Skip to content
kairo
Try Kairo

Privacy policy

Last updated
Effective
Entity
Kairo Labs LLC · Illinois, USA

Last updated: May 2026 · This policy describes how Kairo Labs LLC handles personal information. We try to keep the language plain — it is still a binding statement of practice.

Kairo is operated by Kairo Labs LLC, an Illinois limited liability company ("Kairo," "we," "us," "our"). The product is designed to hold a lot of personal context — your schedule, your notes, your team, your relationships — so we hold ourselves to a higher bar than most productivity tools. This policy explains what we collect, why we collect it, the legal bases we rely on, how long we keep it, and the rights you have to control it.

1. Categories of personal information we collect

For purposes of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) law, we collect the following categories of personal information:

  • Identifiers — name, email address, account ID, IP address, device identifiers, OAuth subject IDs from connected accounts.
  • Customer records — billing name, billing address, last four digits and brand of payment card (held by Stripe; we do not store full card numbers).
  • Commercial information — subscription plan, transaction history, refunds, promotional codes used.
  • Internet or other electronic network activity — pages visited, features used, click events, browser type, timezone, referrer.
  • Geolocation — general location inferred from IP for fraud prevention and US-only eligibility enforcement. Precise device location only when you opt into commute or leave-by features, used in-memory and not stored.
  • Professional or employment-related information — optional title, school, or organization you add to your profile.
  • Content you create — events, tasks, notes (text, sketches, attachments), files, captures, AI prompts and outputs you save, quizzes and flashcards, messages inside Spaces.
  • Inferences — limited product-improvement inferences (e.g., which features you use most). We do not build behavioral advertising profiles.

1a. Sources of personal information

  • Directly from you — when you sign up, edit settings, create content, or contact us.
  • Automatically — from your browser and device when you use the Service (IP, user-agent, telemetry events).
  • From integrations you authorize — Google, Microsoft (Outlook), Apple, Canvas, Blackboard, Google Classroom, Moodle, Brightspace, Notion, Slack, and similar services you choose to connect.
  • From service providers — Stripe (billing events), Supabase (auth events), Resend (email delivery events) acting on our instructions.

1b. Sensitive personal information

The only categories of sensitive personal information we routinely process are account credentials (password hash, OAuth tokens) and, if you opt into commute features, precise geolocation. We use these only to provide the Service you requested and to secure your account. We do not use sensitive personal information to infer characteristics about you, and we do not sell or share it.

2. Purposes for which we process personal information

  • To provide and operate the Service you signed up for.
  • To authenticate you, secure your account, and prevent fraud or abuse.
  • To process payments and manage your subscription.
  • To send transactional messages (sign-in codes, billing receipts, security alerts, important Service updates). We do not send marketing email without your consent.
  • To diagnose bugs and improve the Service (aggregated and pseudonymized).
  • To comply with legal obligations, including tax, accounting, and lawful requests from government authorities.
  • To enforce our Terms and AUP.

2a. Legal bases for processing

Although Kairo is currently offered only in the United States, we set our legal bases the way GDPR-aligned products do, because it is good practice:

  • Performance of a contract — to provide the Service under our Terms.
  • Consent — for optional cookies, AI features that you opt into, and precise location.
  • Legitimate interest — for security monitoring, fraud prevention, and product improvement, balanced against your rights.
  • Legal obligation — to comply with tax, accounting, and lawful government requests.

3. Detailed list of what we collect

  • Account info: email, name, optional title, password hash (if not using OAuth), timezone, profile photo if you set one.
  • Personal content: events, tasks, notes (text, sketches, attachments), captures, AI summaries you generate, quizzes and flashcards you create from your notes.
  • Space content: if you create or join a Space — its mission, rules, member roles, invite codes, shared calendar/notes/files, tracker board, discussion, announcements, subgroups, resource hub, contacts, and direct messages within the Space.
  • Sharing: per-note and per-event share lists (who has view/edit access).
  • Connected accounts: tokens for Google Calendar, Outlook, Apple, Canvas, Blackboard, Google Classroom, Moodle, Brightspace, Drive, Notion, Slack — encrypted at rest. Per-Space integrations are stored on the Space, not on you.
  • Smart Notes recording: audio captured while you actively press Record. Live transcription uses your browser's built-in speech recognition where supported; nothing audio leaves your device for that step unless you explicitly use a cloud recorder.
  • AI request log: for each AI generation, we keep the task type, model class chosen by the router, a hash of the input, and an estimated cost — so we can answer billing questions and detect abuse. We do not keep the prompt or output content beyond the cache TTL for that task.
  • Usage telemetry: pseudonymized page views and feature usage so we can fix what's broken.

4. We do not sell or share your personal information

We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA, VCDPA, CPA, CTDPA, or UCPA. We have no advertising business. We do not run third-party tracking pixels or cookies. See Do not sell or share for the California-specific opt-out mechanism, which exists even though there is nothing to opt out of today.

4a. We do not train AI models on your content

  • We do not sell your data.
  • We do not train our or our providers' AI models on your private content.
  • We do not scan your notes for advertising or third-party signals.

5. AI features

AI processing is off by default. When you opt in, the relevant content for that specific feature is sent to our AI provider under a zero-retention agreement. Full details on the AI disclosure page. Sub-processors are listed at /legal/sub-processors. Manage this any time from Settings → Privacy & AI.

5a. Location data

Commute and leave-by features need your device's location. We ask before reading it, only read it when a feature actively needs it, and never store a location history. Disable any time from Settings → Privacy & AI.

Quick locations(your home, work, and any other named places you add in Settings → Profile) are stored on your account and used to estimate travel time. They don't track your actual whereabouts — they're a list of addresses you typed in.

5b. Notifications

Kairo can show desktop notifications if you grant the browser permission, and send transactional emails. We don't send marketing emails. Notification preferences are managed in Settings → Notifications; revoke browser permission at any time from your site settings.

5c. Messaging and announcements in Spaces

When you post in a Space's Discussion, your message is visible to every member of that Space. Announcements are visible to every member. Subgroup threads are visible only to members of that subgroup. Space direct messagesare visible only to the two people in the conversation, but stored on the Space and accessible to a Space admin under legal compulsion only (subpoenas, court orders). We don't scan message content for advertising, and AI features never read messages from Spaces you aren't a member of.

5d. Per-note and per-event sharing

You can share an individual note or calendar event with specific people, separate from any space membership. The share list (emails + view/edit permissions) is stored on the note or event. People you share with can see the content; they do not get access to your account or your other content.

5e. Team workspaces and seats

Hosting a team workspace requires a Pro plan. When you invite people to a team, the team owner (you) pays for the team's features — invited people can join on any plan, including Free, because the team covers participation. If you cancel the team owner's subscription, the team workspace is archived after 30 days unless another Pro user takes ownership.

6. Retention

We keep each category of personal information only as long as we need it for the purpose we collected it for, plus the period required by law:

  • Account profile + content — for the life of your account, then deleted within 30 days of account closure (backups roll off within 90 days).
  • AI request logs — 30 days for abuse detection and billing reconciliation, then deleted.
  • Security and audit logs — up to 12 months.
  • Billing records and invoices — at least 7 years to comply with US tax and accounting law.
  • Support correspondence — 24 months from the last interaction.
  • Marketing consent records — until you withdraw, then 24 months as proof of withdrawal.

7. Your rights

Depending on where you live in the United States, you may have some or all of these rights:

  • Right to know — what categories and specific pieces of personal information we hold about you.
  • Right to access / portability — receive a copy of your data in a portable format (JSON + ICS via in-app export).
  • Right to delete — request deletion of your account and associated personal information.
  • Right to correct — fix inaccurate information.
  • Right to opt out of sale or sharing — see Do not sell or share. (We do not sell or share, so this is a no-op, but the right exists.)
  • Right to limit use of sensitive personal information — available under California law.
  • Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of quality because you exercised any of these rights.
  • Right to appeal — under Virginia, Colorado, Connecticut, and Utah law, if we deny your request you may appeal by replying to our denial email; we will respond within the statutory window.

To exercise any of these rights, email privacy@heykairo.iowith the email address tied to your account. We respond within 15 business days and complete verified requests within 45 days, with a 45-day extension where law permits. Authorized agents may submit requests on your behalf; we will verify the agent's authority before acting.

8. Security

Technical and organizational measures — encryption at rest and in transit, MFA on administrative access, row-level security, audit logging — are documented on the Security page.

9. Children

Kairo is intended for users aged 13 and older. See Children's privacy for details on how we handle teen accounts and how parents or guardians can request access or deletion.

10. Cookies

We use a small, specific set of cookies — described on the Cookies page. You can manage non-essential cookies from the preferences link in the footer.

11. International data transfers

Kairo is operated from the United States and is currently offered only to residents of the US and its territories (see Terms § 1.1). All of our sub-processors store the personal information they receive from Kairo in the United States. We do not currently transfer personal information outside the United States. If that changes, we will update this policy and provide the safeguards required by applicable law.

12. Breach notification

If we confirm a security incident that compromises your personal information, we will notify you and any applicable regulator without undue delay, and in any event within 72 hours of confirmation where law requires. Notification will describe what happened, what information was involved, what we are doing in response, and steps you can take to protect yourself.

13. Changes to this policy

We may update this policy from time to time. For material changes that expand how we use personal information, we will give at least 30 days' advance noticeby email or in-app banner before the changes take effect. The "Last updated" and "Effective" dates at the top of the page always reflect the current version.

14. Contact

Privacy questions and rights requests: privacy@heykairo.io.
Security disclosures: security@heykairo.io.
Anything else: hello@heykairo.io.
Mail: Kairo Labs LLC, Illinois, USA — request the current registered agent address by emailing legal@heykairo.io.