Privacy Policy

Effective date: April 12, 2026

1. Introduction

Koladr ("we", "us", or "our") respects your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information when you use the Koladr platform ("the Service").

2. Information We Collect

We collect the following categories of information:

  • Account information — email address, name, and password when you register or sign in.
  • Workspace data — tenant name, workspace slug, team member roles, and organizational settings.
  • Agent and execution data — agent configurations, run logs, action requests, policy evaluations, approval decisions, and execution results generated through platform usage.
  • Connector credentials — API keys, OAuth tokens, and related metadata you provide to connect third-party services. These are encrypted at rest and never exposed after submission.
  • Usage data — page views, feature usage patterns, browser type, and IP address collected automatically for analytics and security.

3. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and enforce access controls
  • Execute governed actions through connected third-party services on your behalf
  • Enforce policies, process approvals, and log audit trails
  • Improve the Service, diagnose issues, and prevent abuse
  • Communicate with you about your account, updates, or support requests
  • Comply with legal obligations

4. Third-Party Integrations

When you connect a third-party service (such as Stripe, HubSpot, Zendesk, or Gmail), we store your credentials securely and use them solely to execute governed actions you initiate through the platform. We access only the minimum scopes and permissions required for the actions you configure. We do not sell, share, or use your third-party credentials for any purpose other than operating the connector on your behalf.

5. Google User Data

When you connect a Google account (Gmail connector), we request access to the following OAuth scopes:

  • gmail.send — to send email on your behalf through governed actions
  • userinfo.email — to identify your connected Google account
  • userinfo.profile — to display your name in the connector UI

We do not read, modify, or delete your existing emails. We do not access your inbox, contacts, or calendar. Access and refresh tokens are encrypted at rest and stored server-side only. Tokens are never exposed to client-side code. You can revoke access at any time from your Google Account permissions, which will transition the connector to a "needs reconnection" state.

Koladr's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

6. Data Security

We take security seriously and implement the following measures:

  • Connector credentials are encrypted at rest using AES-256-GCM with scrypt-derived keys
  • Tenant data is isolated through PostgreSQL row-level security (RLS)
  • All API routes enforce server-side authentication and role-based authorization
  • OAuth state parameters are encrypted to prevent CSRF attacks
  • Secrets are never returned to the browser after initial submission

No system is perfectly secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Data Retention

We retain your account data and execution logs for as long as your account is active. Connector credentials are deleted immediately when you disconnect an integration. If you delete your account, we will remove your personal information within 30 days, except where retention is required by law.

8. Data Sharing

We do not sell your personal information. We may share information only in the following circumstances:

  • Service providers — with trusted infrastructure providers (hosting, database, authentication) that process data on our behalf under contractual obligations.
  • Third-party connectors — with services you explicitly connect, using only the data required to execute your governed actions.
  • Legal compliance — when required by law, subpoena, or legal process.
  • Safety — to protect the rights, safety, or property of Koladr, our users, or the public.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your account and associated data
  • Withdraw consent for data processing
  • Export your data in a portable format
  • Revoke third-party connector access at any time

To exercise any of these rights, contact us at privacy@koladr.com.

10. Cookies

We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies. Session cookies are scoped to your authenticated session and are not shared with third parties.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. Continued use of the Service after changes constitutes acceptance.

13. Contact

If you have questions about this Privacy Policy, contact us at privacy@koladr.com.