Legal
Privacy Policy.
What data we collect, why, who we share it with, and your rights.
1. Who we are
Kanonik is operated by Kanonik LLC, organised under the laws of the State of Wyoming, United States of America (the "Provider", "we", or "us").
For questions about this policy, contact our privacy team at [email protected].
2. Scope of this policy
This policy applies to personal data we collect through:
- The Kanonik website (kanonik.ai);
- The Kanonik hosted platform (the "Service");
- Direct interactions with our team (sales, support, and customer onboarding).
Two roles. When you visit our website or sign up as a Customer, we act as a controller for the personal data described below. When the Service processes Customer Data on behalf of a Customer (for example, names of internal compliance officers stored in your GRC tool), we act as a processor. The Customer is the controller of that data. Processor terms are set out in our Data Processing Addendum.
3. What data we collect
3.1 Account data
When you create an account or contact sales, we collect: name, work email, company name, role/title, country, and the GRC tool you use. For paid Customers, we also collect billing details (handled by our payment provider; see Section 6).
3.2 Service usage data
When you use the Service, we collect: your authentication identifiers (OIDC subject), the MCP tool calls your AI makes, the inputs and outputs of those calls, the Verifier's verdicts, approval-token references and approver identity, sync operations to your GRC tool, and the content of audit-log events (see Section 8 for retention).
3.3 Customer Data (we are processor only)
The canonical representation of your GRC entities (controls, evidence, mappings, frameworks) and any personal data they contain (e.g., names of policy owners). We process this only to provide the Service to you. See the DPA for details.
3.4 Communications
If you email us, attend a call, or fill out a form, we keep records of those interactions (content, date, contact details) to provide support and to maintain a relationship history.
3.5 Website analytics
If we run analytics on this site, we collect aggregated, privacy-preserving usage signals (page visits, referrer, country at country-level granularity). We do not use cookies for advertising. See Section 11.
3.6 What we do NOT collect
- The content of your conversations with your AI (those happen inside your model-provider environment; we never see them);
- Your model-provider API keys or token-usage metering;
- Special-category personal data (race, religion, health, etc.) unless it appears incidentally in Customer Data, in which case it is encrypted at rest and processed only as part of the Service.
4. How we use data
We use personal data to:
- Provide the Service - authenticate users, execute MCP tool calls, run the Verifier, deliver approval requests, write to your connected GRC tool, maintain the audit log, generate Auditor Exports;
- Operate the business - invoice and collect payment, provide customer support, respond to enquiries, manage customer onboarding and early-access arrangements;
- Improve the Service - diagnose issues, monitor performance, debug, and inform product roadmap (always using minimal data; PII redacted from operational logs at ingestion);
- Security and integrity - detect, prevent, and respond to fraud, abuse, security incidents, and policy violations;
- Legal and compliance - meet our legal obligations, enforce our terms, and exercise or defend legal claims.
We do not sell personal data, train general-purpose AI models on Customer Data, or use Customer Data for advertising or profiling beyond providing the Service.
5. Legal bases (GDPR / UK GDPR)
If you are in the EU, UK, or another jurisdiction with similar law, our legal bases for processing are:
- Contract - to provide the Service to you (account data, service usage data, billing);
- Legitimate interests - to operate, secure, and improve the Service, to communicate with prospects who have shown interest, and to respond to enquiries (we balance these against your privacy interests);
- Legal obligation - to comply with tax, accounting, anti-money-laundering, and other legal requirements;
- Consent - where required, for example for some forms of marketing communication or non-essential analytics; you can withdraw consent at any time.
For Customer Data we process on behalf of a Customer-controller, the legal basis is the controller's instruction (governed by the DPA).
6. Sub-processors & sharing
We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purposes set out in Section 4.
| Recipient | Purpose | Data categories | Location |
|---|---|---|---|
| Cloud hosting provider | Run the Service infrastructure (Kubernetes, object storage, networking) | All Service usage data + Customer Data, encrypted at rest and in transit | United States - see DPA Annex III for exact regions |
| Anthropic, PBC | Server-side Verifier LLM calls (rule-based + LLM cross-check before any commit) | Canonical entity excerpts and retrieved candidates; PII redacted at ingress | United States (Anthropic data-handling terms apply) |
| Payment provider (Merchant of Record) | Subscription billing, tax calculation, chargeback handling | Billing contact, company name, billing address, payment method (handled by provider) | Per provider's data residency terms |
| Email delivery provider | Transactional and approval emails | Recipient email and approval-token references; no GRC content | United States |
| Customer's GRC tool | Read and draft-write to your own GRC tool (e.g., Eramba) on your authority | Whatever you've stored there, accessed via the credentials you provide us | Wherever you host your GRC tool |
| Slack, Inc. (optional) | Approval-channel notifications, if your tenant opts in | Approval-token references; no GRC content | United States |
| Auditors, advisors, and counsel | Professional services, audits, legal compliance | As strictly necessary, subject to confidentiality | Various |
| Acquirer or successor | If we are involved in a merger, acquisition, or asset sale, your data may be transferred to the successor entity, subject to this policy | All data | Various |
An always-current list of sub-processors with versions and data-residency details is in DPA Annex III.
7. International transfers
The Service infrastructure is operated in the United States. Where personal data of EU / UK / Swiss data subjects is transferred outside the EEA / UK / Switzerland, we rely on:
- The European Commission's Standard Contractual Clauses (Module 2 or Module 3 as applicable), and the UK International Data Transfer Addendum where required;
- Adequacy decisions where applicable;
- Supplementary technical measures including encryption in transit (TLS 1.3 using FIPS-approved cipher suites from FIPS 140-validated cryptographic modules), encryption at rest (AES-256-GCM), per-tenant key isolation, and pseudonymisation where feasible.
You can request a copy of the relevant transfer mechanism by emailing [email protected].
8. Retention & deletion
We retain personal data only as long as necessary for the purposes for which it was collected, plus any period required by law:
- Account data - for the life of your account, then up to 30 days for export and 12 months for legitimate business records (tax, billing, dispute resolution);
- Operational logs - Solo tier 30 days, Team tier 90 days, Business tier 1 year (PII redacted at ingestion);
- Audit-log events - minimum 7 years to support audit obligations of regulated Customers; the underlying personal data is rendered cryptographically inaccessible by tenant-key destruction (crypto-erase) where the Customer requests deletion before the 7-year window elapses;
- Marketing prospect data - until you unsubscribe or 24 months of inactivity, whichever is sooner;
- Backups - encrypted snapshots of the Service event store are retained for 30 days for disaster recovery, then automatically deleted.
Crypto-erase model. Each Customer tenant has a dedicated key encryption key (KEK) under which the data keys for that tenant's records are wrapped. On a deletion request, and after a 30-day grace period, we destroy the KEK in our secrets vault; everything encrypted under that KEK then becomes computationally infeasible to recover. Append-only audit-log rows remain in the event store for the retention window above, but their canonical content is unrecoverable. We rely on this model to meet the GDPR Article 17 right to erasure for systems with append-only audit obligations.
9. Security measures
We apply the technical and organisational measures described in DPA Annex II, including:
- FIPS 140-validated cryptography for all key operations;
- TLS 1.3 in transit, mutual TLS between internal services;
- AES-256-GCM at rest, with per-tenant key envelopes;
- Append-only, hash-chained audit log, signed using FIPS 140-validated cryptography;
- OIDC-based authentication, MFA for privileged operations;
- Multi-tenant isolation through type-system separation, signed tenant context, Postgres row-level security, and per-tenant encryption envelopes;
- Infrastructure-as-code, GitOps deploys, signed container images, SBOM per build, supply-chain vulnerability scanning in CI;
- Documented incident-response procedure with break-glass access logged.
See the Security page for an overview and the DPA for the binding measures.
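The following is an added example written for this page, not Kanonik's own code, showing how the per-tenant envelope model in Section 8 and the hash-chained, append-only audit log above fit together: each audit row is stored only as AES-256-GCM ciphertext under a per-record data key (DEK), the DEK is stored only wrapped under the tenant KEK, and the hash chain is computed over the stored ciphertext. Destroying the KEK (crypto-erase) makes every row unreadable while the chain still verifies without any key. The in-memory map standing in for the secrets vault, the per-record DEK, the tenant IDs and the hashing of ciphertext rather than plaintext are all assumptions of this example; the page does not state which of those choices Kanonik makes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record is one append-only audit-log row. Content is stored only as ciphertext
// under a per-record DEK; the DEK is stored only wrapped under the tenant KEK.
type Record struct {
	WrappedDEK []byte // DEK sealed under the tenant KEK (nonce prepended)
	Ciphertext []byte // event content sealed under the DEK (nonce prepended)
	PrevHash   []byte // hash of the previous row (nil for the first row)
	Hash       []byte // SHA-256 over PrevHash || WrappedDEK || Ciphertext
}

// Vault is an in-memory stand-in (assumption) for the secrets vault that holds
// one 256-bit KEK per tenant, keyed here by tenant ID.
type Vault struct{ keks map[string][]byte }

func NewVault() *Vault { return &Vault{keks: map[string][]byte{}} }

// ProvisionTenant creates a fresh random KEK for a tenant.
func (v *Vault) ProvisionTenant(tenant string) error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil { return err }
	v.keks[tenant] = kek
	return nil
}

// CryptoErase destroys the tenant KEK. Rows stay in the store, but nothing can
// unwrap their DEKs any more.
func (v *Vault) CryptoErase(tenant string) { delete(v.keks, tenant) }

// seal and open are AES-256-GCM helpers; the random nonce is prepended to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

func rowHash(r Record) []byte {
	h := sha256.New()
	h.Write(r.PrevHash)
	h.Write(r.WrappedDEK)
	h.Write(r.Ciphertext)
	return h.Sum(nil)
}

// Append seals an event under a fresh DEK, wraps the DEK under the tenant KEK,
// and links the new row to the previous one by hash.
func (v *Vault) Append(tenant string, log []Record, event []byte) ([]Record, error) {
	kek, ok := v.keks[tenant]
	if !ok { return nil, errors.New("tenant KEK not found") }
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := seal(dek, event)
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek)
	if err != nil { return nil, err }
	var prev []byte
	if len(log) > 0 { prev = log[len(log)-1].Hash }
	r := Record{WrappedDEK: wrapped, Ciphertext: ct, PrevHash: prev}
	r.Hash = rowHash(r)
	return append(log, r), nil
}

// Read unwraps the DEK with the tenant KEK and decrypts the event. After
// CryptoErase the KEK is gone, so the content is unrecoverable; a different
// tenant's KEK fails GCM authentication on the wrapped DEK.
func (v *Vault) Read(tenant string, r Record) ([]byte, error) {
	kek, ok := v.keks[tenant]
	if !ok { return nil, errors.New("tenant KEK destroyed: content unrecoverable") }
	dek, err := open(kek, r.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, r.Ciphertext)
}

// VerifyChain checks the hash chain over the stored rows. It needs no key, so
// the log remains tamper-evident after crypto-erase.
func VerifyChain(log []Record) bool {
	var prev []byte
	for _, r := range log {
		if !bytes.Equal(r.PrevHash, prev) || !bytes.Equal(r.Hash, rowHash(r)) { return false }
		prev = r.Hash
	}
	return true
}

func main() {
	v := NewVault()
	_ = v.ProvisionTenant("tenant-a") // constructed tenant ID
	log, _ := v.Append("tenant-a", nil, []byte(`{"event":"control.updated","approver":"u_42"}`))
	log, _ = v.Append("tenant-a", log, []byte(`{"event":"evidence.synced"}`))
	pt, _ := v.Read("tenant-a", log[0])
	fmt.Println("before erase:", string(pt), "chain ok:", VerifyChain(log))
	v.CryptoErase("tenant-a")
	_, err := v.Read("tenant-a", log[0])
	fmt.Println("after erase:", err, "chain ok:", VerifyChain(log), "rows kept:", len(log))
}
```

The point the two checks at the end make is the one the policy relies on: after the KEK is deleted the rows are still present and the chain still verifies, so the 7-year audit record survives, but no key exists anywhere that can unwrap a DEK. The same property means the KEK must be destroyed everywhere it exists, including any vault replicas or backups, for the erase to be complete.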
10. Your rights
10.1 Under GDPR / UK GDPR
If you are in the EU, UK, or other jurisdictions with similar law, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ('right to be forgotten'), subject to lawful exceptions;
- Restrict processing in certain circumstances;
- Receive your data in a portable format and have it transmitted to another controller;
- Object to processing based on legitimate interests or for direct marketing;
- Withdraw consent where processing relies on consent;
- Lodge a complaint with your supervisory authority (e.g., the Irish DPC, the UK ICO, your country's national authority).
10.2 Under CCPA / CPRA (California)
California residents have the right to know what personal information we collect, to delete it, to correct it, to opt-out of sale or sharing (we do not sell or share personal information for cross-context behavioural advertising), and to non-discrimination for exercising these rights.
10.3 Other regions
Residents of other jurisdictions (including Australia, Canada, Brazil) have similar rights under local law. Contact us using the details below and we will respond in line with applicable law.
10.4 How to exercise rights
Email [email protected] with your request. We will verify your identity, respond within the applicable statutory period (one month under GDPR; for complex or numerous requests we may extend this by a further two months, and we will tell you if we do), and confirm the action taken.
If you are an end user of a Customer organisation (for example, a compliance officer at a Kanonik customer), please contact your organisation first; we will support them in fulfilling your request as a processor.
10.5 Automated decision-making
We do not make decisions that produce legal effects concerning you, or that similarly significantly affect you, based solely on automated processing. The Verifier applies automated checks (rule-based checks plus an independent model cross-check) to changes your AI proposes, but every consequential change requires approval by a human in your organisation, recorded against a single-use approval token, before it takes effect. You can ask us about the logic involved and request human review of any decision; where you are an end user of a Customer organisation, that human review sits with the Customer that operates the workspace.
12. Children
The Service is intended for business use only. We do not knowingly collect personal data from anyone under 16. If you believe we may have collected data from a child, contact us and we will delete it.
13. Changes
We may update this policy from time to time. We will post the updated version at this URL with a new "Last updated" date. For material changes that affect your rights, we will give you reasonable advance notice by email or in-app notification.
14. Contact & complaints
For privacy questions or to exercise your rights:
- Email: [email protected]
- Postal address available on request via [email protected]
If you are in the EU/UK and unhappy with our response, you have the right to lodge a complaint with your local supervisory authority. Lists are available at the European Data Protection Board and the UK ICO.