Privacy Policy

Effective date: May 25, 2026

1. Introduction

This Privacy Policy explains how Kollitech (“Kollitech”, “we”, “us”, or “our”) collects, uses, discloses, and protects information in connection with KollGuard (the “Service”), available at kollguard.com. It applies to visitors of our website and to customers and authorized users of the Service.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Service.

2. Information we collect

We collect the following categories of information:

  • Account information — name, email address, display name, organization name, and role, provided when you create an account or organization.
  • Integration credentials — access tokens you choose to connect (e.g., GitHub personal access tokens and Supabase access tokens), stored encrypted and used solely to perform the scans you request.
  • Scan data — security findings, the controls they map to (e.g., SOC 2, HIPAA), scan-run metadata, and configuration you enter (such as scan targets, projects, and your compliance profile).
  • AI cost & usage data — where you enable it, aggregated daily AI usage summaries read from a view you create in your own systems.
  • Payment information — a billing identifier and subscription status from our payment processor. We do not collect or store full payment card numbers.
  • Usage, device & log data — IP address, browser and device type, pages and features used, timestamps, and diagnostic logs generated when you use the Service.
  • Cookies and similar technologies — used for authentication and essential functionality, and where applicable for analytics.

3. How we collect information

We collect information directly from you (when you register, configure the Service, or contact us), automatically through your use of the Service (logs, cookies, and similar technologies), and from third-party service providers acting on our behalf (such as our payment processor and infrastructure providers).

4. How we use information

We use information to provide, operate, maintain, secure, and improve the Service; to authenticate users and administer organizations; to perform the read-only scans you request and map findings to compliance frameworks; to recommend applicable regulations; to track AI cost and usage you opt into; to process subscriptions and billing; to provide customer support and send service-related communications; to monitor, detect, and prevent fraud, abuse, and security incidents; and to comply with legal obligations.

5. Credentials and scan data

Integration tokens you provide are encrypted at rest and are accessible only to the backend processes that execute the scans you request. Scanning is read-only. We retain findings and related metadata to provide the Service and to show your compliance posture over time. We do not store your source code or the contents of your databases. We recommend providing least-privilege, read-only tokens and rotating them periodically.

6. AI-assisted features

The compliance advisor recommends frameworks based on the industry and jurisdiction you enter. To expand coverage, it may transmit that industry and jurisdiction (and not your code, data, or credentials) to third-party AI providers or to an AI endpoint you configure. Recommendations are informational and do not constitute legal advice.

7. Legal bases for processing (EEA/UK)

Where the GDPR or UK GDPR applies, we process personal data on the following legal bases: performance of a contract (to provide the Service you request); our legitimate interests (to secure, maintain, and improve the Service and prevent abuse); compliance with legal obligations; and your consent where required (which you may withdraw at any time).

8. How we share information

We do not sell your personal information. We disclose information only as follows:

  • Service providers (sub-processors) who process data on our behalf under confidentiality and security obligations — see the section below.
  • Legal and safety — where required by law, legal process, or to protect the rights, property, or safety of Kollitech, our users, or the public.
  • Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
  • With your direction or consent — for example, integrations you choose to connect.

9. Sub-processors

We rely on the following categories of sub-processors to operate the Service:

  • Cloud hosting and infrastructure (e.g., Amazon Web Services).
  • Database, authentication, and backend platform (e.g., Supabase).
  • Payment processing (e.g., Stripe).
  • AI providers used by the compliance advisor (e.g., Anthropic, OpenAI, Google, xAI), or an endpoint you configure.

We require sub-processors to protect personal data consistent with this Policy. A current, named list is published at kollguard.ai/sub-processors.

10. Data Processing Addendum and BAAs

Where we process personal data on your behalf as a processor, a Data Processing Addendum (DPA) is available on request. Customers subject to HIPAA who require a Business Associate Agreement (BAA) may request one at info@kollitech.com.

11. Cookies and tracking

We use strictly necessary cookies for authentication and core functionality, and may use limited analytics to understand and improve usage. You can control cookies through your browser settings; disabling essential cookies may impair the Service.

12. Data retention

We retain personal data for as long as your account is active or as needed to provide the Service, and thereafter as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. You may request deletion of your account and associated data as described below; some data may be retained where required by law or for legitimate business purposes.

13. Data security

We implement administrative, technical, and organizational safeguards designed to protect information, including encryption of integration credentials, tenant isolation enforced via row-level security, least-privilege access controls, and audit logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

14. International data transfers

We and our sub-processors may process information in the United States and other countries that may have different data-protection laws than your jurisdiction. Where required, we use appropriate safeguards, such as Standard Contractual Clauses, for international transfers.

15. Your privacy rights

Depending on your jurisdiction, you may have rights to access, correct, update, delete, restrict, or object to the processing of your personal information, to data portability, and to withdraw consent. Residents of California and certain other U.S. states may have rights to know, delete, correct, and opt out of the “sale” or “sharing” of personal information; we do not sell personal information.

To exercise any of these rights, contact us at info@kollitech.com. We will respond consistent with applicable law and may need to verify your identity. We will not discriminate against you for exercising your rights.

16. Children’s privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will take appropriate steps to delete it.

17. Third-party links and services

The Service may link to or integrate with third-party websites and services that we do not control. Their privacy practices are governed by their own policies, and we are not responsible for them.

18. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date and, where appropriate, communicated to you. Your continued use of the Service after changes take effect constitutes acceptance.

19. Contact us

Questions, requests, or complaints about this Privacy Policy or our data practices can be sent to info@kollitech.com. We are the controller of personal information processed in connection with the Service.