Privacy Policy

Last updated: 2026-06-08

Kibo ("Kibo", "we", "us") operates the AI assistant available at kibowork.ai (the "Service"). This Privacy Policy explains what data we access, how we use and protect it, who we share it with, and the rights you have. We are committed to handling your data responsibly and transparently. It includes specific sections for the EU/EEA & UK (GDPR), California (CCPA/CPRA) and Japan (APPI).

1. Who we are

The data controller / personal-information-handling business operator is:

• [Legal entity name], [Registered address]
• Representative: [Representative name]
• Privacy contact: [email protected]

2. Information we collect

• Account data: name, email, organization name, authentication details.
• Content you provide: messages to the assistant, files you upload or index, preferences.
• Connected-service data: only the data covered by the permissions you grant (see §3).
• Usage data: technical logs, feature usage, and diagnostics needed to operate and secure the Service.

3. Connected services and Google user data

With your explicit consent, Kibo connects to the services you choose and accesses only what the features you enable require:

• Google Calendar — view and manage your calendar events.
• Google Contacts — view and manage your contacts.
• Google Tasks — view and manage your tasks.
• Google Drive (per-file access only) — Kibo can access only the files you create with Kibo or explicitly open/select for it (the drive.file scope). Kibo cannot browse or search the rest of your Drive.

We request the minimum scopes needed and never request access we don't use. You can revoke access at any time from your Google Account or within Kibo.

Limited Use of Google user data

Kibo's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We do not use Google user data to train, develop, or improve generalized or foundation AI/ML models.
• We use Google user data only to provide the user-facing features you request.
• We do not sell Google user data, and we share it only with the subprocessors strictly necessary to run the features you use (see §5).
• Humans do not read your Google user data except with your explicit permission (e.g., for support) or as required by law (see §7).

4. How we use your data (purpose of use)

We use the data above only to:

• Provide and operate the Service and the features you enable (managing events, tasks and contacts; finding and organizing files you share with Kibo).
• Build a private, per-user memory that improves the relevance of the assistant's responses to you.
• Secure the Service, prevent abuse, and meet legal obligations.

(For Japan/APPI, this section is the published purpose of use (利用目的).)

5. AI processing and subprocessors

Kibo is an AI assistant: to generate responses and perform actions, the content you send and the relevant connected-service data are transmitted to third-party AI model providers (currently Google Cloud Vertex AI) for processing (inference). We also use cloud hosting providers to run the Service.

• These providers act as subprocessors, bound by data-processing agreements, and may process your data only to provide the service to us — never for their own purposes.
• Our AI model providers do not use your data to train their models, and we do not permit such use.
• We do not share your data with advertisers, data brokers, or unrelated third parties.

6. Data storage and security

• In transit: all traffic between you and Kibo, and between Kibo and external services, is encrypted with TLS (HTTPS).
• At rest: your connected-account credentials and OAuth tokens are encrypted at the application level using AES-256-GCM. Other stored data is protected by access controls [and, where enabled, encrypted storage volumes].
• We apply industry-standard security control measures (安全管理措置). No method is perfectly secure, but we work to protect your data appropriately.

7. Data isolation and human access

• Isolation: Kibo is multi-tenant. Your data is logically isolated and accessible only to your account (and, on organization plans, the organization you belong to) and the AI assistant acting on your behalf.
• No routine human access: no member of our staff accesses your content except when you explicitly request support, to investigate a security incident, or where required by law.

8. Data retention and deletion

• You can disconnect any integration at any time; new data stops being accessed immediately.
• You can delete conversations, indexed documents, and your account from within the Service.
• Conversation debug data is kept for a limited, configurable period.
• On an account-deletion request, we permanently remove your associated data within 30 days, subject to legal retention obligations. Contact [email protected].

9. International and cross-border data transfers

Your data may be processed in countries other than your own — in particular by our AI model and hosting providers, which may be located in the United States and/or the European Union [confirm regions].

• We rely on appropriate safeguards (e.g., contractual data-protection clauses) for such transfers.
• For users in Japan (APPI): by using the Service you consent to the transfer of your personal data to third parties (our AI and hosting subprocessors) located outside Japan, including the United States. The data-protection frameworks of these countries may differ from Japan's; we require these recipients to maintain protection measures consistent with the APPI and will provide further information on request.

10. Your rights

EU/EEA & UK — GDPR

You have the right to access, correct, export (portability), delete, and restrict or object to the processing of your personal data, and to withdraw consent at any time. You may lodge a complaint with your supervisory authority. Contact [email protected].

California — CCPA/CPRA

You have the right to know what personal information we collect and how it is used, to request deletion, to correct it, and to opt out of the "sale" or "sharing" of personal information — we do not sell or share your personal information. You will not be discriminated against for exercising these rights.

Japan — APPI

The personal-information-handling business operator is [Legal entity name], [Registered address], represented by [Representative name]. You may request disclosure, correction, addition, deletion, suspension of use, or suspension of third-party provision of your retained personal data. The purpose of use is set out in §4; cross-border transfers in §9; security control measures in §6. To exercise your rights or raise a complaint, contact [email protected].

11. Cookies and tracking

We use only strictly necessary cookies / local storage for the Service to function (e.g., authentication, session, security, and your preferences such as language). We do not use advertising or cross-site tracking cookies, so no cookie-consent banner is required.

For usage statistics we use our own privacy-first, cookieless analytics: it does not set cookies, does not track you across other websites, and does not store data that identifies you. You can control cookies through your browser settings.

12. Children's privacy

The Service is not intended for individuals under the age of 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. We will communicate material changes through the Service or by email.

14. Contact

• Privacy: [email protected]
• Support: [email protected]
• [Legal entity name], [Registered address]