Privacy Policy
This Privacy Policy explains how Kameas AI, Inc. (“Kameas”, “we”, “us”, “our”) collects, uses, shares, retains, and protects personal information when you visit the websites we operate at kameas.ai and its subdomains (including kenaz.kameas.ai) (the “Site”), and when you join the waitlist or receive product updates about Kenaz, our secure AI workbench (together with the Site, the “Service”).
This Privacy Policy describes what we do as a controller (or, under U.S. state laws, a business) of personal information about Site visitors, waitlist signups, prospective customers, and recipients of our marketing communications. If you are a customer of the Kameas Fleet product and personal information of your end users is processed through the product, the Kameas Subscription Agreement — specifically Part 2 (the Data Processing Addendum) — governs that processing and supersedes this Privacy Policy with respect to it.
1. The categories of personal information we collect
In the twelve months preceding the “Last updated” date above, we have collected the following categories of personal information (using the categories defined in Cal. Civ. Code § 1798.140(v)):
| Category (CCPA § 1798.140(v)) | Examples we actually collect | Sources | Why we collect it | Who we share it with |
|---|---|---|---|---|
| A. Identifiers | Email address; the “role” tag you select on the waitlist form (engineer, lead, CTO, curious, unspecified); IP address; browser/device user-agent | Directly from you when you submit the waitlist form; automatically from your browser when you visit the Site | Send waitlist confirmation, product updates, and launch announcements; protect against abuse of the signup form; produce aggregate analytics | Email delivery vendor (Resend); cloud hosting vendor (AWS); analytics vendor (Google, only with your consent and only as described in §4) |
| F. Internet or other network activity | Referring URL; pages viewed on the Site; approximate session length; coarse approximate location derived from IP (country / region for the Consent Mode default decision only) | Automatically from your browser; from Google Analytics where you have consented (or where consent is the regional default) | Understand which pages are useful; improve the Site; debug; choose the correct consent default for visitors from different regions | Google Analytics (where consented); AWS (in standard server access logs) |
| K. Inferences | Aggregate, non-individualized inferences about Site traffic patterns (e.g., which pages convert) | Derived from the categories above | Product and content decisions; capacity planning | Internal only; never sold |
We do not collect “sensitive personal information” as defined in Cal. Civ. Code § 1798.140(ae) (such as government identifiers, financial account details, precise geolocation, racial/ethnic origin, religion, union membership, contents of communications, genetic data, biometric identifiers, or sex-life/sexual-orientation information) on the Site. If you contact us by email, the contents of your message will become personal information we hold; do not send us sensitive information through unencrypted email.
2. How we use personal information
We use the personal information described above for the following business and commercial purposes:
- Provide the Service. Acknowledge your waitlist signup; send the confirmation, product updates, launch announcements, and transactional messages you signed up for; provide customer support for any inquiry you send us.
- Operate the Site. Serve the pages you request; produce server access logs for debugging and abuse-prevention; allocate capacity; detect and prevent fraud, denial-of-service attempts, and other forms of abuse of the signup form.
- Understand how the Site is used. Produce aggregate analytics about traffic patterns; choose which pages, examples, and documentation to invest in. We do this through Google Analytics 4, subject to your consent and the regional defaults described in §4.
- Comply with the law. Respond to lawful requests from courts, regulators, and other authorities; enforce our terms; meet our record-keeping obligations.
- Marketing. Send you newsletters and product announcements about Kenaz and Kameas Fleet to which you have subscribed. You can unsubscribe at any time using the unsubscribe link in any marketing email, by contacting privacy@kameas.ai, or by configuring your account preferences (when an account is available).
- Defend our rights. Investigate and address security incidents, suspected fraud, violations of our terms, and threats of harm to our users or the public.
We do not use personal information for “automated decisionmaking that produces legal or similarly significant effects” about you. We do not use personal information to make decisions about creditworthiness, employment, housing, insurance, or any other consequential decision under applicable law.
3. The legal basis on which we process personal information (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the GDPR (or the UK GDPR, or the Swiss FADP, as applicable) requires us to identify a legal basis for each purpose for which we process your personal information. Our legal bases are:
- Consent (Art. 6(1)(a)). Setting non-essential analytics cookies; sending marketing emails.
- Performance of a contract (Art. 6(1)(b)). Sending the waitlist confirmation and the product-update messages you specifically requested when you signed up.
- Legitimate interests (Art. 6(1)(f)). Operating the Site, protecting it against abuse, debugging, and producing server access logs. Our interest is in keeping the Site available and secure; we have assessed this against your right to privacy and concluded that the limited data we log (IP, user-agent, request path) is proportionate to that interest.
- Legal obligation (Art. 6(1)(c)). Responding to valid requests from supervisory authorities, courts, and other competent regulators.
You can object to processing based on legitimate interests, or withdraw consent for processing based on consent, at any time using the contact information in §11 below. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
4. Cookies and analytics
We use Google Analytics 4 to understand how visitors use our Site (pages viewed, time on page, where traffic comes from). We do not use Google Analytics for advertising, remarketing, or to build profiles of you across other sites. IP addresses are anonymized before storage.
Google Analytics is loaded with Google Consent Mode v2. The default state varies by where you are visiting from:
- European Union, EEA, United Kingdom, Switzerland, or any region we cannot determine — analytics storage is denied by default. No analytics cookies are written and no measurement data is sent to Google until you explicitly accept the consent banner shown on your first visit. If you decline, only a small first-party preference record is stored in your browser to remember that choice; that record is a strictly-necessary preference and is not used for analytics or tracking.
- United States — analytics storage is granted by default and a small first-visit toast points you at the opt-out link. We additionally enable Google’s restricted data processing mode for U.S. visitors, which directs Google to treat your data as if you had opted out of any “sale” or “sharing” under the California Privacy Rights Act and similar U.S. state laws.
- Other regions — analytics storage is granted by default with the same opt-out toast.
Regardless of region, we honor two browser-level opt-out signals: Global Privacy Control (navigator.globalPrivacyControl) and the legacy Do Not Track header. If your browser sends either signal, we set Consent Mode to denied and do not show a banner.
You can change your choice at any time by clicking Your privacy choices in the Site footer.
If you accept analytics, the following cookies may be set on this domain: _ga, _ga_<ID> (Google Analytics, used to distinguish visitors and sessions). These are first-party cookies with a lifetime of up to 2 years; you can clear them at any time through your browser settings.
Google’s data practices for Analytics are described in Google’s Privacy Policy. You can opt out of Google Analytics globally across all sites by installing Google’s browser opt-out add-on.
5. How long we keep personal information
We retain personal information only for as long as we need it for the purposes described above, subject to longer retention where required by law. Specifically:
- Waitlist signups (email address, role tag, signup date, source): retained for so long as you remain on the waitlist plus thirty (30) days after you unsubscribe or after the Kenaz product reaches general availability and the waitlist is retired, after which the record is deleted from our primary database. Suppression records (a hash of your email address and an unsubscribe / bounce / complaint flag) are retained indefinitely so that we do not accidentally email you again after you have opted out.
- Server access logs (IP, user-agent, request path, timestamp): 30 days, then deleted in the ordinary course.
- Google Analytics data: 14 months at the property level; aggregated reports may be retained longer.
- Cookie preferences: stored in your browser only, for the lifetime of the cookie or until you clear it.
- Email correspondence: up to 24 months after the conversation closes, unless we need it longer to defend against a legal claim, comply with a legal obligation, or maintain a permanent record (in which case we retain it for the period required and then delete it).
6. Who we share personal information with
We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under California or other U.S. state privacy laws. Within the twelve months preceding the “Last updated” date, we have not sold or shared personal information for those purposes.
We do disclose personal information to the following categories of recipients, in each case under written contracts that restrict their use of the information to the purposes for which we disclosed it:
- Service providers / processors who help us run the Service:
- Amazon Web Services, Inc. — cloud hosting, storage, server access logs, and the data store for the waitlist (United States).
- Resend, Inc. — transactional and marketing email delivery and bounce/complaint webhook processing (United States).
- Google LLC — Google Analytics 4 (subject to your consent and the regional defaults in §4; United States).
- Professional advisors (accountants, lawyers, insurers, auditors) when reasonably necessary to obtain advice or defend a claim.
- Authorities in response to valid legal process, or where we have a good-faith belief that disclosure is necessary to comply with the law, enforce our terms, address fraud or security incidents, or protect our users or the public from harm.
- Acquirers, in a corporate transaction. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, personal information may be transferred as part of that transaction. We will provide notice on the Site and, where required, by email before personal information becomes subject to a new privacy policy.
7. International transfers of personal information
We are based in the United States and our service providers operate primarily from the United States. If you access the Site from outside the United States, your personal information will be transferred to, stored in, and processed in the United States.
For transfers of personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office, and, for Switzerland, the SCCs construed under the Swiss FADP. We are not, at this time, self-certified to the EU–U.S. Data Privacy Framework. You may request a copy of the relevant transfer documentation by emailing dpo@kameas.ai.
8. Your rights
8.1 Rights for U.S. state-law residents (California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others)
If you are a resident of a U.S. state with a comprehensive consumer privacy law, you have the right (subject to verification of your identity, and subject to limited exceptions in those laws) to:
- Know what personal information we have collected about you, the sources, the purposes, the categories of recipients, and (in California) the specific pieces of personal information we hold;
- Delete personal information we have collected about you;
- Correct inaccurate personal information we hold about you;
- Receive a portable copy of personal information you have provided to us, in a structured, commonly used, machine-readable format;
- Opt out of sale or sharing of personal information, and opt out of profiling that produces legal or similarly significant effects. We do not sell or share personal information and we do not engage in such profiling, so there is nothing to opt out of, but you can confirm that decision at any time by writing to us;
- Limit the use and disclosure of sensitive personal information. We do not collect sensitive personal information through the Site;
- Be free from retaliation or discrimination for exercising any of these rights;
- Appeal a denial of your request (where applicable law provides an appeal right).
To exercise any of these rights, email privacy@kameas.ai with the subject line “Privacy rights request” and tell us which right you want to exercise. We will acknowledge receipt within ten (10) business days and substantively respond within forty-five (45) days (extendable by another forty-five (45) days where reasonably necessary, in which case we will tell you why). We will verify your identity using the email address you provide, by matching it against the record we hold; if we cannot verify your identity, we will tell you and ask for additional information.
Authorized agents. You may designate an authorized agent to make a request on your behalf. We may ask the agent to provide written permission signed by you, and we may ask you to verify your own identity directly.
California “Shine the Light”. California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for those third parties’ direct-marketing purposes. We do not disclose personal information for third parties’ direct-marketing purposes. You may confirm that by writing to privacy@kameas.ai.
“Do Not Sell or Share My Personal Information”. Because we do not sell or share personal information for cross-context behavioral advertising, we do not display a dedicated opt-out link. We do, however, honor Global Privacy Control signals as described in §4.
8.2 Rights for EEA, UK, and Swiss residents (GDPR)
If you are in the EEA, the UK, or Switzerland, you have the right to:
- access the personal information we hold about you (Art. 15 GDPR);
- have inaccurate personal information rectified (Art. 16);
- have personal information erased in the circumstances set out in Art. 17;
- restrict processing in the circumstances set out in Art. 18;
- receive a portable copy of personal information you provided to us (Art. 20);
- object to processing based on legitimate interests, including direct marketing (Art. 21);
- withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3));
- lodge a complaint with your national supervisory authority. A list of EU/EEA authorities is available from the European Data Protection Board; UK residents may contact the Information Commissioner’s Office; Swiss residents may contact the Federal Data Protection and Information Commissioner.
To exercise any of these rights, email dpo@kameas.ai. We will respond within thirty (30) days of receipt of a verifiable request, extendable by a further sixty (60) days where the request is complex or numerous.
9. Security
We implement and maintain administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These include encryption in transit (TLS 1.2 or higher), encryption at rest for the waitlist data store, role-based access controls, multi-factor authentication for personnel access to production systems, and a documented incident response plan. No security control is perfect; we cannot guarantee absolute security, and you should take care with how you share information with us (in particular, do not send sensitive information through unencrypted email).
If we become aware of a personal data breach affecting your personal information, we will notify you and any applicable supervisory authority as required by applicable law.
10. Children
The Site and the Service are not directed to children under the age of 13. We do not knowingly collect or solicit personal information from anyone under the age of 13. If you believe we have collected personal information from a child under 13, please email privacy@kameas.ai and we will delete it as soon as possible. The Kameas Fleet product (separate from the Site) is intended for use only by individuals at least 18 years old.
11. Contact us
For privacy questions, requests, complaints, or to exercise any right described in §8, contact:
| Purpose | Contact |
|---|---|
| General privacy questions; U.S. state-law rights requests; unsubscribe requests; COPPA reports | privacy@kameas.ai |
| GDPR / UK GDPR / Swiss FADP rights requests; Data Protection Officer matters; international transfer documentation | dpo@kameas.ai |
| Legal notices | legal@kameas.ai |
Attn: Privacy
701 E Franklin Street
Suite 105 1597
Richmond, Virginia 23219
United States of America
Telephone: 804-808-1811
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (if you are a waitlist subscriber and have provided us with an email address) and by posting a prominent notice on the Site at least thirty (30) days before the changes take effect. Non-material changes (clarifications, typo fixes, contact-detail updates) take effect immediately. The “Last updated” date at the top of this page reflects the most recent change.