Privacy Policy

Effective Date: 1 December 2025

Last Updated: 30 November 2025

This Privacy Policy explains how Keido Labs Ltd ("we," "us," or "our") collects, uses, and protects your personal data when you use EmpathyC (the "Service").


1. Overview

Who We Are:

  • Company Name: Keido Labs Ltd
  • Company Number: 16805440
  • Registered Address: 31 Russell Street, Liverpool, England, L3 5LJ
  • Email: hello@keidolabs.com
  • Website: https://keidolabs.com
  • Service Website: https://empathyc.co

Our Role:

  • For your account and billing data: We are the Data Controller
  • For your customer conversation data: We are the Data Processor (you are the Data Controller)

Geographic Scope:

This policy covers users in the UK, EU, US, and globally. We comply with:

  • UK GDPR and Data Protection Act 2018
  • EU GDPR (Regulation 2016/679)
  • California Consumer Privacy Act (CCPA) where applicable

2. What Data We Collect

2.1 Account and Billing Data (We Control)

When you create an account:

  • Name, email address, company name
  • Billing address, payment method details (processed via Stripe)
  • Account preferences and settings

Usage and technical data:

  • Login times, IP address, browser type
  • Dashboard interactions and feature usage
  • Support tickets and communications

2.2 Customer Conversation Data (You Control)

Data processed on your behalf:

  • Conversation text between your customers and your AI systems
  • Customer service interaction metadata (timestamps, integration source)
  • Empathy and quality scores generated by our analysis

You are responsible for:

  • Having lawful basis to process this data
  • Complying with data protection laws in your jurisdiction
  • Obtaining necessary consents from your customers

2.3 Third-Party Integration Credentials

When you create an integration:

  • API credentials and access tokens (e.g., Intercom API keys, Zendesk tokens, webhook secrets)
  • Integration configuration data (app IDs, workspace identifiers)

Security measures for credentials:

  • Encrypted using AES-256 encryption
  • Stored securely in compliance with SOC 2 and GDPR standards
  • NEVER stored in plaintext
  • Access restricted to authorized system processes only
  • Deleted within 24 hours of integration disconnection

3. How We Use Your Data

3.1 Account and Billing Data

We use this data to:

  • Provide and manage your account
  • Process payments and billing
  • Send service updates and support responses
  • Detect and prevent fraud
  • Comply with legal obligations

Legal Basis (GDPR):

  • Performance of contract (account management, service delivery)
  • Legitimate interests (fraud prevention, service improvement)
  • Legal obligation (tax, accounting records)

3.2 Customer Conversation Data

We process this data to:

  • Analyze conversation quality and generate empathy scores
  • Display analytics and reporting in your dashboard
  • Improve our AI analysis models (with your consent)

Legal Basis (GDPR):

  • Performance of contract (providing the Service)
  • Your consent (for service improvement via AI model training)

3.3 AI Model Processing

IMPORTANT: We use third-party AI providers to analyze conversations:

  • OpenAI (GPT models)
  • Anthropic (Claude models)
  • Google (Gemini models)
  • Any other foundational LLM (AI) providers, where they serve to improve the services provided

What this means:

  • Conversation data is transmitted to these providers for analysis
  • These providers process data under their own privacy policies
  • We use the AI providers' API agreements that include data processing protections, where available
  • By using the Service, you consent to this processing

We do NOT:

  • Allow these providers to use your data for training their own models (where contractually possible)
  • Share identifiable customer data with competitors
  • Sell your data to third parties

4. Service Improvement and AI Training

4.1 Aggregated and Anonymized Data

With your consent (obtained when you accept our Terms of Service), we may use conversation data to:

  • Train and improve our empathy detection AI models
  • Develop new quality metrics and features
  • Create industry benchmarks and research

Protections:

  • Data is anonymized (personally identifiable information removed)
  • Data is aggregated across customers (no individual customer identifiable)
  • Used only for improving the Service, not for advertising or marketing

4.2 Opting Out

If you do NOT consent to this use:

  • Contact hello@keidolabs.com to opt out
  • We will continue providing the Service but will not use your data for model training
  • No impact on service quality or features

5. Data Sharing and Disclosure

5.1 Service Providers

We share data with trusted third parties who help us operate the Service:

Payment Processing:

  • Stripe (payment processing and subscription management)
  • Location: US/EU (with GDPR-compliant data processing agreements)

Infrastructure Hosting:

  • Amazon Web Services (AWS) - Ireland region (eu-west-1)
  • Data stored in EU for GDPR compliance

AI Analysis:

  • OpenAI, Anthropic, Google (conversation quality analysis)
  • Data processed via official SaaS APIs

Analytics and Monitoring:

  • Service performance and error tracking tools
  • Anonymized usage analytics

5.2 Legal Requirements

We may disclose data if required to:

  • Comply with legal obligations (court orders, subpoenas)
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Comply with law enforcement requests

5.3 Business Transfers

If we are acquired or merged, your data may transfer to the new entity (with notice to you and continued protection under this policy).


6. Data Retention

6.1 Account Data

We retain account and billing data for:

  • Active accounts: Duration of your subscription + 7 years (for tax and legal compliance)
  • Closed accounts: 90 days (then deleted unless legal hold applies)

6.2 Conversation Data

  • Real-time analysis: Processed and discarded immediately after scoring
  • Dashboard analytics: Retained for 12 months (or your subscription period, whichever is longer)
  • After termination: Deleted within 30 days (you may request export before termination)

6.3 Anonymized Data

Anonymized and aggregated data (used for AI training) may be retained indefinitely as it cannot be linked back to you.


7. Your Rights (GDPR/UK GDPR)

If you are in the UK or EU, you have the following rights:

7.1 Right of Access

Request a copy of your personal data we hold (free, within 30 days).

7.2 Right to Rectification

Correct inaccurate or incomplete data.

7.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your data (subject to legal retention requirements).

7.4 Right to Restrict Processing

Limit how we use your data in certain circumstances.

7.5 Right to Data Portability

Receive your data in a machine-readable format (CSV, JSON).

7.6 Right to Object

Object to processing based on legitimate interests or for direct marketing.

7.7 Right to Withdraw Consent

Withdraw consent for AI training or other consent-based processing (does not affect lawfulness of processing before withdrawal).

7.8 Right to Lodge a Complaint

Contact the UK Information Commissioner's Office (ICO) or your local data protection authority.

To exercise these rights: Email hello@keidolabs.com with your request.


8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

8.1 Right to Know

Request disclosure of personal information collected, used, or shared in the past 12 months.

8.2 Right to Delete

Request deletion of personal information (subject to exceptions).

8.3 Right to Opt-Out of Sale

We do NOT sell personal information. No opt-out needed.

8.4 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

To exercise these rights: Email hello@keidolabs.com with "CCPA Request" in the subject line.


9. Data Security

We implement industry-standard security measures:

9.1 Technical Safeguards

  • Encryption in transit: TLS 1.3 for all data transmission
  • Encryption at rest: AES-256 for stored data
  • Multi-tenant isolation: Each customer's data is logically isolated
  • Access controls: Role-based access, multi-factor authentication
  • Regular security audits: Penetration testing and vulnerability scanning

9.2 Organizational Safeguards

  • Employee training on data protection
  • Confidentiality agreements with staff
  • Incident response procedures
  • Regular backups with encryption

9.3 AWS Infrastructure

  • Data hosted in AWS Ireland (eu-west-1) for EU/UK data residency
  • AWS SOC 2, ISO 27001 certified infrastructure
  • DDoS protection and network security

However: No system is 100% secure. You use the Service at your own risk.


10. Data Breach Notification

In the event of a personal data breach:

  • To you (Data Controller): Notification within 72 hours of discovery
  • To authorities: We will notify the ICO/relevant DPA as required by law
  • To end users: You are responsible for notifying your customers (we will assist as required)

11. International Data Transfers

11.1 Data Location

Primary data storage: AWS Ireland (EU)

11.2 Third-Party Processors

Some service providers (OpenAI, Anthropic, Stripe) may process data in the US. We ensure adequate safeguards:

  • EU Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Agreement (IDTA)
  • Privacy Shield alternatives or equivalent protections

11.3 Your Consent

By using the Service, you consent to data transfers necessary to provide the Service (including AI analysis by US-based providers).


12. Cookies and Tracking

12.1 Essential Cookies

We use cookies necessary for the Service to function:

  • Session authentication
  • Security tokens
  • Preference settings

12.2 Analytics Cookies

We use analytics to understand service usage (anonymized):

  • Page views and feature usage
  • Performance metrics
  • Error tracking

12.3 Your Choices

  • Essential cookies: Cannot be disabled (required for service operation)
  • Analytics cookies: Can be disabled in your browser settings

We do NOT use cookies for advertising or cross-site tracking.


13. Children's Privacy

The Service is intended for business use only. We do not knowingly collect data from children under 16. If you believe we have collected data from a child, contact us immediately for deletion.


14. Third-Party Links

Our Service may link to third-party integrations (Intercom, Zendesk, Salesforce). We are not responsible for their privacy practices. Review their privacy policies separately.


15. Changes to This Policy

We may update this Privacy Policy with 30 days' notice:

  • Posted on our website (https://empathyc.co/privacy)
  • Emailed to account holders
  • Continued use after changes = acceptance

Material changes (e.g., new data uses, reduced protections) require 60 days' notice and may require renewed consent.


16. Data Controller and Contact

Data Controller:

Keido Labs Ltd

31 Russell Street

Liverpool, England

L3 5LJ

Privacy Inquiries:

Email: hello@keidolabs.com

Subject line: "Privacy Request"

Supervisory Authority (UK):

Information Commissioner's Office (ICO)

Website: ico.org.uk


17. Data Processing Agreement (DPA)

For enterprise customers requiring a separate Data Processing Agreement under GDPR Article 28:

  • Contact hello@keidolabs.com
  • We will provide our standard DPA (based on EU SCCs)
  • Negotiated DPAs available for Enterprise plan customers

By using EmpathyC, you acknowledge that you have read and understood this Privacy Policy.