
Privacy Policy

Effective Date: March 4, 2025 · Last Updated: March 18, 2026

At Kozite ("Company," "we," "us," or "our"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our marketing website (kozite.com) or use our web application (app.kozite.com) and related services (collectively, the "Services"). Please read this policy carefully. If you disagree with its terms, please discontinue use of our Services.

Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Legal Basis for Processing (GDPR)
  4. Sharing Your Information
  5. Data Retention
  6. Security of Your Information
  7. Cookies and Tracking Technologies
  8. Your Privacy Rights
  9. Children's Privacy
  10. Third-Party Links
  11. International Data Transfers
  12. AI Knowledge Base and Chat Widget
  13. Changes to This Policy
  14. Contact Us

1. Information We Collect

We collect information in several ways depending on how you interact with our Services.

1.1 Information You Provide Directly

  • Account Registration: When you create an account, we collect your name, email address, job title, organization name, and a hashed password.
  • Payment Information: If you subscribe to a paid plan, payment details (e.g., credit card numbers) are collected and processed by our third-party payment processor (Stripe). We do not store full payment card numbers on our servers.
  • Communications: When you contact us by email, support ticket, or form, we collect the contents of those communications.
  • Profile Information: Any optional profile information you add to your account, such as a profile picture or department affiliation.

1.2 Information We Collect Automatically

  • Log Data: Our servers automatically record log data when you use the Services, including your IP address, browser type and version, operating system, referring URLs, pages visited, and timestamps.
  • Usage Data: We collect information about how you use the Services, including which features you access, scan configurations you create, and interactions with the platform interface.
  • Device Data: Information about the device you use to access the Services, including hardware models, operating system and version, and unique device identifiers.
  • Cookies and Similar Technologies: We use cookies and similar tracking technologies to maintain session state, remember preferences, and analyze usage patterns. See Section 7 for more detail.

1.3 Scan Data and Third-Party Website Content

When you initiate an accessibility scan using our Services, our platform's automated scanner visits and analyzes the URLs you submit. The scan process may result in our servers briefly fetching and rendering the content of those third-party web pages. This content is analyzed for accessibility violations and is not retained beyond the period necessary to generate your scan report, except as described in Section 12 regarding the AI Knowledge Base feature.

2. How We Use Your Information

We use the information we collect to:

  • Provide and Operate the Services: Create and manage your account, process transactions, run accessibility scans, generate reports, and facilitate team collaboration features.
  • Improve the Services: Analyze usage patterns, diagnose technical problems, and develop new features and improvements.
  • Communicate With You: Send transactional emails (e.g., account confirmations, password resets, scan completion notifications), respond to support inquiries, and provide service updates.
  • Marketing: With your consent where required, we may send promotional communications about Kozite features, new offerings, or industry news. You may opt out at any time.
  • Security and Compliance: Detect, investigate, and prevent fraudulent, abusive, or illegal activity; enforce our Terms of Service; and comply with applicable legal obligations.
  • Analytics: Generate internal aggregated and anonymized analytics to understand how the Services are used and to improve them.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal basis for processing your personal data under the General Data Protection Regulation (GDPR) or applicable national law includes:

  • Contract Performance: To perform our agreement with you and provide the Services you have requested.
  • Legitimate Interests: To operate and improve our platform, prevent fraud, and send relevant service communications, where these interests are not overridden by your rights.
  • Legal Obligation: To comply with applicable laws and regulations.
  • Consent: For optional activities such as marketing emails, where we rely on your freely given, specific, and informed consent.

4. Sharing Your Information

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

  • Service Providers: We engage trusted third-party vendors who perform services on our behalf, such as cloud hosting (Hetzner, Supabase), email delivery (Resend), payment processing (Stripe), and AI processing (Google Cloud / Google Gemini). These vendors are contractually bound to use your data only as directed by us and to protect it appropriately.
  • Within Your Organization: If your account is provisioned under an organizational subscription, your profile information, assigned issues, and activity may be visible to administrators and managers within that organization.
  • Legal Requirements: We may disclose your information to comply with applicable law, court orders, government requests, or to protect the rights, property, and safety of Kozite, our users, or the public.
  • Business Transfers: In the event of a merger, acquisition, bankruptcy, or sale of some or all of our assets, your information may be transferred. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.
  • With Your Consent: We may share information for any other purpose with your explicit consent.

5. Data Retention

We retain your personal information for as long as is necessary to fulfill the purposes described in this Privacy Policy. Specifically:

  • Account Data: Retained for the duration of your account's active status. Upon account deletion, personal identifiers are anonymized or deleted within 30 days, except where retention is required by law.
  • Scan Reports and Issue Data: Retained for the duration of the subscription or as configured by your organization administrator. Deletion of scan data follows the account or organization deletion process.
  • Log Data: Server logs are typically retained for 90 days for security and diagnostic purposes.
  • Legal Obligations: Certain financial and compliance records may be retained longer as required by applicable law.

6. Security of Your Information

We implement industry-standard technical and organizational security measures designed to protect your information from unauthorized access, disclosure, alteration, or destruction. These measures include:

  • Encryption of data in transit using TLS (HTTPS).
  • Password hashing using Argon2, a memory-hard hashing algorithm.
  • Restricted database access with role-based controls.
  • Session management with secure, HTTP-only cookies.
  • Rate limiting and CORS protections on our API.
  • Regular security reviews of our infrastructure.

Notwithstanding our efforts, no security system is impenetrable and we cannot guarantee the absolute security of our systems. If you believe your account has been compromised, please contact us immediately at [email protected].

7. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential Cookies: Required for the Services to function, including authentication session cookies. These cannot be disabled.
  • Preference Cookies: Remember your settings and preferences (e.g., theme mode).
  • Analytics Cookies: Help us understand how users interact with the Services on an aggregated basis. We use Google Analytics (GA4), which uses first-party cookies to collect usage data. GA4 does not store full IP addresses. You may opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on.

You can control cookies through your browser settings. Disabling essential cookies may impair your ability to use the Services. We do not use third-party advertising cookies or sell data to advertising networks.

Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, we do not respond to DNT signals, but you may opt out of analytics tracking as described above.

8. Your Privacy Rights

Depending on your location, you may have the following rights with respect to your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data, subject to our retention obligations.
  • Restriction: Request that we restrict processing of your personal data in certain circumstances.
  • Data Portability: Receive your personal data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

California residents may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the "sale" of personal information. We do not sell personal information.

To exercise any of these rights, please contact us at [email protected]. We will respond within the timeframes required by applicable law.

9. Children's Privacy

The Services are designed for professional use by adults and organizations. We do not knowingly collect or solicit personal information from children under the age of 13 (or 16 in the EEA). If we discover that we have inadvertently collected personal information from a child, we will delete it promptly. If you believe we have collected information from a child, please contact us at [email protected].

10. Third-Party Links

Our Services and marketing materials may contain links to third-party websites, integrations, or resources. These third parties have their own privacy policies, and we are not responsible for their practices. We encourage you to review the privacy policies of any third-party services you access through links on our platform.

11. International Data Transfers

Kozite is operated from the United States. If you are located outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States or other countries where our service providers are based. These countries may not have data protection laws equivalent to those in your jurisdiction.

Where required, we rely on appropriate legal transfer mechanisms, such as Standard Contractual Clauses under the GDPR, to transfer personal data internationally.

12. AI Knowledge Base and Chat Widget

Certain subscription tiers include access to our AI Knowledge Base and Embeddable Chat Widget features. These features process data as follows:

  • Organization-Scoped Data: The AI Knowledge Base is scoped entirely to your organization's own scan data. Data from one organization is never made accessible to another.
  • Embeddable Widget: If you embed the Kozite Chat Agent on your website, it processes end-user prompts to provide accessibility information based on your organization's compliance data. It does not track users across different third-party websites.
  • Processing as Directed: We use Google Gemini to process AI queries. Prompts and responses are processed according to our enterprise agreement, which ensures data is not used to train global AI models shared with other customers.
  • Data Retention: Chatbot conversation history may be retained for up to 90 days to improve response quality within your organization's tenant.
  • Your Ownership: You may request deletion of your AI data by contacting [email protected] or by deleting your organization's data within the platform.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where appropriate, by sending you an email notification. We encourage you to review this policy periodically.

Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the updated terms.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Kozite Privacy Team
Email: [email protected]
General Inquiries: [email protected]

If you are located in the EEA and believe we have not addressed your complaint, you also have the right to lodge a complaint with your local data protection supervisory authority.

© Kozite. All rights reserved.
