Privacy Policy
Last updated: May 1, 2026
This Privacy Policy explains how Kagliostro SAS ("we", "us") collects, uses and shares personal data when you use the Service. We act as data controller for account data and as data processor for the content you process through your Agents.
1. Data we collect
- Account data: name, email, company, role, billing details.
- Usage data: pages viewed, agents deployed, tokens consumed, IP address, device.
- Workspace data: messages, files, integrations connected by you or your Agents.
2. How we use data
- Provide, secure and improve the Service.
- Bill subscriptions and prevent fraud.
- Send service announcements and (with consent) product updates.
3. Legal bases (GDPR)
Performance of contract (account), legitimate interest (security, analytics), consent (marketing, optional cookies), legal obligation (tax/accounting).
4. Sharing
We share data with vetted subprocessors (cloud hosting, LLM providers, payment, email). A current list is available on request. We do not sell personal data.
5. International transfers
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses and supplementary technical measures (encryption at rest and in transit).
6. Retention
Account data: lifetime of the account + 3 years. Logs: 12 months. Backups: 30 days. You can request deletion at any time.
7. Your rights
Access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your local supervisory authority (CNIL in France).
8. Security
TLS 1.3 in transit, AES-256 at rest, SSO/MFA available, SOC 2 Type II in progress, role-based access, audit logs.
9. Contact
Data Protection Officer: dpo@kagliostro.cloud