← Back to home

Privacy Policy

Effective date: April 7, 2026

This Privacy Policy describes how Kent ("we," "us," or "our"), a Delaware company, collects, uses, shares, and protects information when you use the Kent desktop application, mykent.app, and related services (collectively, the "Service").

1. Our Privacy Commitment

Kent is designed with privacy as a core architectural principle. Our local-first approach means the vast majority of your data never leaves your device by default. We do not sell your data. We do not use your data to train AI models. We do not profile you for advertising.

2. Data Categories

2.1 Account Data (cloud)

Name and email address collected when you create an account. Payment details are processed by Stripe; we do not store your full payment card number.

2.2 Local Data (on your device by default)

The following data is created through your use of the Service and stored only on your local device unless you enable cloud synchronization. We cannot access this data unless cloud sync is enabled:

  • The Brain: documents, files, emails, calendar events, contacts, tasks, reminders, and other content you ingest
  • Conversation history between you and Kent
  • Workspace configurations, settings, and custom preferences
  • Personal facts and context you share with Kent
  • Data retrieved from Connected Services you authorize
  • Screen captures (processed locally or via your AI Provider; never sent to our servers)
  • Audio recordings (stored locally; never sent to our servers)
  • Agent task history and outputs
  • Custom skills, templates, and workflows

2.3 Cloud Data (only when cloud sync is enabled)

  • Knowledge graph sync: Brain data encrypted with AES-256-GCM before transmission. We cannot read or access the decrypted content.
  • Usage metrics: feature used; AI Provider and model used; estimated token counts (from text length, not content); response time; workspace identifier. Usage metrics do not include the content of your text or AI responses.
  • Error and diagnostic data: crash reports, error logs, and performance metrics.

2.4 Automatically Collected Data

  • Device type, OS version, application version
  • License activation data: a hash of device characteristics, IP address at activation
  • Periodic license heartbeat (every 4 hours): last-seen timestamp and app version only
  • Authentication session tokens

2.5 Data We Do Not Collect

  • The content of your conversations with AI, your text inputs, or AI outputs (except as described in Section 6 for high-severity security incidents)
  • Clipboard contents (accessed temporarily for text capture; never transmitted)
  • Keystrokes or continuous screen activity
  • Third-party API keys or OAuth credentials (stored locally, encrypted; never transmitted)
  • Audio recordings (never transmitted to our servers)
  • Your contacts, precise location, or device camera

3. Private Mode

When you enable Private Mode (local Ollama processing):

  • All AI processing occurs on your device
  • No text, prompts, or AI responses are transmitted to any external service
  • No usage analytics or feature telemetry are collected or transmitted
  • Security incident monitoring logs are stored locally only

Minimal network activity in Private Mode: license validation and heartbeat checks (if you have an active license); application update checks via GitHub (version metadata only); one-time model downloads on first use of certain features.

4. How We Use Your Data

We use the information we collect to:

  • Provide, operate, maintain, and improve the Service
  • Process subscription payments and manage your account
  • Enforce license terms and manage device activations
  • Display usage analytics on your account dashboard
  • Send transactional communications including receipts, security alerts, and service updates
  • Detect, prevent, and investigate fraud, abuse, and security incidents
  • Comply with applicable legal obligations

We do NOT:

  • Sell your personal data to any third party
  • Use your data for advertising, marketing, or profiling
  • Use your AI interaction content to train, fine-tune, or evaluate any AI model
  • Disclose your data to AI Providers beyond what you direct us to transmit

5. Connected Services

Kent allows you to connect and interact with Connected Services of all kinds -- email, file storage, productivity tools, calendar, databases, CRMs, communication platforms, and any other service you authorize. By default, data from Connected Services is retrieved and processed locally on your device and is not transmitted to our servers unless you enable cloud sync.

OAuth tokens, access credentials, and API keys for Connected Services are stored encrypted on your local device. We do not access or store these credentials on our servers. You may revoke any Connected Service's access at any time through Settings > Connections.

6. Security Monitoring

Kent includes automated security monitoring to detect prompt injection attacks and other adversarial inputs:

  • Low Severity: Content is neutralized locally. Incident record stored in your local database only. No data sent to our servers.
  • Medium Severity: Attack type, source identifier, a SHA-256 hash of the content, and a brief excerpt (up to 500 characters) are reported to our servers for security pattern analysis.
  • High Severity: Attack type, content hash, and up to 10,000 characters of flagged content may be transmitted to and stored on our servers for up to 90 days for security inspection only, then automatically and permanently deleted.

Private Mode: All security monitoring logs remain on your device and nothing is reported to our servers.

7. Third-Party AI Providers

When you use cloud AI Providers through Kent, your queries and content are sent directly from Kent to the AI Provider. This data does not pass through our servers. Current AI Providers and their privacy policies:

In Private Mode, all AI processing occurs locally via Ollama. No content is transmitted to external AI Providers. We do not use your personal data or AI interaction content to train any AI or machine learning models.

8. Data Sharing

We do not sell your personal data.

We share data only in the following limited circumstances:

8.1 Service Providers

  • Supabase: cloud infrastructure, authentication, and database hosting (AWS US East)
  • Stripe: payment processing
  • Resend: transactional email delivery
  • GitHub: application update distribution

8.2 Legal Requirements

We may disclose information to comply with applicable law, regulation, legal process, or governmental request. Where permitted by law, we will attempt to notify you first.

8.3 Business Transfers

If Kent is involved in a merger, acquisition, or asset sale, your data may be transferred to the successor entity. We will notify you before your data is transferred.

9. Data Security

  • AES-256-GCM encryption for all cloud-synced Brain data
  • TLS 1.2 or higher for all data in transit
  • Ed25519 signed JWT tokens for desktop authentication
  • Row-level security policies on all database tables
  • Encrypted storage of OAuth credentials on local devices
  • Rate limiting on all API endpoints
  • Access controls limiting employee access to data to those with a legitimate operational need

No security measure is absolute. In the event of a data breach likely to result in risk to your rights, we will notify you and applicable data protection authorities as required by law.

10. Data Retention

  • Local data: Retained on your device until you delete it or uninstall the Service
  • Account and cloud data: Retained for the duration of your account plus 90 days after deletion
  • Payment records: Retained for the period required by applicable tax and financial regulations (typically 7 years)
  • Usage metrics: Retained for the duration of your account plus 30 days after deletion
  • Security incident data: Up to 90 days, then automatically and permanently deleted
  • Support communications: Up to 2 years after the conversation is resolved

Upon account deletion, we will delete or anonymize your personal data on our servers within 30 days, except where retention is required by law. We do not delete data from your local device; you remain in control of your local data.

11. Your Privacy Rights

Subject to applicable law, you have the following rights regarding your personal data. Contact us at info@mykent.app to exercise them.

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete personal data
  • Deletion: Request deletion of your personal data, subject to legal retention obligations
  • Portability: Request a copy of your data in a structured, machine-readable format
  • Restriction: Request that we restrict processing in certain circumstances
  • Objection: Object to processing for specific purposes
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time
  • Analytics Opt-Out: Opt out of usage analytics through Settings > Privacy > Analytics
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

12. California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act. We do not sell personal information or share it for cross-context behavioral advertising. We do not use sensitive personal information for purposes requiring a right to limit. Exercise of CCPA/CPRA rights will not result in discriminatory treatment. To exercise your California rights, contact info@mykent.app.

13. European Residents (GDPR/UK GDPR)

13.1 Data Controller

Kent is the data controller responsible for your personal data.

13.2 Legal Bases

  • Contract performance (Art. 6(1)(b)): Providing the Service, account management, license activation, payment processing
  • Legitimate interests (Art. 6(1)(f)): Fraud prevention, security monitoring, product improvement
  • Legal obligation (Art. 6(1)(c)): Compliance with applicable laws
  • Consent (Art. 6(1)(a)): Where you have given explicit consent, such as enabling cloud sync

13.3 International Transfers

Your personal data may be transferred to the United States. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA), or other appropriate safeguards.

13.4 EU AI Act

Kent operates as a general-purpose AI application. We do not deploy the Service as a high-risk AI system as defined in Annex III of the EU AI Act.

13.5 Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority.

14. Other Jurisdictional Rights

Canadian Residents (PIPEDA): You have rights of access to and correction of personal information under applicable Canadian privacy legislation.

Australian Residents (Privacy Act 1988): You have rights under the Australian Privacy Principles.

Contact info@mykent.app to exercise your rights.

15. Children's Privacy

The Service is not directed to anyone under 18. We do not knowingly collect personal information from minors. If you believe someone under 18 has provided us with personal information, please contact us and we will promptly delete that information.

16. Cookies and Tracking

We use only essential authentication session cookies strictly necessary to maintain your logged-in session on mykent.app. We do not use advertising cookies, tracking cookies, analytics cookies, or any third-party cookie-based tracking technologies.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email and in-app notification at least 30 days before they take effect.

18. Contact

For all privacy inquiries, data subject requests, complaints, or questions:

info@mykent.app | mykent.app