Last updated: July 2, 2026
Privacy Policy
Effective Date: May 22, 2026
1. Introduction
This Privacy Policy describes how Pure Reason Inc. (“Pure Reason,” “we,” “us,” or “our”), a Delaware corporation, collects, uses, discloses, and protects personal information through our product Kylon and our website at kylon.io (collectively, the “Service”).
Kylon provides individuals and teams with a platform to build and manage Agent Teams.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Service.
This Privacy Policy applies to all users of the Service, including workspace administrators, members, and any individuals whose information may be processed through the Service.
2. Information We Collect
We collect information in the following categories:
2.1 Account Information
When you create an account or are invited to a workspace, we collect:
- Name and display name
- Email address
- Avatar image URL
- Authentication provider information (e.g., SSO provider, session identifiers)
Account creation and authentication are managed through our authentication partner, Clerk. Please refer to Section 6 and Clerk’s own privacy policy for details on their data handling practices.
2.2 User Preferences
We store your configurable preferences, which may include:
- Timezone and language settings
- User interface preferences
- Notification preferences
2.3 Device and Session Information
When you access the Service, we automatically collect:
- Device information: installation identifier, platform (web, macOS, iOS, Android), client type, device name, and application version
- Session information: authentication provider used, session identifiers, session issuance time, last activity time, and session expiration time
- First and last seen timestamps for each device
2.4 Content Data
The Service is designed for collaboration, and we process content you and other workspace members create, including:
- Messages: text messages sent in channels and threads
- Files: documents, images, and other files you upload, along with associated metadata (file name, MIME type, file size)
- Table data: structured data entries you create in workspace tables
- Voice and audio data: audio from voice meetings and calls conducted through the Service
2.5 Connection and Integration Data
When you connect third-party services to your workspace (e.g., Gmail, GitHub, Notion, Twitter/X), we collect:
- OAuth tokens and API keys for the connected service (stored in encrypted form)
- External account identifiers and remote user identifiers
- Connection metadata (service type, connection status)
We do not access data from connected third-party services beyond the scope of permissions you grant during the connection process.
2.6 Usage and Analytics Data
We collect product usage data to improve the Service, including:
- Feature usage patterns and interaction events
- Performance metrics
- Error reports (error messages, page URLs, HTTP status codes, request identifiers)
2.7 Push Notification Tokens
If you enable push notifications, we collect device tokens necessary to deliver notifications via:
- Web Push (VAPID protocol)
- Firebase Cloud Messaging (FCM) for Android
- Apple Push Notification Service (APNs) for iOS and macOS
3. How We Collect Information
We collect information through the following means:
- Directly from you: when you create an account, configure your profile, send messages, upload files, set preferences, or connect third-party services.
- Automatically: through your use of the Service, including device information, session data, and usage analytics.
- From authentication providers: account information is synchronized from our authentication provider, Clerk, based on your sign-up or SSO login.
- From third-party integrations: when you authorize connections to external services, we receive authentication credentials and identifiers from those services via OAuth or API key exchange, managed through our integration partner, Composio.
- From AI model providers: responses generated by AI agents in your workspace are received from third-party AI model providers (see Section 5).
4. How We Use Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Service: creating and managing your account, enabling workspace collaboration, processing messages, storing files, and facilitating AI agent interactions | Performance of contract |
| AI Processing: sending user content to third-party AI model providers to generate agent responses, summaries, and automated actions within workspaces | Performance of contract; Legitimate interest |
| Authentication and Security: verifying your identity, managing sessions, preventing unauthorized access, and detecting abuse | Performance of contract; Legitimate interest |
| Third-Party Integrations: connecting your workspace to external services you authorize, executing workflows, and synchronizing data | Performance of contract; Consent |
| Push Notifications: delivering real-time notifications about workspace activity to your devices | Consent; Performance of contract |
| Voice Communications: facilitating voice meetings and calls within workspaces | Performance of contract |
| Analytics and Improvement: understanding how the Service is used, diagnosing technical issues, and improving features and performance | Legitimate interest |
| Error Reporting and Debugging: collecting and analyzing error data to identify and resolve technical issues | Legitimate interest |
| Compliance: meeting legal obligations, responding to lawful requests, and enforcing our terms of service | Legal obligation; Legitimate interest |
| Communications: sending you service-related communications (e.g., security alerts, policy changes) | Performance of contract; Legitimate interest |
We do not sell your personal information. We do not use your personal information for advertising or ad-targeting purposes.
5. AI Processing Disclosure
5.1 How AI Agents Work in Kylon
Kylon’s core functionality includes AI agents that operate as workspace members. These agents can read messages, generate responses, process files, execute workflows, and interact with connected services — all within the permissions and context of your workspace.
5.2 Data Sent to AI Model Providers
To enable AI agent functionality, user-generated content— including messages, file contents, table data, and related workspace context — is transmitted to third-party AI model providers listed on our Subprocessors page. The specific provider used may vary depending on the task, model routing configuration, and availability.
5.3 What AI Providers Do with Your Data
We use these providers’ API services, which are governed by their respective data processing agreements. Under our agreements with these providers:
- Your data is processed to generate responses and is not used to train their general-purpose models.
- Data is transmitted securely via encrypted connections (TLS).
- Providers may temporarily retain input and output data for abuse monitoring and safety purposes, in accordance with their policies.
5.4 Your Control Over AI Processing
Workspace administrators can configure which channels and workflows involve AI agent interactions. If you have questions about AI processing in your workspace, please contact your workspace administrator or reach out to us at the contact information provided in Section 14.
6. Information Sharing and Sub-processors
We share personal information only as described in this policy. We do not sell personal information.
6.1 Sub-processors
We use a number of third-party service providers (“sub-processors”) to operate the Service. A current, maintained list of our sub-processors — including their function — is available at: kylon.io/subprocessors. We update that page whenever our sub-processors change; we do not separately notify workspace administrators by email.
6.2 Other Disclosures
We may also share personal information:
- With your workspace administrator and members: content you contribute to a workspace is visible to other members of that workspace, subject to workspace and channel access controls.
- As directed by you: when you connect third-party services or authorize specific data sharing.
- For legal compliance: to comply with applicable law, regulation, legal process, or governmental request.
- To protect rights and safety: to enforce our agreements, protect the rights, privacy, safety, or property of Pure Reason, our users, or the public.
- In business transfers: in connection with a merger, acquisition, reorganization, or sale of assets, in which case personal information may be transferred to the successor entity.
7. Data Storage and Security
7.1 Where We Store Data
Your data is stored primarily on Google Cloud Platform infrastructure in the United States. Specific storage mechanisms include:
- PostgreSQL database (with pgvector extension) hosted on GCP for structured data (accounts, messages, tables, metadata)
- Google Cloud Storage (GCS) for uploaded files
- Redis for caching and ephemeral data
7.2 Security Measures
We implement technical and organizational measures designed to protect your personal information, including:
- Encryption at rest and in transit: data is encrypted in transit using TLS. Sensitive credentials (OAuth tokens, API keys) are encrypted at rest using pgcrypto.
- Authentication and access control: Clerk-based authentication with session management, API key authentication with rotation support, and role-based access control scoped to workspaces and channels.
- Session management: device tracking, session expiration, and session revocation capabilities.
- Network security: CORS restrictions and API gateway protections.
- Secrets management: production secrets are managed through Doppler and GCP Secret Manager, with separation from application code.
- Monitoring: error reporting and logging infrastructure for incident detection.
While we take reasonable measures to protect your information, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
7.3 SOC 2 Type II in Progress
Pure Reason's SOC 2 Type II is in progress to demonstrate our commitment to security, availability, and confidentiality.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention practices include:
- Account data: retained for the duration of your account. Upon account deletion, account data is deleted within 30 days, with backups purged within 90 days.
- Content data (messages, files, table data): retained for the duration of the workspace in which the content resides. Workspace administrators may delete content within the Service. When a workspace is deleted, all associated content data is deleted within 30 days, with backups purged within 90 days.
- Session and device data: session records are retained for 90 days after session expiration.
- Usage and analytics data: retained in aggregated or anonymized form for 12 months.
- Error logs: retained for 30 days.
- Connection credentials: OAuth tokens and API keys are deleted when a connection is removed by the user or workspace administrator.
We may retain certain information as required by applicable law or for legitimate business purposes (e.g., fraud prevention, dispute resolution).
Pure Reason maintains a formal data retention schedule and deletion procedures in accordance with this policy.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
9.1 Rights Under the EU/EEA General Data Protection Regulation (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete personal data.
- Erasure(“right to be forgotten”): request deletion of your personal data, subject to legal exceptions.
- Restriction: request that we restrict processing of your personal data in certain circumstances.
- Data portability: receive your personal data in a structured, commonly used, machine-readable format.
- Object: object to processing based on legitimate interests, including profiling.
- Withdraw consent: withdraw consent at any time where processing is based on consent.
- Lodge a complaint: file a complaint with your local data protection authority.
To exercise these rights, contact us at the address provided in Section 14. We will respond within 30 days (or as required by applicable law).
Data Protection Officer: Quinn — privacy@kylon.io
9.2 Rights Under the California Consumer Privacy Act (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know: request disclosure of the categories and specific pieces of personal information we have collected about you.
- Delete: request deletion of your personal information, subject to legal exceptions.
- Correct: request correction of inaccurate personal information.
- Opt out of sale/sharing: we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
- Non-discrimination: we will not discriminate against you for exercising your privacy rights.
| CCPA Category | Examples |
|---|---|
| Identifiers | Name, email address, device identifiers, account ID |
| Internet or electronic network activity | Usage data, error logs, session information |
| Professional or employment-related information | Workspace membership, role within workspaces |
| Geolocation data | Timezone setting (approximate location only) |
| Audio, electronic, or visual information | Voice call audio, uploaded files |
| Inferences | AI-generated content based on workspace data |
To submit a CCPA request, contact us at the address provided in Section 14. We will verify your identity before processing your request.
9.3 Rights Under Singapore’s Personal Data Protection Act (PDPA)
If you are located in Singapore, you have the right to:
- Access: request access to your personal data held by us and information about how it has been used or disclosed in the past year.
- Correction: request correction of any error or omission in your personal data.
- Withdrawal of consent: withdraw your consent for collection, use, or disclosure of your personal data (subject to legal and contractual restrictions).
- Data portability: request a copy of your data in a commonly used machine-readable format (where applicable under the PDPA’s data portability provisions).
To exercise these rights, contact our Data Protection Officer at the address provided in Section 14.
9.4 How to Exercise Your Rights
You may exercise your rights by contacting us using the information in Section 14. We may need to verify your identity before fulfilling your request. We will respond within the timeframe required by applicable law.
10. Cookies and Tracking Technologies
10.1 Marketing site (kylon.io)
Our public marketing site uses cookieless analytics— our analytics provider does not set cookies, does not write to localStorage, and does not store a persistent identifier in your browser.
We may use third-party advertising and conversion-tracking services (such as Google Ads) that set their own cookies or local-storage entries in your browser to measure the effectiveness of our marketing campaigns. These cookies are governed by the respective provider’s privacy policy. You can manage or disable these cookies through your browser settings at any time.
10.2 Product (app.kylon.io)
| Type | Purpose | Duration |
|---|---|---|
| Strictly necessary | Authentication, session management, security | Session / persistent |
| Functional | User preferences, language, timezone | Persistent |
| Analytics | Product usage analytics (PostHog), enabled after sign-in | Persistent |
10.3 Third-Party Cookies
Our authentication provider (Clerk) may set cookies inside the product (app.kylon.io) for authentication and session management. Once you sign in, our analytics provider (PostHog) may set cookies to associate product usage with your account.
10.4 Your Cookie Choices
You can manage cookies through your browser settings at any time. Disabling strictly necessary cookies inside the product may prevent it from functioning properly.
11. Children’s Privacy
The Service is not intended for use by individuals under the age of 16 (or under 13 in the United States). We do not knowingly collect personal information from children under these ages.
If we become aware that we have collected personal information from a child under the applicable age threshold, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at the address provided in Section 14.
12. International Data Transfers
Your personal information may be transferred to, stored in, and processed in countries other than your country of residence, including the United States, where our primary infrastructure is located. Our Data Processing Agreement, available at kylon.io/dpa, sets out the safeguards that apply to such transfers, including the EU Standard Contractual Clauses where applicable.
By using the Service, you acknowledge that your information may be transferred to and processed in jurisdictions with different data protection laws than your own.
13. Data Processing Agreement
Where Pure Reason processes Personal Data as a processor on behalf of a Customer, our Data Processing Agreement, available at kylon.io/dpa, sets out our processing terms — including our roles, sub-processor arrangements, and the EU Standard Contractual Clauses that apply to international transfers — and is incorporated by reference into our agreement with that Customer.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy.
- Notify workspace administrators via email and in-app notification.
- For material changes that significantly alter how we process personal data, continued use of the Service after the notice period constitutes acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
15. Contact Information
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us at:
Pure Reason Inc.
privacy@kylon.io
For GDPR inquiries: Quinn — privacy@kylon.io
For CCPA requests: privacy@kylon.io
16. Supplemental Notices
16.1 For Workspace Administrators
As a workspace administrator, you may have additional responsibilities under applicable data protection laws regarding the personal data of members in your workspace. You act as a data controller (or equivalent) for content data created within your workspace, and Pure Reason acts as a data processor on your behalf. Our Data Processing Agreement is available at kylon.io/dpa.
16.2 For AI Agent Developers
If you develop or configure AI agents within Kylon, you are responsible for ensuring that the agents you deploy comply with applicable data protection laws and do not process personal data beyond the scope authorized by your workspace’s data governance policies.
© 2026 Pure Reason Inc. All rights reserved.