Legal
Privacy Policy
Effective April 23, 2026 · Last updated April 23, 2026
1. Who we are
The Kite service is operated by Kismet Career Paths LLC, a South Carolina limited liability company doing business as Alpha-Centauri-Cyberspace ("Alpha-Centauri-Cyberspace", "we", "us", or "our"). This Privacy Policy explains how we collect, use, share, and protect personal information in connection with the Kite platform at getkite.sh, our command-line interface (kite), our API, and our dashboard (together, the "Service").
By using the Service you acknowledge this Privacy Policy. If you do not agree, do not use the Service.
2. Scope
This Policy applies to personal information we process as a data controller — primarily information about you as an account holder, prospect, or visitor.
When you use Kite to relay webhook events, those event payloads may contain personal information about your end users or third parties. For that data, you are the controller and we are a processor acting on your behalf. The way we handle that data is governed by your agreement with us and, where applicable, a Data Processing Addendum.
3. Information we collect
Account information
Collected via our authentication provider (Clerk) when you sign up or sign in:
- Name and email address
- Profile photo, if you provide one
- OAuth provider identifiers (e.g. GitHub, Google) if you sign in with SSO
- Organization and team memberships
Service configuration
Data you create while using Kite:
- API key metadata (we store a one-way hash of the secret, never the plaintext)
- Webhook endpoints and subscription rules you configure
- Team and billing settings
- Audit records for sensitive actions (key creation, rotation, revocation)
Event data
Webhook payloads and associated metadata that flow through Kite on your behalf. This data may include personal information about your users (e.g. email addresses in a user.created event from your source system). We process this data strictly as your processor, retain it for a limited period (see Section 9), and apply encryption at rest and in transit.
Usage and log data
- IP address, user-agent, and request metadata for API and dashboard traffic
- Delivery attempt logs (status codes, latency, retry counts)
- Error traces (we exclude payload contents from error reports where technically feasible)
Billing information
When you pay for a paid plan:
- Payment identifiers and transaction IDs from our payment processor(s)
- For x402 settlements: on-chain wallet addresses and transaction hashes
- Invoice history and tax information necessary to issue receipts
We do not store full payment card numbers. Card processing is handled by PCI-compliant processors.
Cookies and similar technologies
- Essential cookies — session cookies issued by our authentication provider to keep you signed in.
- Analytics — aggregate, IP-truncated usage metrics via Vercel Analytics. No cross-site tracking, no advertising cookies.
- We honor the Sec-GPC (Global Privacy Control) signal as a request to opt out of any "sale" or "sharing" of personal information under applicable law.
4. How we use personal information
We process personal information to:
- Provide, operate, and secure the Service
- Authenticate and authorize access
- Deliver events according to your configuration
- Bill you and process payments
- Detect, investigate, and prevent fraud, abuse, or violations of our Terms
- Send administrative and service-related communications (e.g. security notices, billing)
- Respond to support requests
- Produce aggregate, non-identifying analytics to improve the Service
- Comply with legal obligations
We do not sell personal information, and we do not use it for third-party advertising or profiling.
5. Legal bases for processing (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR and equivalent laws:
| Purpose | Legal basis |
|---|---|
| Providing the Service under our Terms | Contract (Art. 6(1)(b)) |
| Authentication and account security | Contract (Art. 6(1)(b)) |
| Billing, payments, and tax records | Contract and legal obligation (Art. 6(1)(b), (c)) |
| Abuse detection, fraud prevention, platform security | Legitimate interest (Art. 6(1)(f)) |
| Service-related communications | Legitimate interest (Art. 6(1)(f)) |
| Optional marketing communications | Consent (Art. 6(1)(a)) |
| Responding to lawful government requests | Legal obligation (Art. 6(1)(c)) |
You can object to legitimate-interest processing or withdraw consent at any time (see Section 11).
6. How we share personal information
We share personal information only as described here:
- Subprocessors — vendors that help us operate the Service (see Section 7). Each is bound by a written data processing agreement.
- Legal requirements — when required by law, subpoena, or other valid legal process, or to protect rights, safety, or property.
- Business transfers — if we are involved in a merger, acquisition, or asset sale, information may be transferred, subject to this Policy. We will notify you of any material change.
- With your direction — when you integrate third-party services (e.g. GitHub for webhook installation) you direct us to share limited data with them.
We do not sell personal information, and we do not share it for cross-context behavioral advertising.
7. Subprocessors
We use the following subprocessors to operate the Service:
| Subprocessor | Purpose | Primary region |
|---|---|---|
| Clerk, Inc. | Authentication and user management | United States |
| Vercel, Inc. | Web hosting, edge delivery, analytics | United States / global |
| Neon, Inc. | Managed PostgreSQL database | United States |
| Hetzner Online GmbH | Application server hosting | Germany |
| Cloudflare, Inc. | CDN, DNS, object storage (R2) | Global |
| x402 facilitator | On-chain payment verification | United States |
We publish a current list of subprocessors and will notify you before we add or replace one if your subscription entitles you to that notice.
8. International transfers
Kite operates in the United States and the European Union. When we transfer personal information from the EEA, UK, or Switzerland to the United States or another country outside those regions, we rely on:
- The European Commission's Standard Contractual Clauses and equivalent UK and Swiss addenda;
- The UK International Data Transfer Agreement where required;
- Supplementary technical and organizational measures, including encryption in transit and at rest.
A copy of the relevant transfer mechanism is available on request from [email protected].
9. Data retention
We retain personal information only as long as necessary for the purposes described in this Policy:
| Data category | Retention |
|---|---|
| Account information | While your account is active, plus up to 30 days after deletion |
| Event payloads (by default) | 30 days from ingestion |
| API and delivery logs | 90 days |
| Audit records | 12 months |
| Billing records | 7 years (to meet tax and accounting obligations) |
| Backups | Up to 35 days before overwrite |
You can request earlier deletion of your personal information subject to our legal and operational obligations.
10. Security
We maintain technical and organizational measures designed to protect personal information, including:
- TLS 1.2+ in transit; AES-256 at rest for persisted data
- API key secret values stored only as one-way hashes
- Webhook secret values encrypted with a rotating key
- HMAC-SHA256 signatures on outbound webhook deliveries
- Per-team authorization scoping and rate limiting
- Least-privilege access control for our own staff
- Audit logging of sensitive administrative actions
- Regular backups with tested restoration
No method of transmission or storage is perfectly secure. If we learn of a security incident affecting your personal information, we will notify you as required by applicable law.
11. Your rights (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Access — obtain a copy of the personal information we hold about you
- Rectification — correct inaccurate or incomplete information
- Erasure — request deletion of your personal information ("right to be forgotten")
- Portability — receive your information in a structured, machine-readable format
- Restriction — restrict processing in certain circumstances
- Objection — object to processing based on legitimate interests, including profiling
- Withdraw consent — where processing is based on consent
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email [email protected]. We will respond within 30 days. We may need to verify your identity before acting on a request.
12. Your rights (California)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you the following rights:
- Right to know what personal information we collect, use, and disclose
- Right to delete personal information we have collected from you
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising
- Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond those expected by a reasonable consumer
- Right to non-discrimination for exercising any of these rights
To exercise these rights, email [email protected] with the subject line "CCPA Request". You may designate an authorized agent to act on your behalf; we will verify their authority.
We also honor the Global Privacy Control signal as an opt-out preference signal.
13. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact [email protected] and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. For material changes, we will provide advance notice by email to the contact on your account and by posting a prominent notice in the dashboard. The "Last updated" date at the top reflects the most recent revision. Continued use of the Service after the effective date of a change constitutes acceptance.
15. Contact
For any question about this Policy or your personal information, or to exercise any of the rights described above, contact us:
- Email — [email protected]
- Mail — Kismet Career Paths LLC (d/b/a Alpha-Centauri-Cyberspace), [Company address to be added], South Carolina
Please use the subject line "GDPR Request" or "CCPA Request" if your request is governed by one of those laws, so we can route it appropriately.