Privacy Policy
Kynara is a permission and governance platform for AI agents. This policy explains what data we collect when you use our service, how we use and protect it, and what choices you have. We've tried to write this in plain English — if something is unclear, reach out to [email protected].
1 Data we collect
We collect the minimum data needed to run the service. Here's what that looks like in practice:
Account data
When you sign up, we collect your name, email address, and a hashed password (or your OAuth provider identity if you use single sign-on). For organization accounts, we also store the organization name and the email addresses of any team members you invite.
Usage data
We log actions taken inside the platform — role assignments, policy changes, approval decisions, and agent activity — to power the audit log feature. These records form the core of the product.
Technical data
Standard server logs include IP addresses, browser type, and timestamps. These are used for debugging and security monitoring and are not linked to your profile for advertising purposes.
Billing data
Payment details (card number, billing address) are handled entirely by our payment processor, Stripe. We store only a non-sensitive token reference and your plan tier — we never see or store raw card data.
| Category | Examples | Purpose |
|---|---|---|
| Account | Name, email, org name | Authentication, notifications |
| Governance activity | Policy changes, approvals, role edits | Audit trail, core product features |
| Agent metadata | Agent names, assigned roles, status | Permission enforcement |
| Technical | IP address, timestamps, browser | Security, debugging |
| Billing | Plan tier, Stripe customer token | Subscription management |
2 MCP connector data
Kynara provides a Model Context Protocol (MCP) connector that allows AI agents and MCP-compatible tools to interact with the platform. When an agent or client connects via the MCP interface, the following information may be accessed or generated:
- Agent identifiers: names or IDs used to look up an agent's assigned roles and permissions.
- Permission check results: whether a given action is allowed or denied for a specific agent and resource.
- Audit log entries: records of actions taken (or attempted) by agents, including timestamps and outcomes.
- Approval decisions: records of requests that required human approval, including the decision and any reviewer notes.
- Role and policy data: the permission rules that govern what agents can do.
Data accessed via the MCP connector is scoped to the authenticated organization's workspace. Connectors authenticate with a short-lived token bound to a specific organization; they cannot read data belonging to other organizations.
3 How we use your data
We use the data we collect to:
- Provide and operate the Kynara platform, including enforcing permissions and generating audit logs.
- Send transactional emails — account verification, password reset, approval notifications, and billing receipts.
- Respond to support requests and diagnose bugs.
- Monitor for security threats and prevent abuse.
- Improve the product through aggregate, anonymized usage analytics (e.g., which features are most used). These analytics cannot be traced back to individuals.
- Comply with legal obligations when required.
We do not use your data for behavioral advertising, and we do not sell your data to third parties.
4 Storage & security
Kynara's infrastructure is hosted on Railway, with primary data stored in PostgreSQL databases in the United States. All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
We apply the following security practices:
- Passwords are hashed using bcrypt before storage — we cannot recover your plaintext password.
- Database access is restricted to application servers through private networking; no public database endpoints are exposed.
- Secrets and credentials are managed via environment variables and are not committed to source control.
- Access to production systems is limited to authorized personnel on a need-to-know basis.
No system is perfectly secure. If you discover a vulnerability, please report it to [email protected] and we'll respond promptly.
5 OAuth tokens
If you sign in using an external OAuth provider (such as Google or GitHub), or if you connect third-party services to Kynara, we receive and store OAuth access tokens and refresh tokens. Here's how we handle them:
- Tokens are stored encrypted in the database — they are never stored in plaintext.
- Tokens are only used to perform actions explicitly authorized by you (e.g., reading your profile to create an account).
- We request only the minimum OAuth scopes needed for the requested functionality.
- When you disconnect an integration or delete your account, associated OAuth tokens are revoked and deleted.
6 Third-party sharing
We share data only with the sub-processors necessary to operate the service. We do not sell data, and we do not share data with advertising networks.
| Service | Purpose | Data shared |
|---|---|---|
| Railway | Cloud hosting | All application data (stored on Railway infrastructure) |
| Stripe | Payment processing | Billing contact info, payment method details |
| Resend / SendGrid | Transactional email | Recipient email address, email content |
| Sentry (optional) | Error monitoring | Stack traces, anonymized request context |
We may also disclose data if required by law, court order, or government authority, or when necessary to protect the rights, property, or safety of Kynara, our users, or the public.
If we are acquired by or merge with another company, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
7 Data retention
We keep data for as long as your account is active or as needed to provide the service. More specifically:
| Data type | Retention period |
|---|---|
| Account information | Until account deletion, then 30 days before permanent removal |
| Audit logs | 90 days on free plans; 1 year on paid plans; configurable for enterprise |
| Approval records | Same as audit logs |
| Server / access logs | 30 days, then automatically purged |
| Billing records | 7 years (legal requirement) |
| Backups | Retained for up to 30 days, then overwritten |
When you delete your account, we begin a 30-day deactivation window during which the account can be restored if the deletion was accidental. After that window, all personal data associated with your account is permanently deleted, with the exception of billing records required for legal compliance.
8 Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate or incomplete data.
- Deletion: Request that we delete your account and associated personal data.
- Portability: Receive your data in a machine-readable format.
- Restriction: Ask us to limit how we process your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
To exercise any of these rights, email [email protected]. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
If you are located in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local data protection authority.
9 Children's privacy
Kynara is a business-facing tool and is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will promptly delete it.
10 Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify account holders by email. Continuing to use Kynara after a policy update constitutes acceptance of the revised policy.
We encourage you to review this page periodically. The current version is always available at kynaraai.com/privacy.
11 Contact us
If you have questions about this policy or want to exercise your data rights, get in touch:
Kynara Privacy Team
Email: [email protected]
We aim to respond within 2 business days for general inquiries, and within 30 days for formal data subject requests.