Privacy Policy

This Privacy Policy explains how Kaneto ("we", "us", or "our") collects, uses, shares, and protects your personal information when you use our project management platform ("Service"). We are committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant regulations.

1. Data Controller

Kaneto acts as the data controller for the personal information we collect through our Service. For any privacy-related inquiries, you can contact us at:

• Email: privacy@kaneto.io

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Full name (optional)
• Password (securely hashed)
• Company information (if provided)

2.2 Project and Business Data

Data you create and store in the Service:

• Projects (names, descriptions, budgets, dates)
• Tasks and subtasks
• Meetings and site supervisions
• Files and documents you upload
• Financial data (payments, expenses, quotes)
• Notes and comments

2.3 Contact Information of Third Parties

You may store contact information of your clients, team members, and vendors including names, emails, phone numbers, addresses, and tax identification numbers. You are responsible for ensuring you have the right to store this information.

2.4 Location Data

With your consent, we may collect:

• Project site addresses
• GPS coordinates for mapping features
• Location data for weather information at construction sites

2.5 Technical Data

Automatically collected when you use the Service:

• IP address
• Browser type and version
• Device information
• Usage patterns and preferences

3. How We Use Your Information

We use your information to:

• Provide, maintain, and improve our Service
• Process and complete your transactions
• Send you important notifications about your account
• Respond to your inquiries and support requests
• Ensure the security and integrity of our Service
• Comply with legal obligations

4. AI-Powered Features

Important: Some features use artificial intelligence services provided by Google. When you use these features, data is sent to Google for processing.

4.1 Receipt Scanner

When you upload a receipt or invoice image for automatic extraction, the image is sent to:

• Google Cloud Vision API for text recognition (OCR)
• Google Gemini API for intelligent data extraction

Data extracted includes: amounts, dates, vendor names, and other receipt details.

4.2 Voice Commands

When you use voice input to create tasks or notes, the transcribed text is sent to Google Gemini API to understand your intent and extract relevant information.

4.3 Meeting Summaries

When you request a meeting summary, your meeting notes and transcript are sent to Google Gemini API to generate key points, action items, and follow-up questions.

5. Legal Basis for Processing (GDPR)

Under the GDPR, we process your data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you requested (Article 6(1)(b))
• Consent: For optional features like AI processing and marketing communications (Article 6(1)(a))
• Legitimate Interests: For security, fraud prevention, and service improvement (Article 6(1)(f))
• Legal Obligation: When required by law (Article 6(1)(c))

6. Third-Party Services

We use trusted third-party services to provide our Service. These providers are bound by data processing agreements and comply with applicable data protection laws.

For a complete list of our sub-processors, please visit our Sub-processors page.

Key service providers include:

• Supabase - Database, authentication, and file storage (EU hosting)
• Google Cloud - AI services (Vision API, Gemini)
• Google Calendar - Calendar synchronization (optional)
• Google Maps - Location services
• Open-Meteo - Weather data (EU-based, no personal data transferred)

7. International Data Transfers

Some of our service providers are located in the United States. When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all processors
• Additional technical and organizational measures as required

8. Data Retention

We retain your personal information for as long as:

• Your account is active
• Necessary to provide you with our Service
• Required by applicable law (e.g., tax records may be retained for 7-10 years)

When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it by law.

9. Your Rights

9.1 Rights Under GDPR (EU/EEA Users)

If you are located in the EU/EEA, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Limit how we process your data
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time for consent-based processing
• Lodge a Complaint: File a complaint with your local supervisory authority

9.2 Rights Under CCPA/CPRA (California Users)

If you are a California resident, you have the right to:

• Know: What personal information we collect and how we use it
• Delete: Request deletion of your personal information
• Correct: Request correction of inaccurate information
• Opt-Out: Opt out of the sale or sharing of personal information
• Non-Discrimination: Not be discriminated against for exercising your rights

Note: We do not sell your personal information. We respect the Global Privacy Control (GPC) signal as a valid opt-out request.

9.3 Exercising Your Rights

You can exercise most rights directly in your account Settings → Privacy & Data. For other requests, contact us at privacy@kaneto.io. We will respond within 30 days (or as required by law).

10. Data Security

We implement robust security measures to protect your data:

• Encryption in transit (TLS/HTTPS) and at rest
• Row Level Security (RLS) ensuring users can only access their own data
• Secure authentication with hashed passwords
• Regular security audits and updates
• Access controls and audit logging

11. Cookies and Tracking

We use cookies and similar technologies to operate our Service. For detailed information about the cookies we use, please see our Cookie Policy.

Essential cookies are required for the Service to function (authentication, security). Functional cookies remember your preferences (theme, language).

12. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

13. Public Sharing Features

Kaneto allows you to share project information with clients through shareable links (Client Portal). When you enable sharing:

• You control exactly what information is visible
• Shared links can be revoked at any time
• Links can have expiration dates
• Access is tracked (view counts)

You are responsible for ensuring you have the right to share any information made available through these features.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@kaneto.io
• For data subject requests: Settings → Privacy & Data in the app