Draft — pending legal review. This text has not yet been approved by counsel and is not the binding version. Stamping termsApprovedAt in platform settings flips this page out of draft mode.
Kernion · agency.kernion.io Last updated 2026-06-15

Privacy Policy

How Kernion collects, uses, and protects personal data on agency.kernion.io.

This Privacy Policy describes how Kernion ("we", "us") processes personal data when you visit agency.kernion.io, request a demo, start a trial, or contact us through the site. It covers only the marketing website and trial flow — once you become a paying customer, a separate Data Processing Addendum governs the end-user data you route through our platform.

1. Controller

The data controller for this website is Kernion d.o.o., Address line 1 — fill via /platform/settings, 10000 Zagreb, HR.

Questions about this notice, or about how we process your data, can be sent to hello@kernion.io. We respond to verified requests within 30 days, as required by the GDPR.

2. What we collect and why

We process personal data for the following purposes:

| Category | Data | Legal basis | Retention |
| --- | --- | --- | --- |
| Site operation | IP address, user agent, session cookie, locale cookie | Art. 6(1)(f) legitimate interest (site security + language) | Session: 30 days. Access logs: 30 days. |
| Demo / trial sign-up | Email, name, company, role, intended use case | Art. 6(1)(b) contract; Art. 6(1)(a) consent for marketing | Trial data: 90 days after trial end, unless converted. |
| Demo SMS / chat interactions | Phone number, message content, chat transcript | Art. 6(1)(a) consent (you initiate the interaction) | Chat transcripts: 30 days. Phone numbers: deleted after reply. |
| Newsletter (if subscribed) | Email, opt-in timestamp, preferences | Art. 6(1)(a) consent | Until unsubscribed. |
| Support | Email, message content | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interest | 3 years from last contact. |
| Billing (post-signup) | Name, billing email, VAT ID, invoice data | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation (tax law) | 10 years (tax retention). |

3. AI on this site

The chat widget and the "text yourself a demo" flow route your message to third-party large-language-model inference providers under contract. Those providers are contractually restricted from training on data sent through the API. See our AI Disclosure for details on how AI is used.

4. Who we share data with

We use a small set of carefully chosen processors to deliver the Service. By category:

  • infrastructure hosting (EU region);
  • AI inference (third-party LLM providers, no training on API traffic);
  • transactional email (outbound support and billing emails);
  • transactional SMS / voice (only when you use the demo or a customer's agent channels);
  • payments (subscription billing, invoices).

A summary list is on the Subprocessors page. A fully named list — with processor entity, region, and contact — is provided to contracted customers under NDA on request to hello@kernion.io.

We do not sell personal data. We do not share personal data with advertisers. We do not embed third-party tracking pixels on this site.

5. International transfers

Our servers are hosted in the European Union. Some processors are based outside the EEA. Transfers to those providers rely on the Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Processor agreements + SCCs are on file and available on request.

6. Your rights

If your personal data is being processed, you have the right to:

  • access a copy of it (Art. 15);
  • correct it if it is inaccurate (Art. 16);
  • ask us to delete it (Art. 17);
  • restrict how we process it (Art. 18);
  • receive it in a portable format (Art. 20);
  • object to processing based on legitimate interest (Art. 21);
  • withdraw consent at any time (Art. 7) without affecting processing done before withdrawal.

To exercise any of these rights, visit Data Requests or email hello@kernion.io with the subject "DSR". You can also lodge a complaint with your local supervisory authority.

7. Cookies and first-party analytics

agency.kernion.io uses functional cookies for session, locale, authentication, and consent records. Tenant sites may also use privacy-first, first-party analytics for page views and conversion reporting; analytics runs only after explicit consent and does not store raw IP addresses or raw user-agent strings. See Cookies for the full list.

8. Security

Data in transit is TLS-encrypted. Data at rest is encrypted at the storage layer. Credentials (OAuth tokens, API keys, telephony auth tokens) are envelope-encrypted with a platform-owned key before being written to the database. Access is limited to named engineers on a need-to-know basis and logged.

9. Changes

We publish material changes to this notice here, and date-stamp the "Last updated" line above. For customers, we send written notice 30 days before any change that materially affects processing.

10. Contact

Email: hello@kernion.io
Legal entity: Kernion d.o.o.
Address: Address line 1 — fill via /platform/settings, 10000 Zagreb, HR