Privacy Policy
This Privacy Policy describes how KnowStack ("we," "us," or "our") collects, uses, stores, and protects your information when you use our knowledge management platform.
Last updated: March 22, 2026
1. Introduction
This Privacy Policy applies to all users of KnowStack, accessible at knowstack.ai. It describes our practices regarding the collection, use, storage, sharing, and protection of your personal data.
Data Controller: Nest Artem Dolmatov, ul. Wroclawska 79, 30-017 Krakow, Poland
Contact: [email protected]
We are committed to protecting your privacy and processing your personal data lawfully, fairly, and transparently. If you have any questions about this policy, please contact us using the details above.
2. Data We Collect
Account Data
When you create an account, we collect:
- Email address
- Name
- Password (stored as a bcrypt hash — we never store plaintext passwords)
- Company/organization name
- Profile avatar (optional, stored in cloud storage)
- Two-factor authentication secret (encrypted, if you enable 2FA)
Connected Data
With your explicit authorization, we access and process data from services you connect:
- Email data (Gmail, IMAP): Email messages including subject lines, sender/recipient information, message body, and timestamps. For Gmail, we use OAuth 2.0 with read-only scope — we never see or store your Google password.
- Website content: Publicly accessible web page content from URLs you provide for crawling.
- Uploaded documents: Files you upload (PDF, DOCX, TXT, CSV, Markdown) — up to 50 MB per file.
- Slack messages: Channel messages, threads, and metadata from workspaces you connect via OAuth.
- Telegram messages: Chat messages and metadata from accounts you authenticate.
- Meeting transcripts: Transcript content and metadata (title, date, participants, duration) from files you upload.
Usage Data
We automatically collect:
- IP addresses and approximate geolocation (country/city level)
- Browser type, operating system, and device information
- Pages visited, features used, and actions taken within the Service
- AI operations performed (type, model used, tokens processed, cost)
- Timestamps of your interactions with the Service
Billing Data
When you subscribe to a paid plan, we collect and store:
- Stripe customer ID (payment processing is handled by Stripe — we do not store full credit card numbers)
- Payment method details (card brand and last 4 digits only)
- Invoice history and payment amounts
- AI usage ledger (operation type, cost, billing period)
3. Legal Bases for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
| Legal Basis | Processing Activity |
|---|---|
| Contract Performance (Art. 6(1)(b)) | Account creation and management; providing the Service including Knowledge Base generation, AI features, and data source connections; processing subscriptions and payments; customer support |
| Legitimate Interest (Art. 6(1)(f)) | Security monitoring and fraud prevention; service improvement and debugging; activity logging for audit purposes; usage analytics to improve platform features |
| Consent (Art. 6(1)(a)) | Analytics cookies (Google Analytics) — only with your explicit consent via our cookie banner; connecting optional third-party data sources; marketing communications (if applicable) |
| Legal Obligation (Art. 6(1)(c)) | Maintaining billing and tax records; responding to lawful requests from authorities; complying with data protection regulations |
4. How We Use Your Data
We use the data we collect to:
- Provide, maintain, and improve the Service
- Generate and organize Knowledge Bases from your connected data sources
- Process AI requests using your Knowledge Base content as context
- Authenticate your identity and manage your account and permissions
- Process payments and manage your subscription
- Send service-related communications (account verification, security alerts, billing notifications, support ticket updates)
- Respond to your inquiries and support requests
- Monitor and analyze usage patterns to improve the platform
- Detect, prevent, and address security threats and technical issues
- Comply with legal obligations
We Do NOT:
- Sell your personal data to third parties — ever
- Use your data for advertising or ad targeting
- Use your data to train, develop, or improve general-purpose AI models
- Share your Knowledge Base content with other users or organizations
- Access your connected accounts without your explicit authorization
- Use data obtained through Google APIs for purposes beyond providing the Service
5. AI Data Processing
When you use AI-powered features, your data is processed as follows:
What data is sent to AI providers
- Text content from your connected data sources, documents, or Knowledge Bases — only the portions relevant to the specific AI operation you initiate
- Your search queries when using AI-powered search
- System prompts and configuration parameters (these do not contain personal data)
What data is NOT sent to AI providers
- Your account credentials, password, or authentication tokens
- Your billing information or payment details
- Your IP address or browser fingerprint
- Data from other Company Accounts or users
Data handling by AI providers
- Data is transmitted to AI providers over encrypted connections (TLS)
- AI providers process the data only to generate the requested output (knowledge extraction, summarization, search results, etc.)
- We require that AI providers do not retain your data beyond the processing window necessary to generate a response
- We require that AI providers do not use your data to train, improve, or develop their models
Data minimization
We apply data minimization principles by sending only the content necessary for the specific operation. For example, when generating a Knowledge Base from emails, we send the email text content but not email headers, attachment metadata, or account credentials.
6. Sub-Processors
We use the following third-party sub-processors to provide the Service. Each sub-processor has been vetted for their data protection practices:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Railway | Application hosting & infrastructure | All application data | EU |
| AWS S3 | File storage (documents, exports, avatars) | Uploaded files, KB exports | EU |
| Stripe | Payment processing | Billing data, payment method | US |
| OpenRouter | AI model routing & API gateway | Content submitted for AI processing | US |
| Anthropic | AI processing (Claude models) | Content submitted for AI processing | US |
| OpenAI | AI processing (GPT models) | Content submitted for AI processing | US |
| Google AI | AI processing (Gemini models) | Content submitted for AI processing | US |
| Meta AI | AI processing (Llama models) | Content submitted for AI processing | US |
| Firecrawl | Website content extraction | URLs provided by user | US |
| | OAuth authentication & Gmail API | Email address, profile, email content | US |
| Resend | Transactional email delivery | Email address, notification content | US |
| Sentry (optional) | Error monitoring & diagnostics | Error data, stack traces (no user content) | US |
| Google Analytics | Website usage analytics (consent-based) | Anonymized usage data, IP address (truncated) | US |
We will provide at least 14 days' advance notice via email before engaging a new sub-processor that materially changes how your personal data is processed. If you object to a new sub-processor, you may terminate your subscription within 30 days of notification.
7. International Data Transfers
Our primary application infrastructure is hosted in the European Union (Railway EU). Your account data, Knowledge Bases, and connected data sources are stored in the EU.
However, certain processing activities involve the transfer of data to sub-processors located in the United States, particularly:
- AI processing (OpenRouter, Anthropic, OpenAI, Google AI, Meta AI)
- Payment processing (Stripe)
- Email delivery (Resend)
- Website crawling (Firecrawl)
For transfers of personal data from the EEA to countries that have not received an adequacy decision from the European Commission, we rely on:
- EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), incorporated into our agreements with sub-processors
- Adequacy decisions where applicable
- Supplementary measures including encryption in transit (TLS 1.2+) and contractual commitments from providers not to use data for model training
8. Data Retention
We retain your data for the minimum period necessary for the purpose it was collected:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | Active account + 30 days post-deletion | Contract performance; deletion grace period |
| Knowledge Bases & content | Until you delete them or close your account | Contract performance |
| Connected data sources | Until you disconnect or close your account | Contract performance |
| Activity logs | 120 days; anonymized on account deletion | Legitimate interest (security, audit) |
| In-app notifications | 90 days | Contract performance |
| AI processing logs | Retained for billing; deleted on account deletion | Contract performance; legal obligation |
| Billing & tax records | 7 years from transaction date | Legal obligation |
| KB exports | 7 days after creation | Contract performance |
| Team invitations | 7 days (auto-expire) | Contract performance |
| Support tickets | Until resolved + reasonable archive period | Contract performance; legitimate interest |
When data is no longer needed for its original purpose and no legal retention requirement applies, it is deleted or anonymized.
9. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or a jurisdiction with similar data protection laws, you have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you and information about how it is processed
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
- Right to Restriction (Art. 18): Request that we restrict processing of your personal data in certain circumstances (e.g., while we verify its accuracy)
- Right to Data Portability (Art. 20): Request your personal data in a structured, commonly used, machine-readable format, or request transfer to another controller
- Right to Object (Art. 21): Object to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing
- Automated Decision-Making (Art. 22): KnowStack does not make automated decisions with legal or similarly significant effects about you. AI features are tools that require your initiation and review.
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected] with "Privacy Request" in the subject line. We will:
- Verify your identity before processing the request
- Respond within 30 days (extendable by up to 60 days for complex requests, with notification)
- Fulfill the request free of charge, except for manifestly unfounded or excessive requests
Right to Lodge a Complaint
If you believe our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
Revoking Access to Connected Services
You can disconnect integrated services at any time through your KnowStack account settings. For Google services, you can also revoke access through your Google Account permissions.
10. Account Deletion
You can delete your account at any time through your account settings. The deletion process works as follows:
- Grace period: After you request deletion, there is a 10-day grace period during which you can cancel the deletion and restore your account
- Reminder emails: You will receive reminder emails at 3 days and 1 day before deletion
- Company decisions: If you are the sole administrator of a Company Account, you must either transfer ownership to another user or confirm that the company data should be deleted
- What is deleted: Your account data, Knowledge Bases, connected data sources, documents, AI logs, notifications, and associated company data (if marked for deletion)
- Gmail token revocation: If you connected Gmail, we will revoke our OAuth access tokens
- Activity log anonymization: Activity logs are anonymized (personal identifiers removed) rather than deleted, to maintain audit integrity
- Billing records: Transaction records are retained for 7 years as required by law
- Completion: All personal data is deleted or anonymized within 30 days of the grace period ending
11. Google API Services Compliance
KnowStack's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Gmail Integration
When you connect your Gmail account:
- We use OAuth 2.0 for secure authentication — we never see or store your Google password
- We request only the gmail.readonly scope — read access to your emails for knowledge extraction
- Email content is processed to extract knowledge and build your Knowledge Bases
- We do not use Gmail data for advertising purposes
- We do not share Gmail data with third parties except as necessary to provide the Service (e.g., sending content to AI providers for processing at your request)
- You can revoke access at any time through your KnowStack settings or through Google Account permissions
Google OAuth (Sign-in)
If you use "Sign in with Google":
- We receive your email address and basic profile information
- We use this information only to create and authenticate your account
- We do not access any other Google services without additional explicit consent
12. Cookies & Tracking
We use cookies and similar technologies in three categories:
- Essential cookies: Required for authentication, security (CSRF protection), and core site functionality. These cannot be disabled.
- Preference storage: Remembers your settings such as theme preference (light/dark mode). Uses browser localStorage.
- Analytics cookies: Google Analytics cookies, set only with your explicit consent through our cookie consent banner. These help us understand how visitors use our site.
We do not use cookies for advertising, cross-site tracking, or selling data to third parties.
For complete details about each cookie we use, their purposes, and how to manage your preferences, please see our Cookie Policy.
You can opt out of Google Analytics across all websites by installing the Google Analytics Opt-out Browser Add-on.
13. Data Security
We implement comprehensive technical and organizational security measures to protect your data:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Encryption at rest: Sensitive data including third-party credentials and authentication tokens are encrypted using AES-256-GCM (authenticated encryption)
- Password security: Passwords are hashed using bcrypt with an appropriate work factor — we never store plaintext passwords
- Data isolation: Each Company Account's data is logically isolated. Users can only access data within their authorized Company Accounts and according to their assigned roles.
- Access controls: Granular role-based access control (RBAC) with permissions at the Knowledge Base and section level
- CSRF protection: Double-submit cookie pattern prevents cross-site request forgery attacks
- Content Security Policy: Strict CSP headers prevent cross-site scripting (XSS) attacks
- Infrastructure: Hosted on SOC 2 compliant cloud infrastructure with regular security updates
- Session management: Authenticated sessions have a 1-hour sliding window timeout
While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability and will promptly address any vulnerabilities discovered.
14. Data Breach Notification
In the event of a personal data breach:
Notification to Supervisory Authority (GDPR Art. 33)
Where feasible, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals. The notification will include:
- The nature of the personal data breach, including categories and approximate number of individuals affected
- The name and contact details of our data protection contact
- The likely consequences of the breach
- The measures taken or proposed to address and mitigate the breach
Notification to Affected Individuals (GDPR Art. 34)
If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via email, describing the nature of the breach, its likely consequences, and the measures we have taken. We will also provide recommendations for steps you can take to protect yourself.
Breach Response
We maintain an incident response plan that includes containment, investigation, remediation, and notification procedures. We conduct post-incident reviews to prevent recurrence.
15. Children's Privacy
KnowStack is designed for business use and is not directed at children.
- The free tier (Starter plan) requires users to be at least 16 years of age
- Paid plans require users to be at least 18 years of age
- We do not knowingly collect personal data from anyone under 16 years of age
- If we discover that we have collected personal data from a child under 16, we will delete that data immediately
- If you believe we have inadvertently collected data from a child under 16, please contact us at [email protected]
16. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:
Categories of Personal Information Collected
- Identifiers: Name, email address, IP address, account ID
- Commercial information: Subscription plan, payment history, AI usage records
- Internet or electronic network activity: Pages visited, features used, browser type
- Professional or employment information: Company/organization name (if provided)
- Inferences: None — we do not create consumer profiles
Your Rights Under CCPA/CPRA
- Right to Know: You can request the categories and specific pieces of personal information we have collected about you
- Right to Delete: You can request deletion of your personal information, subject to legal exceptions
- Right to Correct: You can request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is needed.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise these rights, contact us at [email protected]. We will verify your identity before processing requests. You may also designate an authorized agent to make requests on your behalf.
17. Changes to This Policy
We may update this Privacy Policy at any time at our sole discretion. Changes take effect upon the date specified in the updated policy.
When we make changes:
- We will update the "Last updated" date at the top of this page
- We will notify you of any changes by sending a notification to the email address associated with your account
- The updated policy will be posted on this page and become effective on the date stated in the notification or, if no date is stated, upon posting
By continuing to access or use the Service after an updated Privacy Policy becomes effective, you agree to be bound by the revised policy. All existing users are deemed to have accepted the updated policy upon its effective date. If you do not agree with the revised policy, your sole remedy is to stop using the Service and delete your account.
18. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us:
Email: [email protected]
Operator: Nest Artem Dolmatov
Address: ul. Wroclawska 79, 30-017 Krakow, Poland
For data protection inquiries, please include "Privacy Request" in your email subject line. We aim to respond within 30 days.