are invoked, queries and URLs may be sent to Parallel or similar vendors to retrieve search results or extracted page excerpts, subject to their terms and policies.

We may add or replace subprocessors as our architecture evolves. Where required by law, we will provide appropriate notice or obtain consent.

7. Cookies and similar technologies

We and our providers use cookies, local storage, and similar technologies for authentication, preferences, security, analytics, and performance. You can control cookies through browser settings; disabling certain cookies may break sign-in or features.

8. Disclosure of information

We may disclose personal information:

  • To subprocessors and service providers who assist in operating the Service;
  • To comply with law, regulation, legal process, or governmental requests;
  • To enforce our terms, policies, or agreements, or to protect rights, privacy, safety, or property;
  • In connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality and continuity safeguards where required by law; and
  • With your direction or consent.

We do not sell personal information as "sale" is defined under U.S. state privacy laws that prohibit selling covered data without appropriate consent, and we do not share personal information for cross-context behavioral advertising as defined under those laws where such sharing is restricted.

9. International transfers

We may process and store information in the United States and other countries where we or our providers operate. Those countries may have different data protection rules than your country of residence. Where required, we implement appropriate safeguards (such as Standard Contractual Clauses) and supplementary measures consistent with applicable law.

10. Retention

We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary based on data category, legal requirements, and operational needs (for example, billing records, security logs, and backups). When data is no longer needed, we delete or de-identify it in accordance with our internal procedures, subject to technical limitations and legal holds.

11. Security

We implement administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is completely secure; we cannot guarantee absolute security. You are responsible for safeguarding your account credentials and devices.

12. Your rights and choices

Depending on your jurisdiction, you may have rights to access, correct, delete, or export certain personal information; object to or restrict certain processing; withdraw consent where processing is consent-based; and lodge a complaint with a supervisory authority. You may also have rights under U.S. state laws (including California) to know, delete, and correct personal information, and to limit certain uses of sensitive information where applicable.

To exercise rights, contact us using the details below. We may need to verify your request. We will respond within the timeframes required by applicable law. Appeals and authorized agent requests may be handled as required by law.

13. Children

The Service is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from children below that age for commercial purposes inconsistent with law. If you believe we have collected such information, contact us and we will take appropriate steps.

14. Automated processing and AI outputs

The Service uses automated systems, including large language models and related tools. Outputs may be inaccurate or incomplete. You should not rely on outputs as legal, medical, financial, or professional advice. Human review is advised for high-risk decisions.

15. Limitation of liability for this notice

To the maximum extent permitted by applicable law, Kopai and its affiliates, directors, employees, and suppliers shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenues, data, or goodwill, arising out of or related to this Privacy Policy or the Service, except where liability cannot be excluded or limited under applicable law (for example, liability for personal injury caused by gross negligence or willful misconduct, where applicable).

No guarantee against claims. Nothing in this Privacy Policy waives any mandatory rights you may have under law, and nothing herein is a guarantee that disputes or claims cannot be brought. Some jurisdictions do not allow certain limitations; in those jurisdictions, our liability is limited to the fullest extent permitted.

16. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. If changes are material, we will provide additional notice as required by law (for example, email or in-product notice). Your continued use of the Service after the effective date constitutes acceptance of the updated policy, except where prohibited by law.

17. Contact

For privacy-related requests or questions, contact us at the support or legal contact method published on our website or in your account settings. If you are in the European Economic Area, the United Kingdom, or Switzerland and require the identity of our representative or data protection contact, request it using the same channel.

© 2026 Kopai. All rights reserved.