Kimova AI
Privacy Policy
Last updated 2026-06-08. Canonical version at kimova.ai/privacy-policy.
What we collect
To deliver the Kimova auditor workbench we collect: your email address, display name, the audit framework selections you make, the documents you upload to a workspace, the comments and annotations you author, and a record of the actions you take inside a workspace (the audit trail).
Where it lives
Data is stored in Google Cloud (Firestore + Cloud Storage) in regions you select on workspace creation. We support us-central1 and europe-west1 today. Backups are encrypted at rest and retained for 30 days.
Custom-framework content
If you author a custom framework, we also store the control definitions, reference text, and any source standard you upload to build it. This content is scoped to your account, stored in the same Google Cloud regions as the rest of your data, and isolated from other customers at the application layer. We process it only to run your audits and the AI assists you invoke; we do not reuse it to train shared models or to serve other accounts. It follows the same retention and erasure rules as your workspace data.
Who can see it
Within an audit firm: only the people the workspace admin invites. Across firms: nobody — workspace boundaries are enforced at the application layer and verified by automated tests. Kimova staff cannot read your data without an explicit support consent token.
Service providers (sub-processors)
We rely on a small set of vetted providers to run the service. Each processes only what it needs, under contract, and none of them use your data to train shared models:
- Google Cloud Platform — hosting + storage (Firestore, Cloud Storage), in the region you select on workspace creation.
- Firebase (Google) — authentication and session management.
- Stripe — payment processing (billing only; we never receive full card numbers).
- Sentry — error monitoring, hosted in the EU; receives privacy-scrubbed diagnostics, never your audit content.
- AI model providers — the AI provider configured for your account (e.g. Google, OpenAI, or Anthropic) processes the content you submit to an AI assist in order to generate that response.
The authoritative sub-processor list — including each provider's processing region and international-transfer safeguards — is in our Data Processing Agreement; request it at privacy@kimova.ai. We notify workspace admins before adding or changing a sub-processor.
Your rights (GDPR)
- Right to access — export your workspace data as JSON
- Right to erasure — delete your account; workspace data is archived for 30 days then hard-deleted
- Right to portability — same export covers this
- Right to object — contact us to opt out of any usage
Reach us at privacy@kimova.ai to exercise any of these rights.
Cookies & diagnostics
We use the minimum browser storage required to keep you signed in (Firebase session storage in IndexedDB; a navigation-hint cookie for edge routing) and to remember your theme + workspace selection (localStorage). To keep the product reliable we also send diagnostic error reports to our error-monitoring provider (Sentry, hosted in the EU); these are stripped of personal data in your browser before they are sent, and used only to diagnose crashes. We use no analytics cookies, no marketing cookies, and no advertising trackers.
Changes
We'll notify workspace admins by email at least 30 days before any material change to this policy.