Privacy Policy
Last updated: 2026-05-14
This Privacy Policy explains how Kiwana AI, Inc. ("we", "us", "Kiwana AI"), a Delaware corporation that builds and operates Tacit, collects, uses, and protects information when you use Tacit ("the Service") at tacitapp.ai.
This is a placeholder draft. It is intended as a starting structure for legal review and does not constitute legal advice. Have a privacy attorney review before publishing.
1. Information We Collect
Account data. Email, name, workspace name, role, profile preferences. Workspace data. Process descriptions, BPMN graphs, agent specifications, system prompts, tool manifests, evaluation runs, shadow-run history, decision queue items, audit log, billing identifiers. Telemetry. Page views, click streams, error stack traces (Sentry), API latencies, run-time spans persisted to our database. Payment data. Processed by Stripe; we never store full card numbers. Statement descriptor: **Kiwana AI*tacitapp.ai**.
2. How We Use Information
- Operate, maintain, and improve the Service
- Authenticate users and prevent abuse
- Send transactional emails (signup, invites, approval notifications, billing receipts)
- Send service announcements (rare, opt-out available)
- Detect and respond to fraud, abuse, and security incidents
- Comply with legal obligations
3. Data Sharing
We do not sell personal information.
We share information with sub-processors (listed at /legal/subprocessors) that operate the Service: Firebase (auth), Postgres host, Resend (email), Stripe (billing), Sentry (errors), and the LLM provider (Anthropic via Vertex AI). Each is bound by a data-processing agreement.
We may share information when required by law, court order, or to protect rights / safety.
4. Data Retention
- Active workspace: retained until you delete it
- Deleted workspace: hard-deleted within 30 days; some backups may persist up to 90 days
- Audit logs: retained 7 years for SOX/compliance customers; 90 days otherwise
- Encrypted credential vault entries: deleted with the workspace
5. Your Rights
You have the right to access, correct, port, and delete your data. Use:
- Export:
POST /api/tenant/exportreturns a JSON dump of all your workspace data - Cancel:
POST /api/tenant/cancelstops billing at period-end - Delete:
POST /api/tenant/deletepermanently removes your workspace
For GDPR/CCPA inquiries: privacy@kiwana.ai
6. International Data Transfers
Data is processed in the United States (primary), with sub-processors operating in multiple regions. For EU customers we offer EU data residency on enterprise plans.
7. Security
- Encryption in transit (TLS 1.2+)
- Encryption at rest (Postgres-level + pgcrypto for credentials)
- Postgres Row-Level Security enforces tenant isolation at the database
- SOC 2 Type II in progress
8. Children
The Service is not directed to children under 16.
9. Changes to This Policy
We will post material changes here with at least 14 days' notice via email.
10. Contact
Kiwana AI, Inc. · privacy@kiwana.ai · tacitapp.ai · www.kiwana.ai