Privacy Policy
How Keel collects, uses, and protects your information.
This Privacy Policy is a working draft for review by counsel before publication. Bracketed placeholders ([Legal entity name], [Registered office], dates) are filled in at first publication.
Who we are
Keel is operated by [Legal entity name] ("Keel", "we", "us", "our"), registered at [Registered office]. For privacy questions reach us at privacy@keelflow.ai. For security questions reach us at security@keelflow.ai.
This policy describes how we collect, use, and protect personal information in connection with the Keel platform and the keelflow.ai marketing site. If you are a customer of a company that uses Keel ("Customer"), Keel is a processor of your personal information; the Customer is the controller and their privacy notice governs the underlying purposes. This policy applies where Keel acts as a controller (for our marketing site, account creation, and operational use of the platform).
Information we collect
Three categories of information are involved when Keel is used.
2.1 Information you provide directly
- Account information including name, work email, role, and the company you are associated with.
- Authentication information including passwords (hashed) and TOTP secrets (encrypted).
- Workspace configuration including the doctrine you author in the Blueprint, segment and lane definitions, and playbook content.
- Communications you send to us, including support requests and feedback.
2.2 Information generated by your use of the platform
- Operational data including Accounts, Contacts, Opportunities, Activities, Signal events, and Vera interactions.
- Audit log entries recording who did what and when.
- Usage telemetry such as feature utilization counts and performance metrics.
2.3 Information from connected systems
Where you connect a CRM (Zoho, HubSpot), a call tool (Gong, Chorus, Otter, Fireflies, Zoom, Microsoft Teams), Slack, or calendar provider, we receive the data those systems send under the scopes you authorize. Transcripts ingested from call tools are mirrored to Keel-managed Cloudflare R2 storage in your Workspace's region for continuity if you later switch vendors.
We do not collect special categories of personal information (health, biometric, racial, sexual orientation, etc.). If a transcript or note in your Workspace contains such information because of your business context, we treat it under the heightened protections required by applicable law.
How we use information
We use the information described above for the following purposes.
- Provide the platform. Render Vera's guidance, run rituals, persist the Blueprint, sync to connected systems.
- Operate and secure the platform. Detect fraud, monitor uptime, investigate security incidents, maintain audit logs.
- Improve the product. Aggregate, de-identified telemetry only. We do not train AI models on your operating data, deal contents, contacts, or transcripts.
- Communicate with you. Account notifications, security alerts, billing communications, and (with consent) product updates.
- Comply with legal obligations. Tax, audit, law-enforcement requests with valid legal process.
Lawful bases (GDPR)
For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following lawful bases under GDPR Article 6:
- Contract. To deliver the Keel platform under the agreement with the Customer.
- Legitimate interests. To operate, secure, and improve our services, balanced against your privacy interests.
- Consent. Where consent is the appropriate basis (for example, marketing communications), withdrawable at any time.
- Legal obligation. For tax, accounting, and compulsory disclosures.
International transfers
Each Workspace is provisioned in one region and data does not cross regions. v1 ships in us_east. EU and APAC regions are on the v2 roadmap. Where transfers across borders occur (for example, when a customer based outside the United States uses a v1 Workspace in us_east), we rely on the Standard Contractual Clauses adopted by the European Commission and the UK addendum where applicable. The DPA documents the specific safeguards.
Retention
Operating data is retained while your Workspace is active. Audit logs are retained for 7 years by default. LLM interaction payloads are retained for 12 months by default. Transcripts mirrored to R2 are retained for 12 months by default. Closed Workspaces retain data for 90 days, after which it is hard deleted. Customers can configure retention overrides per data class within tier-permitted bounds. See the DPA for the full retention table.
Your rights
Depending on your jurisdiction, you may have rights to access, correct, delete, port, restrict, or object to the processing of your personal information.
8.1 If your information is held in a Customer Workspace
Direct your request to that Customer. They control how the information is used. We assist Customers in fulfilling these requests.
8.2 If you contact us directly
Write to privacy@keelflow.ai. We respond within 30 days. We may ask for verification before fulfilling certain requests.
8.3 California residents (CCPA / CPRA)
You have the right to know, delete, correct, and limit use of sensitive personal information. We do not sell or share personal information for advertising. You will not be discriminated against for exercising these rights.
Children
Keel is a B2B product not directed to children. We do not knowingly collect personal information from anyone under 16.
Changes to this policy
We may update this policy from time to time. Material changes are announced in-product to admins and by email to designated privacy contacts. The "Last updated" date at the top of this page reflects the most recent change.
Contact
For privacy questions and data subject requests: privacy@keelflow.ai. For security questions and vulnerability reports: security@keelflow.ai (see our Vulnerability Disclosure policy). For all other inquiries: hello@keelflow.ai.