Last updated: May 6, 2026
Privacy Policy
Effective Date: May 22, 2026
1. Introduction
This Privacy Policy describes how Pure Reason Inc. (“Pure Reason,” “we,” “us,” or “our”), a Delaware corporation, collects, uses, discloses, and protects personal information through our product Kylon — an AI-native workspace platform — and our website at kylon.io (collectively, the “Service”).
Kylon enables organizations to create collaborative workspaces where human users and AI agents work together as peers. The Service includes channel-based messaging, file storage, structured data tables, AI agent interactions, voice meetings, workflow automations, and integrations with third-party services.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Service.
This Privacy Policy applies to all users of the Service, including workspace administrators, members, and any individuals whose information may be processed through the Service.
2. Information We Collect
We collect information in the following categories:
2.1 Account Information
When you create an account or are invited to a workspace, we collect:
- Name and display name
- Email address
- Avatar image URL
- Authentication provider information (e.g., SSO provider, session identifiers)
Account creation and authentication are managed through our authentication partner, Clerk. Please refer to Section 6 and Clerk’s own privacy policy for details on their data handling practices.
2.2 User Preferences
We store your configurable preferences, which may include:
- Timezone and language settings
- User interface preferences
- Notification preferences
2.3 Device and Session Information
When you access the Service, we automatically collect:
- Device information: installation identifier, platform (web, macOS, iOS, Android), client type, device name, and application version
- Session information: authentication provider used, session identifiers, session issuance time, last activity time, and session expiration time
- First and last seen timestamps for each device
2.4 Content Data
The Service is designed for collaboration, and we process content you and other workspace members create, including:
- Messages: text messages sent in channels and threads
- Files: documents, images, and other files you upload, along with associated metadata (file name, MIME type, file size)
- Table data: structured data entries you create in workspace tables
- Voice and audio data: audio from voice meetings and calls conducted through the Service
2.5 Connection and Integration Data
When you connect third-party services to your workspace (e.g., Gmail, GitHub, Notion, Twitter/X), we collect:
- OAuth tokens and API keys for the connected service (stored in encrypted form)
- External account identifiers and remote user identifiers
- Connection metadata (service type, connection status)
We do not access data from connected third-party services beyond the scope of permissions you grant during the connection process.
2.6 Usage and Analytics Data
We collect product usage data to improve the Service, including:
- Feature usage patterns and interaction events
- Performance metrics
- Error reports (error messages, page URLs, HTTP status codes, request identifiers)
2.7 Push Notification Tokens
If you enable push notifications, we collect device tokens necessary to deliver notifications via:
- Web Push (VAPID protocol)
- Firebase Cloud Messaging (FCM) for Android
- Apple Push Notification Service (APNs) for iOS and macOS
3. How We Collect Information
We collect information through the following means:
- Directly from you: when you create an account, configure your profile, send messages, upload files, set preferences, or connect third-party services.
- Automatically: through your use of the Service, including device information, session data, and usage analytics.
- From authentication providers: account information is synchronized from our authentication provider, Clerk, based on your sign-up or SSO login.
- From third-party integrations: when you authorize connections to external services, we receive authentication credentials and identifiers from those services via OAuth or API key exchange, managed through our integration partner, Composio.
- From AI model providers: responses generated by AI agents in your workspace are received from third-party AI model providers (see Section 5).
4. How We Use Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Service: creating and managing your account, enabling workspace collaboration, processing messages, storing files, and facilitating AI agent interactions | Performance of contract |
| AI Processing: sending user content to third-party AI model providers to generate agent responses, summaries, and automated actions within workspaces | Performance of contract; Legitimate interest |
| Authentication and Security: verifying your identity, managing sessions, preventing unauthorized access, and detecting abuse | Performance of contract; Legitimate interest |
| Third-Party Integrations: connecting your workspace to external services you authorize, executing workflows, and synchronizing data | Performance of contract; Consent |
| Push Notifications: delivering real-time notifications about workspace activity to your devices | Consent; Performance of contract |
| Voice Communications: facilitating voice meetings and calls within workspaces | Performance of contract |
| Analytics and Improvement: understanding how the Service is used, diagnosing technical issues, and improving features and performance | Legitimate interest |
| Error Reporting and Debugging: collecting and analyzing error data to identify and resolve technical issues | Legitimate interest |
| Compliance: meeting legal obligations, responding to lawful requests, and enforcing our terms of service | Legal obligation; Legitimate interest |
| Communications: sending you service-related communications (e.g., security alerts, policy changes) | Performance of contract; Legitimate interest |
We do not sell your personal information. We do not use your personal information for advertising or ad-targeting purposes.
5. AI Processing Disclosure
5.1 How AI Agents Work in Kylon
Kylon’s core functionality includes AI agents that operate as workspace members. These agents can read messages, generate responses, process files, execute workflows, and interact with connected services — all within the permissions and context of your workspace.
5.2 Data Sent to AI Model Providers
To enable AI agent functionality, user-generated content — including messages, file contents, table data, and related workspace context — is transmitted to third-party AI model providers for processing. These providers include:
- Anthropic (Claude models)
- OpenAI (GPT models)
- Google (Gemini models)
The specific provider used may vary depending on the task, model routing configuration, and availability.
5.3 What AI Providers Do with Your Data
We use these providers’ API services, which are governed by their respective data processing agreements. Under our agreements with these providers:
- Your data is processed to generate responses and is not used to train their general-purpose models.
- Data is transmitted securely via encrypted connections (TLS).
- Providers may temporarily retain input and output data for abuse monitoring and safety purposes, in accordance with their policies.
We encourage you to review the privacy policies of our AI model providers.
5.4 Your Control Over AI Processing
Workspace administrators can configure which channels and workflows involve AI agent interactions. If you have questions about AI processing in your workspace, please contact your workspace administrator or reach out to us at the contact information provided in Section 14.
6. Information Sharing and Sub-processors
We share personal information only as described in this policy. We do not sell personal information.
6.1 Sub-processors
We use the following categories of third-party service providers (“sub-processors”) to operate the Service:
| Sub-processor | Purpose | Data Processed |
|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure hosting, database, file storage | All Service data |
| Clerk | Authentication, SSO, session management | Account data, session data |
| Anthropic | AI model processing (Claude) | Workspace content sent to AI agents |
| OpenAI | AI model processing (GPT) | Workspace content sent to AI agents |
| Google (Gemini) | AI model processing (Gemini) | Workspace content sent to AI agents |
| LiveKit | Voice/audio call infrastructure | Voice call audio and metadata |
| Vapi | Voice AI processing | Voice call audio and metadata |
| PostHog | Product analytics | Usage events, anonymized interaction data |
| Vercel | Web application deployment | Application code, deployment metadata |
| Doppler | Secrets management | Encrypted configuration data |
| Firebase (FCM) | Push notifications (Android) | Device tokens, notification payloads |
| Apple (APNs) | Push notifications (iOS/macOS) | Device tokens, notification payloads |
| Composio | OAuth connection management | OAuth tokens, integration metadata |
| Grafana (Loki) | Error logging and monitoring | Error messages, URLs, request metadata |
| Cloudflare | CDN, DDoS protection, DNS | Network traffic metadata, IP addresses |
A current list of sub-processors is available upon request. We will notify workspace administrators of material changes to our sub-processor list at least 30 days in advance via email.
6.2 Other Disclosures
We may also share personal information:
- With your workspace administrator and members: content you contribute to a workspace is visible to other members of that workspace, subject to workspace and channel access controls.
- As directed by you: when you connect third-party services or authorize specific data sharing.
- For legal compliance: to comply with applicable law, regulation, legal process, or governmental request.
- To protect rights and safety: to enforce our agreements, protect the rights, privacy, safety, or property of Pure Reason, our users, or the public.
- In business transfers: in connection with a merger, acquisition, reorganization, or sale of assets, in which case personal information may be transferred to the successor entity.
7. Data Storage and Security
7.1 Where We Store Data
Your data is stored primarily on Google Cloud Platform infrastructure in the United States. Specific storage mechanisms include:
- PostgreSQL database (with pgvector extension) hosted on GCP for structured data (accounts, messages, tables, metadata)
- Google Cloud Storage (GCS) for uploaded files
- Redis for caching and ephemeral data
7.2 Security Measures
We implement technical and organizational measures designed to protect your personal information, including:
- Encryption at rest and in transit: data is encrypted in transit using TLS. Sensitive credentials (OAuth tokens, API keys) are encrypted at rest using pgcrypto.
- Authentication and access control: Clerk-based authentication with session management, API key authentication with rotation support, and role-based access control scoped to workspaces and channels.
- Session management: device tracking, session expiration, and session revocation capabilities.
- Network security: CORS restrictions and API gateway protections.
- Secrets management: production secrets are managed through Doppler and GCP Secret Manager, with separation from application code.
- Monitoring: error reporting and logging infrastructure for incident detection.
While we take reasonable measures to protect your information, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
7.3 SOC 2 Type II in Progress
Pure Reason's SOC 2 Type II is in progress to demonstrate our commitment to security, availability, and confidentiality.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention practices include:
- Account data: retained for the duration of your account. Upon account deletion, account data is deleted within 30 days, with backups purged within 90 days.
- Content data (messages, files, table data): retained for the duration of the workspace in which the content resides. Workspace administrators may delete content within the Service. When a workspace is deleted, all associated content data is deleted within 30 days, with backups purged within 90 days.
- Session and device data: session records are retained for 90 days after session expiration.
- Usage and analytics data: retained in aggregated or anonymized form for 12 months.
- Error logs: retained for 30 days.
- Connection credentials: OAuth tokens and API keys are deleted when a connection is removed by the user or workspace administrator.
We may retain certain information as required by applicable law or for legitimate business purposes (e.g., fraud prevention, dispute resolution).
Pure Reason maintains a formal data retention schedule and deletion procedures in accordance with this policy.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
9.1 Rights Under the EU/EEA General Data Protection Regulation (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete personal data.
- Erasure (“right to be forgotten”): request deletion of your personal data, subject to legal exceptions.
- Restriction: request that we restrict processing of your personal data in certain circumstances.
- Data portability: receive your personal data in a structured, commonly used, machine-readable format.
- Object: object to processing based on legitimate interests, including profiling.
- Withdraw consent: withdraw consent at any time where processing is based on consent.
- Lodge a complaint: file a complaint with your local data protection authority.
To exercise these rights, contact us at the address provided in Section 14. We will respond within 30 days (or as required by applicable law).
Data Protection Officer: Ashton Teng — privacy@kylon.io
EU Representative: Ashton Teng — privacy@kylon.io
9.2 Rights Under the California Consumer Privacy Act (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know: request disclosure of the categories and specific pieces of personal information we have collected about you.
- Delete: request deletion of your personal information, subject to legal exceptions.
- Correct: request correction of inaccurate personal information.
- Opt out of sale/sharing: we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
- Non-discrimination: we will not discriminate against you for exercising your privacy rights.
| CCPA Category | Examples |
|---|---|
| Identifiers | Name, email address, device identifiers, account ID |
| Internet or electronic network activity | Usage data, error logs, session information |
| Professional or employment-related information | Workspace membership, role within workspaces |
| Geolocation data | Timezone setting (approximate location only) |
| Audio, electronic, or visual information | Voice call audio, uploaded files |
| Inferences | AI-generated content based on workspace data |
To submit a CCPA request, contact us at the address provided in Section 14. We will verify your identity before processing your request.
9.3 Rights Under Singapore’s Personal Data Protection Act (PDPA)
If you are located in Singapore, you have the right to:
- Access: request access to your personal data held by us and information about how it has been used or disclosed in the past year.
- Correction: request correction of any error or omission in your personal data.
- Withdrawal of consent: withdraw your consent for collection, use, or disclosure of your personal data (subject to legal and contractual restrictions).
- Data portability: request a copy of your data in a commonly used machine-readable format (where applicable under the PDPA’s data portability provisions).
To exercise these rights, contact our Data Protection Officer at the address provided in Section 14.
9.4 How to Exercise Your Rights
You may exercise your rights by contacting us using the information in Section 14. We may need to verify your identity before fulfilling your request. We will respond within the timeframe required by applicable law.
10. Cookies and Tracking Technologies
10.1 Marketing site (kylon.io)
Our public marketing site uses cookieless analytics. We do not set cookies, do not write to localStorage, and do not store a persistent identifier in your browser. PostHog computes a privacy-preserving daily hash server-side so we can count unique visitors and measure aggregate funnels, without linking that count to any individual or to your activity across sessions. Because no personal data is processed for analytics on the marketing site, we do not display a cookie consent banner.
10.2 Product (app.kylon.io)
| Type | Purpose | Duration |
|---|---|---|
| Strictly necessary | Authentication, session management, security | Session / persistent |
| Functional | User preferences, language, timezone | Persistent |
| Analytics | Product usage analytics (PostHog), enabled after sign-in | Persistent |
10.3 Third-Party Cookies
Our authentication provider (Clerk) may set cookies inside the product (app.kylon.io) for authentication and session management. Once you sign in, our analytics provider (PostHog) may set cookies to associate product usage with your account.
10.4 Your Cookie Choices
On the marketing site, no action is required — we do not set cookies. Inside the product, you can manage cookies through your browser settings; disabling strictly necessary cookies may prevent the product from functioning properly.
11. Children’s Privacy
The Service is not intended for use by individuals under the age of 16 (or under 13 in the United States). We do not knowingly collect personal information from children under these ages.
If we become aware that we have collected personal information from a child under the applicable age threshold, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at the address provided in Section 14.
12. International Data Transfers
Your personal information may be transferred to, stored in, and processed in countries other than your country of residence, including the United States, where our primary infrastructure is located.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following mechanisms for international data transfers:
- Standard Contractual Clauses (SCCs): we enter into Standard Contractual Clauses approved by the European Commission with our sub-processors, as applicable.
- EU-U.S. Data Privacy Framework: where applicable, we rely on relevant adequacy decisions and data privacy framework certifications.
By using the Service, you acknowledge that your information may be transferred to and processed in jurisdictions with different data protection laws than your own.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy.
- Notify workspace administrators via email and in-app notification.
- For material changes that significantly alter how we process personal data, continued use of the Service after the notice period constitutes acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
14. Contact Information
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us at:
Pure Reason Inc.
privacy@kylon.io
For GDPR inquiries: Ashton Teng — privacy@kylon.io
For CCPA requests: privacy@kylon.io
15. Supplemental Notices
15.1 For Workspace Administrators
As a workspace administrator, you may have additional responsibilities under applicable data protection laws regarding the personal data of members in your workspace. You act as a data controller (or equivalent) for content data created within your workspace, and Pure Reason acts as a data processor on your behalf. We offer a Data Processing Agreement (DPA) upon request.
15.2 For AI Agent Developers
If you develop or configure AI agents within Kylon, you are responsible for ensuring that the agents you deploy comply with applicable data protection laws and do not process personal data beyond the scope authorized by your workspace’s data governance policies.
© 2026 Pure Reason Inc. All rights reserved.