Privacy Policy

Kyudo, Inc. (“Kyūdō,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (kyudo.ai), use our platform, or interact with our services (collectively, the “Services”).

1. Information We Collect

1.1 Information You Provide

• Account Information. Name, email address, job title, company name, and phone number when you register, request a demo, or contact us.
• Payment Information. Billing address and payment details processed by our third-party payment processor. We do not store full credit card numbers on our systems.
• Communications. Messages you send to us via email, contact forms, or support channels.

1.2 Information Collected Automatically

• Usage Data. Pages visited, features used, click patterns, session duration, and referral sources.
• Device Information. Browser type, operating system, IP address, device identifiers, and screen resolution.
• Cookies and Similar Technologies. We use cookies, web beacons, and similar technologies as described in Section 6 below.

1.3 Customer Data

When customers use the Kyūdō platform, they may submit compliance-related data, documents, policies, and configurations (“Customer Data”). We process Customer Data solely on behalf of the customer as a data processor, as detailed in our Data Processing Agreement.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Services.
• Process transactions and send related confirmations.
• Respond to inquiries, provide support, and communicate with you.
• Send marketing communications (with your consent where required).
• Monitor usage patterns and analyze trends to improve user experience.
• Detect, prevent, and address fraud, security issues, and technical problems.
• Comply with legal obligations and enforce our terms.

3. How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

• Service Providers. With trusted third-party vendors who assist in operating our Services (hosting, analytics, email delivery, payment processing), subject to contractual data protection obligations.
• Legal Compliance. When required by law, regulation, legal process, or governmental request.
• Business Transfers. In connection with a merger, acquisition, or sale of assets, in which case your information may be transferred to the successor entity.
• With Your Consent. When you have given explicit consent for a specific purpose.

4. Data Sovereignty and Residency

Kyūdō is built with data sovereignty as a core principle. For customer-hosted deployments:

• Customer Data resides exclusively within your Microsoft Azure tenant.
• We do not transfer, copy, or replicate Customer Data outside your designated region.
• All AI processing occurs within your tenant boundary. No Customer Data is sent to external AI endpoints.
• You maintain full administrative control over your data, including encryption keys.

5. Data Security

We implement industry-standard technical and organizational measures to protect your information, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access controls and least-privilege principles.
• Regular penetration testing and vulnerability assessments.
• SOC 2 Type II audit (in progress) and ISO 27001 certification (in progress).
• Incident response and breach notification procedures.

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Cookies and Tracking Technologies

We use the following categories of cookies:

• Strictly Necessary. Required for the website to function (session management, security tokens). Cannot be disabled.
• Analytics. Help us understand how visitors interact with our website (page views, traffic sources). We use privacy-respecting analytics tools.
• Functional. Remember your preferences and settings (language, region).
• Marketing. Used to deliver relevant advertisements and measure campaign effectiveness. Deployed only with your consent.

You can manage cookie preferences through your browser settings or our cookie consent banner. Disabling certain cookies may affect the functionality of the Services.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer required, we securely delete or anonymize it.

8. Your Rights

Depending on your location, you may have the following rights:

• Access. Request a copy of the personal data we hold about you.
• Correction. Request correction of inaccurate or incomplete data.
• Deletion. Request deletion of your personal data, subject to legal retention requirements.
• Portability. Request your data in a structured, machine-readable format.
• Objection. Object to processing based on legitimate interests or direct marketing.
• Restriction. Request restriction of processing in certain circumstances.
• Withdrawal of Consent. Withdraw consent at any time where processing is based on consent.

To exercise your rights, contact us at privacy@kyudo.ai. We will respond within 30 days (or sooner as required by applicable law).

9. GDPR (European Economic Area)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

• Contract Performance. To provide Services you have requested.
• Legitimate Interests. To improve our Services, prevent fraud, and communicate with you.
• Consent. For marketing communications and non-essential cookies.
• Legal Obligation. To comply with applicable laws and regulations.

You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.

10. CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know. Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete. Request deletion of personal information we have collected, subject to certain exceptions.
• Right to Opt-Out.We do not sell personal information. If this changes, we will provide a “Do Not Sell My Personal Information” link.
• Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email privacy@kyudo.ai with the subject line “CCPA Request.”

11. International Transfers

For our SaaS offering, data may be processed in the United States. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses or other approved transfer mechanisms under applicable data protection law. Customer-hosted deployments are not subject to international transfers by Kyūdō.

12. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.

13. Third-Party Links

The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated Policy on our website and updating the “Last updated” date. For significant changes, we may also provide notice by email.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: