1. Introduction
This Privacy Policy explains how [KatCore — full registered legal entity name, NIT] ("KatCore", "we", "us") collects, uses, shares, and protects personal data when you use our website, web application, API, and related services (the "Service"). It also describes your rights and how to exercise them.
This Policy is part of, and incorporated into, our Terms of Service.
2. Who We Are and How to Contact Us
KatCore is the data controller (responsable del tratamiento) for personal data we collect about visitors, account holders, and billing contacts.
- Address: [registered address, Colombia]
- Privacy contact / data-protection inquiries: [privacy@katcore.com]
- Security incidents: [security@katcore.com]
- [If a Data Protection Officer / responsable is appointed, name and contact here.]
3. Controller vs. Processor — Two Roles
KatCore plays two distinct roles depending on the data:
- As a controller (responsable): for account, billing, support, marketing, and usage data — the personal data we decide how and why to process to run our business. This Policy governs that data.
- As a processor (encargado): for personal data contained in the Customer Data you upload or connect (your files, datasets, database/API sources, prompts). We process that data only on your documented instructions to provide the Service. You are the controller of that data and are responsible for having a lawful basis, providing notices to, and honoring the rights of, the individuals it concerns. If you need a Data Processing Agreement (DPA), contact [privacy@katcore.com].
4. Information We Collect
(a) Information you provide directly
- Account data: name, email address, password (hashed), and profile details. If you sign in with Google, we receive basic profile and email from your Google account.
- Billing data: plan, subscription status, and limited payment metadata. Card details are collected and stored by our payment processor, Stripe — we do not store full card numbers.
- Support and communications: messages, requests, and survey/feedback responses.
(b) Customer Data (processed on your behalf — see Section 3)
- Files and datasets you upload (CSV, Excel, JSON, PDF, Parquet, and other supported formats);
- data retrieved from URL, REST API, or database connections you configure, including via scheduled ingestion;
- connection credentials you provide (stored encrypted at rest);
- semantic descriptions, column labels, audit results, embeddings, and notebooks/artifacts derived from your data;
- chat questions and conversation history within your Workspace.
Customer Data may contain personal data of third parties (e.g., your customers or employees). You control what you upload.
(c) Information collected automatically
- Usage and telemetry: features used, actions taken, job/processing status, AI-credit consumption, timestamps;
- Device and technical data: IP address, browser type, device and operating system, and similar identifiers;
- Cookies and similar technologies: see Section 11.
5. How We Use Personal Data
We use personal data to:
- create and administer your Account and authenticate you;
- provide the Service — ingest, store, label, audit, embed, search, query, schedule, and generate Output from your data;
- process payments, manage subscriptions, and prevent payment fraud;
- maintain security, enforce our Terms, and detect, prevent, and respond to abuse, incidents, and illegal activity;
- provide support and respond to your requests;
- monitor, analyze, and improve the Service, including creating aggregated and de-identified statistics;
- send service and transactional communications (e.g., security alerts, billing notices), and — where permitted and with consent where required — product updates and marketing, which you can opt out of;
- comply with legal obligations and establish, exercise, or defend legal claims.
We do not sell your personal data, and we do not use your Customer Data to train our own or third parties' foundation models. [Confirm this commitment matches operational reality, including AI Provider settings — see Section 7.]
6. Legal Bases for Processing
Where the GDPR or similar laws apply, we rely on: performance of a contract (to provide the Service you request); legitimate interests (to secure, operate, and improve the Service and for limited marketing, balanced against your rights); consent (e.g., certain cookies and marketing, which you may withdraw); and legal obligation (e.g., tax and accounting). Under Colombian Ley 1581 de 2012, we process personal data with authorization (autorización) of the data subject and in accordance with the purposes disclosed in this Policy and our information-management policy.
7. AI Processing and Sub-Processors
To deliver core features — automatic semantic labeling and column descriptions, the data-quality audit and readiness score, embeddings/semantic search, and natural-language chat — the Service transmits relevant portions of your Customer Data (for example, column names, schema, sample values, and your questions) to third-party AI Providers and infrastructure providers that process data on our behalf. You instruct us to make these transfers when you use those features.
We engage the following categories of sub-processors. [Confirm and keep this list current; this is a material disclosure.]
| Sub-processor | Purpose | Data involved | Location |
|---|---|---|---|
| Google Cloud (Cloud Run, Cloud SQL) | Application hosting and primary database | Account, usage, and Customer Data | [US / region] |
| Cloudflare (R2) | Object storage for uploaded/processed files | Customer Data (files) | [Global edge] |
| OpenAI | LLM features (semantic, audit synthesis, chat) and/or embeddings | Column names, samples, schema, prompts, Output | [US] |
| Google (Gemini) [if enabled] | Alternative LLM provider | As above | [US] |
| Groq [if enabled] | Alternative LLM provider | As above | [US] |
| Stripe | Payment processing and subscription billing | Billing/identity, payment metadata | [US/Global] |
| [Email provider, e.g., Resend] | Transactional email | Email address, message content | [region] |
| [Managed Redis / queue provider] | Background job processing | Transient processing metadata | [region] |
Notes:
- Where the Service is configured to use a self-hosted/local model (e.g., Ollama), the relevant data is not transmitted to an external AI Provider.
- We require sub-processors to provide appropriate confidentiality and security protections and to process data only for the purposes we specify. [Confirm zero-data-retention / no-training settings with each AI Provider and reflect them here.]
- A current sub-processor list is available on request at [privacy@katcore.com]; we will provide reasonable notice of new sub-processors where required by a DPA.
8. How We Share Personal Data
Beyond the sub-processors in Section 7, we may disclose personal data:
- within your organization/Workspace as you configure;
- to professional advisors (lawyers, accountants, auditors) under confidentiality;
- in a corporate transaction (merger, acquisition, financing, or asset sale), subject to this Policy;
- to comply with law, respond to lawful requests, or protect the rights, safety, and property of KatCore, our users, or the public.
We do not sell personal data and do not share it for cross-context behavioral advertising.
9. International Data Transfers
We are based in Colombia and use sub-processors that may store or process data in other countries, including the United States. Where we transfer personal data internationally, we rely on appropriate safeguards — such as the transfer mechanisms permitted under Colombian Law 1581/2012 and, where the GDPR applies, the European Commission's Standard Contractual Clauses or an adequacy determination. You may request more information at [privacy@katcore.com].
10. Data Retention and Deletion
- Account and billing data — we retain it for as long as your Account is active and thereafter as needed to comply with legal, tax, accounting, and dispute-resolution obligations.
- Customer Data — we retain it for the duration of your Subscription. Files are stored with limited version history (a rolling number of recent versions per file). When you delete data or close your Account, we delete or de-identify the associated Customer Data within [30–90] days, except where retention is required by law or for backups that expire on a rolling basis.
- Logs and security data — we retain it for a limited period needed for security and operations.
[Confirm exact retention windows, version count, and backup expiry with the engineering team and counsel.]
11. Cookies and Similar Technologies
We use strictly necessary cookies (for authentication, session, and security) and, where applicable, analytics or preference cookies. Necessary cookies are required to operate the Service. Where consent is required, we request it through a cookie banner, and you can manage non-essential cookies in your browser or our cookie settings. [Add a cookie table / link to a Cookie Policy if you deploy analytics or marketing cookies.]
12. Security
We implement administrative, technical, and organizational measures designed to protect personal data, including: logical tenant isolation between Workspaces; encryption in transit (TLS) and encryption at rest for stored files and connection credentials; access controls and authentication (including hashed passwords, short-lived access tokens, and scoped API keys); and security headers and network protections. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
13. Your Rights
Subject to applicable law, you have rights over your personal data. Under Colombia's Ley 1581 de 2012, data subjects (titulares) may: know (conocer), update (actualizar), and rectify (rectificar) their data; request proof of authorization; be informed about the use of their data; file complaints with the Superintendencia de Industria y Comercio (SIC); revoke authorization and/or request deletion (supresión) where appropriate; and access their data free of charge. Under the GDPR/UK GDPR (where applicable), you also have rights of access, rectification, erasure, restriction, portability, and objection, and the right not to be subject to certain solely automated decisions. Under the CCPA/CPRA (where applicable), you have rights to know, delete, correct, and opt out of "sale"/"sharing" (we do not sell or share for cross-context advertising).
To exercise rights regarding data we control, contact [privacy@katcore.com]; we will respond within the timeframes required by law. If your request concerns personal data within Customer Data for which a KatCore customer is the controller, we will refer you to that customer or act on their instructions. You also have the right to lodge a complaint with the SIC or your local supervisory authority.
14. Automated Processing
The Service uses automated and AI-assisted processing to label data, score data quality, suggest fixes, and answer questions. These features are decision-support tools; Output may be inaccurate and should be reviewed by a human before being relied upon. We do not use this processing to make decisions producing legal or similarly significant effects about individuals on our own behalf. If you use Output to make such decisions about individuals, you are responsible for any required safeguards and disclosures.
15. Children's Privacy
The Service is not directed to, and we do not knowingly collect personal data from, children under 18. If you believe a child has provided us personal data, contact [privacy@katcore.com] and we will delete it.
16. Data Breach Notification
If we become aware of a personal-data breach that affects you, we will notify the relevant authorities and affected individuals as and where required by applicable law (including the SIC under Colombian regulations and supervisory authorities under the GDPR), without undue delay.
17. Third-Party Links and Sources
The Service may link to, or ingest data from, third-party websites, APIs, and databases you choose to connect. Those third parties have their own privacy practices, for which we are not responsible.
18. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will provide notice (for example, by email or in-app) before they take effect, and we will update the "Last updated" date. Your continued use after the effective date constitutes acceptance where permitted by law.
19. Contact
[Registered address, Colombia]
Privacy: [privacy@katcore.com] · Security: [security@katcore.com] · General: [hello@katcore.com]