Privacy Policy
Effective date: April 12, 2026 · Last updated: June 1, 2026
1. Introduction
Kiln ("Kiln", "we", "us", or "our") operates the product intelligence platform available at kilnhq.co (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have with respect to your data.
This policy applies to all users of the Service, including administrators, team members, and anyone who visits our website. It does not apply to third-party websites or services that may be linked from the Service.
By using the Service you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
Account data — When you create a Kiln account we collect:
- Full name
- Work email address
- Password (stored as a secure hash by our authentication provider — we never see it in plaintext)
- Company / organisation name
- Your role within your organisation (admin or member)
Google sign-in data — If you choose to sign in with Google, we receive from Google:
- Your Google account display name
- Your Google account email address
- Your Google user ID (used solely to link your account)
Google Calendar data — If you connect your Google Calendar to Kiln, we request only the Google OAuth scopes needed to provide calendar-based meeting recording: openid, email, and https://www.googleapis.com/auth/calendar.events.readonly. We read your calendar events on a read-only basis. We never write to, edit, delete, or create events on your calendar.
Through the Google OAuth connection we receive your verified Google email address and a Google refresh token. We pass the refresh token to Recall.ai, our meeting-recording sub-processor, so Recall.ai can keep the calendar connection active and sync event metadata for Kiln. Kiln stores the connected calendar email address and Recall.ai calendar identifier, but does not store your Google refresh token in Kiln's database.
From synced calendar events we receive:
- Event identifiers, titles, start and end times, time zones, update timestamps, and cancellation status
- Conference URLs, including Zoom, Google Meet, Microsoft Teams, and Webex links where present
- Attendee and organizer email addresses, and attendee response statuses
- Your Google account email address, used to identify the calendar owner
We use this data to display synced meetings in Kiln, identify upcoming meetings with a supported video conference URL, apply the recording settings you choose, and schedule or cancel the Kiln Notetaker for those meetings.
Customer data you upload — Kiln is a data-processing tool. When you use the Service you may upload or connect:
- Call and interview transcripts (VTT / text files)
- Support ticket conversations from connected tools (e.g. Intercom)
- Metadata about your customers: company name, industry, headcount, ARR, plan tier, domain
This data is processed on your behalf. You, as the Kiln customer, are the data controller for the personal data of your own end-customers. We process it only to provide the Service to you.
Integration credentials — If you connect third-party tools (e.g. Intercom, Gong, Salesforce) we store OAuth access tokens and refresh tokens on your behalf to retrieve data from those services.
Product usage and device data — We collect limited product usage events, such as sign-up, login, onboarding, integration connection, billing, and feature interaction events. We may also collect device and browser metadata associated with those events, such as page URL, referrer, browser type, operating system, and approximate location derived from IP address. We use this information to understand product adoption, debug issues, and improve the Service. We do not use it for advertising.
Cookies and local storage — When you use the Service, our authentication provider sets a session cookie to keep you signed in. We may also use cookies or browser storage for product analytics and application preferences. We do not use advertising cookies.
3. How We Use Your Information
- To create and manage your account and organisation workspace
- To authenticate you and maintain your session
- To process your uploaded data (transcripts, tickets) through our AI pipeline and generate signals and themes
- If you connect Google Calendar, to create and maintain the calendar connection, display synced meetings, identify upcoming meetings with a supported video conference URL, apply your recording preferences, and schedule or cancel the Kiln Notetaker (via Recall.ai) to attend and record those meetings
- To send transactional emails such as account invitations and password resets
- To respond to support inquiries sent to hello@kilnhq.co
- To measure product usage and improve the Service
- To maintain the security, reliability, and integrity of the Service
We do not use your data to train AI models, sell advertising, or share your information with third parties for their own marketing purposes.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the UK, we process your personal data on the following legal bases:
- Performance of a contract — processing your account data and uploaded data is necessary to provide the Service you have signed up for.
- Legitimate interests — maintaining security, preventing fraud, and improving the reliability of the Service, where this does not override your interests or rights.
- Compliance with legal obligations — where processing is required to comply with applicable law.
- Consent — where you have given explicit consent, such as connecting Google Calendar or receiving non-transactional communications. You may withdraw consent at any time.
6. Google API Services User Data
This section applies in addition to the rest of this policy and describes how Kiln handles information received through Google APIs, including Google sign-in data and Google Calendar data.
Kiln's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Our commitments with respect to Google Calendar data:
- We use it only to provide or improve user-facing calendar and meeting-recording features that are visible in Kiln, and we request only the read-only calendar events scope needed for that feature.
- We do not use it for advertising of any kind.
- We do not sell it, and we do not share it with third parties except with Recall.ai (our calendar-sync and recording sub-processor) to provide the feature, where required by law, or where necessary to protect the security of Kiln or its users.
- We do not allow our employees to read it, except where you have given consent for a specific event, where necessary for security investigations, where required by law, or where the data has been aggregated and de-identified for internal operational purposes.
- We do not use it to develop, improve, or train artificial intelligence or machine-learning models.
- We do not use it to determine creditworthiness, for lending purposes, or for any surveillance, advertising, or data-broker purpose.
You can disconnect Google Calendar at any time from your Kiln settings, or revoke Kiln's access directly from your Google Account permissions page.
7. Data Retention
We retain your account data for as long as your account is active. If you close your account or request deletion, we will delete your personal data within 30 days, subject to any legal retention obligations.
Customer data (transcripts, signals, themes) is retained for as long as your organisation's workspace exists. You can delete individual interactions or signals, and archive themes, at any time through the Service. You may also request full workspace deletion by contacting hello@kilnhq.co.
Google Calendar and Recall.ai meeting data. We retain synced calendar event data — including event identifiers, titles, conference URLs, attendee and organizer emails, response statuses, start and end times, and update timestamps — for as long as your organisation's workspace exists, unless you disconnect Google Calendar, delete the related meeting or interaction, request deletion, or we are otherwise required to delete it by law.
When the Kiln Notetaker records a meeting, the meeting's title and start time are saved on the resulting recording so you can identify it in your workspace. These details remain with the recording until you delete it. You can delete any recording from Kiln at any time, or request full workspace deletion by emailing hello@kilnhq.co.
Disconnecting Google Calendar immediately deletes the calendar connection record and the synced calendar data we hold, and we instruct Recall.ai to delete the associated calendar resource. It does not delete meetings you have already recorded — those remain in your workspace until you delete them yourself.
OAuth tokens for connected integrations are deleted immediately when you disconnect an integration.
8. Your Rights (GDPR / EEA)
If you are based in the EEA or UK, you have the following rights under applicable data protection law:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your personal data ("right to be forgotten"), subject to certain exceptions.
- Right to data portability — receive your personal data in a structured, machine-readable format.
- Right to restriction — ask us to restrict processing of your data in certain circumstances.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, email hello@kilnhq.co. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
9. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
- Right to delete — request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to opt-out of sale — we do not sell personal information, so this right does not apply.
- Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.
To submit a CCPA request, email hello@kilnhq.co with "CCPA Request" in the subject line. We will respond within 45 days.
11. Data Security
We take the security of your data seriously:
- All data in transit is encrypted using TLS.
- All data at rest is encrypted by Supabase.
- Database access is governed by Row-Level Security (RLS) policies that enforce organisation-scoped isolation — users can only access data belonging to their own organisation.
- OAuth tokens for integrations are stored encrypted and are never exposed in API responses.
- Google Calendar sync rows are scoped to the calendar owner and are not visible to other users by default.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please disclose it responsibly to hello@kilnhq.co.
12. International Data Transfers
Kiln is operated from, and our infrastructure is primarily located in, the United States. By using the Service, you acknowledge that your data will be transferred to and processed in the US.
For users in the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms as the legal basis for transferring personal data to our US-based sub-processors.
13. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact hello@kilnhq.co and we will promptly delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes we will notify you by email (sent to the address associated with your account) or by a prominent notice within the Service, and update the "Last updated" date at the top of this page.
Continued use of the Service after changes become effective constitutes acceptance of the revised policy.
15. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: