Privacy Policy

Effective Date: May 27, 2026

This Privacy Policy describes how kaimon ("we", "us", "our") collects, uses, and shares information when you use our website, dashboard, API, and File Integrity Monitoring agent (collectively, the "Service"). kaimon is operated in the United States. Use of the Service is also governed by our Terms of Service.

1. Information We Collect

Account Information. When you create an account, we collect your name, email address, and authentication credentials. Authentication is handled by a third-party identity provider using social login (Google, GitHub). We do not store passwords.

Billing Information. Payment processing is handled entirely by a PCI-compliant third-party payment processor. We do not receive, process, or store credit card numbers, bank account details, or other payment instrument data on our servers.

Agent Telemetry. The kaimon eBPF kernel agent collects filesystem event metadata from your monitored endpoints, including:

• File paths, filenames, file permissions, and file sizes
• Filesystem event types (CREATE, MODIFY, ATTRIB, CLOSE_WRITE, MOVED_FROM, MOVED_TO, DELETE)
• Process names, process IDs, parent process IDs, and the username that owns the process
• Host metadata: hostname, IP address, kernel version, and agent version
• Timestamps and sequence numbers for event ordering

The agent does not read or transmit file contents, memory contents, keystrokes, network packet payloads, or screen recordings. It captures only filesystem event metadata and process context.

Usage Data. We may collect standard usage information such as pages visited, features used, and session duration to improve the Service. We do not currently use third-party analytics trackers. If we add analytics services in the future, we will update this policy accordingly.

2. How We Use Your Information

• To provide, operate, maintain, and improve the Service
• To generate compliance reports using AI-powered analysis
• To perform automatic baselining — our AI analyzes your telemetry to generate suppression rules that filter operational noise from genuine security anomalies
• To deliver daily compliance digest emails containing presigned links to your reports
• To deliver webhook notifications to endpoints you configure (Slack, Discord, or custom HTTPS)
• To process payments and manage your subscription
• To respond to support requests and communicate service updates
• To detect and prevent fraud, abuse, or security threats to the Service

3. AI Processing

Your agent telemetry is processed by large language models (LLMs) to generate suppression rules during automatic baselining and to produce executive compliance summaries in your reports. AI processing occurs within the United States on infrastructure that contractually prohibits the use of customer inputs and outputs to train foundation models. We do not use your data to train AI models.

4. Data Isolation & Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Agent telemetry is stored in isolated, per-customer partitions on cloud infrastructure located in the United States — your data is never co-mingled with or accessible to other customers. Access to your data is restricted by customer-specific API keys.

5. Data Retention

Agent telemetry and generated reports follow a tiered retention lifecycle:

• Days 0–60: Stored in hot storage for fast analytics and report generation
• Days 60–365: Automatically transitioned to cold storage for cost-optimized forensic retrieval
• After 365 days: Permanently and automatically deleted

Upon account termination, your data follows the standard lifecycle policy above. You may request earlier deletion of all your data at any time by contacting us at hello@kaimon.co.

6. Third-Party Services

We use third-party service providers (sub-processors) to operate the platform, including providers for cloud infrastructure and data storage, payment processing, authentication, AI model inference, and email delivery. All infrastructure sub-processors are located in the United States.

We do not sell, rent, or trade your personal information or telemetry data to third parties. We do not share your data with third parties for their own marketing purposes.

7. Customer-Configured Integrations

You may configure webhook integrations (Slack, Discord, or custom HTTPS endpoints) to receive report notifications. When you enable a webhook, summary report data is delivered to the endpoint URL you provide. You are responsible for the security and privacy practices of your chosen webhook destinations. You may add, test, or remove integrations at any time from your account settings.

8. Cookies & Local Storage

We use essential cookies and local storage for authentication and session management. These are strictly necessary for the Service to function. We do not use third-party advertising or tracking cookies.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your personal data and telemetry
• Data Portability: Request your data in a structured, machine-readable format (JSON)
• Restriction: Request that we limit how we process your data
• Objection: Object to the processing of your personal data

To exercise any of these rights, contact us at hello@kaimon.co. We will respond within 30 days.

10. California Residents (CCPA)

If you are a California resident, you have the right to: (a) know what personal information we collect, use, and disclose; (b) request deletion of your personal information; and (c) opt out of the sale of your personal information. We do not sell personal information. To exercise your CCPA rights, contact us at hello@kaimon.co.

11. European Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases: (a) performance of a contract when providing the Service; (b) legitimate interests in operating, improving, and securing the Service; and (c) your consent where applicable. Your data is transferred to the United States where our infrastructure is located. We rely on our sub-processors' data processing agreements and standard contractual clauses for lawful international data transfers. You have the right to lodge a complaint with your local data protection authority.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal data from a child, we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date and, where required, by email. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at hello@kaimon.co.