Privacy Policy
How Kontaim collects, uses, and protects data for facilitators, customer organizations, and live-session participants.
Last updated: January 14, 2026
1. Introduction
Kontaim is an enterprise platform for creating interactive training and engagement experiences. This Privacy Policy explains how we handle data on behalf of the organizations that purchase Kontaim (“Customer”) and the individuals who join their live sessions (“Participants”).
Core principle: data minimization by design. We collect only what is necessary to deliver the service, and we do not require Participants to create accounts or provide personal identifying information to join a session.
For the personal data Customers process using our Platform, the Customer is the “data controller” and Kontaim is the “data processor.” The terms of that relationship are governed by our Data Processing Addendum.
2. Information We Collect
2.1 Customer Accounts
For the people inside your organization who sign in (Facilitators, Admins), we collect:
- Account information: email address, name, and a hashed password (or SSO identifier).
- Organization metadata: company name, role, and authorized email domain.
- Usage data: experiences created, sessions launched, feature usage.
- Billing information: for paid subscriptions, billing details are processed by Stripe; we do not store full payment card numbers.
2.2 Live Session Participants (Zero-PII Architecture)
Participants join a live session via a short join code and a display name of their choice. We do not require Participants to create an account.
- No name, email, phone number, or employer information is required.
- The display name is whatever the Participant types — it may be a real name, nickname, or anonymous string.
- The only data tied to a Participant record is the events they generate while playing (responses, scores, completion).
- Participant records are scoped to the session and visible only to the Facilitator who launched it.
2.3 Automatically Collected Information
- Technical data: browser type, device, and operating system. IP addresses are not stored against user records (see Section 5.1).
- Cookies: session cookies for authentication and preferences (see Section 5).
3. How We Use Information
We use collected information to:
- Provide, secure, and improve the Platform.
- Process subscriptions and billing.
- Communicate operational updates about Customer accounts.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
We do not:
- Sell personal information.
- Use Participant data for advertising or marketing.
- Share Customer data with third parties for their own marketing.
- Use Customer content to train AI models without explicit, separate authorization.
4. Customer Content
Activities, experiences, and session data created by a Customer (“Customer Content”) belong to the Customer. We process Customer Content solely to provide the service. The terms governing this processing — including subprocessors, security measures, and breach notification — are set out in our Data Processing Addendum.
5. Cookies & Analytics
We use cookies for:
- Essential cookies: required for authentication and core functionality.
- Preference cookies: remember user settings (theme, language).
- Analytics cookies: help us understand Platform usage to improve the service.
We do not use cookies for cross-site advertising or behavioral retargeting.
5.1 Privacy-Hardened Analytics
We use PostHog for product analytics, configured in a privacy-hardened mode:
- No IP collection: IP address collection is disabled at the SDK level, and IP addresses are never stored.
- Anonymous identifiers only: users are identified by opaque database UUIDs — not by name, email, or username.
- Masked session replays: all form inputs and screen text are masked as asterisks; copy-paste content is never captured.
- Participant data protection: for live-session Participants we send only role-level signals; no display names, organization names, or content text.
This configuration ensures that even in the event of a downstream provider incident, no personally identifiable information about Participants could be exposed — because it was never transmitted.
6. Data Security
We apply enterprise-grade security controls:
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256 on managed Postgres).
- Passwords hashed with industry-standard algorithms; SSO available for enterprise plans.
- Least-privilege access controls and audit logging for administrative actions.
- Continuous vulnerability scanning, dependency monitoring, and regular security review.
For our full security posture, including subprocessor list and breach-notification commitments, see the Security & Compliance page.
7. Data Retention
- Active accounts: data is retained while the Customer subscription is active.
- Deleted accounts: personal data is deleted within 30 days of account deletion, except where retention is required by law.
- Participant records: retained alongside the session they belong to, governed by the Customer's retention configuration.
- Backups: rolling encrypted backups are purged on a 35-day cycle.
8. Your Rights (GDPR / CCPA / Equivalent)
Depending on your jurisdiction, you (or, for Participant data, the relevant Customer) may have the right to access, correct, delete, port, or object to processing of personal data.
- If you are a Customer user (Facilitator, Admin), contact us directly to exercise these rights.
- If you are a Participant in a session, direct requests to the Customer organization that hosted the session — they are the data controller.
Contact us at support@kontaim.com for assistance.
9. International Transfers
Data is primarily stored in Canada. Where Customer data is transferred to processors in other jurisdictions (e.g., AI providers, payment processors), we rely on Standard Contractual Clauses and equivalent transfer mechanisms. The current subprocessor list is in our DPA.
10. Third-Party Services
We rely on the following subprocessors:
- Stripe — billing and payment processing.
- Supabase — database and authentication infrastructure (hosted on AWS Canada).
- Vercel — hosting and content delivery.
- PostHog — product analytics, in privacy-hardened mode (see 5.1).
- AI providers — generation requests are processed but not retained for model training under our enterprise agreements.
Each subprocessor has its own privacy policy. Our configuration prioritizes privacy and minimizes data exposure. The authoritative subprocessor list lives in the DPA.
11. Changes to This Policy
We may update this Privacy Policy. Material changes will be communicated via email to account owners, or via a prominent notice in the Platform. The “Last updated” date at the top reflects the most recent revision.
12. Contact
Questions about this Privacy Policy or our data practices? Reach us at support@kontaim.com.