This is a template, not legal advice. It has not been reviewed by a lawyer. Before relying on this for a real product — especially if you handle data from the EU/UK (GDPR), California (CCPA/CPRA), or other regulated jurisdictions — have a licensed attorney review and customize it for your business and applicable law.

Privacy policy

Last updated: [DATE] · Replace bracketed placeholders before publishing.

1. What we collect

Account information (name, email, hashed password, role, and which organization you belong to), project data you or your team enter (tasks, budgets, risks, status updates, communications, rate cards, delivery/pricing details, support incidents), and basic usage logs (timestamps, IP address, browser type) needed to operate and secure the service. Sensitive actions — approvals, rate changes, role changes, and data export/deletion — are recorded in an internal audit log with the actor, timestamp, and a description of what changed.

2. How we use it

To operate the application, authenticate users, enforce organization-level data isolation, generate the reports and AI features you request, send status-request and report emails you configure, and maintain security and reliability. We do not sell personal data.

3. AI features

Optional AI features (project planning, charter drafting, technical recommendations, delivery/pricing recommendations, status reports, idea suggestions, the AI assistant) send relevant project data to Anthropic's API to generate a response. AI-generated content may be inaccurate or incomplete — it is provided for drafting assistance only and should be reviewed by a human before being relied upon for decisions.

4. Third parties / sub-processors

Vercel (hosting), a managed Postgres provider (database), Anthropic (AI features), and an email provider (status-request and scheduled report emails, if configured). Each processes data only as needed to provide their service to us.

5. Cookies

We use a single essential session cookie to keep you signed in. We do not use tracking or advertising cookies.

6. Multi-tenancy & data isolation

If your organization is one of several client companies using Keel through the same operator, your organization's projects, users, and incidents are scoped so that no other client organization can see them. Internal-only reference data (such as the operator's staffing roster and rate cards) is never shared with any client organization.

7. Data export & deletion

An organization owner (SUPER_USER) can export a full copy of their organization's data at any time from the "My Organization" page, and can request deletion of their organization's data from the same page. Deletion requests are reviewed and confirmed by a Keel administrator before anything is permanently deleted — this two-step process exists to prevent accidental or coerced data loss. You can cancel a pending deletion request at any time before it is confirmed. You can also reach hemender.kumar@gmail.com directly to request export or deletion.

8. Data retention

Data is retained while your account or organization is active, or until a deletion request is confirmed, subject to legal or operational retention requirements (for example, audit log entries referencing a deleted organization may be retained without personal identifiers for accountability purposes).

9. Your responsibilities

Don't enter sensitive personal data about third parties (e.g. health or financial data of people outside your organization) without a lawful basis and their awareness. You're responsible for the accuracy of data your team enters.

10. Security

We use industry-standard practices (encrypted connections, hashed passwords, role-based and organization-scoped access controls, an audit log for sensitive actions) but no system is 100% secure. Report suspected security issues to hemender.kumar@gmail.com.

11. Contact

Questions about this policy: hemender.kumar@gmail.com.