Privacy Policy

Last updated: 2026-05-14

This Privacy Policy explains how Kiwana AI, Inc. ("we", "us", "Kiwana AI"), a Delaware corporation that builds and operates Tacit, collects, uses, and protects information when you use Tacit ("the Service") at tacitapp.ai.

This is a placeholder draft. It is intended as a starting structure for legal review and does not constitute legal advice. Have a privacy attorney review before publishing.

1. Information We Collect

Account data. Email, name, workspace name, role, profile preferences. Workspace data. Process descriptions, BPMN graphs, agent specifications, system prompts, tool manifests, evaluation runs, shadow-run history, decision queue items, audit log, billing identifiers. Telemetry. Page views, click streams, error stack traces (Sentry), API latencies, run-time spans persisted to our database. Payment data. Processed by Stripe; we never store full card numbers. Statement descriptor: **Kiwana AI*tacitapp.ai**.

2. How We Use Information

  • Operate, maintain, and improve the Service
  • Authenticate users and prevent abuse
  • Send transactional emails (signup, invites, approval notifications, billing receipts)
  • Send service announcements (rare, opt-out available)
  • Detect and respond to fraud, abuse, and security incidents
  • Comply with legal obligations

3. Data Sharing

We do not sell personal information.

We share information with sub-processors (listed at /legal/subprocessors) that operate the Service: Firebase (auth), Postgres host, Resend (email), Stripe (billing), Sentry (errors), and the LLM provider (Anthropic via Vertex AI). Each is bound by a data-processing agreement.

We may share information when required by law, court order, or to protect rights / safety.

4. Data Retention

  • Active workspace: retained until you delete it
  • Deleted workspace: hard-deleted within 30 days; some backups may persist up to 90 days
  • Audit logs: retained 7 years for SOX/compliance customers; 90 days otherwise
  • Encrypted credential vault entries: deleted with the workspace

5. Your Rights

You have the right to access, correct, port, and delete your data. Use:

  • Export: POST /api/tenant/export returns a JSON dump of all your workspace data
  • Cancel: POST /api/tenant/cancel stops billing at period-end
  • Delete: POST /api/tenant/delete permanently removes your workspace

For GDPR/CCPA inquiries: privacy@kiwana.ai

6. International Data Transfers

Data is processed in the United States (primary), with sub-processors operating in multiple regions. For EU customers we offer EU data residency on enterprise plans.

7. Security

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (Postgres-level + pgcrypto for credentials)
  • Postgres Row-Level Security enforces tenant isolation at the database
  • SOC 2 Type II in progress

8. Children

The Service is not directed to children under 16.

9. Changes to This Policy

We will post material changes here with at least 14 days' notice via email.

10. Contact

Kiwana AI, Inc. · privacy@kiwana.ai · tacitapp.ai · www.kiwana.ai