Privacy Policy

1. Introduction

KYMA Tech Solutions / Sage Holdings LLC ("Company," "we," "us") operates the KYMA ICOSA platform ("Platform"). This Privacy Policy explains how we collect, use, store, and protect your information when you use our services. We are committed to protecting your privacy and handling your data responsibly in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable.

2. Information We Collect

We collect the following categories of information:

• Account Information: Name, email address, organization name, and billing information when you create an account or purchase services.
• Assessment Data: AI system descriptions, technical documentation, and other information submitted through the Observation Framework for compliance assessment.
• Usage Data: Pages visited, features used, assessment history, and interaction patterns collected through analytics.
• Technical Data: IP address, browser type, device information, and cookies necessary for Platform functionality.
• Communication Data: Correspondence submitted through contact forms, partnership inquiries, and support requests.

3. How We Use Your Information

We use collected information for the following purposes:

• Performing AI compliance assessments through the multi-model council
• Processing payments and managing your account
• Generating compliance reports, certificates, and blockchain attestations
• Improving the Platform, assessment methodology, and user experience
• Communicating with you about services, updates, and regulatory changes
• Complying with legal obligations and responding to lawful requests

4. Data Sharing with AI Model Providers

To perform multi-model consensus assessments, system descriptions and related assessment data are transmitted to third-party AI model providers (e.g., OpenAI, Anthropic, Google, Mistral AI, Cohere, Meta, and others). Each model provider processes this data according to their respective API terms and privacy policies. We select model providers that maintain enterprise-grade data handling practices and do not use API-submitted data for model training.

5. Blockchain Records

For Full Council Certification assessments, verdict hashes are permanently recorded on the Polygon blockchain. These records contain cryptographic hashes — not raw assessment data — and cannot be modified or deleted. The hash alone does not reveal the content of your assessment, but serves as a verification mechanism. By proceeding with certification, you consent to the creation of this immutable record.

6. Data Retention

We retain assessment data for 3 years following the assessment date, or longer if required by law. Account information is retained for the duration of your account plus 1 year. Analytics data is retained in aggregated, anonymized form. You may request deletion of your personal data at any time, subject to legal retention requirements and blockchain immutability limitations.

7. Data Security

We implement industry-standard technical and organizational security measures, including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, regular security audits, and incident response procedures. Despite our efforts, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data ("right to be forgotten").
• Portability: Request your data in a structured, machine-readable format.
• Restriction: Request limitation of processing of your personal data.
• Objection: Object to processing based on legitimate interests.
• Withdrawal of Consent: Withdraw consent at any time where processing is based on consent.

To exercise these rights, contact us at privacy@kymatech.io. We will respond within 30 days.

9. Cookies

We use essential cookies necessary for Platform functionality (session management, security tokens). We may use analytics cookies to understand usage patterns. You can control cookie settings through your browser. Disabling essential cookies may impair Platform functionality.

10. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence, including the United States and jurisdictions where our AI model providers operate. Where required, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) to ensure adequate protection of your data during international transfers.

11. Children's Privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately and we will promptly delete it.

12. Third-Party Links

The Platform may contain links to third-party websites and services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes become effective upon posting to the Platform. Material changes will be communicated via email to registered users. Your continued use of the Platform after changes are posted constitutes acceptance of the revised policy.