Kevin Luma, LLC ("we", "us", or "our") respects your privacy and is committed to protecting your personal data and corporate intellectual property. This Privacy Policy outlines how we collect, use, process, and safeguard the data you provide when using our AI orchestration platform and related integrations.
1. Information We Collect
To provide our services, we collect the following types of information:
- Account Information: Name, email address, billing details, and authentication tokens via Auth0.
- Integration Data: API keys, OAuth tokens, and payloads from third-party services you authorize Kevin to access (e.g., Slack, Zendesk, Salesforce).
- Memory and Context Data: Conversation histories, file uploads, and system state snapshots used by our vector database to provide the "memory-first" experience.
- Telemetry and Diagnostics: Platform usage metrics, error logs, and performance traces collected via tools like Sentry and Langfuse.
2. Data Usage and AI Model Training
We employ strict boundaries regarding how your data interacts with foundational models:
Zero Training Policy for Enterprise Models: By default, Customer Data (including prompts, integration payloads, and memory embeddings) is NOT used to train, retrain, or improve the base capabilities of third-party foundational models (e.g., OpenAI, Anthropic). We utilize secure API endpoints with zero-data-retention agreements from these providers.
Internal RAG Optimization: Your data is solely used to build your private Retrieval-Augmented Generation (RAG) index. This index facilitates Kevin's contextual memory but is hard-partitioned by tenant. Your semantic data never bleeds into another tenant's workspace.
3. Third-Party Sub-Processors
To orchestrate multi-step tasks globally, we utilize trusted third-party sub-processors. When your data is transmitted to these entities, it is governed by Data Processing Agreements (DPAs) compliant with GDPR and CCPA.
Our core sub-processors include:
- Auth0: Identity and access management.
- Stripe: Payment processing and billing.
- Vercel & AWS: Edge routing and secure cloud hosting.
- Pinecone / Qdrant: Vector database hosting for user memory.
- OpenAI / Anthropic: Foundational LLMs (Zero-retention inference APIs).
4. Telemetry and Analytics
We collect anonymized or pseudonymized telemetry data to monitor system health and improve platform latency. This includes tracking workflow execution times, integration failure rates, and token consumption statistics. This data is rigorously sanitized to ensure PII (Personally Identifiable Information) is excluded from analytical models.
5. Data Security Protocols
We implement enterprise-grade security measures to protect your data:
- Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Access Controls: Strict RBAC (Role-Based Access Control) governs internal employee access. Production databases operate under zero-trust paradigms.
- Audits: We undergo regular SOC 2 Type II compliance audits and vulnerability penetration testing.
6. Your Data Rights (GDPR & CCPA)
Depending on your jurisdiction, you have the right to access, rectify, port, or delete your personal data. You may execute a "Right to be Forgotten" request directly through your account settings or by contacting our Data Protection Officer (DPO). Upon receiving a validated deletion request, we will expunge all vectors, integration tokens, and conversation histories within 30 days.
7. Contact Us
For privacy inquiries, DPAs, or to exercise your subject rights, please email us directly at privacy@kevinluma.ai or consult the Legal Notice page for our physical mailing address.