01Overview
Khotan (“Khotan,” “we,” “us,” or “our”) provides enterprise data pipelines that are built, tested, and maintained by software agents and shaped in plain language. This Privacy Policy describes our practices for handling personal information in connection with our website, applications, APIs, and related services (collectively, the “Services”).
This policy applies to personal information we handle as a controller. When we process data on behalf of our customers as part of operating their pipelines, we act as a processor; that processing is governed by our agreement with the customer and described in Customer data we process.
02Who we are
For the purposes of applicable data protection laws, the data controller is Khotan. You can reach us using the details in Contact us. If we have appointed a Data Protection Officer or an EU/UK representative, their contact details will be listed there.
03Information we collect
Information you provide
We collect information you give us directly, such as when you request a demo, create an account, contact support, or subscribe to updates. This may include your name, business email, company, role, and the contents of your communications with us.
Information collected automatically
When you use the Services we automatically collect certain information, including IP address, device and browser type, pages viewed, referring URLs, and timestamps. We collect this using cookies and similar technologies described in Cookies & tracking.
Information from third parties
We may receive information about you from third parties such as analytics providers, marketing partners, and identity or authentication providers you use to sign in.
04Customer data we process
As part of operating pipelines, the Services connect to source systems our customers authorize and move data to destinations they designate. That data (“Customer Data”) may contain personal information about a customer’s own users, employees, or contacts.
We process Customer Data only to provide and maintain the Services in accordance with the customer’s instructions and our agreement with them. The customer is the controller of that data and is responsible for its lawful collection and use. If you are an individual whose data is processed through a customer’s pipeline, please direct privacy requests to that customer.
05Google user data & Limited Use
Khotan lets you connect your Google account so our agents can build and run pipelines on data you authorize. When you connect Google, we request access to the Gmail messages and metadata you explicitly authorize, solely so the Services can read, extract, and move that content into the destinations you configure, the same pipeline workflow we apply to every other connected source.
We request only the scopes needed to deliver the features you turn on. You can review and revoke Khotan’s access at any time from your Google Account permissions page.
Limited Use.Khotan’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve the user-facing features you have requested;
- We do not transfer or sell Google user data, and we do not use it for advertising, credit assessment, or any unrelated purpose;
- We do not allow humans to read your Google user data unless we have your explicit consent for specific messages, it is necessary for security purposes or to comply with applicable law, or the data has been aggregated and de-identified;
- We do not use Google user data to develop, improve, or train generalized or non-personalized AI or machine-learning models.
06How we use information
We use personal information to:
- Provide, operate, secure, and improve the Services;
- Build, test, monitor, and maintain data pipelines;
- Respond to demo requests, inquiries, and support requests;
- Communicate with you about products, features, and security updates;
- Detect, investigate, and prevent fraud, abuse, and security incidents;
- Comply with legal obligations and enforce our terms and policies.
07Legal bases (GDPR)
Where the GDPR or UK GDPR applies, we rely on the following legal bases: performance of a contract; our legitimate interests (such as operating and securing the Services); your consent (which you may withdraw at any time); and compliance with legal obligations.
09Sub-processors
We use a vetted set of sub-processors (for example, cloud hosting, infrastructure, and analytics providers) to deliver the Services. We require each sub-processor to provide an adequate level of data protection. A current list is available on request via the contacts below.
10International transfers
We may transfer, store, and process personal information in countries other than your own. Where required, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses and equivalent mechanisms to protect transferred data.
11Data retention
We retain personal information for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Customer Data is retained and deleted in line with the customer’s configuration and our agreement with them.
12Security
We maintain administrative, technical, and organizational safeguards designed to protect personal information, including encryption in transit, access controls, and least-privilege practices. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
13Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, and to object to certain processing or withdraw consent. Residents of the EEA, UK, and California (among others) may have specific rights under the GDPR, UK GDPR, and CCPA/CPRA.
To exercise any of these rights, contact us using the details in Contact us. We will respond consistent with applicable law. You also have the right to lodge a complaint with your local supervisory authority.
15Children's privacy
The Services are intended for businesses and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us so we can delete it.
16Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Services after an update means you accept the revised policy.
17Contact us
If you have questions about this Privacy Policy or our data practices, contact us at adeep@khotan.com. For general inquiries, email adeep@khotan.com.