Privacy

What we collect, why, and who else touches it.

Plain-English summary of how Kiln handles your data when you use the product at usekiln.app and its dashboards. Kiln is operated by Right Up There Limited, a company registered in Ireland. Last updated May 17, 2026.

1. What we collect

We collect only the data we need to run the product:

  • Account. The email address you sign in with, your display name, and any profile fields you fill in. If you sign in with Google we receive your name, email, and avatar from Google's OAuth response.
  • Workspace content. Anything you create or connect inside a workspace: sources (URLs, repository clone targets, uploaded files), brand profile fields, topics, cadence definitions, generated drafts, and edit history.
  • Connected publishers. When you connect LinkedIn, an Instagram Business account, or a Facebook Page, we store the access tokens and the public identifiers (person URN, organization URN, Page ID, IG user ID) required to post on your behalf. Tokens live encrypted in Supabase Vault — never in plaintext columns.
  • Billing. If you subscribe, Stripe processes your payment. We receive your subscription state, plan, and billing email; we never see or store card numbers.
  • Usage analytics. Server-side events for product actions (source ingested, draft generated, draft approved, publish attempted) and client-side funnel events (first source added, first draft approved). Captured through PostHog and tied to your user ID.
  • Operational logs. HTTP request logs from Vercel and Supabase that include IP address, user-agent, and request path, retained on the standard rolling window of each provider.

2. How we use it

  • Run the product. Ingest your sources, embed them, generate drafts on your cadence, route drafts to the review inbox, publish on your behalf when you approve.
  • Talk to you. Sign-in codes, draft-ready notifications, publish results, and billing receipts via Resend. You can mute non-essential notification kinds in workspace settings.
  • Charge you. If you subscribe, Stripe processes the recurring charge against the plan you picked.
  • Improve the product. Aggregate analytics to understand which surfaces get used. We do not sell this data and we do not use your content to train models.

3. Who else touches your data (sub-processors)

Kiln is small and built on the shoulders of other services. Each is contractually bound to the same baseline of confidentiality, and none receives more than they need to do their part of the pipeline.

Provider | What they do | What they see
Vercel | Web hosting + API routes | HTTP requests, account session cookies
Supabase | Database, auth, file storage, secret vault | All workspace content; OAuth tokens (encrypted)
Modal | Python workers for ingestion, generation, publishing | Source bytes during ingest; draft bodies during publish
OpenAI | LLM generation + embeddings | Prompts containing your brand profile + retrieved chunks
Anthropic | Optional alternate LLM provider | Same as OpenAI when configured as the active model
LinkedIn | Publishing on your behalf via your OAuth grant | Draft body and the credentials you authorized
Meta (Instagram + Facebook) | Publishing on your behalf via your OAuth grant | Caption, image, and the Page/IG credentials you authorized
Stripe | Billing for paid plans | Card data (handled by Stripe directly), email, plan state
Resend | Transactional email delivery | Recipient email + the contents of the message we sent
PostHog | Product analytics | Event names + user ID; never draft bodies or source content
Google | OAuth sign-in (if you use it) | The fields Google's OIDC scope grants us

LLM providers receive prompts that contain your brand profile and selected source chunks. By default OpenAI and Anthropic do not train on API content; we rely on their published commitments and revisit if those terms change.

4. Where your data lives

Primary storage is Supabase in the region we provisioned (United States by default). Background workers run on Modal in the United States. If you connect a LinkedIn or Meta publisher, those providers process your publish payload in whichever region their infrastructure routes through; we have no control over that.

5. How long we keep it

  • Account + workspace data: for as long as your account is active.
  • Sources, drafts, brand profile: until you delete them or delete the workspace. Deletes are immediate and irreversible.
  • OAuth tokens: until you disconnect the publisher or LinkedIn/Meta invalidate them. Disconnect also fires a revoke request to the upstream provider when their API supports it.
  • Operational logs: 30 days at Vercel, 7 days at Supabase by default. Aggregated analytics in PostHog are retained per their plan's defaults.
  • Billing records: retained per applicable accounting regulations (typically 7 years).

6. Your rights

Depending on where you live (GDPR, UK GDPR, CCPA, and similar) you have the right to:

  • Access the personal data we hold about you.
  • Correct it if it's wrong.
  • Export it in a portable format.
  • Delete your account and the workspace data associated with it.
  • Object to or restrict certain kinds of processing (analytics, email).

Most of this is self-service inside the app: edit your account in settings, mute notifications per kind, disconnect publishers, delete sources and workspaces. For anything we can't cover from the UI, email hello@usekiln.app and we will respond within 30 days.

7. Security

Traffic is HTTPS end to end. Database is encrypted at rest. OAuth tokens (LinkedIn, Meta) and BYOK keys (your own OpenAI key on the BYOK plan) are stored in Supabase Vault, encrypted with a separate key from the rest of the database. The shared secret used to authenticate the Vercel ↔ Modal hop is rotated on a yearly cadence. No system is unbreakable; if we detect a breach that affects you we will notify you within 72 hours of confirmation.

8. Children

Kiln is not directed at children under 16 and we do not knowingly collect their personal data. If you believe a child has signed up, email us and we'll delete the account.

9. Changes to this policy

We'll update the "last updated" date at the top of this page when we change anything substantive. Material changes (new sub-processors, expanded data collection, changes to retention) will also be announced by email at least 30 days before they take effect, so you have time to export your data or close your account if you disagree.

10. Contact

The data controller is Right Up There Limited, registered in Ireland. Email hello@usekiln.app with any privacy question, data request, or concern. EU/EEA users also have the right to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or your local supervisory authority.