Privacy Policy

01 / Policy

1. Who we are

kolm.ai ("kolm", "we", "us") is the controller of personal data collected through the kolm.ai website and hosted services. We are incorporated under the laws of the United States. Contact: dev@kolm.ai.

2. Definitions

• Audit Customer: an organisation that engages kolm to audit an AI application.
• Audit Subject: the AI application under review, meaning the agent and the tools, identities and data flows around it (not a natural person).
• Customer Content: redacted agent logs, tool-call traces, and configuration artefacts submitted for audit; these are treated as confidential and are not personal data in most cases unless the customer includes personal data in the submission.
• Evidence Report: the Ed25519-signed JSON document issued at the conclusion of an audit, containing the security findings, scope, and a SHA-256 Merkle log reference; verifiable offline against kolm's published public key.
• Personal Data: any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1) and equivalent legislation.

3. Data we collect

The data categories below represent a complete list of the personal and organisational data we collect. If something is not in this list, we do not collect it.

3.1 Account and contact data

When an Audit Customer registers, we collect: the account email address, organisation name, billing contact name, and any other contact details provided in the order form. Legal basis: performance of a contract (GDPR Art. 6(1)(b)) and our legitimate interest in communicating with customers (Art. 6(1)(f)).

3.2 Billing data

We collect a Stripe-generated card token (never the primary account number), billing address, invoice line items, plan tier, and payment history. Prompt and completion content is never logged in billing records. Legal basis: performance of a contract and compliance with legal obligations (GDPR Art. 6(1)(b) and (c)).

3.3 Customer Content submitted for audit

Audit Customers submit redacted agent logs, tool-call traces, configuration files, and related artefacts necessary to run the security check suite. We process this data solely to deliver the audit and produce the Evidence Report. We do not use Customer Content to train any model, share it with third parties beyond the sub-processors listed in Section 7, or retain it beyond the retention periods in Section 6. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

3.4 Evidence Report registry data

When a signed Evidence Report is issued, we store the report ID, the SHA-256 content hash, the Ed25519 signature, the audit scope summary, and a timestamp in the verifier registry so that downstream parties can resolve and verify the report at /verify/<report-id> without an account or connection to kolm servers. The registry entry never includes raw logs, weights, or personal data beyond the Audit Customer's organisation name and the scope description they approved.

3.5 Gateway and API request metadata

When you use the kolm API or hosted control plane, we log: timestamp, route, HTTP status, latency, token counts (where applicable), and an API key fingerprint. Request and response bodies for audit-data endpoints are not retained after processing. Legal basis: legitimate interests in operating a reliable, secure service (GDPR Art. 6(1)(f)).

3.6 Authentication audit log

Sign-in events, API key rotations, permission changes, and administrator actions on the hosted control plane are logged for the purpose of security incident investigation. Legal basis: legitimate interests (GDPR Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c)).

3.7 Support and correspondence

When you contact us by email at dev@kolm.ai, we retain the thread so that follow-up enquiries can be handled in context. Threads are deleted on request. Legal basis: legitimate interests (GDPR Art. 6(1)(f)).

3.8 Website analytics

Marketing and informational pages on kolm.ai carry a first-party analytics cookie. No third-party ad pixels or cross-site trackers are used. Product and API pages set no analytics cookies; a session cookie holds your authentication token only while you are signed in. You may opt out of the analytics cookie by setting kolm-no-track=1 in your browser. CLI tooling does not phone home unless you explicitly set KOLM_TELEMETRY=1; the opt-in telemetry records command name and exit code only, never content or filenames.

4. Purposes and legal bases

• Delivering audit services: processing Customer Content and producing the signed Evidence Report. Basis: contract.
• Account management and billing: provisioning access, issuing invoices, handling renewals. Basis: contract; legal obligation for tax records.
• Security and fraud prevention: maintaining the authentication audit log, detecting abuse of the API. Basis: legitimate interests.
• Service improvement: aggregate, anonymised usage metrics (not linked to individuals). Basis: legitimate interests.
• Legal compliance: responding to lawful requests from competent authorities. Basis: legal obligation.
• Marketing communications: product updates and announcements sent to account contacts who have not unsubscribed. Basis: legitimate interests; you may opt out at any time via the unsubscribe link in any message or by emailing dev@kolm.ai.

5. What we do not collect or retain

We do not retain raw agent inference outputs, model weights, or un-redacted prompt bodies after the audit processing window. We do not sell, rent, or license personal data to third parties. We do not enrich account data with broker-sourced data. Customer Content is never used to train any model, including our own. We do not target or knowingly collect data from consumers; the service is designed for organisations and developers.

When an engagement involves imported agent logs, redaction is applied before that content is stored, and the redacted material is held only for the processing window described in Section 6 before deletion. Questions about how an engagement handles Customer Content go to dev@kolm.ai.

6. Retention

• Account and contact data: held for the duration of the customer relationship and for a further three years to handle post-termination enquiries and legal claims, then deleted.
• Billing records: retained for seven years from the invoice date to satisfy statutory accounting obligations; the cardholder name and card token are deleted at account closure.
• Customer Content (audit artefacts): deleted within 90 days of the Evidence Report being issued, unless the customer requests earlier deletion or has contracted for a longer retention period for their own compliance needs.
• Evidence Report registry entries: kept indefinitely so that previously issued reports remain verifiable; the entry contains scope metadata, not Customer Content. Customers may request removal of their organisation name from the registry; the cryptographic record (hash and signature) will remain to preserve the audit trail.
• Authentication audit log: retained for 12 months then deleted, unless a live investigation requires extension.
• Support threads: deleted within 12 months of resolution or on request.
• Website analytics: aggregated at 30 days; individual-level records deleted at 90 days.

7. Sharing with third parties and sub-processors

We share data only as necessary to operate the service. The categories and roles of sub-processors are as follows. We do not share data with ad networks or data brokers under any circumstances.

• Cloud infrastructure (compute, storage, CDN): provides the hosting environment for the kolm platform. Data is encrypted at rest (KMS-backed keys) and in transit (TLS 1.3). Default region: US-East (AWS us-east-1). EU residency is available on the enterprise plan (AWS eu-west-1 or eu-central-1); Standard Contractual Clauses are included in the DPA.
• Payment processor: handles card tokenisation and payment settlement. This processor does not see Customer Content; it receives only billing-contact information and the invoice amount.
• Transactional email: delivers receipts, account notices, and policy-change announcements. Receives account email addresses and the content of the message being sent.
• Identity provider / SSO broker: on the enterprise plan, a third-party SSO broker handles SAML 2.0, OIDC, and SCIM provisioning. The identity records we transmit are limited to email, user ID, and group memberships needed to authorise requests. Disabled unless you have provisioned SSO on your plan.

When you supply your own API key to an upstream AI model provider (such as Anthropic, OpenAI, or Google) via the kolm platform settings, kolm routes your request directly to that provider; kolm is not the contracting party with the provider for those calls. If you use the free /v1/free/chat surface without supplying your own key, kolm acts as the contracting party with the upstream provider for those requests, and the gateway metadata logging described in Section 3.5 applies.

8. International data transfers

The hosted platform operates primarily in the United States. Personal data transferred from the European Economic Area to the United States is protected under the EU Standard Contractual Clauses (2021 SCCs, Module 2 controller-to-processor) incorporated into our Data Processing Agreement. Customers may request the DPA by contacting dev@kolm.ai. EU data residency (hosting within AWS eu-west-1 or eu-central-1) is available as an addendum on the enterprise plan.

9. Security measures

kolm applies the following technical and organisational measures to protect personal data:

• Encryption at rest using KMS-managed keys; encryption in transit using TLS 1.3.
• Ed25519 signing of all Evidence Reports; SHA-256 Merkle log (RFC 6962 style) for the registry, providing an append-only, tamper-evident record without implying any distributed ledger or token-based system.
• Role-based access controls limiting access to personal data to personnel with a demonstrated need.
• Least-privilege scoped API keys, with every Evidence Report signed and entered into an append-only transparency log so issued artifacts cannot be altered after the fact.
• Incident response procedures with a target notification window of 72 hours to supervisory authorities where required by GDPR Art. 33.

kolm does not currently hold a SOC 2 report, and there is no published third-party penetration test of kolm's own infrastructure. We will state either one here only once it is real and independently verifiable. This is distinct from the kolm product, which maps your AI application's findings to SOC 2, ISO 42001, NIST AI RMF, EU AI Act, and the OWASP LLM & Agentic Top 10.

10. Your rights under GDPR and CCPA

10.1 GDPR rights (EEA and UK data subjects)

• Access (Art. 15): you may request a copy of the personal data we hold about you.
• Rectification (Art. 16): you may ask us to correct inaccurate data.
• Erasure (Art. 17): you may ask us to delete your personal data where there is no overriding legal ground for retention.
• Restriction (Art. 18): you may ask us to restrict processing while a dispute is resolved.
• Portability (Art. 20): you may request your data in a structured, machine-readable format. Account data is exportable as JSON on request; billing summaries are provided in CSV.
• Objection (Art. 21): you may object to processing based on legitimate interests, including objection to direct marketing at any time.
• Automated decision-making (Art. 22): kolm does not make decisions with legal or similarly significant effects on individuals solely by automated means.
• Lodge a complaint: you have the right to lodge a complaint with the supervisory authority in your country of residence.

To exercise any of these rights, contact dev@kolm.ai. We will acknowledge within 2 business days and provide a substantive response within 30 days (extendable by a further two months for complex requests, with notice).

10.2 CCPA rights (California residents)

California residents have the right to know what personal information we collect and how it is used; the right to delete personal information we have collected; the right to opt out of any sale of personal information (we do not sell personal information); and the right not to receive discriminatory treatment for exercising these rights. To submit a CCPA request, contact dev@kolm.ai.

11. Cookies

We use cookies as described in Section 3.8. In summary: product and API pages use a session cookie only when you are authenticated; marketing and informational pages carry a first-party analytics cookie you can opt out of. We do not use third-party advertising cookies. A full cookie table is available on request from dev@kolm.ai.

12. Children

The kolm platform is designed for enterprise and developer use and is not directed at consumers or children. We do not knowingly collect personal information from individuals under the age of 13 (or the applicable minimum age in the relevant jurisdiction, which may be higher for EEA member states). If we become aware that such data has been collected, we will delete it promptly. To report a concern, contact dev@kolm.ai.

13. Changes to this policy

Material changes to this Privacy Policy will be announced by email to the account contact at least 30 days before they take effect. A dated summary of changes will be posted to the kolm.ai changelog. Non-material changes (clarifications, vendor address updates, typographic corrections) will be posted to the changelog without a mandatory advance notice period. Every version of this policy corresponds to a dated entry in the public changelog; previous versions are accessible through the changelog archive.

14. Governing law

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law provisions, except where applicable data-protection law (including GDPR) requires otherwise. Disputes arising under this policy are subject to the dispute-resolution provisions in the kolm Terms of Service.

15. Contact

For all privacy enquiries, subject-rights requests, data-processing agreements, residency addenda, and incident reports:

• Email: dev@kolm.ai
• Response commitment: acknowledged within 2 business days; substantive response within 30 days for subject-rights requests.

There is no separate privacy desk address or DPO address. All privacy matters are routed through dev@kolm.ai.