Privacy Policy

Last updated: April 9, 2026

This privacy policy describes how Korso, Inc., a Delaware corporation doing business in California ("Korso," "we," "us," or "our"), collects, uses, and shares information in connection with our AI-powered manufacturing operations platform, websites, and related services (collectively, the "Services").

The Services are provided primarily to business customers ("Organizations") such as manufacturing companies and their teams. Where we process personal data about team members or other individuals on behalf of an Organization, we act as a data processor and handle that data only in accordance with our agreement with the Organization and applicable data-protection law.

1. Information we collect

We may collect and process the following categories of information:

  • Account and profile information: name, email address, job title, organization, role, profile picture, and authentication identifiers (including Google account information when you use Google Sign-In).
  • Email and communications data: when your Organization connects an email account (e.g., Gmail or another supported provider), we ingest the contents of the connected mailbox, including message bodies, headers, sender and recipient addresses, timestamps, and file attachments, to power document extraction, entity resolution, quoting, and the AI assistant.
  • Documents and attachments: files uploaded by users or extracted from connected email accounts, including PDFs, spreadsheets, images, RFQs, quotes, purchase orders, invoices, contracts, and specifications. We process these documents using OCR and AI classification to extract structured data.
  • Business and operational data: quotes, purchase orders, pricing information, supplier and customer contact details, product catalogues, knowledge-base entries, and deal-pipeline data created or managed within the Services.
  • Usage and device information: log data, browser type, device identifiers, IP address, pages visited, and how you interact with the Services.
  • Support and communications: messages you send to us, feedback, and information you provide during onboarding, training, or support interactions.
  • Billing and payment information: when your Organization subscribes to the Services, we collect billing-related identifiers such as subscription and customer identifiers managed by our payment processor. We do not store credit-card numbers or bank-account details on our systems.
  • ERP, CRM, and business-system data: when your Organization connects external business systems (such as Salesforce, HubSpot, QuickBooks, Xero, NetSuite, SAP, and others) through our Hermes connector, we access and process business data from those systems — including contacts, accounts, transactions, invoices, and other records — as configured by your Organization. Connection credentials are encrypted at rest using AES-256-GCM.

2. How we use information

We use information for the following purposes:

  • providing, operating, and maintaining the Services, including email ingestion, document processing, entity resolution, and AI-powered features;
  • authenticating users and securing access to the platform;
  • generating and managing quotes, purchase orders, and related business documents;
  • providing AI-powered features such as document classification, data extraction, pricing intelligence, smart alerts, and the conversational AI assistant;
  • analyzing usage to improve performance, reliability, and user experience;
  • developing new features and capabilities;
  • providing support, responding to inquiries, and communicating with you;
  • meeting legal, regulatory, and compliance obligations, and enforcing our agreements.

3. How we share information

We do not sell personal data. We may share information in the following circumstances:

  • With your Organization that provides you access to the Services, consistent with its internal policies and its agreement with Korso.
  • With sub-processors that perform services on our behalf, including Google Cloud Platform (cloud infrastructure, AI models, and OCR via Vertex AI and Document AI), Microsoft Azure OpenAI Service and OpenAI (AI model hosting), Microsoft Bing Search (web search for AI assistant), PostHog (product analytics and error tracking), Stripe (payment processing and subscription management), Resend (transactional email delivery), and Vercel (hosting and analytics), subject to contractual obligations of confidentiality and data protection.
  • With integration partners where your Organization has enabled those integrations (e.g., Gmail for email connectivity).
  • For legal, safety, and security reasons: to comply with applicable law, respond to lawful requests from public authorities, protect the rights and safety of Korso, our customers, or others, or to detect and prevent fraud or security incidents.
  • In a business transfer, such as a merger, acquisition, financing, or sale of all or a portion of our assets, where information may be transferred as part of the transaction, subject to the acquirer assuming the obligations set forth in this policy.

For Organizations that require a Data Processing Agreement (DPA) under the GDPR or other applicable data-protection laws, we make a standard DPA available upon request. Please contact us at the address below to request a copy.

4. Cookies, analytics, and tracking

The Services use a limited set of cookies, browser local storage, and analytics technologies:

  • Session and authentication tokens: used to maintain your login session and secure access to the platform.
  • Vercel Analytics: collects anonymized page-view and performance data to help us understand how users interact with the Services.
  • Vercel Speed Insights: measures page-load performance to help us optimize the user experience.
  • PostHog Analytics: collects product-usage events, page-view data, and error reports to help us understand how the Services are used and to diagnose issues. PostHog data is routed through a first-party proxy and is not used for advertising.
  • Browser local storage: stores your authentication token, language preference, theme setting, and user-interface state so that the application does not need to be reconfigured on each visit.

We do not use third-party advertising cookies, tracking pixels, or behavioral-profiling technologies. We do not serve targeted advertisements. Where required by applicable law, we obtain your consent before placing non-essential cookies or similar technologies.

The Services do not currently respond to "Do Not Track" (DNT) browser signals. We do not track users across third-party websites.

5. AI processing and automated decisions

The Services use artificial-intelligence models hosted by Google Vertex AI, Microsoft Azure OpenAI Service, and OpenAI to perform automated processing of your data, including document classification, text extraction, entity resolution, pricing analysis, and conversational assistance. These models process your data solely to provide the requested functionality and are not used to build general-purpose training datasets.

AI outputs may inform but do not replace human decisions. No legally or financially binding decisions are made by the Services without human review. If you believe an automated process has produced an inaccurate result that affects you, you may contact your Organization or Korso to request a review.

6. Data retention

We retain information for as long as necessary to provide the Services, to support your Organization's legitimate business needs, to comply with legal or regulatory obligations, to resolve disputes, and to enforce our agreements. Retention periods vary by data type:

  • Account data is retained for the duration of the account relationship and for a reasonable period thereafter to fulfil legal obligations.
  • Email and document data is retained for as long as the Organization's account is active, unless earlier deletion is requested.
  • Usage and log data is retained for up to twenty-four (24) months and then anonymized or deleted.

Upon termination of an Organization's account, Korso will delete or anonymize the Organization's data within ninety (90) calendar days, unless retention is required by law. Residual copies of data may persist in encrypted backup and disaster-recovery systems for an additional period as specified in the applicable agreement between Korso and your Organization. Backup data is subject to the same security controls and access restrictions as production data and is permanently removed during the normal backup-rotation cycle.

7. Security

We implement technical and organizational measures designed to protect information from unauthorized access, use, alteration, or destruction, including:

  • AES-256-GCM encryption for stored email credentials;
  • TLS encryption for data in transit;
  • role-based access controls and row-level security within the platform;
  • rate limiting and abuse-detection mechanisms on API endpoints;
  • sensitivity-based data classification with role-mapped access controls, ensuring users can only access data at or below their clearance level.

No system can be guaranteed to be 100% secure. You are responsible for maintaining the security of your account credentials and authorized devices.

8. Email integration and third-party services

When your Organization connects an email account to the Services, Korso accesses the mailbox using OAuth tokens or encrypted credentials provided during the connection flow. We access only the mailbox data necessary to provide the Services (messages, attachments, and metadata) and do not access other Google or email-provider data outside the permitted scope.

Data accessed through email integrations is used solely to provide the Services and is not used for advertising or unrelated purposes. We share integration data only with our sub-processors under contracts requiring equivalent protection, and with your Organization according to its configuration.

When your Organization connects external business systems (ERPs, CRMs, accounting platforms) through our Hermes connector, Korso accesses business data from those systems using OAuth tokens or encrypted credentials provided during the connection flow. We access only the data necessary to provide the Services and do not retain a persistent copy of ERP or CRM data beyond what is needed to fulfil the current request. The Services also support the Model Context Protocol (MCP), which allows authorized third-party AI assistants to query your Organization's connected business data through Korso. MCP access requires explicit user authorization via an OAuth flow and is subject to the same data-protection controls as direct platform access.

9. Your rights

Depending on your jurisdiction, you may have certain rights regarding your personal data. Because Korso processes most personal data on behalf of your Organization (as the data controller), many of these rights should be exercised through your Organization. However, we will assist your Organization in fulfilling such requests as required by law. Korso will respond to verifiable data-subject requests within thirty (30) calendar days for requests under the GDPR, or forty-five (45) calendar days for requests under the CCPA/CPRA, with possible extensions as permitted by applicable law. We may require verification of your identity before fulfilling a request.

  • Access: you may request confirmation of whether we process your personal data and, if so, a copy of that data.
  • Rectification: you may request correction of inaccurate or incomplete personal data.
  • Erasure: you may request deletion of your personal data, subject to legal retention obligations.
  • Data portability: you may request a machine-readable copy of the personal data you provided to us.
  • Restriction or objection: you may request that we restrict processing or object to processing of your personal data in certain circumstances.
  • Withdraw consent: where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, these rights are provided under the General Data Protection Regulation (GDPR) and equivalent local laws. For users in California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide additional rights, including the right to know what personal information is collected, disclosed, or sold; the right to delete personal information; the right to opt out of the sale or sharing of personal information; the right to limit the use of sensitive personal information; and the right to non-discrimination for exercising any of these rights. As stated above, Korso does not sell or share personal data for cross-context behavioral advertising. To exercise any of these rights, contact us using the information in Section 14 below.

10. International transfers

Korso processes and stores information primarily in the United States via Google Cloud Platform. If you are located outside the United States, your data will be transferred to and processed in the United States. Korso has not self-certified under the EU–U.S. Data Privacy Framework. When we transfer personal data internationally, we rely on standard contractual clauses approved by the European Commission (and the UK International Data Transfer Addendum where applicable) as our primary transfer mechanism, to ensure your data receives an adequate level of protection.

11. Children's privacy

The Services are not directed to individuals under the age of 18 and are intended for use only in a business and professional context. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will take steps to delete that data promptly.

12. Data-breach notification

In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of affected individuals, Korso will notify the affected Organization without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, where required by the GDPR or equivalent law. Where California law applies, notification will be made in the most expedient time possible and without unreasonable delay, consistent with California Civil Code section 1798.82. Korso will cooperate with affected Organizations to provide the information necessary for them to fulfil their own notification obligations.

13. Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will provide at least thirty (30) days' notice through the Services or by other reasonable means before the changes take effect. Your continued use of the Services after the changes become effective indicates your acknowledgment of the updated policy.

14. Contact

If you have questions about this privacy policy, wish to exercise your data-protection rights, or have concerns about how we handle personal data, please contact us at support@korsoai.com.

You may also write to us at: Korso, Inc., 9 Lancewood Way, Irvine, CA 92612, United States.