Privacy Policy

AI Data Desk B.V. ("we", "us", "our") operates the KAI platform, accessible at aidatadesk.com and kai.aidatadesk.com ("the Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have under applicable law — including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

We do not sell your personal data. We do not use your Gmail data, Google Calendar data, Outlook data, Microsoft Calendar data, email content, or meeting transcripts for advertising, profiling, or any purpose other than providing the Service to you.

This Privacy Policy should be read alongside our Cookie Policy and Terms of Service.

KAI does not carry out automated decision-making within the meaning of Article 22 GDPR. All AI-generated outputs are suggestions only and require human review before use.

AI Data Desk B.V. has assessed its obligations to appoint a Data Protection Officer under Article 37 GDPR and has determined that a formal appointment is not required at this stage of operations. This assessment will be reviewed as the Service scales.

The data controller is:

AI Data Desk B.V.
Zekeringstraat 34c, 1014 BS Amsterdam, The Netherlands
KvK: 98144243
Email: info@aidatadesk.com

For all privacy-related questions or requests, contact us at info@aidatadesk.com. We will respond within 30 days at no charge.

• Full name
• Email address
• Profile picture (if provided via Google or Microsoft OAuth)
• Organisation name and role within the organisation

• OAuth tokens for Google (Gmail, Google Calendar) and/or Microsoft (Outlook, Microsoft Calendar), issued when you connect your account
• Tokens are stored using AES-256 encryption at rest and used solely to access the data you have authorised
• We request only the minimum OAuth scopes necessary to deliver the features of the Service. Specifically:
• https://www.googleapis.com/auth/gmail.modify (restricted scope) — allows KAI to read Gmail messages and metadata to generate AI-assisted reply suggestions, and to save AI-drafted replies as drafts in your Gmail account.
• https://www.googleapis.com/auth/gmail.labels (non-sensitive scope) — allows KAI to create, apply, and manage labels on your emails to organise your inbox.
• https://www.googleapis.com/auth/calendar.events (sensitive scope) — allows KAI to read existing calendar events to detect and join meetings for transcription, and to create new meeting invites on your behalf from within the KAI platform.

We do not request any Google API scope beyond what is strictly necessary to deliver these specific features. We do not request scopes for features not yet implemented.

• Email metadata: sender, recipient, subject line, and date
• Email body content, accessed solely to generate AI-assisted reply suggestions
• Labels and categories that KAI applies to your inbox to organise email threads

We access only the inbox data strictly necessary to provide the AI-assisted replies feature. We do not access, read, or store emails unrelated to that purpose. Email body content is not retained beyond the 6-month retention period described in Section 7, calculated from the date the email was first processed by the Service.

Human access to email data: No employee or contractor of AI Data Desk B.V. reads, accesses, or reviews your Gmail or Outlook data, except in the following narrowly limited circumstances: (a) you have given explicit permission for us to view specific content to resolve a support issue; (b) it is necessary to investigate a confirmed security incident or prevent abuse of the Service; or (c) we are required to do so by applicable law. In all such cases, access is strictly limited, logged, and auditable.

• Calendar event metadata (title, time, participants, and meeting links), used to detect and join meetings for transcription and to create meeting invites on your behalf
• Calendar content is not stored beyond what is necessary for the meeting transcription feature

• Audio and video of meetings you invite KAI to record
• Transcripts generated from meeting audio
• AI-generated summaries and action items

Raw audio and video are transmitted to Recall.ai solely for the purpose of transcription and are permanently deleted by Recall.ai immediately after transcription is complete. Recall.ai processes this data within the EU (Frankfurt, eu-central-1). They are never stored on our infrastructure. Note: meeting audio and video transmitted to Recall.ai is derived from your meeting, not from Google API data — Google Calendar data is used only to detect and schedule meeting joins. Transcripts and AI-generated summaries are retained for up to 6 months from the date of the meeting.

(Professional, Enterprise, and Free Trial plans only)

• Documents, files, and text uploaded to KAI's Knowledge Base
• Retained for the duration of your subscription and deleted within 30 days of account termination

Email reply suggestions, meeting summaries, action items, and Knowledge Base answers generated by the Service are stored in association with your account for up to 6 months from the date of generation

• IP address
• Browser type and version
• Operating system
• Pages visited and features used within the Service
• Session timestamps
• Error logs

• Subscription plan and status
• Payment processing is handled entirely by Stripe. We do not store credit card numbers or full payment credentials on our systems.

We process your personal data on the following legal bases under GDPR:

We will never use your Gmail data, Google Calendar data, Outlook data, Microsoft Calendar data, email content, or meeting transcripts for:

• Advertising or ad targeting of any kind
• Building or selling user profiles
• Training AI models — see Section 5 regarding Anthropic
• Improving our AI models or services beyond what is strictly necessary to operate the Service for you
• Profiling for purposes unrelated to delivering the Service

We work with the following sub-processors to deliver the Service. Each processes personal data only as instructed by us, under contractual data protection obligations consistent with GDPR Article 28.

Regarding HubSpot: HubSpot is used in two distinct ways: (a) on the marketing website (aidatadesk.com), HubSpot analytics and marketing cookies are placed with your consent to measure campaign performance and manage form submissions; and (b) as a CRM for users who have explicitly opted in to marketing communications from AI Data Desk B.V. HubSpot does not receive email content, meeting transcripts, or any data processed through the KAI application. When contextual web search is used within the Service, anonymised search queries may be sent to DuckDuckGo. No personally identifying information — including email content, names, or any user-identifiable data — is transmitted. DuckDuckGo does not act as a data processor under GDPR for this use as no personal data is shared.

Regarding Anthropic: Email content and meeting transcripts processed via Anthropic through AWS Bedrock (eu-central-1) are used solely to generate AI suggestions for the user who authorised access. Anthropic contractually does not use this data to train its models.

Regarding Recall.ai: Meeting audio and video is processed in the EU (Frankfurt, eu-central-1). Recall.ai receives meeting audio and video only — it does not receive Google API data (Gmail or Google Calendar data). Recall.ai deletes all audio and video immediately after transcription is complete.

We do not sell personal data to any third party. We do not share personal data with third parties for their own marketing purposes.

We will provide prior written notice at least 14 days in advance of any new sub-processor, giving you a reasonable opportunity to object before the new sub-processor begins processing your data.

KAI's access to and use of data received from Google APIs — including Gmail and Google Calendar — strictly complies with the Google API Services User Data Policy, including the Limited Use requirements.

KAI's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We use Gmail and Google Calendar data only to provide or improve user-facing features that are prominent in KAI's user interface and that the user has explicitly enabled and authorised. We do not use this data for any other purpose.
• We do not use Gmail or Google Calendar data for serving advertisements, including retargeting, personalised advertising, or interest-based advertising.
• We do not sell Gmail or Google Calendar data to any third party.
• We do not transfer Gmail or Google Calendar data to third parties except: (a) as necessary to provide or improve user-facing features that are clearly disclosed to the user; (b) to comply with applicable law; or (c) as part of a merger, acquisition, or sale of assets in which case the acquirer must agree to these same limitations.
• We do not use Gmail or Google Calendar data to build user profiles for sale or for use outside the Service.
• We do not use Gmail or Google Calendar data to train AI models.
• We do not allow any human at AI Data Desk B.V. to read Gmail or Google Calendar data, except in the following circumstances: (a) the user has given explicit, affirmative permission to access specific content for a defined support purpose; (b) it is necessary to investigate a confirmed security incident or prevent abuse of the Service; or (c) we are required to do so by applicable law. In all such cases access is minimised, logged, and auditable.
• We do not transfer Gmail or Google Calendar data to third parties except as strictly necessary to deliver the Service — specifically Anthropic via AWS Bedrock (eu-central-1) for AI-assisted reply generation — or as required by law. Meeting audio transmitted to Recall.ai for transcription is derived from your meeting session and is not Google API data.
• We request only the minimum OAuth scopes necessary — specifically gmail.modify (to read emails and save AI-drafted replies as drafts), gmail.labels (to create and apply email labels), and calendar.events (to read calendar events for meeting detection and to create meeting invites). We do not request scopes for features not yet implemented.

If Google API access is suspended or revoked: In the event that Google suspends or revokes KAI's access to Gmail or Google Calendar APIs, we will notify affected users promptly and disable Gmail and Google Calendar features until access is restored. Previously processed data remains subject to the retention periods in Section 7.

Backup purge: When data is deleted, it is removed from all active systems immediately. Residual copies in encrypted backups are purged within 30 days of the deletion date.

During suspension: If your account is suspended (for example due to a payment issue), your data is preserved and not deleted during the suspension period.

What happens when you disconnect your Google or Microsoft account:If you revoke KAI's access — either via the Service or directly through your Google or Microsoft account settings — we immediately invalidate and delete the associated OAuth tokens. Email or calendar data previously processed will be retained only for the remainder of the applicable 6-month window, calculated from the original date of first processing, after which it is permanently deleted. You may request immediate deletion by contacting info@aidatadesk.com.

What happens when you delete your account:Upon account deletion, all personal data — including email content, transcripts, Knowledge Base documents, and OAuth tokens — is permanently deleted within 30 days. Backups are purged within 30 days of deletion. Billing records are retained for 7 years as required by Dutch law. Firebase authentication tokens stored locally in your browser become invalid immediately upon account deletion; we recommend clearing your browser's local storage after account deletion.

We implement appropriate technical and organisational measures to protect your personal data, including:

• All data stored on AWS EU infrastructure (Frankfurt, eu-central-1)
• Encryption in transit (TLS 1.3) and at rest (AES-256)
• OAuth tokens stored securely and never exposed to other users
• Role-based access control and zero-trust architecture
• Periodic penetration testing by independent third parties
• Information security practices aligned with ISO 27001 standards

In the event of a personal data breach, we will notify the Controller within 48 hours of becoming aware of the incident, and will notify the relevant supervisory authority within 72 hours. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay.

As a data subject under GDPR, you have the following rights:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your personal data, subject to legal retention obligations
• Right to restriction — request that we limit how we use your data in certain circumstances
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
• Right to disconnect — you may revoke KAI's access to your Google account at myaccount.google.com/permissions or Microsoft account at account.microsoft.com/privacy/app-access at any time, independently of contacting us

To exercise any of these rights, contact info@aidatadesk.com. We will respond within 30 days at no charge.

You have the right to lodge a complaint with the Dutch supervisory authority:

Autoriteit PersoonsgegevensPostbus 93374, 2509 AJ Den Haag www.autoriteitpersoonsgegevens.nl

Our primary infrastructure is located in the EU (AWS Frankfurt, eu-central-1). Where sub-processors operate outside the EU/EEA, we ensure adequate safeguards via Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46. Full details of each sub-processor's location and transfer mechanism are listed in Section 5.

The Service is intended exclusively for business use and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact info@aidatadesk.com and we will delete it promptly.

We may update this Privacy Policy from time to time. For material changes — including any change to how we handle Google API data — we will notify you by email and via a prominent notice within the Service at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance.

AI Data Desk B.V. Zekeringstraat 34c, 1014 BS Amsterdam, The Netherlands

KvK: 98144243

Email: info@aidatadesk.com

Website: www.aidatadesk.com