Privacy Policy

1. Who is responsible for your data

Kontext plays two distinct roles depending on whose data is involved:

a. Controller — for accounts and direct users. We are the data controller for personal data of users who sign up for a Kontext account, browse our website, or contact us. This includes information you provide when registering, configuring an organisation, or communicating with us.

b. Processor — for personal data inside ingested feedback. When a Kontext customer connects a third-party integration (Slack, Fathom, Crisp, Intercom, Grain, GitHub, Linear, and similar), feedback is ingested into Kontext for analysis. That feedback typically contains personal data about end users — names, email addresses, message content, transcripts. For this data, the Kontext customer is the controller and Kontext is the processor. We process this data only on the customer's instructions and according to the Data Processing Addendum signed with that customer.

If you are an end user whose data has been ingested into a Kontext customer's organisation (for example, because you sent a support message that the customer routed into Kontext), the customer is the entity responsible for that data. Contact them first. We will assist them in handling your request.

Controller contact:
The Big Labasky SAS
6 rue des Prairies, 64110 Gelos, France
Email: privacy@getkontext.io

Kontext is established in France. Our lead supervisory authority for GDPR purposes is the Commission Nationale de l'Informatique et des Libertés (CNIL).

2. What personal data we collect

2.1 Data you provide directly

• Account data. Name, email address, password (hashed), organisation name, role.
• Billing data. When paid plans launch, billing details handled by our payment processor. Kontext stores only what the processor returns (last four digits, billing country, invoice metadata).
• Support communications. Anything you send to support@getkontext.io or via the in-app Crisp widget, including message contents and attachments.
• Configuration data. Product taxonomies, prompt overrides, integration credentials and OAuth tokens, watch lists, and similar settings you create inside Kontext.

2.2 Data we collect automatically when you use the Service

• Device and connection data. IP address, browser type and version, operating system, device identifiers, language, referrer, timestamps.
• Usage data. Pages viewed, features used, actions taken, search queries, and timing of those events. Collected via PostHog (see Sub-processors).
• Cookies and similar technologies. We use strictly necessary cookies for authentication and session management. Analytics cookies (PostHog) are set only after account login on signed-in product pages, not on the marketing site.
• Error and diagnostic data. Stack traces, request metadata, and error context captured by our error monitoring and logging systems. We make a best effort to scrub personal data from these payloads but cannot guarantee complete removal.

2.3 Data ingested from connected integrations

When a Kontext customer connects a third-party source, we ingest feedback content from that source. Depending on the integration this can include:

• Names, email addresses, profile pictures, and identifiers of end users
• Message content, support ticket bodies, comment threads
• Meeting transcripts and call recordings metadata
• Issue titles and descriptions
• Timestamps, channel and thread identifiers
• Any other personal data the customer has chosen to route into Kontext

For this data, Kontext acts as a processor. We process it on behalf of the customer to detect problems, classify actors and contexts, and surface analysis. We do not use ingested feedback for our own purposes, and we do not use it to train AI models — neither our own nor those of our AI sub-processors. See section 4.

2.4 Notice when data comes from a third party (GDPR Article 14)

If your personal data was provided to Kontext by one of our customers via an integration rather than by you directly, the relevant categories and source are listed in section 2.3 above. The controller is the customer who connected the integration; we will help you identify them on request.

3. How we use personal data

3.1 As controller

We use account, usage, and support data to:

• Provide, operate, and secure the Service
• Authenticate you and manage your organisation
• Communicate with you about the Service, including service announcements, security notices, and replies to support requests
• Improve the Service through aggregate usage analysis
• Detect and prevent abuse, fraud, and security incidents
• Comply with legal obligations (tax, accounting, lawful requests from authorities)
• Bill you for paid plans, when applicable

3.2 As processor

We process integration-ingested feedback exclusively to:

• Run the Kontext analysis pipeline (problem, actor, context, and solution detection; deduplication; contextualization)
• Surface results in the customer's organisation in Kontext
• Make those results available to the customer through the Kontext UI, public API, MCP server, and other authorised access surfaces

3.3 Lawful basis (EEA, UK, Switzerland)

For controller activities, we rely on:

• Contractual necessity for providing the Service to you under our Terms of Service.
• Legitimate interest for security, fraud prevention, and product improvement, where these interests are not overridden by your rights.
• Legal obligation for tax, accounting, and lawful disclosure requirements.
• Consent for non-essential cookies, marketing communications, and any processing where consent is the only valid basis.

For processor activities, the lawful basis is established by the customer (the controller) and documented in our Data Processing Addendum.

4. AI processing

Kontext's core function is AI analysis of feedback content. The way that processing reaches an AI provider is important to understand, because it determines who is responsible for what.

4.1 Bring your own provider — no defaults

Kontext does not contract with any large language model provider, and Kontext does not ship with default AI provider credentials. No feedback content is sent to any AI provider until a customer explicitly configures their own API credentials inside their Kontext organisation.

Kontext currently supports the following providers as configurable options:

• OpenAI (US)
• Anthropic (US)
• Mistral (EU, France)
• DeepSeek (China)

When a customer configures credentials for one of these providers, that provider becomes a sub-processor of the customer, accessed through Kontext on the customer's instructions. The contractual relationship — including data processing terms, model training opt-outs, and acceptable use — exists between the customer and the provider directly. The customer is responsible for ensuring their use of the chosen provider is compatible with their own privacy obligations.

4.2 What this means in practice

• If you do not configure any AI provider, no feedback content leaves Kontext's EU infrastructure for AI analysis. The Service will simply not run analysis on your data until you do.
• If you configure only Mistral, no feedback content is sent outside the EU.
• If you configure OpenAI or Anthropic, feedback content is sent to that provider's US infrastructure under your account with that provider.
• If you configure DeepSeek, feedback content is sent to DeepSeek under your account, which means transfers to China governed by the terms you have accepted with DeepSeek.

You can change or remove provider credentials at any time from your organisation settings. Removing credentials stops further AI processing immediately.

4.3 What Kontext does and does not do with feedback content

Kontext does not use feedback content, problem detections, or analysis output to train any model — neither models we operate nor models operated by anyone else. Feedback content is processed only to produce analysis results for the customer organisation that ingested it, and is not shared across organisations.

5. Sub-processors

Kontext relies on the following sub-processors to operate the Service. These are sub-processors that Kontext directly contracts with, on its own behalf, and that handle personal data regardless of what an individual customer configures. AI providers are listed separately in section 4 because they are customer-configured and not Kontext sub-processors.

We notify customers of material changes to this list via email or in-app notification.

6. How we share personal data

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.

We disclose personal data only to:

• Sub-processors, as listed in section 5, under contract and only to the extent necessary to deliver the Service.
• Other users in the same Kontext organisation, where the data is part of the organisation's shared workspace (for example, a problem you flagged is visible to your colleagues).
• Authorities and legal recipients, when required by law, court order, or to protect rights, property, or safety.
• Acquirers, in the event of a merger, acquisition, or sale of assets, subject to the protections of this policy.

7. Retention

• Account and organisation data is retained while your organisation is active. When an organisation is deleted, all associated data — accounts, configuration, ingested feedback, analysis output — is purged from active systems immediately. Encrypted backups containing the deleted data are rotated out within 30 days.
• Ingested feedback lives inside the customer's organisation and is purged together with that organisation on deletion. Customers can also delete individual feedback items, problems, and analysis output through the Kontext UI or API at any time before that.
• Logs and error data (Grafana Cloud, Sentry) are retained for 15 days then purged automatically.
• Billing records, when paid plans launch, will be retained for 10 years as required by French commercial law (Code de commerce art. L123-22).

When we delete data we render it irrecoverable through standard deletion procedures of the underlying systems.

8. International transfers

Kontext is operated from France, and all infrastructure that Kontext directly contracts with — application hosting, primary storage, queues, logging, error monitoring, analytics, email, and support — runs in EU regions of our sub-processors. By default, personal data handled by Kontext does not leave the European Economic Area.

The only personal data flows that may leave the EEA are those a customer initiates by configuring an AI provider in their organisation settings (see section 4). Those transfers happen under the customer's account with the chosen provider and are governed by the terms the customer has accepted with that provider. Kontext is not a party to that contractual relationship and does not control the destination.

Where Kontext itself acts as data exporter for any cross-border transfer (for example, a sub-processor in section 5 changes its hosting region), we will rely on the European Commission's Standard Contractual Clauses and notify customers in advance.

9. Your rights

Depending on where you live, you may have the following rights over your personal data:

• Access the data we hold about you
• Correct inaccurate or incomplete data
• Delete your data, subject to legal retention obligations
• Restrict or object to certain processing
• Data portability — receive your data in a machine-readable format
• Withdraw consent at any time, where processing is based on consent
• Lodge a complaint with a supervisory authority. In France, this is the CNIL (cnil.fr). In other EU member states, this is your local data protection authority. In the UK, this is the ICO.

To exercise any of these rights, email privacy@getkontext.io. We will respond within one month, extendable by two further months for complex requests as permitted by GDPR Article 12(3). We may need to verify your identity before acting on a request.

If your data was ingested into Kontext through one of our customers' integrations, we will forward your request to the relevant customer (the controller) and assist them in responding.

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. Kontext does not sell or share personal information as those terms are defined under the CCPA.

10. Security

We use technical and organisational measures to protect personal data, including:

• TLS for data in transit
• Encryption at rest for the primary database
• Role-based access control inside the Service
• Authentication via email and password
• Logging and monitoring of access and errors
• Regular dependency updates and security patching

No system is perfectly secure. We cannot guarantee the absolute security of personal data, but we will notify affected users and authorities of any data breach as required by applicable law (within 72 hours under GDPR Article 33).

11. Children

Kontext is not directed at children under 16 and we do not knowingly collect data from children. If you believe a child has provided us with personal data, contact privacy@getkontext.io and we will delete it.

12. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top reflects the most recent revision. For material changes, we will notify customers via email or in-app notification before the changes take effect.

13. Contact

For privacy questions, requests, or complaints:

Email: privacy@getkontext.io
Postal: The Big Labasky SAS, 6 rue des Prairies, 64110 Gelos, France