EmpathyC

Privacy Policy

Effective Date: 1 February 2026

Last Updated: 2 February 2026

This Privacy Policy explains how Keido Labs Ltd ("we," "us," or "our") collects, uses, and protects your data when you use Empathyc's AI Psychological Safety Monitoring service (the "Service").

1. Overview

Who We Are:

Our Role:

  • For your account and billing data: We are the Data Controller
  • For conversation data you send us: We are the Data Processor (you are the Data Controller)

Geographic Scope:

This policy covers users in the UK, EU, US, and globally. We comply with:

  • UK GDPR and Data Protection Act 2018
  • EU GDPR (Regulation 2016/679)
  • California Consumer Privacy Act (CCPA) where applicable

2. What Data We Collect

2.1 Account and Billing Data (We Control)

When you create an account:

  • Name, email address, company name
  • Billing address, payment method details (processed via Stripe)
  • Account preferences and settings
  • Subscription plan and usage limits

Usage and technical data:

  • Login times, IP address, browser type, device information
  • Dashboard interactions and feature usage
  • API usage metrics and integration configurations
  • Support tickets and communications with us

Legal Basis (GDPR):

  • Performance of contract (account management, service delivery)
  • Legitimate interests (fraud prevention, service improvement, security)
  • Legal obligation (tax, accounting, regulatory compliance)

2.2 Conversation Data (You Control) — Zero PII by Design

IMPORTANT: By design, we do NOT collect personally identifiable information (PII) about the individuals having conversations.

What we DO collect:

  • Conversation content: Full text of messages exchanged between your users and your AI systems (or human agents)
  • Opaque conversation IDs: Identifiers YOU control (e.g., "conv_abc123", "ticket_456789")
  • Timestamps: When messages were sent
  • Integration metadata: Platform source (e.g., Intercom, Zendesk, API)

What we do NOT collect:

  • User names, email addresses, phone numbers, or contact details
  • Demographic information (age, gender, location, nationality, etc.)
  • IP addresses or device identifiers of conversation participants
  • Account information, profile data, or user identifiers from your platform
  • Payment information or financial data
  • Any data that would allow us to identify or contact individuals having conversations

Why we're structured this way:

Our zero PII architecture is intentional. By not collecting PII:

  • We cannot contact users in crisis (you retain this responsibility)
  • We have no duty of care toward individuals on your platform
  • We minimize data protection risks and liabilities
  • You retain full control over user identities and relationships
  • GDPR compliance is simplified (we process conversation content, not personal data of individuals)

What this means:

  • You send us conversation text and an opaque ID
  • We analyze the conversation and return Safety Metrics
  • We store analysis results linked to your opaque ID
  • You map opaque IDs to user identities in your own system
  • You decide whether to act on alerts (we cannot act because we don't know who the user is)

Legal Basis (GDPR):

  • Performance of contract (providing the Service you subscribed to)
  • Your instructions as Data Controller (we process on your behalf)

Your responsibility:

  • You must have lawful basis to process conversation data under GDPR
  • You must obtain necessary consents from your users to monitor conversations
  • You must comply with data protection laws in your jurisdiction
  • You must inform your users about AI monitoring and analysis

2.3 Analysis Results and Alert Data (We Generate)

We create and store:

  • Safety Metrics: Scores for Empathy, Reliability, Consistency, Crisis Detection, Advice Safety, Boundary Safety
  • Alert history: Alerts triggered, thresholds crossed, alert delivery status
  • LLM reasoning: Evidence quotes and analysis reasoning from AI models
  • Conversation timelines: Full conversation context for dashboard review (linked to opaque IDs only)

2.4 Integration Credentials (Encrypted)

When you connect an integration:

OAuth integrations (e.g., Intercom):

  • OAuth access tokens issued by the platform on your behalf
  • OAuth refresh tokens (where applicable)
  • Integration configuration (workspace/app identifiers)

Direct API integrations (e.g., Zendesk, Salesforce, or direct API):

  • API keys, access tokens, webhook secrets, app IDs you provide
  • Integration configuration data

Security measures for all credentials:

  • Encrypted using AES-256 encryption
  • Stored securely in compliance with SOC 2 and GDPR standards
  • NEVER stored in plaintext
  • Access restricted to authorized system processes only
  • Deleted within 24 hours of integration disconnection

3. How We Use Your Data

3.1 Account and Billing Data

We use your account data to:

  • Create and manage your account
  • Process payments and billing (via Stripe)
  • Send service updates, alerts, and support responses
  • Monitor for fraud and security threats
  • Comply with legal and tax obligations
  • Improve the Service and user experience

We do NOT:

  • Sell your account data to third parties
  • Use your account data for advertising or marketing to others
  • Share your account data with competitors

3.2 Conversation Data and Safety Analysis

We process conversation data to:

  • Analyze conversations for psychological safety risks using AI-based evaluation
  • Generate Safety Metrics (Empathy, Crisis Detection, Boundary Safety, etc.)
  • Trigger alerts when risks are detected
  • Display conversation timelines and analysis results in your dashboard
  • Enable human review of flagged conversations

3.3 Service Improvement and AI Model Training

With your consent (obtained when you accept our Terms of Service), we may use aggregated and anonymized conversation data to:

  • Train and improve our Safety Metrics and crisis detection models
  • Develop new psychological safety features
  • Validate accuracy of AI-based analysis
  • Conduct research on conversational AI safety
  • Create industry benchmarks (anonymized)

Protections:

  • Data is anonymized (all identifying information removed, including opaque IDs)
  • Data is aggregated across customers (no individual customer identifiable)
  • Used only for improving the Service, NOT for advertising or marketing

Opting Out:

If you do NOT consent to service improvement use:

  • Contact hello@keidolabs.com to opt out
  • We will continue providing the Service but will not use your data for model training
  • No impact on service quality or features
  • You may opt out at any time

4. Third-Party Data Processing — AI Model Providers

IMPORTANT: We use third-party AI providers to analyze conversation content.

4.1 AI Model Providers (LLM-as-a-Judge)

Our Safety Metrics are generated using large language models (LLMs) from third-party providers:

  • OpenAI (GPT-4, GPT-4o, and other models)
  • Anthropic (Claude models)
  • Google (Gemini models)
  • Other AI model providers as we continue to improve the Service

What this means:

  • Conversation data you send to Empathyc is transmitted to these AI providers for analysis
  • These providers process data according to their own privacy policies and terms of service
  • We use enterprise API agreements with data processing protections where available
  • We contractually prohibit these providers from using your data to train their own models (where possible)

Your consent:

By using the Service, you consent to your conversation data being processed by our current and future AI model providers for the purpose of providing Safety Metrics and alerts.

We may change AI providers without prior notice to improve service quality, reduce costs, or enhance capabilities.

4.2 What We Do NOT Do with AI Providers

  • We do NOT sell your data to AI providers
  • We do NOT allow AI providers to use your data for their own commercial purposes (where contractually preventable)
  • We do NOT share identifiable information about your organization with AI providers (conversations are sent without your company details)

5. Data Sharing and Disclosure

5.1 Service Providers (Subprocessors)

We share data with trusted third parties who help us operate the Service:

Payment Processing:

  • Stripe (payment processing and subscription management)
  • Data processed: Billing information, payment methods, transaction history
  • Location: US/EU (with GDPR-compliant Data Processing Agreements)

Infrastructure Hosting:

  • Amazon Web Services (AWS) — Ireland region (eu-west-1)
  • Data processed: All service data (account, conversation, analysis)
  • Location: EU for GDPR compliance
  • AWS certifications: SOC 2, ISO 27001

AI Analysis:

  • OpenAI, Anthropic, Google (conversation safety analysis via LLM-as-a-judge)
  • Data processed: Conversation content only (no PII, no account data)
  • Location: Primarily US (with GDPR safeguards via Standard Contractual Clauses)

Analytics and Monitoring:

  • Service performance monitoring, error tracking, security logging
  • Anonymized usage analytics
  • No PII shared with analytics providers

Full Subprocessor List:

A complete list of subprocessors is available at: https://empathyc.co/subprocessors

We will notify you of changes to subprocessors with 30 days' notice.

5.2 Legal Requirements and Law Enforcement

We may disclose data if required to:

  • Comply with legal obligations (court orders, subpoenas, warrants)
  • Protect our rights, property, or safety
  • Prevent fraud, security threats, or illegal activity
  • Comply with law enforcement or regulatory requests

Notice to you: Where legally permitted, we will notify you before disclosure.

5.3 Business Transfers

If we are acquired, merged, or sell assets, your data may transfer to the new entity:

  • You will receive advance notice of the transfer
  • Data will remain protected under this Privacy Policy (or you will be notified of changes)
  • You may have the right to request deletion before the transfer

5.4 No Sale of Data

We do NOT sell your data to third parties for advertising, marketing, or any other commercial purpose.

6. Data Retention

6.1 Account and Billing Data

  • Active accounts: Retained for the duration of your subscription
  • Closed accounts: Retained for 7 years (UK tax and legal compliance requirements)
  • After 7 years: Securely deleted (unless legal hold applies)

6.2 Conversation Data and Analysis Results

  • Active accounts: Retained for the duration of your subscription plus 30 days
  • Dashboard analytics: Retained for 12 months (or your subscription period, whichever is longer)
  • After termination: Deleted within 30 days
  • Data export: You may request a full data export (CSV/JSON) at any time before deletion

6.3 Anonymized Data for Service Improvement

Anonymized and aggregated data (used for AI model training and research) may be retained indefinitely, as it:

  • Cannot be linked back to you or your customers
  • Contains no PII or opaque identifiers
  • Is used solely for improving the Service

6.4 Your Right to Request Earlier Deletion

You may request deletion of specific conversations or all conversation data at any time:

  • Contact hello@keidolabs.com with your request
  • We will delete within 7 business days (subject to legal obligations)
  • Note: Deletion may impact service functionality (e.g., loss of historical analytics)

7. Your Rights (GDPR/UK GDPR)

If you are in the UK or EU, you have the following rights:

7.1 Right of Access (Subject Access Request)

Request a copy of your personal data we hold (free, within 30 days).

7.2 Right to Rectification

Correct inaccurate or incomplete data.

7.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your data (subject to legal retention requirements).

7.4 Right to Restrict Processing

Limit how we use your data in certain circumstances.

7.5 Right to Data Portability

Receive your data in a machine-readable format (CSV, JSON).

7.6 Right to Object

Object to processing based on legitimate interests or for direct marketing.

7.7 Right to Withdraw Consent

Withdraw consent for AI training or other consent-based processing (does not affect lawfulness of processing before withdrawal).

7.8 Right to Lodge a Complaint

Contact the UK Information Commissioner's Office (ICO) or your local data protection authority if you believe we have violated your rights.

To exercise these rights:

Email hello@keidolabs.com with "Privacy Request" in the subject line.

We will respond within 30 days (or 60 days for complex requests, with explanation).

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

8.1 Right to Know

Request disclosure of personal information collected, used, or shared in the past 12 months, including:

  • Categories of personal information collected
  • Sources from which information was collected
  • Business or commercial purposes for collection
  • Categories of third parties with whom we share information

8.2 Right to Delete

Request deletion of personal information (subject to exceptions for legal obligations, fraud prevention, or service provision).

8.3 Right to Opt-Out of Sale

We do NOT sell personal information. No opt-out needed.

8.4 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights (e.g., denying service, charging different prices, or providing different service quality).

To exercise these rights:

Email hello@keidolabs.com with "CCPA Request" in the subject line.

We will respond within 45 days (or 90 days with explanation).

9. Data Security

We implement industry-standard security measures to protect your data:

9.1 Technical Safeguards

  • Encryption in transit: TLS 1.3 for all data transmission
  • Encryption at rest: AES-256 for stored data
  • Multi-tenant isolation: Each customer's data is logically isolated
  • Access controls: Role-based access, principle of least privilege
  • Multi-factor authentication: Required for admin accounts
  • Regular security audits: Penetration testing and vulnerability scanning
  • Security monitoring: Real-time threat detection and logging

9.2 Organizational Safeguards

  • Employee training on data protection and security
  • Confidentiality agreements with all staff and contractors
  • Incident response procedures and breach notification protocols
  • Regular backups with encryption
  • Secure development practices and code review

9.3 AWS Infrastructure Security

  • Data hosted in AWS Ireland (eu-west-1) for EU/UK data residency
  • AWS SOC 2, ISO 27001, and ISO 27018 certified infrastructure
  • DDoS protection and network security
  • Physical security at AWS data centers
  • Regular infrastructure security updates

However: No system is 100% secure. While we implement strong security measures, you use the Service at your own risk.

10. Data Breach Notification

In the event of a personal data breach:

To you (Data Controller):

  • Notification within 72 hours of discovery
  • Details of the breach (nature, affected data, estimated impact)
  • Measures taken to address the breach
  • Recommendations for mitigating harm

To authorities:

  • We will notify the ICO (UK) or relevant data protection authority as required by law

To end users:

  • You (as Data Controller) are responsible for notifying your customers if required
  • We will assist you with notification obligations as needed

11. International Data Transfers

11.1 Primary Data Location

Primary data storage: AWS Ireland (EU) — eu-west-1 region

11.2 Third-Party Processors Outside the EU/UK

Some service providers (OpenAI, Anthropic, Stripe) may process data in the US or other countries outside the EU/UK.

Safeguards for international transfers:

  • EU Standard Contractual Clauses (SCCs) — approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) — approved by the ICO
  • Privacy Shield alternatives and equivalent protections
  • Contractual commitments from processors to comply with GDPR standards

11.3 Your Consent

By using the Service, you consent to data transfers necessary to provide the Service, including:

  • AI analysis by US-based LLM providers
  • Payment processing by Stripe
  • Infrastructure services by AWS

You may withdraw consent by ceasing to use the Service, but this will prevent us from providing the Service to you.

12. Cookies and Tracking

12.1 Essential Cookies

We use cookies necessary for the Service to function:

  • Session authentication — keeps you logged in
  • Security tokens — prevents cross-site request forgery (CSRF)
  • Preference settings — remembers your dashboard settings

These cookies cannot be disabled without preventing the Service from functioning.

12.2 Analytics Cookies

We use analytics to understand service usage (anonymized):

  • Page views and feature usage
  • Performance metrics (page load times, API response times)
  • Error tracking and bug detection

Analytics providers: Google Analytics (anonymized IP addresses)

12.3 Your Choices

  • Essential cookies: Cannot be disabled (required for service operation)
  • Analytics cookies: Can be disabled in your browser settings

We do NOT use:

  • Advertising cookies
  • Cross-site tracking cookies
  • Third-party marketing cookies

13. Children's Privacy

The Service is intended for business use only. We do not knowingly collect data from children under 16 (or 13 in the US).

If you believe we have collected data from a child:

14. Third-Party Links and Integrations

Our Service integrates with third-party platforms (Intercom, Zendesk, Salesforce) and may link to external websites.

We are not responsible for:

  • Privacy practices of third-party platforms
  • Security of data stored on third-party platforms
  • Third-party terms of service or policies

Your responsibility:

  • Review privacy policies of integrated platforms
  • Ensure you have rights to share data with us from those platforms
  • Comply with third-party terms of service

15. Changes to This Policy

We may update this Privacy Policy from time to time.

How we notify you:

  • Posted on our website (https://empathyc.co/privacy)
  • Emailed to account holders at least 30 days before changes take effect
  • In-dashboard notification when you next log in

Material changes (e.g., new data uses, reduced protections, new third-party processors) require 60 days' notice and may require renewed consent.

Continued use after changes = acceptance of the updated policy.

If you don't agree to changes, you may terminate your account before they take effect.

16. Data Controller Contact and Supervisory Authority

Data Controller:

Keido Labs Ltd

31 Russell Street

Liverpool, England

L3 5LJ

United Kingdom

Privacy Inquiries:

Email: hello@keidolabs.com

Subject line: "Privacy Request" or "GDPR Request"

We will respond within 30 days (or 60 days for complex requests).

UK Supervisory Authority:

Information Commissioner's Office (ICO)

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

United Kingdom

Website: ico.org.uk

Phone: 0303 123 1113

EU Supervisory Authorities:

If you are in the EU, contact your local data protection authority. A list is available at: edpb.europa.eu

17. Data Processing Agreement (DPA)

For enterprise customers requiring a separate Data Processing Agreement under GDPR Article 28:

Standard DPA:

  • Contact hello@keidolabs.com to request our standard DPA
  • Based on EU Standard Contractual Clauses (SCCs)
  • Available for Growth, Scale, and Enterprise plan customers

Negotiated DPA:

  • Custom DPA terms available for Enterprise plan customers
  • Contact our legal team at hello@keidolabs.com

What the DPA covers:

  • Your role as Data Controller, our role as Data Processor
  • Instructions for data processing
  • Data subject rights assistance
  • Data breach notification obligations
  • Subprocessor management
  • International data transfers
  • Audit rights

Final Acknowledgment

BY USING EMPATHYC, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY.

YOU SPECIFICALLY ACKNOWLEDGE AND AGREE THAT:

  • We do not collect PII about individuals having conversations on your platform
  • You are responsible for obtaining necessary consents from your users
  • Conversation data may be processed by third-party AI providers (OpenAI, Anthropic, Google)
  • You are the Data Controller for conversation data; we are the Data Processor
  • You must comply with data protection laws in your jurisdiction

If you have questions about this Privacy Policy, contact us at hello@keidolabs.com

Last Updated: 2 February 2026