Privacy Policy — Kairos Analytics

Kairos Analytics ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding that data. If you have questions, contact us at privacy@polsia.app.

By using Kairos Analytics, you agree to the collection and use of information as described in this policy.

1 Data We Collect

1.1 Financial Transaction Data (via Plaid)

When you connect your business bank account, Plaid shares the following data with us:

Transaction descriptions, amounts, and dates
Account balances and institution name
Merchant names and category classifications provided by your bank

We do not collect or store your bank login credentials, PIN numbers, or one-time passcodes. All bank authentication is handled exclusively by Plaid under their security protocols.

1.2 Account Information

Email address (used for login and notifications)
Business profile (business name, industry, employee count, monthly revenue estimate)
Subscription tier and billing history

1.3 Usage & Analytics Data

We collect the following browser and usage data via Google Analytics 4 (GA4) and server-side logging:

Pages visited and time on page
Browser type, operating system, and screen resolution
Referring URL and UTM campaign parameters (for marketing attribution)
IP address (hashed before storage to remove direct identification)
Session ID (anonymous)

            GA4 Settings: We use GA4 with IP anonymization enabled. We do not use GA4 to track or collect individual-level financial transaction data. Analytics data is used solely for product improvement and aggregate usage reporting.
        

1.4 Cookies

We use cookies for:

Session management — required for authentication and secure access to your dashboard. These cookies are essential and cannot be disabled without logging you out.
Analytics — set by GA4 to measure page views and session duration. These are non-essential and you may opt out via your browser settings.

See Section 7 (Your Rights) for information on opting out of analytics cookies.

1.5 Error & Support Data

When errors occur in the platform, we log the following via Sentry (our error monitoring service): timestamp, feature area, HTTP status code, error message (truncated to 500 chars), request path, and anonymized user ID. We do not log raw bank credentials, payment card numbers, or full transaction amounts in error logs.

2 How We Use Your Data

We use collected data for the following purposes:

Transaction categorization — AI-powered classification of income and expense transactions into accounting categories (e.g., payroll, supplies, marketing).
Financial reporting — Profit & loss summaries, cash flow projections, and tax liability estimates based on your categorized transactions.
Bank sync — Pulling the latest transactions from your connected bank account(s) via Plaid.
Account management — Billing, subscription upgrades, account settings, and security notifications.
Product improvement — Analyzing aggregate usage patterns (never individual transaction content) to prioritize platform features and fix bugs.
Error diagnostics — Identifying and resolving platform errors via anonymized error logs.

We do not sell your personal data or financial information to advertisers, data brokers, or third parties.

3 Who We Share Data With

The following table summarizes third-party data sharing. All third parties are contractually bound to use your data only for the purpose of delivering their respective services.

Third Party	Data Received	Purpose
Plaid Inc. `plaid.com`	Bank access token, institution ID, transaction history via API	Bank account connection, transaction sync
Stripe `stripe.com`	Subscription status, billing email (no card data stored by us)	Payment processing, subscription management
Google Analytics 4 `analytics.google.com`	Page views, session duration, UTM params, hashed IP, browser type	Aggregate usage analytics, marketing attribution
Sentry `sentry.io`	Error timestamps, error type, feature area, anonymized user ID	Error monitoring and platform reliability
Neon (Neon Database Inc.) `neon.tech`	All user account data and transaction records stored in our PostgreSQL database	Data persistence — infrastructure provider, not a data consumer

We may also share aggregated, anonymized data with no individual user identification for research, public benchmarks, or product marketing — never your actual transactions or identity.

We will disclose your data if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to prevent fraud, protect the platform, or protect the rights and safety of others.

4 Data Storage & Security

Database: All user data and transaction records are stored in Neon PostgreSQL (cloud-hosted, located in the United States).
Encryption at rest: All database tables are encrypted at rest using AES-256 encryption provided by Neon Database Inc.
Encryption in transit: All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher.
Bank tokens: Plaid access tokens are stored in our database in encrypted form. We do not store raw bank credentials.
Access controls: Production database access is restricted to essential platform operations. No direct user access to raw financial data is provided via the platform UI.

While we implement industry-standard security measures, no system is completely immune to breach. In the event of a data breach affecting your information, we will notify you via email within 72 hours of discovery, in accordance with applicable law.

5 Data Retention

Active accounts: Transaction data and account information are retained for the duration of your active subscription.
Canceled accounts: All personal data and financial transaction records are deleted within 30 days of account cancellation. Anonymized usage statistics may be retained indefinitely.
Error logs: Purged automatically after 90 days.
Analytics data: GA4 data retention is set to 14 months in accordance with Google's default settings. You may request earlier deletion.

6 Children's Privacy

Kairos Analytics is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that a child under 18 has provided us with personal data, we will delete that data immediately. If you believe a child has submitted data to us, contact privacy@polsia.app.

7 Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@polsia.app. We will respond within 30 days.

7.1 Data Export ("Right to Access")

You may request a machine-readable copy of all personal data we hold about you, including your transaction records, account information, and business profile. We will provide this within 30 days of your request.

7.2 Data Deletion ("Right to Erasure")

You may request deletion of your account and all associated personal and financial data at any time. Deletion is complete within 30 days. Some anonymized aggregate data may be retained for product improvement purposes, with no individual identification possible.

7.3 Correct Inaccurate Data

You may update your account information, business profile, and contact details at any time from your Account Settings page in the dashboard. For transaction data corrections, contact us at the email above.

7.4 Opt Out of Analytics Cookies

You may opt out of non-essential analytics cookies by disabling them in your browser settings. Note that this may affect our ability to improve the platform based on usage data. Session cookies (required for authentication) cannot be disabled without logging out.

7.5 Jurisdiction-Specific Rights

EEA / GDPR: Additional rights include the right to restrict processing, data portability, and the right to lodge a complaint with your local data protection authority.
California / CCPA: You have the right to know what data is collected, request deletion, and opt out of the "sale" of personal information (we do not sell data).

8 International Data Transfers

Kairos Analytics is operated from the United States. If you are accessing the platform from outside the US, your data will be transferred to and processed in the United States. We ensure that any international data transfers comply with applicable law, including Standard Contractual Clauses (SCCs) where required.

9 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Effective Date" at the top of this page.
Send an email notification to the address on your account (for significant changes).
Post a dashboard notice for 30 days following any material change.

Continued use of the platform after a change constitutes acceptance of the updated Privacy Policy.

10 Contact

For privacy inquiries, data deletion requests, or concerns:

Email: privacy@polsia.app
Mail: Kairos Analytics, c/o Polsia Inc., Delaware, USA

We aim to respond to all privacy-related inquiries within 5 business days.