Last updated: 15 June 2026
This policy explains how KiTT, operated by Wiktis Pty Ltd (ABN 72 692 004 970) ("KiTT", "we", "us", or "our"), collects, uses, discloses, and protects personal information when you use the KiTT platform and website (the "Service"). KiTT is an AI chief of staff that connects to the tools you authorise and helps you run your team and your day.
By using the Service, you agree to the practices described in this policy. We handle personal information in line with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, and, where they apply to you, other privacy laws.
This policy covers personal information we handle as the business responsible for the Service. Where we process data on your behalf as part of running your workspace ("Customer Data") — such as the messages and content KiTT reads and drafts for you — we handle it to provide the Service to you and in line with this policy.
1. Definitions
Customer Data means data submitted to or processed by the Service on your behalf, including connection credentials such as authorisation tokens, workspace and user identifiers, your workspace settings, content you add to or generate in KiTT, the messages KiTT reads and drafts, your scheduled tasks, your approval decisions, and service logs.
Personal information has the meaning given in the Australian Privacy Act, and broadly means information about an identified individual, or an individual who is reasonably identifiable.
2. Information we collect
Account information. When you sign up, we collect your name and email address, and the settings and content you add to your workspace. If you subscribe, our payment processor collects your billing details (we do not store full card numbers).
Workspace and user identifiers. To run the integrations you connect, we store identifiers and limited metadata for your workspace and for the people who interact with KiTT, such as a Slack or account user ID, display name, and email address where the provider makes it available.
Connection credentials. We store the authorisation tokens and related settings needed to maintain the integrations you enable, including their scopes and expiry information. These are stored encrypted.
Content inside KiTT. To provide continuity and run the Service, we store content created or used in KiTT, including your conversations with KiTT and its responses, drafts and documents, summaries and working notes KiTT maintains to do its job, your approval and rejection decisions, and your scheduled task settings.
Message and tool content from connected services. When you connect a service, KiTT accesses the data you authorise so it can read context, draft, and carry out tasks you approve. This may include messages in the channels where KiTT is active, direct messages to KiTT, calendar events, email content, and documents, depending on the integrations you enable and the access you grant.
Service logs and usage data. We collect operational data such as timestamps, error logs, and records of tasks run and approvals given, so we can keep the Service running, secure, and reliable.
Communications with us. If you contact us for support or otherwise, we collect what you send.
Website analytics, advertising, and attribution data. When you visit our marketing website or begin a sign up, we may collect cookie and similar identifiers, device and browser information, IP address, pages viewed, and campaign or referral data, for analytics, measurement, and attribution. These run on our marketing surface, not inside the application. See our Cookies Policy for detail.
Sensitive information. We do not seek to collect sensitive information (such as health information) unless it is necessary for the Service and you provide it.
3. How we use your information
We use the information above to:
- Provide and run the Service — authenticate you, maintain the integrations you enable, read context, draft content, carry out tasks you approve, and keep your workspace working over time. This includes sending communications on your behalf — replies you approve, and, where you turn on automatic clarifying messages, a clarifying question sent on your behalf to gather a missing detail before KiTT brings the item to you.
- Generate output using AI — relevant content is processed by AI to produce drafts, summaries, and suggestions at your direction. We do not use Customer Data for advertising, and we do not train our own or any third-party foundation models on Customer Data.
- Keep the Service secure — detect and prevent fraud, abuse, and unauthorised access, and investigate incidents.
- Improve the Service — using aggregated or de-identified data that does not reasonably identify you, to understand usage and improve reliability.
- Communicate with you — send service and security messages, billing and account messages, and support.
- Run analytics and attribution on our marketing surface — measure website use and how sign ups come about.
- Meet our legal obligations and enforce our terms.
4. AI processing and AI providers
When you use KiTT's AI features, the content needed is sent to third-party AI providers. We currently use Anthropic (language models, to read context and generate drafts, summaries, and suggestions) and Voyage AI, operated by MongoDB, Inc. (embeddings, to convert content into numerical representations so KiTT can retrieve the most relevant context for you). We require AI providers to use your data only to generate the output you have asked for, and:
- your data is processed in isolated requests and is not visible to other customers;
- your data is not used to train or improve the provider's models;
- Anthropic automatically deletes the inputs and outputs of each API request after 7 days, does not use them to train its models, and has applied this as its API default since 14 September 2025; other providers may briefly retain data under their API policies for security and abuse monitoring; and
- processing takes place in the United States or other regions used by those providers under their enterprise terms.
Embeddings and semantic memory. To let KiTT retrieve the most relevant context for you, content you or KiTT generate, including content derived from your connected accounts, is converted into numerical embeddings using the voyage-3.5 model provided by Voyage AI, a business of MongoDB, Inc. Embeddings are generated for your workspace only, are not shared across customers, and are not used to train or improve Voyage AI's, MongoDB's, or any other party's models. Content derived from Google Workspace, Microsoft or Slack is never used to train generalised or foundation AI or machine-learning models, by us or by any provider.
5. How we share information
We do not sell your personal information.
Service providers (subprocessors). We use trusted providers to host and run the Service. They process data only to provide their service to us, under agreements that limit their use of it. Our current subprocessors are:
| Provider | Purpose | Data potentially processed |
|---|---|---|
| Supabase | Database and storage, hosted in the United States (AWS US East, Northern Virginia) | Account data, workspace content, logs, encrypted credentials |
| Vercel | Web and application hosting | Request metadata, logs, content needed to serve the app |
| SendGrid | Email delivery | Email addresses and the content of service emails |
| Inngest | Background job and workflow execution | Task inputs and outputs needed to run scheduled work |
| Stripe | Payments and billing | Billing contact details and transaction metadata (card details handled by Stripe) |
| Anthropic | AI processing | The prompt and context needed to generate an output; inputs and outputs auto-deleted after 7 days, not used to train models |
| Voyage AI (MongoDB, Inc.) | Text embeddings for retrieval and search (United States) | Workspace content you or KiTT generate, converted to embeddings; not used to train models |
| Slack | Slack integration | Messages and metadata in channels and DMs where KiTT is active |
| Google | Gmail, Calendar, and Drive integrations (if enabled) | Data accessed via the scopes you authorise |
| Microsoft | Outlook integration (if enabled) | Data accessed via the scopes you authorise |
| Notion | Notion integration (if enabled) | Notion content you authorise |
AI providers. As described in section 4.
Analytics and attribution. We use analytics and attribution tools on our marketing surface, which may receive online identifiers and campaign data. We do not use the content KiTT reads from your connected services for advertising.
Legal and protection. We may disclose information where we reasonably believe it is required by law or legal process, or necessary to prevent harm, prevent fraud or abuse, or protect the rights, property, or safety of our users, the public, or us.
Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, information may be disclosed to advisers and any successor, subject to confidentiality protections.
6. Google user data
This section describes how KiTT handles data from Google services, and applies in addition to the rest of this policy.
When you connect a Google service, KiTT accesses Google user data only after you grant permission through Google's consent screen, and only within the scopes you authorise. Depending on which Google services you enable, this may include:
- Gmail — reading email content and metadata, and sending email on your behalf, so KiTT can summarise and surface what matters, and draft and send the replies you approve;
- Google Calendar — reading and managing calendar events so KiTT can help you manage your schedule; and
- Google Drive — accessing files you authorise so KiTT can work with them at your request.
KiTT uses Google user data only to provide and improve the user-facing features described above, and only as you direct. We affirm that:
- our use of information received from Google APIs follows the Google API Services User Data Policy, including its Limited Use requirements;
- we do not use Google user data for advertising;
- we do not sell Google user data;
- we do not transfer Google user data to others except as needed to provide or improve user-facing features, to comply with the law, or as part of a merger or acquisition; and
- we do not use Google user data to train or improve generalised or foundation AI or machine learning models, and we do not allow our AI providers to do so.
Any human access to Google user data is limited to the narrow cases the Limited Use requirements allow, such as with your consent, for security, to comply with the law, or where the data has been aggregated and de-identified.
You can revoke KiTT's access to your Google account at any time from your KiTT settings or from your Google Account permissions page. Revoking access stops new collection from that source.
7. Microsoft and Slack data
Microsoft. When you connect Outlook, KiTT accesses Microsoft data only within the scopes you authorise, and uses it only to provide the features you have asked for. We do not sell it or use it for advertising, and we do not use it to train generalised AI models. You can revoke access at any time. We maintain a privacy statement that is at least as protective of your data as the Microsoft Privacy Statement, apply retention and deletion policies to Microsoft data (including deleting it when you uninstall KiTT, close your account, or your account is abandoned), and obtain renewed consent if our processing of Microsoft data materially changes. Our relationship with Microsoft is not a joint-controller or processor-subprocessor relationship.
Slack. When you connect Slack, KiTT accesses messages and metadata in the channels and DMs where it is active, and may provision a private channel for a team member, to read context, respond and carry out tasks you approve. We use Slack API data only to operate the Service for you; we store only the minimum necessary; we do not use Slack API data to train large language models, do not bulk-export Slack data or create persistent copies, archives, indexes or long-term data stores beyond what is needed to provide the Service, and do not use one organisation's Slack data to benefit another organisation or any third party. We do not sell it or use it for advertising. You can revoke access at any time from Slack.
8. Storage and security
Customer Data is stored with reputable cloud providers, primarily in the United States (AWS US East, Northern Virginia), using encryption in transit and at rest, access controls, and monitoring appropriate to the data. We maintain organisational and technical safeguards designed to protect personal information from loss, misuse, and unauthorised access, and we have processes to respond to security incidents, including notifying affected people and authorities where the law requires.
You are responsible for keeping your own workspace secure, including managing who has access to your connected services and to KiTT.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
9. Data retention
We keep personal information only as long as we need it to provide the Service, to meet our legal obligations, and to resolve disputes.
When your account is closed, or we receive a valid deletion request, we delete Customer Data from our active systems within around 30 days. Encrypted backups used for business continuity age out on their normal rotation, after which they are overwritten or purged. Derived data, such as indexes or other internal representations, is deleted or disassociated when the underlying Customer Data is deleted, subject to backup rotation and legal obligations.
Disconnecting an integration or cancelling stops new collection, but does not by itself delete data already stored. To have stored data deleted, close your account or contact us.
10. Your rights and choices
Depending on where you live, you have rights over your personal information. In Australia, under the Australian Privacy Principles, you can:
- Access the personal information we hold about you;
- Correct information that is inaccurate, out of date, or incomplete;
- Ask us to delete your workspace and the personal information associated with it; and
- Withdraw consent or disconnect a service at any time from your settings or the provider.
For workspace-level data, we may need a request to come from the account owner or an administrator, or we may direct an individual to their administrator, where that is appropriate.
To exercise a right, contact us at privacy@trykitt.app. We may need to verify your identity first. We will respond within the time the law requires. If we refuse a request, we will explain why and how you can take it further.
Marketing. If you opt in to marketing, you can opt out at any time using the unsubscribe link or by contacting us. You will still receive essential service messages.
Complaints. If you have a privacy concern, contact us first and we will try to resolve it. If you are in Australia and are not satisfied, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Users outside Australia. If you are in the EEA, the UK, or another region with its own privacy laws, you may have additional rights, such as the right to data portability, to object to or restrict certain processing, and to lodge a complaint with your local supervisory authority. If you are a resident of a US state with privacy rights, you may have rights to know, access, delete, correct, and opt out of certain uses. Contact us to exercise any of these.
10A. US state privacy rights and Your Privacy Choices
US state privacy rights. If you are a resident of California or another US state with privacy rights, you have the right to know, access, correct, delete, and to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising, and to limit the use of sensitive personal information. We treat the contents of your communications as sensitive personal information. We do not sell personal information for money. Because we use advertising and analytics tags (Google Ads, Meta, LinkedIn) on our marketing website, some disclosures may be considered "sharing." You can exercise your choices via the "Your Privacy Choices" link in our website footer, and we honor Global Privacy Control (GPC) browser signals. We do not use the content KiTT reads from your connected accounts for advertising.
10B. Automated decision-making
Automated processing. KiTT uses AI to triage messages, draft content and make suggestions, and, where you enable it, to send clarifying messages on your behalf. These features assist you; you make the decisions and review output before relying on it. KiTT does not make decisions that produce legal or similarly significant effects about you without your involvement. Where a feature could significantly affect an individual's rights or interests, we describe in this policy the kinds of personal information used and the role of automated processing.
11. Children
The Service is for business use and is not directed at children. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us personal information, contact us and we will delete it.
12. International transfers
International transfers. Customer Data is processed primarily in the United States. Where we transfer personal data from the EEA, the UK or Switzerland to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (2021), the UK International Data Transfer Addendum/IDTA, and equivalent Swiss safeguards, supported by a Transfer Impact Assessment, together with technical measures including encryption in transit and at rest. A copy of the relevant clauses is available on request.
12A. Data Processing Addendum and roles
Controller and processor roles. For personal information in the content KiTT reads, drafts and acts on from your connected accounts (such as email, calendar, messages and documents), you are the controller (or, under the Australian Privacy Act, the responsible APP entity) and KiTT acts as your processor, handling that data on your documented instructions to provide the Service. For account, billing and website-analytics data, KiTT is the controller. A Data Processing Addendum (DPA), incorporating the EU Standard Contractual Clauses and the UK International Data Transfer Addendum where relevant, is available at trykitt.app/dpa and is offered to all customers; for business customers it is deemed incorporated into these Terms on acceptance.
13. Changes to this policy
We may update this policy as the Service and the law change. Where changes are material, we will take reasonable steps to let you know, for example by notifying you in the app or by email. The "Last updated" date shows the most recent version. If you keep using the Service after a change takes effect, you accept the updated policy.
14. Contact
Privacy questions and requests can be sent to privacy@trykitt.app, or to the address published on our website.