Privacy Policy

Kellexa Technologies Pvt. Ltd. ("Kellexa", "we", "us", or "our") respects your privacy. This Privacy Policy describes our practices regarding personal information collected through https://kellexa.com (the "Site"), https://app.kellexa.com (the "App"), and related services (collectively, the "Services").

By using the Services, you acknowledge that you have read this Privacy Policy. If you do not agree, please do not use the Services. For questions, contact info@kellexa.com.

For purposes of the EU/UK General Data Protection Regulation (GDPR), India Digital Personal Data Protection Act, 2023 (DPDP Act), and similar laws, Kellexa Technologies Pvt. Ltd. is the data controller for personal information described in this policy, unless we process data solely on your instructions under a Data Processing Addendum.

• Registered address: [Registered office address — update before launch]
• Privacy inquiries: info@kellexa.com
• Data Protection Officer: info@kellexa.com

This policy applies to visitors of the Site, registered users of the App, and individuals whose data we process to deliver workflow automation, billing, support, and security operations. It does not apply to third-party websites, social platforms (YouTube, Meta/Instagram), or payment processors except as described under "Third parties."

We collect information you provide, information generated through use of the Services, and information from third parties as follows:

• Account & identity: name, email address, profile photo, workspace name, authentication identifiers, session tokens, and notification preferences.
• Billing: subscription plan, payment method metadata (handled by Stripe/Razorpay — we do not store full card numbers), invoices, tax identifiers where provided, and transaction history.
• Connected platforms: OAuth tokens and refresh tokens for YouTube and Instagram (encrypted at rest), channel/page identifiers, display names, avatars, and granted scopes.
• Workflow & content: workflow definitions (flow graphs), media library metadata, uploaded file references, run logs, credit consumption, publish history, and webhook payloads you configure.
• Communications: support tickets, emails, and in-app messages.
• Technical & usage: IP address, device type, browser, operating system, referring URLs, pages viewed, feature usage, crash logs, and security audit events.
• Marketing site: cookie identifiers and analytics events as described in our Cookie Policy.

We do not intentionally collect sensitive categories of data (e.g., health, biometric, children's data) unless you voluntarily include them in user content — please avoid doing so.

• Directly from you when you register, connect accounts, build workflows, or contact us.
• Automatically when you use the Services (logs, cookies, device data).
• From identity providers (e.g., Google Sign-In) per their policies.
• From payment processors confirming transaction status.
• From platform APIs (YouTube, Meta) when you authorize integrations.

We use personal information for the following purposes:

• Provide, operate, and maintain the Services, including executing workflows and publishing content to connected accounts.
• Authenticate users, manage sessions, and prevent fraud or abuse.
• Process subscriptions, credit purchases, and wallet ledger operations.
• Send transactional communications (run completed, billing receipts, security alerts).
• Provide customer support and respond to inquiries.
• Improve the Services, develop features, and conduct aggregated analytics.
• Comply with legal obligations, enforce our terms, and protect rights and safety.
• With consent, send product updates or marketing (you may opt out anytime).

Where GDPR or UK GDPR applies, we rely on the following legal bases:

• Contract: processing necessary to perform our agreement with you (account, workflows, billing).
• Legitimate interests: security, fraud prevention, product improvement, and B2B marketing to business contacts (balanced against your rights).
• Consent: non-essential cookies, optional marketing emails, and certain analytics where required.
• Legal obligation: tax, accounting, regulatory requests, and law enforcement where applicable.

We do not sell personal information. We share information only as follows:

• Service providers (processors): cloud hosting, object storage (e.g., Cloudflare R2), email delivery, analytics, payment processing, and AI/media vendors invoked by your workflows.
• Platform partners: YouTube/Google and Meta/Instagram when you connect accounts or publish content — governed by their terms and privacy policies.
• Professional advisors: lawyers, accountants, and auditors under confidentiality obligations.
• Business transfers: merger, acquisition, or asset sale, with notice where required by law.
• Legal & safety: to comply with law, court orders, or protect users, the public, or Kellexa.

A current list of sub-processors is available on request at info@kellexa.com. Enterprise customers may receive advance notice of material sub-processor changes under a DPA.

We may process and store information in India, the United States, the European Union, and other countries where we or our providers operate. When transferring personal data from the EEA, UK, or Switzerland, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs), UK IDTA addenda, or other mechanisms recognized under applicable law.

• Account data: retained while your account is active and for a reasonable period after closure for legal, tax, and dispute resolution (typically up to 7 years for billing records where required).
• Workflow run logs: retained per product settings (e.g., 90 days for detailed node execution logs unless otherwise configured).
• Media files: retained until you delete them or your account is terminated, subject to backup cycles.
• Marketing analytics: per Cookie Policy retention schedules.

We may retain anonymized or aggregated data that cannot reasonably identify you.

We implement administrative, technical, and organizational measures designed to protect personal information, including encryption in transit (TLS), encryption at rest for sensitive credentials, access controls, and monitoring. See our Security Policy at https://kellexa.com/security. No method of transmission or storage is 100% secure; report concerns to info@kellexa.com.

Depending on your location, you may have the following rights (subject to exceptions):

• Access: request a copy of personal information we hold about you.
• Correction: request correction of inaccurate or incomplete data.
• Deletion: request deletion of personal information, subject to legal retention requirements.
• Portability: receive data in a structured, machine-readable format where applicable.
• Restriction & objection: object to certain processing or request restriction.
• Withdraw consent: where processing is based on consent, without affecting prior lawful processing.
• Opt out of sale/sharing (California): we do not sell personal information; see CCPA section below.

Submit requests to info@kellexa.com. We will verify your identity before responding. We aim to respond within 30 days (or the period required by applicable law). You may lodge a complaint with your local supervisory authority (e.g., EU DPA, UK ICO, India Data Protection Board when operational).

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by CPRA:

• Right to know categories and specific pieces of personal information collected, sources, purposes, and third parties.
• Right to delete personal information, with exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing — Kellexa does not sell or share personal information for cross-context behavioral advertising.
• Right to limit use of sensitive personal information — we use sensitive data only as necessary to provide the Services.
• Right to non-discrimination for exercising privacy rights.

Categories collected in the last 12 months may include identifiers, commercial information, internet activity, and professional information related to your creator business. Submit requests via info@kellexa.com or call [toll-free number — add before launch]. Authorized agents must provide written authorization.

Where the DPDP Act applies, you may have rights to access, correction, erasure, grievance redressal, and nomination. You may withdraw consent for consent-based processing. Contact our Grievance Officer at info@kellexa.com. We process data lawfully for specified purposes and implement reasonable security safeguards.

The Services are not directed to individuals under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided data, contact us and we will delete it promptly.

Kellexa does not make solely automated decisions with legal or similarly significant effects about you. Workflow execution follows rules you configure; AI outputs are generated per your workflow design and third-party model policies.

The Services integrate with third-party platforms and may link to external sites. Their privacy practices govern data they collect. Review Google/YouTube, Meta/Instagram, and payment provider policies before connecting accounts.

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date and, where required, notified via email or in-app notice. Continued use after the effective date constitutes acceptance.

• Privacy: info@kellexa.com
• DPO / Grievance Officer: info@kellexa.com
• Postal: Kellexa Technologies Pvt. Ltd., [Registered office address — update before launch]