Last Updated: May 1, 2026

Privacy policy

Privacy Policy

Last Updated: May 1, 2026

This Privacy Policy explains how K3X (“K3X,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information in connection with:

  • Our website at k3x.ai

  • The application at app.k3x.ai

  • Our APIs

  • Related services (collectively, the “Services”)

K3X is a customer relationship management (“CRM”) platform that combines lead, contact, deal, and pipeline management with goal-based AI agents.

We process two distinct categories of personal information:

Account Information

Information about you when you visit our website, sign up, and use the Services as a customer or authorized user.

Customer Data

Information that our customers (“Customers”) submit, import, or generate through the Services about their own leads, contacts, prospects, and end users.

For Account Information, K3X acts as the data controller.

For Customer Data, K3X acts as the processor (or “service provider” under California law) on behalf of the Customer. Customers are responsible for the lawfulness of the Customer Data they submit and for responding to data-subject requests from the individuals reflected in that data.

If you are an end user, prospect, or contact of one of our Customers and would like to exercise rights regarding your data, please contact that Customer directly.

1. Information We Collect

1.1 Information You Provide

Account and Profile Data

We collect information such as:

  • Name

  • Email address

  • Phone number

  • Profile photo

  • Job title

  • Company name

  • Time zone

  • Authentication identifiers, including Google or Microsoft account IDs when signing in via OAuth

Customer Data You Upload or Generate

This may include:

  • Lead, contact, organization, and deal records

  • Notes, files, and attachments

  • Custom fields

  • Emails and SMS messages

  • Call recordings and transcripts

  • AI agent configurations and outputs

  • Activity history

Communications and Support Data

Including:

  • Support requests

  • Survey responses

  • Feedback submissions

Billing Data

We collect company billing details and tax identifiers.

Payment card details are processed by Stripe. K3X does not receive or store full payment card numbers.

1.2 Information Collected Automatically

Usage and Device Data

We automatically collect:

  • IP address

  • Browser type

  • Operating system

  • Device identifiers

  • Pages and features accessed

  • Timestamps

  • Error logs

  • Similar telemetry data

Cookies and Similar Technologies

Please see our Cookie Policy for more information.

Logs and Security Data

Including:

  • API call metadata

  • Audit logs

  • Information necessary to detect, prevent, and respond to abuse or security incidents

1.3 Information From Third Parties

Authentication Providers

If you sign in with Google or Microsoft, we receive:

  • Name

  • Email address

  • Profile picture

  • Account ID

  • Authorized scopes

Connected Services

When you connect third-party accounts such as Gmail, Google Calendar, Microsoft 365, or Twilio phone numbers, we may access related email, calendar, contacts, call, and message metadata based on permissions you grant.

Enrichment and Lookup Data

For certain features, we may retrieve publicly available information to enrich CRM records.

Billing and Fraud-Prevention Partners

Our billing and infrastructure providers may share information related to:

  • Fraud prevention

  • Chargeback management

  • Billing reconciliation

2. How We Use Information

We use personal information to:

  • Provide, operate, secure, and improve the Services

  • Authenticate users and manage accounts

  • Enforce our Terms and Acceptable Use Policy

  • Power AI features, including drafting messages, summarizing calls, qualifying leads, generating embeddings for retrieval, and routing work between agents and humans

  • Send transactional communications

  • Provide customer support

  • Process payments and subscriptions

  • Detect and prevent fraud, abuse, and security incidents

  • Comply with legal obligations

  • Conduct internal analytics, research, and product development

  • Send marketing communications where permitted by law or with your consent

You may opt out of marketing emails at any time using the unsubscribe link or by contacting us.

AI Training

K3X does not use Customer Data to train K3X foundation models or third-party AI provider models.

Our agreements with AI providers, including OpenAI and Anthropic, prohibit the use of Customer Data submitted through APIs for training general-purpose models.

We may use aggregated or de-identified data to improve and evaluate the Services.

3. Legal Bases for Processing (EEA / UK / Switzerland)

Where GDPR or UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract To provide the Services

  • Legitimate interests To secure and improve the Services and prevent fraud

  • Legal obligations For tax, accounting, and compliance requirements

  • Consent For cookies, certain marketing communications, and special-category data where applicable

You may withdraw consent at any time.

4. How We Share Information

We do not sell personal information.

We share information only in the circumstances described below.

4.1 Sub-Processors

We use trusted third-party providers to deliver the Services. Each provider is bound by written agreements that include confidentiality, security, and, where required, data-processing terms.

Our current sub-processors include Google Cloud Platform for hosting, compute, storage, and databases; Firebase for authentication, hosting, and file storage; OpenAI for AI inference, transcription, and embeddings; Anthropic for AI inference; Tavily for web search and content extraction for AI agents; LangSmith for AI agent observability and tracing; Twilio for SMS, voice calling, and phone number provisioning; SendGrid for transactional and system email; Google APIs for Gmail, Calendar, geocoding, time zone, and Places integrations; Microsoft Graph for Outlook, Calendar, and OneDrive integrations; and Stripe for payment processing and billing.

These providers may process data in the United States and, where applicable, the European Union.

We may update this list from time to time and will provide notice of material additions where required by your contract with us.

4.2 Other Recipients

Other Users in Your Workspace

Information shared within a workspace may be visible to authorized workspace users.

Connected Services

If you authorize integrations, data may flow to those services according to their permissions and privacy practices.

Legal and Safety Purposes

We may disclose information if required by law or necessary to:

  • Protect rights or safety

  • Prevent fraud

  • Address security incidents

Business Transfers

Personal information may be transferred during mergers, acquisitions, financing events, or asset sales.

With Your Consent or Direction

We may share information where you direct us to do so.

5. International Data Transfers

K3X is based in the United States, and our infrastructure is primarily hosted there.

If you access the Services from outside the United States, your information may be transferred to and processed in the United States or other countries where our providers operate.

Where required, we rely on safeguards such as:

  • Standard Contractual Clauses (SCCs)

  • UK International Data Transfer Addendum

  • Supplementary security measures

6. Data Retention

We retain personal information only as long as necessary.

Account Data

Retained while your account is active and for up to 90 days after termination, unless longer retention is required by law or necessary for dispute resolution, audits, backups, or security purposes.

Customer Data

Retained according to Customer instructions and our Terms. Customer Data is generally deleted within 60 days after termination, subject to backup retention cycles.

Logs and Security Data

Retained for up to 13 months.

Billing Records

Retained for the period required by tax and accounting laws, typically seven years in the United States.

7. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • Encryption in transit (TLS) and at rest

  • Field-level encryption for designated sensitive fields

  • Strong authentication and role-based access controls

  • Logging and monitoring for unauthorized access and anomalous behavior

  • Regular security reviews and dependency patching

  • Vendor due diligence on sub-processors

No system is completely secure.

If we become aware of a security incident affecting personal information, we will notify affected parties and authorities as required by law.

8. Your Rights

Depending on your location, you may have rights to:

  • Access your personal information

  • Correct inaccurate information

  • Request deletion

  • Request portability

  • Restrict or object to processing

  • Withdraw consent

  • Exercise non-discrimination rights under California law

California residents may also opt out of “sales” or “sharing” of personal information. K3X does not sell personal information or share it for cross-context behavioral advertising as defined by the CCPA/CPRA.

To exercise your rights, contact:

Email:

We may need to verify your identity before fulfilling requests.

If you are an end user or contact associated with one of our Customers, please contact that Customer directly.

You may also lodge complaints with your local data protection authority.

9. Financial Services Data

K3X is designed for SMB companies operating in the U.S. financial services sector.

If you are subject to the Gramm-Leach-Bliley Act (“GLBA”) or similar laws, you are responsible for:

  • Determining whether the Services are appropriate for your use

  • Configuring the Services appropriately

  • Providing required notices to your customers

We will handle nonpublic personal information in accordance with our agreements and applicable law.

10. Children

The Services are not directed to children under 16.

We do not knowingly collect personal information from children under 16.

If you believe a child has provided personal information to us, please contact:

11. Changes to This Policy

We may update this Privacy Policy periodically.

The “Last Updated” date reflects the latest revision.

If material changes are made, we will provide notice through the Services or by email.

Continued use of the Services after changes become effective constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions or to exercise your rights:

Email:

Mail:
K3X Inc. Attn: Privacy
1111B S Governors Ave.
Dover, DE 19904
United States

Phone:

For EU/UK privacy matters, our data protection point of contact can be reached at: