Privacy Policy

Kommit AI ("Kommit," "we," "us," or "our") operates the getkommit.ai website and platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy. Please read this policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

This Privacy Policy applies to information collected through: • Our website at getkommit.ai • Our web application and platform features • Our marketing and communications • Customer support interactions This policy does not apply to information collected by third-party services you may access through our integrations (e.g., GitHub, AI providers). We encourage you to review the privacy policies of any third-party services you connect to Kommit.

We collect information in the following ways: Information you provide directly: • Account information — name, email address, and password when you register • Profile information — workspace name, team member invitations • Project content — product specifications, node data, conversations, uploaded files, and PRDs you create on the canvas • Payment information — billing details when you subscribe to a paid plan (processed by our payment provider) • Communications — messages you send to us via email or support channels Information from third parties: • OAuth data — when you sign in with GitHub, we receive your public profile information (name, email, avatar) as authorized by your GitHub settings • Repository data — when you connect a GitHub repository, we access file contents and metadata for the purpose of providing codebase context to the AI Information collected automatically: • Usage data — pages visited, features used, actions taken, timestamps • Device data — browser type, operating system, screen resolution • Network data — IP address, approximate location (country/region) • Cookies and similar technologies — session tokens, preferences, analytics identifiers

We use the information we collect to: • Provide, operate, and maintain the Service • Create and manage your account and workspaces • Process AI conversations and generate structured specifications • Generate embeddings and provide contextual AI responses (RAG) • Process payments and manage subscriptions • Send transactional communications (account verification, password resets, billing) • Respond to support requests and inquiries • Analyze usage patterns to improve the Service • Detect, prevent, and address technical issues and security threats • Comply with legal obligations We do not use your project content, uploaded files, or repository code to train AI models. Your data is used solely to provide the Service to you.

Kommit uses third-party AI services (currently Anthropic's Claude and OpenAI's embedding models) to power conversations, extract structured data, and generate PRDs. When you interact with AI features: • Your conversation messages and relevant project context are sent to the AI provider to generate responses • Structured data is extracted from conversations and stored in your project • Text embeddings are generated for semantic search across your project knowledge • Repository code (when connected) may be included as context for AI responses We select AI providers that offer enterprise-grade data handling. Your data sent to AI providers is not used to train their models. Refer to each provider's data processing terms for details on how they handle data in transit.

Your data is stored on secure infrastructure: • Application data is hosted on Vercel's platform • Database (PostgreSQL with pgvector) is hosted on Neon • Uploaded files are stored on Vercel Blob storage • All data is encrypted in transit (TLS) and at rest We retain your information for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or legitimate business purposes (e.g., billing records, fraud prevention). Project data, including canvas content, conversations, and generated PRDs, is deleted when the associated project or account is deleted.

We do not sell your personal information. We may share your information in the following circumstances: • Service providers — with trusted third parties who assist us in operating the Service (hosting, payment processing, analytics, AI providers), bound by contractual obligations to protect your data • Within your workspace — project data is visible to all members of your organization workspace • Legal requirements — when required by law, regulation, or legal process • Safety and security — to protect the rights, property, or safety of Kommit, our users, or the public • Business transfers — in connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction • With your consent — when you explicitly authorize sharing with a specific third party

We use cookies and similar technologies for: • Authentication — session cookies to keep you signed in (required) • Preferences — storing your theme preference and workspace settings (functional) • Analytics — understanding how the Service is used to improve it (optional) Essential cookies are required for the Service to function. You can manage optional cookies through your browser settings. Disabling cookies may affect certain features of the Service. We use Vercel Analytics for privacy-friendly, aggregated usage analytics. We do not use invasive tracking or sell data to advertisers.

We implement appropriate technical and organizational measures to protect your information, including: • Encryption in transit (TLS/HTTPS) and at rest • Row-level security (RLS) ensuring tenant data isolation in the database • Secure authentication with hashed passwords and OAuth token management • Regular security reviews of our codebase and infrastructure • Access controls limiting employee access to user data on a need-to-know basis While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

Kommit is operated from the European Union (Netherlands). Your information may be transferred to and processed in countries other than your own, including the United States, where our service providers (Vercel, Neon, Anthropic, OpenAI) operate. When we transfer data outside the EU/EEA, we ensure appropriate safeguards are in place, including: • Standard Contractual Clauses (SCCs) approved by the European Commission • Data Processing Agreements with all sub-processors • Selecting providers that participate in recognized data protection frameworks

Depending on your location, you may have the following rights regarding your personal data: • Access — request a copy of the personal data we hold about you • Correction — request correction of inaccurate or incomplete data • Deletion — request deletion of your personal data • Portability — receive your data in a structured, machine-readable format • Restriction — request that we restrict processing of your data • Objection — object to processing based on legitimate interests • Withdrawal of consent — withdraw consent at any time where processing is based on consent EU/EEA residents: You have rights under the General Data Protection Regulation (GDPR). Our legal bases for processing include contract performance, legitimate interests, and consent. To exercise your rights, contact us at privacy@getkommit.ai. We will respond to your request within 30 days.

The Service is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@getkommit.ai.

The Service may contain links to third-party websites or services not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party services. When you connect integrations (such as GitHub), you authorize data exchange between Kommit and that service as described in Section 5. We recommend reviewing the privacy policies of all third-party services you interact with through Kommit.

We may update this Privacy Policy from time to time. We will notify you of material changes by: • Posting the updated policy on this page with a new effective date • Sending an email notification to your registered email address (for material changes) Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: Kommit AI Email: privacy@getkommit.ai General inquiries: hello@getkommit.ai