Privacy Policy
This Privacy Policy describes how Koji Technologies Inc. (“Koji”, “we”, “us”, or “our”) collects, uses, and shares information when you use our platform, services, and websites (the “Service”). It applies to information about visitors to our websites, account holders, and end users of the Service.
This Policy is designed to comply with applicable Canadian privacy law (PIPEDA), and where applicable, GDPR (for EU/UK data subjects) and CCPA/CPRA (for California residents). If you have questions, contact us at privacy@getkoji.dev.
1. Information we collect
1.1 Account information
When you sign up, we collect:
- Name, email address, and (optionally) phone number
- Company name and role
- Billing contact information
- Account credentials (we store password hashes, not passwords)
- Authentication identifiers from third-party identity providers (e.g., Clerk, Google Sign-In) if you use them
1.2 Billing information
We use Stripe, Inc. as our payment processor. Stripe collects payment card or bank account information directly from you and provides Koji with a tokenized reference and transaction metadata (amounts, descriptions, status). We do not store full payment card numbers on our servers.
1.3 Customer Data (documents and extractions)
When you use the Service, you may upload or forward documents (PDFs, images, scans, email attachments) and configure schemas describing what data to extract. We process these documents to produce structured extracted data, which we return to you. Collectively, this is “Customer Data.”
Customer Data may include personal information about individuals (such as insureds, holders, or policy contacts named in documents). You are responsible for ensuring you have the right to upload Customer Data containing personal information of third parties.
1.4 Usage and technical data
We collect information about how you interact with the Service, including:
- Pages and features used, time spent, click paths
- API calls and request metadata
- Device, browser, and operating system information
- IP address and approximate location (derived from IP)
- Cookies and similar technologies (see Section 9)
- Logs of errors, performance metrics, and security events
1.5 Communications
If you contact support, participate in pilots, or otherwise communicate with us, we keep records of those communications.
2. How we use information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process documents and return extracted data
- Bill and process payments
- Authenticate users and secure the Service
- Communicate with you about your account, the Service, security, and important updates
- Provide customer support
- Detect, prevent, and respond to fraud, abuse, and security incidents
- Comply with legal obligations and respond to lawful requests
- Improve the accuracy and quality of our extraction models, in accordance with Section 4
We do not sell personal information, and we do not use Customer Data for advertising.
3. Legal bases for processing (GDPR)
If you are in the EU or UK, we process personal information on the following legal bases:
- Contract: Processing necessary to provide the Service under our Terms of Service
- Legitimate interests: Improving the Service, ensuring security, preventing fraud, and operating our business — balanced against your rights and interests
- Consent: Where you have given us consent (which you can withdraw at any time)
- Legal obligation: Complying with applicable law
4. Use of Customer Data for model improvement
We may use aggregated and de-identified data derived from Customer Data to improve the accuracy of our extraction engine, develop new features, and benchmark performance. This processing is designed so that the resulting data does not identify you or any individual.
For pilot customers and customers on certain plans, we may use Customer Data (in identifiable form) to improve extraction accuracy where we have a specific agreement, separate consent, or where you have made corrections through our user interface (which serves as feedback to improve the system for your own tenant). We do not use one customer’s Customer Data to train models that are then used to serve a different customer except in de-identified, aggregated form.
You can opt out of having your corrections used to improve broader model accuracy by contacting privacy@getkoji.dev.
5. How we share information
We share information only in the following circumstances:
5.1 Service providers
We share information with vendors who help us operate the Service, including:
- Stripe, Inc. — payment processing
- Amazon Web Services, Inc. — hosting, storage, email delivery (SES)
- Cloudflare, Inc. — content delivery, security, and (in some configurations) compute
- Authentication providers (e.g., Clerk) — user identity
- Customer support and analytics tools — operating the Service
Each of these is bound by contractual obligations to handle information consistently with this Policy.
5.2 Business transfers
If Koji is involved in a merger, acquisition, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to confidentiality protections.
5.3 Legal and safety
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, legal process, or government request
- Protect the rights, property, or safety of Koji, our customers, or others
- Detect, prevent, or respond to fraud, security, or technical issues
- Enforce our Terms of Service or other agreements
5.4 With your direction
We share information at your direction (for example, when you connect the Service to a third-party system or grant access to a partner).
6. International transfers
Koji is based in Canada. We may transfer, store, and process information in Canada, the United States, and other countries where our service providers operate. Where we transfer personal information of EU/UK data subjects outside the EEA/UK, we rely on appropriate safeguards (such as Standard Contractual Clauses) where required.
7. Data retention
We retain information for as long as needed to provide the Service and for legitimate business and legal purposes:
- Account information: while your account is active, and up to thirty (30) days after closure (longer where required by law)
- Customer Data: by default, retained while your account is active and up to ninety (90) days after closure; customers on paid plans may configure shorter retention through account settings
- Billing records: as required by applicable tax and accounting law (typically 7 years in Canada)
- Logs and security data: typically 90 days to 1 year, depending on type
- Backups: may persist beyond active retention periods but are subject to deletion on rolling schedules
You may request deletion of your Customer Data at any time by contacting privacy@getkoji.dev. Deletion may be subject to legal hold requirements.
8. Your rights
8.1 Canadian residents (PIPEDA)
You have the right to access personal information we hold about you, request correction of inaccuracies, and withdraw consent. To exercise these rights, contact privacy@getkoji.dev.
8.2 EU/UK residents (GDPR)
You have the right to access, correct, delete, restrict processing of, port, and object to processing of your personal information. You may also lodge a complaint with your local supervisory authority.
8.3 California residents (CCPA/CPRA)
You have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of sale or sharing of personal information (we do not sell personal information).
8.4 How to exercise your rights
Email privacy@getkoji.dev with the request and sufficient information for us to verify your identity. We will respond within the time required by applicable law.
9. Cookies and similar technologies
We use cookies and similar technologies to authenticate users, maintain sessions, remember preferences, and understand how the Service is used. You can control cookies through your browser settings; disabling cookies may impair some functionality.
We use a limited set of analytics tools to understand usage patterns. We do not use cross-site tracking or advertising cookies.
10. Security
We implement administrative, technical, and physical safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit and at rest, access controls, audit logging, and routine security reviews.
No system can be fully secure. If we become aware of a security incident affecting your personal information, we will notify you in accordance with applicable law.
11. Children’s privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
12. Third-party links and services
The Service may contain links to third-party websites or integrate with third-party services. This Policy does not apply to those third parties. We encourage you to review their privacy policies.
13. Changes to this Policy
We may update this Policy from time to time. We will notify you of material changes by email or through the Service. The “Effective date” at the top reflects the latest version.
14. Contact
Questions, requests, or complaints regarding this Policy or our handling of your information:
- Email: privacy@getkoji.dev
- Mail: Koji Technologies Inc., 2727 Steeles Avenue West, Unit 103-923, Toronto, Ontario M3J 3G9, Canada
If you are a data subject in the EU/UK, you may also contact our designated representative once appointed; details will be added here.