Privacy Policy

We take your privacy seriously. This policy explains who we are, what personal data we collect, how we use and share it, and the rights you have under India's DPDP Act, the GDPR, and the CCPA.

Last updated: 31 May 2026 (v2.0)

Who we are

This Service is operated by Kalcend Technologies Pvt. Ltd., a company incorporated in India with its registered office at DS-Suite 22, TC 24/3088/2, Dotspace Business Center, Kaudiar Square, Thiruvananthapuram, Kerala 695003, India ("Kalcend," "we," "us"). We are a SaaS platform for building and deploying AI agents ("AI employees") that run customer support, sales, and operations across channels including WhatsApp, Slack, web chat, and voice/phone — with knowledge bases, third-party integrations, browser automation, automations, and a developer API.

We act as a data controller (Data Fiduciary) for the account and admin data of our business customers, and as a data processor for the end-user data our customers process through the platform. For data we process on a customer's behalf, our Data Processing Addendum applies.

Data we collect

Website visitors & admin users (Controller)

  • Identifiers: name, work email, phone, company, role
  • Account & auth: password hashes, OAuth identifiers, session tokens
  • Usage & device: pages viewed, IP address, browser/OS, approximate location
  • Billing: plan, billing email and address (payment card handled by Paddle)
  • Support content: messages and attachments sent to support

Customer data & end-users (Processor)

  • Contact records: names, phone numbers, WhatsApp IDs, segments
  • Messaging data: templates, campaigns, logs, inbound messages
  • Voice: call audio and transcripts where voice agents are used
  • Knowledge base: uploaded documents, URLs, text chunks, embeddings
  • Connected accounts: credentials/tokens for integrations you authorise (stored encrypted)
  • Agent & automation activity: tasks agents perform, including web pages and data accessed via browser automation and connected integrations, plus workflow and webhook logs

Important: Our platform is not intended for special categories of data (health, biometric, financial account numbers, etc.). Customers must not upload such data unless our written DPA explicitly permits it.

How we use data & legal bases

Website/admin accounts (Controller)

Provide and secure the service | Create accounts, authenticate, prevent abuse | Contract performance, legitimate use, consent
Product operations & support | Diagnostics, logs, responding to requests | Legitimate use
Communications | Onboarding, updates, service notices | Contract / legitimate use
Analytics | Aggregate usage trends and session replay — only after you opt in (see Cookies) | Consent

Customer tenant data (Processor)

Process Contact & Messaging data | Only on the Customer's documented instructions: sending campaigns, receiving replies, routing to agents, storing logs.
AI assistant | Generate answers using Customer content via retrieval; responses stored for audit and team review (not used to train third-party models).
Security & reliability | Rate-limiting, spam detection, incident response.

OpenAI / Anthropic: We use their APIs where API data is not used to train their models.

Meta (WhatsApp): Messages are processed via Meta's infrastructure; content may be available to Meta per their terms.

Sub-processors

We rely on the third parties below to provide the Service. Each is bound by a data processing agreement and processes personal data only as needed for its stated purpose. Optional processors are engaged only when you choose to use the related feature or integration.

Sub-processor | Purpose | Data | Region
Google Firebase / Google Cloud | Core data store, authentication, compute, queues, analytics warehouse (Firestore, Cloud Storage, Functions, Pub/Sub, Tasks, BigQuery) | All core account, organisation, message, contact and file data | India (asia-south1)
Meta Platforms (WhatsApp Business Platform) | WhatsApp message delivery | Phone numbers, message content, media | Global
Gupshup | WhatsApp Business Solution Provider — messaging and WABA management | Phone numbers, message content, media, template metadata | Global
OpenAI | AI text generation and voice transcription (Whisper). API data is not used to train OpenAI models | Conversation content, uploaded documents, voice audio converted to text | United States
Anthropic | Alternative AI model provider | Conversation content, prompts | United States
Browserbase | Cloud browser automation for agent web tasks | URLs visited, page content, form data, screenshots (per user-initiated task) | United States
Composio | Optional, user-initiated integrations with third-party apps (40+ services) | OAuth tokens and data from the connected service the customer authorises | United States
Paddle | Payments — our Merchant of Record | Name, email, billing address, payment method (card data handled directly by Paddle) | Global
Brevo | Transactional and notification email | Email address, name, message content | European Union
Twilio | Voice phone number provisioning and routing | Phone numbers, call metadata | United States
Slack | Optional, user-initiated channel integration | Messages, channel data, access tokens | United States / EU
Algolia | Search indexing across the product | Contacts, conversations, resources, memories, template metadata | Global
PostHog | Product analytics and session replay (only after consent) | In-product actions, session recordings, identifiers | United States
Google Analytics 4 | Web analytics (only after consent) | User/session identifiers, page events | Global
Google Cloud Translation | Automatic message translation | Message text | Global

International data transfers

Our core data — accounts, contacts, messages, files — is stored in India (Google Cloud asia-south1). Some sub-processors (OpenAI, Anthropic, Browserbase, Twilio, Slack, Composio, PostHog, Paddle, Algolia and Brevo) process personal data outside India.

Where data is transferred out of India, we rely on the recipient's contractual data-protection commitments. For data subject to the GDPR/UK GDPR, transfers outside the EEA/UK are made under Standard Contractual Clauses or an equivalent safeguard.

Your privacy rights

India (DPDP Act 2023)

  • Access a summary of your personal data and how it is processed
  • Correction, completion, updating, and erasure of your data
  • Withdraw consent at any time, as easily as it was given
  • Nominate another individual to exercise your rights
  • Grievance redressal via our Grievance Officer

EEA/UK (GDPR/UK GDPR)

  • Access, rectification, erasure, restriction, portability
  • Right to object and not be subject to automated decisions
  • Lodge a complaint with your local Data Protection Authority

California (CCPA/CPRA)

  • Know, access, delete, correct personal information
  • Opt-out of "sale"/"sharing" (we do not sell personal information)
  • Limit use of sensitive personal information, non-discrimination

How to exercise your rights: Email privacy@kalcend.ai or use our Grievance & Data Requests page. We verify your identity before acting and aim to respond within applicable timelines — and in any case within 90 days for grievances, as required by the DPDP Rules. If you are an end-user of one of our Customers, please direct your request to that Customer (the controller); we will assist them.

Cookies, analytics & session replay

We use strictly-necessary cookies and local storage for session continuity, theme, sidebar state, and security (Firebase App Check, reCAPTCHA). These are always on because the Service can't function without them.

We also use PostHog (product analytics and session replay) and Google Analytics 4. Session replay can record your interactions within the app. These analytics tools load only after you opt in via our cookie banner, and you can change or withdraw your choice anytime from "Cookie settings" in the footer. See our Cookie Policy for the full list.

Security

Security measures we implement

  • Encrypted transport (TLS)
  • Encryption at rest for primary stores
  • Encrypted storage of connected-account credentials
  • Role-based, organisation-scoped access controls
  • Comprehensive audit logs
  • Least-privilege key management & environment isolation
  • Regular vulnerability patching

Security disclaimer

No method is 100% secure. We maintain incident-response processes and will notify the Data Protection Board of India, other authorities, and affected Customers/users as and when required by law.

Data retention

Data | Retention
Account / admin data | Up to 12 months after account closure
Message logs | 12 months (configurable for customers)
Voice call audio & transcripts | Up to 12 months, then deleted
Imported contacts & knowledge uploads | Until the Customer deletes them or closes the account
Billing records | As required by tax and accounting law
Backups | Rolling, per disaster-recovery policy

When a retention period ends or you ask us to erase data, we delete it from active systems and purge it from backups on the next cycle, unless we must keep it to meet a legal obligation.

Children

The Service is intended for businesses and adults (18+) acting in a professional capacity. We do not knowingly collect the personal data of anyone under 18. The DPDP Act treats everyone under 18 as a child and requires verifiable parental consent to process their data; because we do not target or permit child users, we do not process children's data. If you believe a child has provided us data, contact our Grievance Officer and we will delete it.

Grievance Officer & contact

For any question about this policy, or to exercise your rights or raise a grievance, contact our Grievance Officer:

  • Grievance Officer: Sanjay Pillai
  • Entity: Kalcend Technologies Pvt. Ltd.
  • Registered office: DS-Suite 22, TC 24/3088/2, Dotspace Business Center, Kaudiar Square, Thiruvananthapuram, Kerala 695003, India
  • Email: privacy@kalcend.ai
  • Phone: +917736931116

We acknowledge grievances promptly and aim to resolve them within 90 days, in line with the DPDP Rules, 2025.

We may update this policy to reflect changes to our practices or legal requirements. We will post updates here, bump the version above, and notify account owners of material changes.