Krownlabs LLC ("Krownlabs", "we", "us", or "our") operates the Kentral platform ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use the Service. It also describes your rights under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA / CPRA).
Data Controller: Krownlabs LLC · privacy@kentral.io
1. Information We Collect
1.1 Information You Provide
- Account data — first name, last name, email address, and hashed password when you register with email/password.
- OAuth profile data — name, email, and profile picture provided by GitHub or Google when you sign in via OAuth (access tokens are encrypted at rest).
- Workspace data — workspace name, logo, and configuration settings.
- User-generated content — issues, documents, comments, project milestones, initiatives, customer/request records, and any other content you create within the Service.
- Profile information — avatar image (up to 5 MB) and display preferences.
- API keys — AI provider API keys (Anthropic, OpenAI, Google AI) you optionally supply, stored AES-256-GCM encrypted.
- Payment information — billing details processed by our payment processor (we do not store raw card data).
- Communications — messages you send to our support team.
1.2 Information Collected Automatically
- Log data — IP addresses, browser type, pages visited, timestamps, and request identifiers, collected via our internal structured logging system.
- Session data — authentication session tokens stored in secure, HttpOnly cookies (cookie name prefix: kentral.session_token, 30-day expiry).
- Workspace preference cookie — kentral_active_workspace (1-year expiry, first-party only).
- Device and browser information — collected for security (detecting unusual sign-ins) and service functionality.
1.3 Information from Third Parties
- GitHub — repository data, pull request status, workflow run data, and webhook events when you connect the GitHub integration.
- Slack — workspace identity and message events when you connect the Slack integration.
- Google — profile information for Google OAuth sign-in.
2. Cookies
We use only strictly necessary first-party cookies required to operate the Service. We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies.
| Cookie | Purpose | Expiry |
|---|---|---|
| kentral.session_token | Authentication session | 30 days |
| kentral_active_workspace | Remember last active workspace | 1 year |
Because we only use strictly necessary cookies, a cookie consent banner is not legally required under the ePrivacy Directive for these cookies. If we introduce non-essential cookies in the future we will update this policy and add a consent mechanism.
3. How We Use Your Information
| Purpose | GDPR Legal Basis |
|---|---|
| Provide, maintain, and improve the Service | Contract (Art. 6(1)(b)) |
| Authenticate users and manage sessions | Contract (Art. 6(1)(b)) |
| Send transactional emails (invites, magic links, password resets, email verification) | Contract (Art. 6(1)(b)) |
| Process billing and subscriptions | Contract (Art. 6(1)(b)) |
| Detect and prevent fraud, abuse, and security incidents | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations (e.g., tax records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) |
| Improve AI features (only if you opt in via workspace settings) | Consent (Art. 6(1)(a)) |
| Send product updates and announcements (you can unsubscribe at any time) | Legitimate interest (Art. 6(1)(f)) |
4. AI Features and Data Use
AI-powered features in Kentral may process your Content (e.g., issue descriptions, document text) through AI inference APIs. By default:
- AI data sharing is off. The "Improve AI features by sharing usage data" workspace toggle defaults to off. We do not use your Content to train AI models unless you explicitly enable this setting.
- User-supplied API keys. When you provide your own AI provider API keys, your data is processed subject to that provider's terms and privacy policy (Anthropic, OpenAI, or Google AI).
- Kentral-provided inference. When using Kentral's built-in AI (where no user-provided key is used), data is processed by Cloudflare AI and/or Anthropic under data processing agreements that prohibit training on customer data.
5. Sharing and Disclosure
We do not sell your personal information and have not sold personal information in the past 12 months. We do not share personal information for cross-context behavioral advertising.
We may share information with:
- Service providers (data processors) — third parties that process data on our behalf under written data processing agreements:
  - Resend — transactional email delivery
  - Cloudflare AI — AI inference
  - Stripe, Inc. — payment processing and billing. Stripe acts as an independent controller for payment card data; we never store raw card numbers.
- Integration partners — when you connect GitHub, Slack, Google, Discord, Microsoft Teams, or Figma, data is exchanged with those platforms as you direct.
- Within your workspace — your name, avatar, and Content are visible to other members of your workspace.
- Legal requirements — if required by law, court order, or government authority, or to protect the rights, property, or safety of Krownlabs, our users, or others.
- Business transfers — in connection with a merger, acquisition, or sale of assets, with notice provided to affected users.
6. International Data Transfers
Krownlabs is based in the United States. If you access the Service from the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home country.
We rely on the following transfer mechanisms for transfers out of the EEA/UK:
- Standard Contractual Clauses (SCCs) — we incorporate the European Commission's SCCs (June 2021) into our agreements with sub-processors for EEA data.
- UK International Data Transfer Agreements (IDTAs) — for transfers of UK personal data to third countries.
You may request a copy of the applicable transfer safeguards by contacting us at privacy@kentral.io.
7. Data Retention
- Account and workspace data — retained for the duration of your subscription and for 30 days after account deletion or termination, after which it is permanently deleted.
- Log and security data — retained for up to 90 days for security and fraud prevention purposes.
- Billing records — retained for 7 years to comply with tax and financial reporting obligations.
- Session tokens — expire after 30 days; invalidated immediately on sign-out.
- Magic link tokens — stored hashed and automatically expire after use or after a short validity window.
8. Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- AES-256-GCM encryption for sensitive credentials (API keys, OAuth tokens) at rest.
- Password hashing using industry-standard algorithms; we never store plaintext passwords.
- Secure, HttpOnly, SameSite session cookies with HTTPS enforcement in production.
- Optional two-factor authentication (TOTP) for user accounts.
- Role-based access controls within workspaces.
- Rate limiting and throttling on authentication endpoints.
No method of transmission over the internet or electronic storage is 100% secure. If you believe your account has been compromised, contact us immediately at security@kentral.io.
9. Your Rights Under GDPR (EEA / UK / Switzerland)
If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights under the GDPR and UK GDPR:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your personal data where there is no compelling reason for us to retain it.
- Right to restriction of processing (Art. 18) — request that we limit how we process your data while a dispute is resolved.
- Right to data portability (Art. 20) — receive your personal data in a structured, machine-readable format and have it transmitted to another controller.
- Right to object (Art. 21) — object to processing based on legitimate interests (including direct marketing).
- Rights related to automated decision-making (Art. 22) — we do not make solely automated decisions that produce legal or similarly significant effects.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint — you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU).
To exercise any of these rights, contact us at privacy@kentral.io. We will respond within 30 days (extendable by up to two additional months for complex requests). We may need to verify your identity before processing your request.
10. Your Rights Under CCPA / CPRA (California Residents)
If you are a California resident, the CCPA / CPRA grants you the following rights:
- Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete — request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct — request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing — we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required.
- Right to Limit Use of Sensitive Personal Information — we only use sensitive personal information (such as account login credentials) to provide the Service and for security purposes.
- Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights. We will not deny you goods or services, charge different prices, or provide a different quality of service.
Categories of Personal Information Collected (CCPA)
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address, session ID | Yes |
| Personal info (Cal. Civ. Code § 1798.80) | Name, email | Yes |
| Internet/network activity | Log data, pages visited | Yes |
| Professional / employment information | Workspace name, team membership | Yes |
| Inferences | Workspace preferences | Yes |
| Sensitive personal information | Account credentials (hashed) | Yes |
| Geolocation data | Precise location | No |
| Biometric / health data | — | No |
How to Submit a CCPA Request
Submit requests through either of the following methods:
- Email: privacy@kentral.io with subject line "CCPA Request"
- In-product: Workspace Settings → Profile → Privacy & Data
We will respond within 45 days. We may extend this period by an additional 45 days with notice. We will verify your identity before fulfilling a deletion or data access request.
You may designate an authorized agent to submit a request on your behalf by providing written authorization and verifying your identity directly with us.
11. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected such information, we will delete it promptly. Contact us at privacy@kentral.io if you believe we have collected information from a child under 16.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide at least 30 days' notice by email or through the Service before the changes take effect. The updated policy will be posted at this URL with a new effective date.
13. Contact and Data Subject Requests
For privacy-related questions, to exercise your rights, or to report a security vulnerability:
Krownlabs LLC — Privacy
EU/UK Representative: As Krownlabs does not yet have an establishment in the EEA or UK, we are required to designate a representative under GDPR Article 27 and UK GDPR Article 27 if we process EEA/UK personal data in a non-occasional manner. Please contact us at privacy@kentral.io for current representative details.
Also see our Terms of Service.