Privacy Policy

Last updated: April 25, 2026

This policy explains how Kazozo, Inc. ("Kazozo," "we," "us") collects, uses, and protects information in connection with kazozo.com and the Kazozo AI agent platform (the "Service"). For business customers, the processing of personal data about their end users is also governed by our Data Processing Agreement, where Kazozo acts as a processor.

1. Information we collect

We collect three broad categories of information:

Information you provide — name, email, phone number, company, billing address, and any content you submit through forms, support channels, or the product itself.
Information from use of the Service — conversation content processed by the AI agents you configure, event logs (logins, feature usage, errors), and metadata about sessions.
Information from your devices — IP address, browser and OS identifiers, approximate location derived from IP, and cookie or similar identifiers described in Section 7.
Information from connected platforms — when a customer authorizes Kazozo to connect to a third-party platform (such as Instagram, Facebook, LinkedIn, Google, or a CRM), we receive the data the customer authorizes through that platform's OAuth scopes. For social platforms used by the Engagement Inbox feature, this typically includes the connected business or page identifier, public mentions and comments, direct-message metadata and content sent to the connected account, and the handle and profile picture of the contact who interacted with the account. We use this data only to operate the connected feature for that customer — see Section 13 (Connected platforms).

When business customers use Kazozo to run AI agents, we process data about their end users on their behalf. For that data, we act as a processor and the customer is the controller — the DPA governs that relationship.

2. How we use information

We use information to:

Provide, operate, secure, and improve the Service.
Configure and deliver AI agents for customer workflows.
Process payments and send billing communications.
Respond to support requests and provide customer service.
Send product updates, security notices, and — with consent where required — marketing communications.
Prevent fraud, abuse, and violations of our Terms or Acceptable Use Policy.
Comply with legal obligations.

3. AI processing

When you interact with a Kazozo agent, your messages are processed by large language models ("LLMs") to generate responses. We use LLM infrastructure from Anthropic (Claude) as the primary provider and OpenAI as a fallback, under agreements that prohibit those providers from retaining your content to train their public models. See the subprocessors page for the complete list and roles.

We do not use customer content to train a shared or general-purpose Kazozo model. Conversations may be reviewed by authorized Kazozo personnel on a need-to-know basis to diagnose errors, investigate abuse, or in response to a customer support request.

Kazozo agents are deterministic in some paths and generative in others. Generative responses are grounded in sources the customer configures (knowledge base, CRM, product catalog). Kazozo is not a substitute for professional advice; outputs should be reviewed before being relied on for legal, medical, financial, or safety-critical decisions.

4. Legal bases for processing (EEA, UK, Switzerland)

Where GDPR or UK GDPR applies, we rely on the following legal bases:

Performance of a contract — to provide the Service you or your organization has signed up for.
Legitimate interests — to secure the Service, prevent fraud, analyze product usage to improve features, and contact existing business customers about relevant offerings. We balance these against your rights and preferences.
Consent — for non-essential cookies, optional marketing emails, and any processing where consent is the applicable basis; you can withdraw consent at any time.
Legal obligation — for tax, accounting, and lawful regulatory or law-enforcement requests.

5. Data sharing

We share information only with:

Subprocessors operating the Service under contract — hosting, model infrastructure, email and SMS delivery, analytics, payments. The current list is at kazozo.com/subprocessors.html.
Integration partners you've authorized — for example, the CRM, calendar, or messaging platform you connect.
Professional advisers — accountants, auditors, and lawyers bound by confidentiality.
Corporate transactions — in the event of a merger, acquisition, or sale of assets, subject to notice and continued protection.
Law enforcement or regulators — where required by law and, where permitted, after challenging overbroad requests.

We do not sell personal information as that term is defined under the California Consumer Privacy Act (CCPA/CPRA), and we do not share personal information for cross-context behavioral advertising.

6. International transfers

Kazozo is based in the United States and processes most data there. When we transfer personal data out of the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and — where applicable — our certification under the EU–US Data Privacy Framework (and UK/Swiss extensions). See the DPA for details.

7. Cookies and similar technologies

We use a small number of cookies and similar identifiers:

Essential — authentication, load balancing, CSRF protection. These cannot be turned off without breaking the Service.
Analytics — aggregate usage measurement (self-hosted PostHog). Can be declined.
Functional — remembers UI preferences like theme or last-viewed page.

You can control cookies through your browser settings and, where applicable, through an in-product cookie banner. We honor Global Privacy Control (GPC) signals as a valid opt-out under the CCPA/CPRA.

8. Your rights

Depending on where you live, you may have the following rights over your personal data:

Access — a copy of the personal data we hold about you.
Correction — fix inaccurate or incomplete data.
Deletion — erase your data, subject to limited legal exceptions.
Portability — receive your data in a structured, machine-readable format.
Restriction and objection — pause or stop certain processing, including direct marketing.
Withdraw consent — where processing is based on consent.
Lodge a complaint — with your local supervisory authority (for EEA/UK residents) or state Attorney General.

California residents (CCPA/CPRA) additionally have the right to know the categories of personal information collected, the categories of sources, the business or commercial purpose, and the categories of third parties with whom it is shared; the right to correct inaccurate personal information; the right to limit the use and disclosure of sensitive personal information; and the right not to be discriminated against for exercising these rights. Kazozo does not use sensitive personal information for purposes that trigger the "right to limit" — we use it only for the purposes exempt under §7027(m).

To exercise any of these rights, email privacy@kazozo.com. We will verify your identity before responding. Authorized agents may submit requests on your behalf with written permission. We will respond within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under CCPA).

9. Data retention

We retain personal data only as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

Account data is retained for the duration of the subscription plus 30 days after termination to allow export.
Conversation content is deleted or anonymized within 90 days of account termination.
Billing records are retained for 7 years to meet tax and accounting requirements.
Security logs are retained for up to 12 months.

10. Security

We implement technical and organizational measures appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access, logical tenant isolation, audit logging, and regular security testing. Detail is on our Trust & Security page. No method of transmission or storage is 100% secure; if we become aware of a breach affecting your personal data, we'll notify you and applicable regulators within the required timeframes.

11. Children

The Service is for business use and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@kazozo.com and we'll delete it.

12. Changes to this policy

We may update this policy periodically. The "Last updated" date at the top reflects the most recent change. For material changes, we'll provide additional notice (email to account admins or an in-product notice) at least 30 days before they take effect, where practicable.

13. Connected platforms (Meta, LinkedIn, Google, and similar)

Kazozo offers features — most notably the Engagement Inbox for the Content Agent — that operate on data Kazozo receives from third-party platforms a customer connects through OAuth. The data, retention, and deletion practices described in this section apply in addition to the rest of this policy.

13.1 What we receive

For Meta platforms (Instagram and Facebook) the data we receive through the permissions a customer grants typically includes:

The Instagram Business Account ID and connected Facebook Page ID and metadata (name, profile picture, category).
Public comments and mentions directed at the connected account, with the commenting/mentioning user's handle, display name, and profile picture.
Direct messages sent to the connected account (and our replies sent through the connected account), with the sending user's handle and display name.
Engagement metadata — timestamps, message IDs, conversation IDs, and platform-supplied signals required to thread a conversation.

For LinkedIn, Google, and other connected platforms we receive the equivalent set of identifiers, content, and metadata that the platform's authorized scopes return.

13.2 How we use it (Limited Use)

We use connected-platform data only to:

Operate the feature the customer connected the platform for — for example, surfacing inbound mentions, comments, and messages in the Engagement Inbox; bundling them by contact; scoring against the customer's Ideal Customer Profile; and drafting suggested replies for the customer to review and approve.
Send replies through the connected account when the customer explicitly approves them.
Maintain reasonable security, audit, and abuse-detection logs.

We do not use connected-platform data for advertising, do not sell it, do not share it with data brokers, do not use it to build profiles for purposes unrelated to the connected feature, and do not use it to train any general-purpose model. Where Meta Platform Terms apply, our use of Meta data complies with the Meta Platform Terms' "Limited Use" requirements and is restricted to the purposes the customer enabled the integration for.

13.3 Sharing

Connected-platform data is processed by the same subprocessors listed at kazozo.com/subprocessors.html — primarily our hosting, database, and LLM providers — under the terms described in Section 5. We do not share connected-platform data with the customer's other tenants and do not aggregate it across customers.

13.4 Retention & deletion

Connected-platform data is retained for the same periods described in Section 9. In addition:

When a customer disconnects an integration from Integrations → [platform] → Disconnect in the Kazozo dashboard, all signals ingested through that connection are queued for deletion within 30 days.
When a user revokes Kazozo's access via the platform itself (for Meta: Accounts Center → Apps and websites → Kazozo → Remove), the platform notifies Kazozo via the data deletion callback at https://api.kazozo.com/api/meta/data-deletion, and we delete all data tied to that user ID within 30 days.
End users (people who interacted with a customer's connected account but do not have a Kazozo account themselves) can request deletion through the process described in our Data Deletion Instructions page.

13.5 User control

You can review and revoke Kazozo's access to a connected platform at any time, either from the Kazozo dashboard (customer-side) or from the platform itself (end-user side). Step-by-step instructions are on the Data Deletion Instructions page.

14. Contact us

Kazozo, Inc. · privacy@kazozo.com for privacy and data subject requests · legal@kazozo.com for DPA and contract questions · security@kazozo.com for security concerns. Our EU and UK representatives' details are available on request.