1. Data controller
The data controller responsible for your personal data is Flowlabs, operating the Kyntra service.
- Legal operator: Flowlabs
- Business Registration Number: 331-78-00505
- Representative: Koo Yoobhin
- Address: 50 Deokpunggongwon-ro, Hanam-si, Gyeonggi-do, 12973, Republic of Korea
- Data protection contact: contact@kyntra.ai.kr
2. What we collect
2.1 Account data
- Email address
- Display name (optional)
- Country code (derived from IP at signup)
- Paddle customer ID (assigned by our payment processor)
- Authentication timestamps
2.2 Billing data
Billing information (credit card number, billing address, VAT ID where applicable) is collected and processed directly by Paddle, our Merchant of Record. We do not receive, store, or have access to full payment card numbers. We only receive a Paddle-issued subscription ID, transaction status, and high-level metadata required to manage your subscription.
2.3 Governance event data
When you use the Kyntra Client SDK, each AI tool-call event sent to our /governance/check endpoint may include:
- Event type (pre_tool_use, post_tool_use, stop, etc.)
- Tool name (Bash, Edit, Write, Read, etc.)
- Command string, file path, or diff associated with the tool call
- A content hash used for deterministic caching
- Principle ID matched (when a violation is detected)
- Client SDK version and operating system identifier
This data is necessary to return an allow / block / warn decision. We do not require, request, or store your entire source-code repository. The adapter sends only the minimum metadata required for a governance decision.
2.4 Usage logs & counters
We record per-call metadata (user ID, API key ID, decision outcome, processing layer, input / output token counts, latency) for the purposes of Fair-Use enforcement, debugging, billing, and product improvement.
2.5 Web analytics
Our marketing website (kyntra.ai.kr) may use privacy-friendly analytics (such as Cloudflare Web Analytics) that do not set third-party cookies and do not track individual visitors. We do not use Google Analytics or advertising trackers.
3. What we never do
- We do not train machine-learning models on your principles, governance events, code snippets, or any other content you submit.
- We do not sell or rent your personal data to third parties under any circumstances.
- We do not share your data with advertisers or ad networks.
- We do not access your source code beyond the metadata you explicitly send via the Client SDK.
- We do not store full payment card numbers. All card data is handled by Paddle.
4. Legal basis & purposes of processing
We process your data for the following purposes, with the following legal bases:
- Providing the service (contract performance) — account management, governance decisions, principle synchronization.
- Billing & fraud prevention (contract performance + legitimate interest) — subscription management, Fair-Use enforcement, abuse detection.
- Security (legitimate interest) — logging for intrusion detection, rate-limiting.
- Legal compliance (legal obligation) — tax records, response to lawful requests.
- Product improvement (legitimate interest) — aggregated, de-identified metrics only. No individual-level profiling.
5. Sub-processors
We rely on the following sub-processors to deliver Kyntra. Each has been chosen for its security and compliance posture:
- Cloudflare, Inc. (USA) — hosting, CDN, D1 database, KV storage, Workers compute. Data is served from Cloudflare's global edge network.
- Paddle.com Market Ltd. (United Kingdom) — Merchant of Record, payment processing, tax compliance, subscription billing.
- Anthropic PBC (USA) — AI model inference for Layer 2 (Haiku) and Layer 3 (Sonnet) governance analysis. Governance event metadata is sent to Anthropic's API under its zero-retention data policy for API customers.
We do not use any other third-party processors for your personal data. If we add a new sub-processor, we will update this section.
6. Data retention
- Account data: retained while your account is active, and for up to 30 days after deletion to handle billing reconciliation.
- Billing records: retained for at least 5 years as required by Korean tax law.
- Governance event metadata: retained for up to 90 days for debugging and Fair-Use enforcement, then deleted or fully anonymized.
- Usage counters: retained for up to 13 months for billing accuracy and trend analysis.
- Webhook events (Paddle): retained for 12 months for idempotency and audit purposes.
7. International transfers
Because our sub-processors are located in the United States and the United Kingdom, your data may be transferred outside the Republic of Korea. We rely on standard contractual clauses and the recipient's own adequacy assessments (Cloudflare, Paddle, and Anthropic each maintain GDPR and international transfer safeguards).
8. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data (“right to be forgotten”) where applicable;
- Restrict or object to certain processing;
- Data portability — receive your data in a structured, machine-readable format;
- Withdraw consent at any time where consent is the legal basis;
- Lodge a complaint with the Personal Information Protection Commission (PIPC) of Korea, or with your local data protection authority.
To exercise any of these rights, email contact@kyntra.ai.kr. We will respond within 30 days.
9. Security
We take the following technical and organizational measures:
- All traffic is encrypted in transit via TLS 1.3.
- API keys are hashed with SHA-256 before storage; raw keys are never persisted.
- Access to production systems is limited to Flowlabs personnel and secured with multi-factor authentication.
- Our infrastructure runs on Cloudflare, which maintains ISO 27001 and SOC 2 Type II certifications.
- Governance event metadata is processed and cached with deterministic hashing; we do not store plaintext source code.
No system is 100% secure. If we become aware of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law.
10. Children's privacy
Kyntra is not directed at children under 14 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users or via an in-product notice at least 14 days before they take effect. Continued use of Kyntra after the effective date constitutes acceptance of the updated policy.
12. Contact
Questions about privacy? Email contact@kyntra.ai.kr or write to the address above.