How KBPilot handles data for EU/EEA users.
KBPilot Inc. is committed to full compliance with the General Data Protection Regulation (GDPR) for all users located in the European Union, European Economic Area (EEA), and Switzerland. This page explains how we comply with GDPR requirements and outlines the rights available to you under the regulation.
The GDPR grants EU/EEA residents enhanced rights over their personal data, including rights of access, deletion, portability, and objection. We take these rights seriously and have implemented processes to fulfill all data subject requests within the timeframes required by GDPR.
KBPilot Inc. is the data controller for personal information collected through the KBPilot Service. This means we determine the purposes and means of processing your personal data. If you have questions about data handling or wish to exercise your GDPR rights, please contact our Data Protection Officer:
Email: privacy@kbpilot.ai
Address: KBPilot Inc., Data Protection Officer, Wilmington, Delaware, United States
We are committed to responding to all data subject requests and GDPR inquiries within 30 days, as required by Article 12(3) of the GDPR.
Under GDPR Article 6, we process your personal data only when we have a lawful basis to do so. Here are the legal bases we rely on:
We process your account information (name, email, company) and payment data because it is necessary to perform our contract with you—providing the KBPilot Service. Without this data, we cannot create your account, process payments, or deliver the Service.
We process usage data, log data, and analytics information to:
We balance our legitimate interests against your privacy rights and have implemented safeguards to minimize data processing to only what is necessary.
For marketing emails and optional analytics, we rely on your explicit consent. You can withdraw consent at any time by clicking the unsubscribe link in marketing emails or contacting privacy@kbpilot.ai.
We process the following categories of personal data from EU/EEA users:
Your personal data is stored on Amazon Web Services (AWS) infrastructure located in the United States (US-East region). This means data is transferred from the EU/EEA to the United States for processing and storage.
To ensure adequate protection for this transfer, KBPilot Inc. has adopted Standard Contractual Clauses (SCCs) between KBPilot and AWS. These contractual safeguards ensure that data receives equivalent protection in the US as it would in the EU, in accordance with GDPR Article 46.
When you use KBPilot's AI features, questionnaire content and Knowledge Base excerpts may be sent to OpenAI's API for processing. OpenAI also processes data outside the EU and relies on SCCs and, where available, adequacy decisions for those data transfers. We have executed a Data Processing Agreement with OpenAI confirming their GDPR compliance commitments.
Your Knowledge Base is never transferred to OpenAI for training purposes. Only the specific content needed for your current questionnaire inference is processed, and that data is not retained for model improvement.
You have the right to know about data transfers and the safeguards in place. For more information about international data transfers, please contact privacy@kbpilot.ai.
The GDPR grants you several rights regarding your personal data. Here's how to exercise them:
You have the right to request access to the personal data we hold about you and information about how we process it. We will provide this information in a clear, intelligible format within 30 days of your request.
If your personal data is inaccurate or incomplete, you have the right to request correction. You can update much of your information directly in your account settings, or contact us for assistance.
You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the original purpose or when you withdraw consent. Note that some data may need to be retained for legal compliance (e.g., tax records for 7 years). We will delete your account and associated data within 30 days of your erasure request, except where legal obligations require retention.
You can request that we restrict how we process your data while we verify disputed information or pending a deletion request. Restricted data will not be used except with your consent or for legal proceedings.
You have the right to request your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON). This allows you to move your data to another service provider. We will provide this within 30 days of your request.
You have the right to object to processing of your data based on legitimate interest. You can object to marketing communications at any time by unsubscribing or contacting privacy@kbpilot.ai. If you object to other processing based on legitimate interest, we will cease processing unless we can demonstrate compelling legitimate interests that override yours.
You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects. KBPilot does not make purely automated decisions about you without human involvement, so this right is not applicable to our Service.
To exercise any of your GDPR rights, please send a request to privacy@kbpilot.ai with:
To protect your privacy, we may need to verify your identity before processing your request. We may ask for additional information or a copy of your government ID (which we will securely delete after verification).
We will acknowledge your request within 5 business days and respond with a substantive answer within 30 days of your request. If a request is complex, we may extend the timeline by up to 2 additional months, and we will inform you of the extension and reasons.
We will not discriminate against you or deny service for exercising your GDPR rights. Your access to KBPilot will not be affected by submitting data subject requests.
We retain your personal data only as long as necessary to provide the Service and fulfill the purposes outlined in our Privacy Policy:
Personal information for active accounts is retained indefinitely while your account exists. You can request deletion at any time.
Upon account deletion, all personal data, including Knowledge Base documents, questionnaires, and usage records, is securely deleted within 30 days. Encrypted backups containing your data are destroyed after our backup retention window expires (also within 30 days).
Payment and billing information is retained for 7 years to comply with tax and accounting requirements in the United States. After 7 years, payment records are securely deleted.
Server logs, IP addresses, and technical data are retained for 90 days for security and troubleshooting purposes, then deleted.
Your personal data may be shared with the following sub-processors, all of whom are GDPR-compliant:
Payment processing. Stripe is located in the US and is certified under the EU-US Data Privacy Framework.
Infrastructure and data hosting. AWS processes data on our behalf and is bound by our Data Processing Agreement (DPA).
API processing for AI-powered questionnaire features. OpenAI is bound by our Data Processing Agreement (DPA) and complies with GDPR requirements for data transfers.
Transactional email delivery. Resend sends confirmations and account notifications and is GDPR-compliant.
All sub-processors are contractually obligated to process data only as we direct and to maintain appropriate security measures. We have Data Processing Agreements in place with all processors.
KBPilot uses cookies minimally and only for essential functionality:
We use session cookies to maintain your login state and authentication. These cookies are strictly necessary for the Service to function and do not require separate consent under GDPR (Recital 32).
We do not use third-party cookies for advertising, retargeting, or behavioral tracking. No advertising networks or ad exchanges have access to your data through cookies.
We do not use third-party analytics tools that set cookies. Any optional analytics we use are based on explicit consent.
Because we use only strictly necessary cookies for authentication and do not set optional cookies, we do not require a cookie consent banner under GDPR.
We implement technical and organizational measures to protect your data:
In the event of a personal data breach, we will:
We maintain a breach register and log all incidents for regulatory compliance.
We may update this GDPR policy to reflect changes in our practices, technology, or legal requirements. Material updates will be announced via email or notice on our platform. Your continued use of KBPilot constitutes acceptance of any updates.
You have the right to lodge a complaint with your local Data Protection Authority if you believe we have violated your GDPR rights. The contact details for your supervisory authority can be found here:
You may lodge a complaint at any time, but we encourage you to contact us first at privacy@kbpilot.ai to attempt to resolve any concerns.
For all GDPR-related inquiries, data subject requests, or to report concerns about our data handling practices, please contact our Data Protection Officer:
Email: privacy@kbpilot.ai
Response Time: We aim to respond within 5 business days
We are committed to transparent, accountable data handling and welcome your questions about our GDPR compliance.