Privacy Policy
Last updated: March 31, 2026
1. Introduction
Kontent Ltd ("Kontent", "we", "us", or "our") operates the Kontent platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service. By accessing or using Kontent you consent to the practices described in this policy.
This policy applies globally and is designed to comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), Brazil's LGPD, Australia's Privacy Act 1988, and other applicable data protection laws.
2. Data We Collect
2.1 Information You Provide
- Account data — name, email address, password (hashed), organisation name, billing address.
- User content — documents, files, images, and text you upload, create, or store on the Service.
- Communications — support tickets, feedback, and any messages you send to us.
- Payment data — processed by our PCI-DSS Level 1 compliant payment processor; we never store full card numbers.
2.2 Automatically Collected Data
- Usage data — pages visited, features used, timestamps, session duration, and interaction patterns.
- Device & network data — IP address, browser type, operating system, device identifiers, and screen resolution.
- Cookies & similar technologies — session cookies (strictly necessary), analytics cookies (with consent), and local storage for user preferences.
2.3 Third-Party Connector Data
When you connect external services (Google Drive, OneDrive, social accounts), we access only the data you explicitly authorise. OAuth tokens are encrypted at rest using AES-256-GCM. We never access files outside the scopes you grant.
3. How We Use Your Data
We process your personal data for the following purposes:
- Providing, maintaining, and improving the Service.
- Processing documents via OCR, AI analysis, and search indexing.
- Authenticating your identity and securing your account.
- Processing payments and managing subscriptions.
- Sending transactional communications (account alerts, security notices).
- Sending marketing communications (only with your explicit opt-in consent; unsubscribe at any time).
- Generating anonymised, aggregated analytics to improve the Service.
- Complying with legal obligations and responding to lawful requests.
- Detecting, preventing, and addressing fraud, abuse, and security incidents.
4. Legal Bases for Processing (GDPR)
- Contract performance — processing necessary to deliver the Service you subscribed to.
- Legitimate interests — improving the Service, fraud prevention, and security; balanced against your rights.
- Consent — marketing communications, optional analytics, and AI-enhanced features.
- Legal obligation — tax records, law enforcement requests, and regulatory compliance.
5. Data Sharing & Transfers
We do not sell your personal data. We share data only in these circumstances:
- Service providers — hosting (cloud infrastructure), payment processing, email delivery, and error monitoring, bound by data processing agreements.
- Connected services — when you authorise a third-party integration, data flows only as needed to fulfil your request.
- Legal requirements — when required by law, court order, or governmental request.
- Business transfers — in connection with a merger, acquisition, or asset sale, with prior notice to you.
5.1 International Transfers
Data may be transferred to and processed in countries outside your jurisdiction. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where available. For transfers from other jurisdictions, we apply equivalent safeguards.
6. Data Retention
- Account data — retained while your account is active, plus 30 days after deletion request.
- User content — deleted within 30 days of account deletion; backups purged within 90 days.
- Audit logs — retained for 2 years for security and compliance purposes.
- Payment records — retained for 7 years per tax and financial regulations.
- Analytics data — anonymised and aggregated after 26 months; raw data deleted.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format.
- Restriction — limit how we process your data in certain circumstances.
- Objection — object to processing based on legitimate interests or direct marketing.
- Withdraw consent — where processing is based on consent, withdraw at any time.
- Non-discrimination — exercise your rights without adverse treatment (CCPA).
To exercise any right, email privacy@kontent.dev with your request. We will respond within 30 days (or sooner where required by law).
8. Security
We implement industry-standard security measures including encryption in transit (TLS 1.2+), encryption at rest (AES-256-GCM), regular penetration testing, multi-factor authentication, role-based access controls, and a bug bounty programme. Despite our efforts, no method of transmission or storage is 100% secure; we cannot guarantee absolute security.
9. Children's Privacy
The Service is not directed to individuals under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it promptly.
10. Cookies
We use strictly necessary cookies for authentication and session management. Optional analytics and preference cookies are only set with your explicit consent. You may manage cookie preferences in your account settings at any time.
11. AI & Automated Processing
Kontent uses AI and machine learning for OCR, document analysis, search relevance, and content suggestions. These automated processes do not produce legal effects or similarly significant decisions about you. You may opt out of AI-enhanced features in your account settings.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via in-app notification and/or email at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
13. Contact & Data Protection Officer
For any privacy-related questions or to exercise your rights:
Email: privacy@kontent.dev
Data Protection Officer: dpo@kontent.dev
If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, CNIL in France, or the relevant authority in your jurisdiction).