Privacy Policy
Last updated: April 17, 2026
1. Introduction & Objective
Kitopus is an analytical AI co-pilot built for SaaS founders. To provide real-time business intelligence, proactive cross-source alerts, and Telegram automation, we require access to operational business data. This Policy describes how we process, correlate, and protect the operational indicators we fetch from third-party integrations (Stripe, Firebase/Supabase, Vercel, Google Analytics 4).
2. Data We Collect
We collect only the data needed to produce useful insights:
- Identity & Account Information: Your name, email address, and the associated Telegram chat identifier.
- Integration Metrics: API keys and tokens (always stored encrypted). We read aggregated financial data and inbound webhook events (Stripe), cloud resource usage and deployment logs (Vercel), organic and paid web traffic (GA4), and general database row activity and statistics (Supabase/Firebase).
- Protection of Third-Party PII: Kitopus is built to ingest aggregated analytics (MRR, retention, funnel conversion). We do not request, query, or harvest Personally Identifiable Information (PII) about the end users of your products: we do not read content rows and work only with metadata events and user IDs.
- In-app Interactions & Audits: Chat history sent to our AI bot (/ask commands), any screenshots or images uploaded for computer vision analysis, your notification preferences, and your usage frequency on the Kitopus web dashboard.
3. Underlying Artificial Intelligence (AI) Processing
A core differentiator of Kitopus is the secure use of Large Language Models (LLMs) over your connected analytics:
- Sharing Scopes with AI Providers: Contextual slices of aggregate data and usage are routed securely to vetted enterprise-grade LLM provider environments (specifically Google's Gemini or Anthropic's Claude APIs) under strict B2B terms.
- Zero Foundation Model Training Commitment: Data exchanged during operation is not used to train the general foundation models of those AI platforms. Your indicators are used only for targeted inferences (such as predicting cohort shifts or compiling investor updates on demand) and are held only in transient cache state.
4. Token Architecture & Vault Security
Safeguarding your SaaS access keys is paramount:
- Encryption at Rest: Every integration OAuth credential or private key string we hold is encrypted at rest with AES-256-GCM. Only the decoupled worker functions that run sync procedures hold the isolated privilege to briefly decrypt a credential, inside a closed execution environment, for the duration of an API call.
- Expectation of 'Read-Only' Scopes: Integrators (clients) must supply keys provisioned with limited Read-Only, Viewer, or Analytics scopes. Kitopus accepts no liability for breaches affecting your underlying infrastructure that stem from granting tokens full Read/Write 'God-level' permissions.
5. Legal Purpose of Treatment
Processing serves the legitimate interest, requested by you, of delivering the complete technical service:
- Producing the 'Daily / Weekly Briefings' on conversion rates and health scores, dispatched routinely via Telegram and the Web Application;
- Sending proactive, immediate Telegram alerts that cross-reference events (e.g. GA4 bounce rates spiking minutes after a large Vercel deploy, or sudden Stripe cancellations);
- Drafting contextual answers to AI queries (/diagnose, /ask);
- Fixing active bugs and testing Kitopus operational integrity.
6. Restricted Sub-Processing & Disclosures
We do not trade, barter, or sell your traffic behavior or financial MRR milestones. Data is shared only with the infrastructure providers that keep the platform running (Vercel, Supabase instances) and with the AI providers described above, all bound by explicit confidentiality arrangements, except where disclosure is unequivocally mandated by law enforcement via verifiable judicial warrants.
7. Operational Logistics & Defense
All data connections use current HTTPS / TLS, preventing man-in-the-middle interception. The underlying cloud relational database enforces mandatory Row Level Security (RLS), guaranteeing multi-tenant segregation and removing the structural risk of cross-account data overlap.
8. User Autonomy and Regulatory Rights
You retain control over your data in line with applicable local and international rights (e.g. GDPR, LGPD):
- Prompt access to operational dashboards reflecting your data and the related insights;
- Correction of data mistakes, either manually or on request;
- Right to Erasure / Project Deletion: Selecting the 'Delete Project' function immediately and irreversibly removes the mapped instances, keys, associated DB rows including AI tasks, cached daily events, session histories, and chat logs.
- Exports of your account metrics.
9. Compliance Point of Contact
Direct technical privacy concerns, audits, specific legal claims, or DPO-related requests to hi@kitopus.com.