Privacy Policy

Effective date: April 12, 2026  ·  Last updated: April 12, 2026

1. Introduction

Kiln ("Kiln", "we", "us", or "our") operates the product intelligence platform available at kilnhq.co (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have with respect to your data.

This policy applies to all users of the Service, including administrators, team members, and anyone who visits our website. It does not apply to third-party websites or services that may be linked from the Service.

By using the Service you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

Account data — When you create a Kiln account we collect:

  • Full name
  • Work email address
  • Password (stored as a secure hash by our authentication provider — we never see it in plaintext)
  • Company / organisation name
  • Your role within your organisation (admin or member)

Google sign-in data — If you choose to sign in with Google, we receive from Google:

  • Your Google account display name
  • Your Google account email address
  • Your Google user ID (used solely to link your account)

Customer data you upload — Kiln is a data-processing tool. When you use the Service you may upload or connect:

  • Call and interview transcripts (VTT / text files)
  • Support ticket conversations from connected tools (e.g. Intercom)
  • Metadata about your customers: company name, industry, headcount, ARR, plan tier, website

This data is processed on your behalf. You, as the Kiln customer, are the data controller for the personal data of your own end-customers. We process it only to provide the Service to you.

Integration credentials — If you connect third-party tools (e.g. Intercom, Gong, Salesforce) we store OAuth access tokens and refresh tokens on your behalf to retrieve data from those services.

Automatically collected data — When you use the Service, our authentication provider sets a session cookie to keep you signed in. This is a functional cookie necessary for the Service to operate. We set no analytics, marketing, or tracking cookies.

3. How We Use Your Information

  • To create and manage your account and organisation workspace
  • To authenticate you and maintain your session
  • To process your uploaded data (transcripts, tickets) through our AI pipeline and generate signals and themes
  • To send transactional emails such as account invitations and password resets
  • To respond to support inquiries sent to hello@kilnhq.co
  • To maintain the security, reliability, and integrity of the Service

We do not use your data to train AI models, sell advertising, or share your information with third parties for their own marketing purposes.

5. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal data. We share data only with the sub-processors necessary to operate the Service:

  • Supabase — cloud database, authentication, and file storage. Your account data, uploaded files, and derived data (signals, themes) are stored in Supabase-managed infrastructure.
  • OpenAI — we send transcript and support-ticket content to OpenAI's API to extract product signals and generate thematic summaries. OpenAI processes this data as a data processor under our agreement with them and does not use it to train models.
  • Google — if you use Google sign-in, Google processes the authentication exchange per their own privacy policy.

We may also disclose data if required to do so by law, court order, or governmental authority, or to protect the rights, property, or safety of Kiln, our users, or others.

6. Data Retention

We retain your account data for as long as your account is active. If you close your account or request deletion, we will delete your personal data within 30 days, subject to any legal retention obligations.

Customer data (transcripts, signals, themes) is retained for as long as your organisation's workspace exists. You can delete individual interactions, signals, or themes at any time through the Service. You may also request full workspace deletion by contacting hello@kilnhq.co.

OAuth tokens for connected integrations are deleted immediately when you disconnect an integration.

7. Your Rights (GDPR / EEA)

If you are based in the EEA or UK, you have the following rights under applicable data protection law:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure — ask us to delete your personal data ("right to be forgotten"), subject to certain exceptions.
  • Right to data portability — receive your personal data in a structured, machine-readable format.
  • Right to restriction — ask us to restrict processing of your data in certain circumstances.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email hello@kilnhq.co. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to delete — request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to opt-out of sale — we do not sell personal information, so this right does not apply.
  • Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA request, email hello@kilnhq.co with "CCPA Request" in the subject line. We will respond within 45 days.

9. Cookies

We use only strictly necessary cookies. These are session tokens set by Supabase to keep you authenticated while you use the Service. No consent is required for these cookies as they are essential to the Service's operation.

We do not use analytics cookies, advertising cookies, or any other tracking technologies. There is no third-party tracking on kilnhq.co.

10. Data Security

We take the security of your data seriously:

  • All data in transit is encrypted using TLS.
  • All data at rest is encrypted by Supabase.
  • Database access is governed by Row-Level Security (RLS) policies that enforce organisation-scoped isolation — users can only access data belonging to their own organisation.
  • OAuth tokens for integrations are stored encrypted and are never exposed in API responses.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please disclose it responsibly to hello@kilnhq.co.

11. International Data Transfers

Kiln is operated from, and our infrastructure is primarily located in, the United States. By using the Service, you acknowledge that your data will be transferred to and processed in the US.

For users in the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism for transferring personal data to our US-based sub-processors (Supabase, OpenAI).

12. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact hello@kilnhq.co and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you by email (sent to the address associated with your account) or by a prominent notice within the Service, and update the "Last updated" date at the top of this page.

Continued use of the Service after changes become effective constitutes acceptance of the revised policy.

14. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Kiln
hello@kilnhq.co
kilnhq.co
