PRIVACY POLICY
Last updated: June 15, 2025
1. INTRODUCTION
Kona Business AI ("Company," "we," "us") respects your privacy and is committed to protecting Personal Data in accordance with the EU General Data Protection Regulation ("GDPR"), UK GDPR, Swiss Federal Data Protection Act ("FDPA"), U.S. state privacy statutes (including the California Consumer Privacy Act as amended by the CPRA), and other applicable laws worldwide. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit Konabusiness.ai or use our Services.
2. SCOPE
This Policy applies to users worldwide and covers Personal Data collected online and offline in connection with the Services. For purposes of this Policy, "Personal Data" means information that identifies or can reasonably be linked to an identified or identifiable individual.
3. PERSONAL DATA WE COLLECT
- Account Data: name, e-mail address, company, password, authentication tokens.
- Payment Data: last four digits of payment card, billing address (processed by Stripe).
- Usage Data: logs, device identifiers, browser type, IP address, timestamps, clickstream.
- Content Data: prompts, files, and AI Output generated through the Services.
- Cookies & Similar Technologies: HTTP cookies, local storage, and pixels for analytics.
- Optional Marketing Data: preferences, survey responses, and feedback when you consent.
4. LEGAL BASES FOR PROCESSING
We process Personal Data on the following bases:
- Performance of a contract (Art. 6(1)(b) GDPR)
- Legitimate interests (Art. 6(1)(f)) such as improving Services, preventing fraud, and securing systems
- Your consent where required (Art. 6(1)(a)), e.g., marketing cookies
- Compliance with legal obligations (Art. 6(1)(c))
5. HOW WE USE PERSONAL DATA
- Provide and maintain the Services and customer support
- Process transactions and manage subscriptions
- Generate AI Output and improve models (using de-identified data)
- Monitor, detect, and prevent security incidents and abuse
- Conduct analytics and develop new features
- Send service notices, billing reminders, and marketing communications (with opt-out)
6. AI TRANSPARENCY & RISK MANAGEMENT
The Services incorporate generative-AI capabilities powered by Azure OpenAI services. Inputs you provide will be transmitted to OpenAI's servers in the United States where they may be processed to generate AI Output. We employ human oversight, content-filtering, and auditing to mitigate risks as required by the EU AI Act. You have the right to request information about the logic involved and to opt out of profiling for direct-marketing purposes.
7. CHILDREN'S DATA
The Services are not directed to children under 13, and we do not knowingly collect Personal Data from them. If we learn that a child under 13 has provided data, we will delete it. Users between 13 and 16 may use the Services only with verifiable parental consent where required by law.
8. DATA SHARING & THIRD-PARTY SERVICES
We share Personal Data only with:
- Service Providers acting on our behalf under Data Processing Agreements, including OpenAI LLC, Amazon Web Services, Vercel, Microsoft Azure, Upstash, Stripe, and Google LLC (Analytics).
- Law enforcement or regulators where required by law.
- Successors in the event of a merger, acquisition, or asset sale, subject to confidentiality.
We do not "sell" or "share" Personal Data for cross-context behavioral advertising as defined under U.S. state privacy laws.
9. INTERNATIONAL DATA TRANSFERS
We store data on Upstash servers in the United States. Where GDPR applies, transfers outside the EEA, UK, or Switzerland rely on Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum, or another lawful mechanism.
10. YOUR PRIVACY RIGHTS
Depending on your jurisdiction, you may have rights to:
- Access, rectify, erase, restrict, object, or port your data (EEA/UK/Swiss)
- Know, delete, correct, opt out of sale/share, or limit sensitive data (California & other U.S. states)
- Access, delete, correct, opt out of targeted advertising and profiling (other U.S. states listed)
To exercise rights, e-mail support@konabusiness.ai. We will verify your request and respond within legally mandated timelines. You may appeal a denied request by following instructions in our response.
11. AUTOMATED DECISION-MAKING
We do not engage in solely automated decision-making that produces legal or similarly significant effects.
12. COOKIES & SIMILAR TECHNOLOGIES
We use first-party and third-party cookies for analytics and performance. Where required by the ePrivacy Directive and GDPR, we obtain your consent via a cookie banner. You can manage preferences in your browser settings or through our cookie-management tool.
13. DATA SECURITY
We implement technical and organizational measures including encryption in transit (TLS 1.2+), encryption at rest (AES-256), role-based access controls, and regular penetration testing. No method is 100% secure, and we cannot guarantee absolute security.
14. DATA RETENTION
We retain Personal Data for as long as your account is active and for a reasonable period thereafter (typically 24 months) or as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.
15. CHANGES TO THIS POLICY
We will post any changes on this page and, if material, provide a prominent notice (e.g., e-mail) at least 30 days before they become effective. Continuing to use the Services after changes take effect constitutes acceptance.
16. CONTACT & COMPLAINTS
If you have questions or concerns about this Policy or our data practices, contact us at support@konabusiness.ai. EEA residents may lodge a complaint with their local supervisory authority; UK residents may contact the Information Commissioner's Office (ICO); Swiss residents may contact the FDPIC.