1. Information We Collect
a. Information You Provide
Account Information: Name, email address, organization information, and login credentials when you create an account.
Payment Information: Billing details if you purchase a paid plan.
Communication Data: Feedback, support requests, or other messages you send us.
b. Automatically Collected Information
Usage Data: We log how you interact with our Services, including API requests, browser session start/end times, script execution logs, URLs visited by automated sessions, user agent strings, and success/failure status of automation tasks.
Device Information: IP address, browser type, operating system, device identifiers, and connection metadata.
Cookies and Tracking: We use cookies and similar technologies for authentication, session persistence, product analytics (e.g., feature usage, latency), and improvement. See Section 12 (Cookie Policy) for more detail.
Browser Automation Data: When you run automated sessions via Kernel, we may collect metadata and logs related to the activity performed, such as the DOM structure accessed, screenshots, timing data, input/output events, and error traces. Unless explicitly configured by the customer, we do not store page content or full session video. Users are responsible for configuring privacy-sensitive automation appropriately.
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain our Services
- Respond to your inquiries and support requests
- Analyze usage patterns and improve the platform
- Communicate with you about product updates, security alerts, or important notices
- Prevent abuse and fraud, and ensure security and compliance
3. Sharing and Disclosure
We do not sell your personal information. We may share information with:
- Service Providers who help operate our infrastructure (e.g., cloud providers, analytics vendors)
- Subprocessors who process data on our behalf (see our Subprocessor List if applicable)
- Legal Authorities if required by law or to protect our rights, users, or the public
a. Third-Party Data Sharing Requirements
Service Providers and Subprocessors: We share personal information with third-party vendors who provide infrastructure, analytics, logging, and support services. These subprocessors may receive log metadata, account identifiers, or automation telemetry as needed to operate the Service. A list of our current subprocessors is available here.
Customer-Controlled End-User Data: If you use Kernel to automate workflows involving end-user data (e.g., filling forms), you are the data controller of that information. Kernel only processes this data as instructed via your automations and does not persist it beyond session scope unless you explicitly request storage or logging.
4. Data Retention
We retain your data as long as necessary to provide the Services and comply with legal obligations. You may request deletion of your account and associated data by contacting us at privacy@onkernel.com.
We retain different categories of data for different periods:
- Account Data: Retained until account deletion or 90 days after prolonged inactivity.
- Automation Logs & Metadata: Retained for up to 30 days unless configured otherwise by the user.
- Billing Records: Retained for 7 years to comply with financial regulations.
- Backups: Encrypted backups containing metadata are retained for up to 35 days before being purged.
5. Your Rights
Depending on your location, you may have rights under applicable data protection laws (e.g., GDPR, CCPA), including:
- Access to the data we hold about you
- Request correction or deletion
- Object to or restrict processing
- Data portability
a. Privacy Rights Process
To exercise your privacy rights, please contact us at privacy@onkernel.com with the subject line “Privacy Request”. We may require verification, such as confirming your account details or providing proof of identity.
- We respond within 30 days for GDPR/UK requests and within 45 days for CCPA/CPRA requests.
- We may extend the response period by another 30 days (GDPR) or 45 days (CPRA) where necessary, in which case you will be notified.
6. Notice for California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with certain rights regarding your personal information.
a. Categories of Personal Information We Collect
In the past 12 months, we may have collected the following categories of personal information:
- Identifiers (e.g., name, email address, IP address)
- Commercial information (e.g., billing data, records of products purchased)
- Internet or other electronic network activity (e.g., logs, session metadata)
- Geolocation data (approximate IP-based location)
- Professional or employment-related information (e.g., company name, role)
b. Your Rights Under CCPA/CPRA
As a California resident, you have the right to:
- Know what categories of personal information we collect and use
- Access the personal information we have about you
- Delete your personal information (subject to certain exceptions)
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information (we do not sell your data)
- Limit the use and disclosure of sensitive personal information (if collected)
7. Notice for Users in the EU, EEA, and UK (GDPR)
If you are located in the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK), you have certain rights under the General Data Protection Regulation (GDPR) and UK GDPR.
a. Legal Basis for Processing
We process your personal data on one or more of the following legal bases:
- Contractual necessity — to provide and maintain the Services you’ve signed up for
- Legitimate interests — to improve the platform, prevent abuse, and secure our systems
- Consent — for optional features like marketing communications
- Legal obligation — when required to comply with the law
b. Your Rights
Under GDPR, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Request deletion of your data (“right to be forgotten”)
- Restrict or object to certain processing
- Receive a copy of your data in portable format
- Withdraw consent (for any processing based on consent)
c. International Data Transfers
If you use our Services from the EU/EEA or UK, your data may be transferred to and processed in countries outside of your jurisdiction, including the United States. Where applicable, we rely on:
- Standard Contractual Clauses (SCCs)
- Other lawful transfer mechanisms recognized under GDPR
d. Children’s Privacy
Our Services are not intended for children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from children. If we learn we have collected such data, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@onkernel.com.
8. HIPAA Considerations
While Kernel is not a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), we may act as a Business Associate to customers who are Covered Entities or Business Associates themselves. Kernel is capable of supporting HIPAA-compliant use cases and can sign Business Associate Agreements (BAAs) with enterprise customers upon request. If your organization intends to process Protected Health Information (PHI) using Kernel, please request more information to initiate a BAA or learn more about our safeguards.
9. Security
We implement technical and organizational security measures, including:
- Encryption in Transit and at Rest (TLS 1.2+ and AES-256)
- Role-Based Access Controls for internal systems
- Audit Logging and regular review of admin actions
- Vulnerability Management and dependency scanning
- Isolated Environments per customer