Privacy Policy
Last updated: March 2026
Data Controller
KvarnAI AB ("KvarnAI," "we," "us," or "our") is the controller for personal data relating to our website visitors, account holders, billing, support, security, and direct interactions with our platform. We are a Swedish company registered and operating under EU data protection laws.
When our business customers use KvarnAI to process messages, files, or other content on behalf of their own end users, KvarnAI will in many cases act as a processor or service provider under that customer's instructions. In those cases, the relevant customer or organization is primarily responsible for the end-user privacy notice and lawful basis for processing.
- Company: KvarnAI AB
- Country: Sweden
- Contact: privacy@kvarn.ai
- Data Protection Officer: dpo@kvarn.ai
Introduction
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use KvarnAI's AI agent platform, including our website, dashboard, APIs, and messaging integrations. Please read this policy carefully to understand our practices regarding your personal data.
Legal Basis for Processing
Under GDPR Article 6, we process your data based on the following legal grounds:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide our services, manage your account, and fulfill our agreement with you.
- Legitimate interest (Art. 6(1)(f)): Analytics, security monitoring, fraud prevention, and service improvement.
- Consent (Art. 6(1)(a)): Marketing communications, non-essential cookies, and optional features like China-based AI providers.
- Legal obligation (Art. 6(1)(c)): Tax records, regulatory compliance, and responding to lawful requests.
- Vital interests (Art. 6(1)(d)): In exceptional cases, to protect the life or physical safety of a person, including child safety situations disclosed in conversation.
Information We Collect
Account Information
- Registration data: Name, email address, and profile avatar.
- Authentication data: Managed securely through our authentication provider (Supabase Auth). We do not store passwords in plaintext.
- Subscription data: Plan tier, billing cycle, and usage limits.
Conversation Data
- Messages: Text messages sent to and received from AI agents across all channels (web chat, WhatsApp, Telegram, SMS, Discord, Slack, and others).
- Session history: Conversation context is maintained to provide coherent responses. We retain the most recent messages per session.
- Metadata: Timestamps, channel type, session identifiers, and sender information (e.g., display name or username from messaging platforms).
Files and Documents
- Chat attachments: Images and documents sent during conversations (max 10 MB).
- Knowledge base documents: Files you upload to train your AI agent (PDF, DOCX, XLSX, CSV, TXT, and other formats). Document text is extracted, split into chunks, and converted to embeddings for retrieval.
Voice Data
- Voice calls: Call audio processed through our telephony provider. Recordings may be stored temporarily based on your settings.
- Transcriptions: Audio is transcribed to text for agent responses.
Usage and Device Information
- Usage data: Pages visited, features used, and interaction patterns.
- Device data: Browser type, operating system, and screen resolution.
- IP address: Collected for security (rate limiting, fraud prevention) and anonymized for analytics.
Identity Verification (Optional)
If you choose to verify your identity using Swedish digital identity services:
- BankID: Personal identity number (personnummer), verified name.
- Freja eID: Authentication reference and verification status.
How We Obtain Your Data
We collect personal data from a number of sources depending on how you use KvarnAI:
- Directly from you: When you create an account, contact us, upload files, configure agents, or submit messages.
- Automatically: Through your use of the website and platform, including device, log, and security data.
- From connected services: Messaging platforms, social networks, payment providers, identity providers, and third-party login providers you choose to connect.
- From your organization or account owner: If you use KvarnAI through an employer, client, or other organization, they may provide us with your account details or authorize us to process your communications on their behalf.
Messaging Channels
KvarnAI agents can communicate through multiple messaging platforms. When you or your customers interact with an agent on these platforms, we process the messages and associated metadata:
- WhatsApp: Messages are sent and received through the Meta WhatsApp Business Platform. Message content, sender phone number, and timestamps are processed.
- Telegram: Messages, sender name/username, and chat identifiers are processed through the Telegram Bot API.
- SMS: Phone numbers and message content are processed through Twilio.
- Discord, Slack, Microsoft Teams: Messages and user identifiers from these platforms are processed when connected.
Each platform has its own privacy policy that governs how it handles data on its end. We only store what is necessary to provide agent responses and maintain conversation context.
How We Use Your Information
- Provide, maintain, and improve our AI agent services
- Process and respond to messages across all connected channels
- Generate AI responses using your selected AI model provider
- Retrieve relevant information from your knowledge base for agent responses
- Process payments and manage subscriptions
- Send service notifications and, with your consent, marketing communications
- Monitor for security threats, abuse, and fraud
- Analyze anonymized usage patterns to improve the platform
- Comply with legal obligations
Data Storage and Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
- We use encryption in transit (TLS) and encryption at rest in our primary infrastructure
- Certain sensitive credentials, including API keys and 2FA secrets, are encrypted using strong industry-standard encryption
- Authentication sessions use secure, httpOnly cookies where supported
- We use access controls, audit logging, rate limiting, abuse detection, and security monitoring
- We validate webhook signatures or shared secrets for inbound integrations where the integration supports it
Data Location
Your data is stored in Stockholm, Sweden. We use Supabase with servers in the EU (eu-north-1 region) for all customer data, including user accounts, agent configurations, conversation history, and uploaded files. Your data remains within the European Union and is subject to EU data protection laws, including GDPR.
Data Retention
- Conversations: 365 days (configurable)
- Leads and contacts: 730 days
- Analytics data: 365 days
- Voice recordings: 90 days
- Security and audit logs: Retained for as long as reasonably necessary for security, fraud prevention, troubleshooting, and legal compliance
- Billing, accounting, and tax records: Retained for as long as required by applicable law, which may be up to 7 years under Swedish bookkeeping rules
- Account data: Retained while your account is active and deleted or irreversibly anonymized within 30 days of confirmed account closure, except where longer retention is required by law or needed for legal claims
AI Model Providers
When an AI agent responds to a message, the conversation text and relevant context may be sent to the AI provider configured for that agent. In personal use this may be chosen by you. In organizational use it may be chosen by the account owner or administrator. Where required, we rely on contractual, technical, and organizational safeguards for international transfers, which may include Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.
EU-Based Providers
For customers requiring data to remain entirely within the EU, we offer:
- Berget AI (Swedish company, Stockholm servers)
- Mistral (French company, EU servers)
When using these providers combined with our Swedish data storage, your data never leaves Europe.
US-Based Providers
Data may be processed in the US. Where required, we rely on appropriate transfer mechanisms such as SCCs or the EU-US Data Privacy Framework:
- OpenAI (GPT models, embeddings, transcription)
- Anthropic (Claude models)
- Google (Gemini models)
- xAI (Grok models)
- Groq, Cerebras, Together AI (fast inference)
- ElevenLabs (text-to-speech)
- Cohere (Command models)
China-Based Providers
Important: DeepSeek and certain other models are provided by companies based in China. If you select these models, your conversation data will be processed on servers in China. By selecting a China-based model, you explicitly consent to this data transfer for your own use. If you are using KvarnAI on behalf of an organization, that organization is responsible for ensuring it has an appropriate legal basis and has provided any required notice to end users before enabling such providers. We recommend EU-based providers for privacy-sensitive use cases.
Other Third-Party Services
In addition to AI providers, we use the following services:
- Supabase (EU): Database, authentication, and file storage. All data stored in Stockholm.
- Stripe (US): Payment processing. We send your email and user ID. Stripe handles all card data directly and we never see or store your card number.
- Twilio (US): SMS, voice calls, and WhatsApp message delivery. Phone numbers, call audio, and message content are processed.
- Meta (US): WhatsApp Business Platform for WhatsApp messaging.
- Vercel (US): Application hosting and edge delivery.
- Plausible Analytics (EU): Privacy-friendly, cookie-free web analytics.
- PostHog (EU): Product analytics hosted on EU servers. All form inputs are masked.
We may also disclose personal data to professional advisers, auditors, insurers, regulators, law enforcement authorities, courts, or counterparties in a corporate transaction where this is necessary and lawful.
Payment Processing
Payments are processed by Stripe and, where available, Nordic payment methods (Swish, Klarna, Trustly, Vipps). We do not store credit card numbers or bank account details. Payment providers handle card data directly in compliance with PCI DSS. We store only transaction references, subscription status, and billing metadata necessary for account management.
Your Rights
Under GDPR, you have the following rights:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your data. In some cases, we may delete or irreversibly anonymize data instead of fully removing every record where retention is still required by law (Art. 17(3)(b)) or needed for the establishment, exercise, or defense of legal claims (Art. 17(3)(e)).
- Restriction (Art. 18): Request that we limit processing of your data.
- Portability (Art. 20): Request your data in a machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
How to Exercise Your Rights
- Data export: Available in your dashboard under Settings → GDPR & Compliance.
- Account deletion: Contact privacy@kvarn.ai to request account closure and data erasure.
- Processor role situations: If you interacted with an agent operated by one of our business customers, we may direct your request to that customer where they are the primary controller.
- Identity verification: We may request reasonable information to verify your identity before fulfilling a privacy request.
- Supervisory authority: You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
Automated Decision-Making
We do not normally make solely automated decisions about you that produce legal or similarly significant effects within the meaning of Article 22 GDPR. AI-generated outputs are intended to assist communication, workflow automation, and information retrieval.
If you expressly enable optional automated transaction, approval, or workflow features with predefined rules and limits, you may contact us to request human review of a disputed automated action.
Is Providing Your Data Required?
Some personal data is required to create and maintain your account, provide the services you request, take payment, and comply with legal obligations. If you do not provide mandatory information such as your name, email address, and required billing details, we may not be able to provide the service. Other information, such as voice data, identity verification data, or optional file uploads, is only required if you choose to use those features.
Children's Privacy
Our services are not intended for individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a user is under 13 without verifiable parental consent, we will delete the account and associated data promptly. Users between 13 and 18 must have permission from a parent or legal guardian to use the services.
Our AI agents are designed to provide age-appropriate responses. The agent does not produce explicit sexual content, provide links to adult material, or engage in sexual conversation with any user. When a user discloses they are under 18, the agent adjusts its responses accordingly and may redirect to trusted educational resources (such as UMO.se in Sweden).
Child Safety and Vital Interests
If a user discloses a situation involving imminent risk to the safety or wellbeing of a child, such as abuse, exploitation, or self-harm, we may log a safety event (including a session identifier and timestamp, but not message content) under GDPR Article 6(1)(d) (vital interests) and Article 6(1)(f) (legitimate interests). In exceptional circumstances where there is an imminent threat to life or safety, we may disclose relevant information to law enforcement or child protection authorities as permitted by GDPR Article 6(1)(d). The agent will always provide the user with appropriate crisis resources and encourage them to seek help directly. We do not perform automated surveillance or scanning of message content. Safety events are triggered only when a user voluntarily discloses a crisis situation in conversation.
International Data Transfers
Your core data is stored in the EU (Stockholm, Sweden). When data is transferred to providers outside the EU (e.g., OpenAI, Stripe, Twilio in the US), these transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or by the EU-US Data Privacy Framework where applicable. For China-based AI providers, transfers are based on your explicit consent.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you by email.
Contact Us
If you have any questions about this Privacy Policy or want to exercise your data rights:
- General privacy inquiries: privacy@kvarn.ai
- Data Protection Officer: dpo@kvarn.ai
For our Terms of Service, see our Terms page.