Skip to main content

Privacy Notice

Privacy notice details

Last Updated: May 22, 2026

Who We Are

Kaytos, LLC, a Delaware limited liability company ("Kaytos," "we," "us," or "our"), operates the paperwork.bot platform, websites, applications, APIs, and related products and services (collectively, the "Services"). We help businesses automate and manage their document workflows, data processing, and related operations.

Scope of This Privacy Notice

This Privacy Notice describes the personal information that Kaytos collects, uses, and shares when Kaytos acts as the controller of that information. That includes information we collect to create and operate accounts, process payments, communicate with you, market our Services, secure our platform, and improve our Services. Where the California Consumer Privacy Act, or another privacy law applies and uses different terminology, "controller" should be read to include the analogous concept (such as "business" under the CCPA, where applicable).

This Privacy Notice does not govern personal information that a Customer uploads into the Services for processing by Kaytos on the Customer's behalf ("Customer Content"). For Customer Content, Kaytos acts as a processor (or "service provider," where the CCPA applies) and processes the data on the Customer's documented instructions and as needed to provide the Services. The Customer's own privacy notice, instructions, and any Data Processing Agreement ("DPA") between the Customer and Kaytos govern Customer Content, including retention and deletion. A DPA is available on request at legal@paperwork.bot.

This Privacy Notice applies to personal information we collect when you use our websites (including paperwork.bot), our applications and platform services, and our APIs and integrations.

Information We Collect

We collect personal information from three sources: information you provide to us directly, information collected automatically when you use the Services, and information from third-party sources.

Information You Provide Directly

  • Account information. To create a paperwork.bot account, we require your email address, a name, and a password (or a Google Sign-In identifier if you choose Google OAuth). You may optionally provide your phone number, job title, company name, profile photo, and time zone.
  • Payment and billing information. If you purchase a subscription or paid plan, you (or our payment processor on your behalf) provide your name, billing address, payment instrument details, and tax identifiers where required. Payment instrument details are processed and stored by our payment processor; we receive and store only the information necessary to identify the transaction and the last four digits of the payment card (or equivalent token).
  • Communications with us. Support requests, demo requests, contact-form submissions, survey responses, newsletter sign-ups, and other communications you send us, including (where applicable and lawful) recorded calls.
  • Credentials and integrations. If you enable an integration with a third-party service (for example, a cloud storage provider, identity provider, or payment processor), we collect and store the credentials, tokens, or authorization data required to operate the integration on your behalf. We store these encrypted at rest and do not access integrated third-party data outside the scope of the integration you configured.
  • Consent and acceptance records. When you accept the Terms of Service, this Privacy Notice, the Cookie Policy, or other agreements, we record the version accepted, the timestamp, the IP address, and the user-agent string. We retain these records to demonstrate consent if needed.

Customer Content uploaded into the Services is not described in this Privacy Notice. See the Scope section above.

Information We Collect Automatically

  • Device and connection metadata. Browser type, IP address, unique device identifiers, language preference, referring site, date and time of access, operating system, and mobile network information.
  • Usage information. Actions you perform within your account (such as creating or updating records), session duration, and feature usage.
  • Authentication and security events. Sign-in activity including timestamps, IP addresses, known-device fingerprints, sign-in counts, failed authentication attempts, suspicious-activity flags, and administrative actions taken on your account. We retain these to protect your account, detect unauthorized access, and respond to security incidents.
  • Public-link and session acceptance data. When you access the Services through a unique invitation link or a public share link, we record the link identifier, the timestamp, the IP address, and the actions taken during that session, even if you do not create an account.
  • Billing and usage metering. Records of subscription status, token or feature usage counts, and other billing-related metering data necessary to operate Paid Services and to invoice Customers accurately.
  • Location information. We may infer the approximate location of your device from your IP address to route requests to a nearby server and to comply with applicable laws.
  • Cookies and similar technologies. We use cookies and similar technologies to identify visitors, maintain user sessions, and ensure the Services function properly. For more information, please see our Cookie Policy.

Information from Third-Party Sources

We receive information about you from the following third-party sources:

  • Google, when you sign in through Google OAuth, including the email address, name, and (if available) profile picture Google shares.
  • Payment processors (currently Stripe), which provide us transaction confirmations and the limited card information described above.
  • Customers that invite you to use the Services, including the email address used to invite you and your role in the Customer's workspace.

How and Why We Use Information

We use information about you for the following purposes:

  • To provide and operate the Services. Including creating and maintaining your account, authenticating you, processing payments, and providing customer support.
  • To improve, secure, and protect the Services. Including detecting and preventing fraud, abuse, and security incidents; monitoring performance; and developing new features.
  • To market our Services. Including targeting marketing messages, measuring campaign effectiveness, and understanding user retention. You can opt out at any time as described in Your Choices below.
  • To communicate with you. Including sending transactional notifications about your account, security, billing, and this Privacy Notice or the Terms of Service.
  • To comply with law. Including responding to lawful requests by public authorities, meeting tax and accounting obligations, and enforcing our agreements.
  • To process data using artificial intelligence. We use third-party AI service providers to power features such as document extraction, data analysis, content generation, search, and workflow automation. AI data flows are not uniform, so we describe them separately:
    • Inference (model calls). When you use an AI feature, the relevant inputs (document content, prompt context, and metadata) are sent to the applicable AI provider for processing. Provider-side retention of inference traffic is governed by that provider's terms; we do not authorize providers to use this content to train or fine-tune their models.
    • File Search, retrieval, and embeddings. Where an AI feature uses retrieval-augmented generation or a file search index (for example, embeddings generated from your documents and stored for retrieval), those embeddings and the indexed content may be stored at the AI provider for the period needed to support the feature.
    • Our debug and quality logs. We retain limited request and response metadata for debugging, abuse detection, and quality monitoring. These logs are short-lived and aged out automatically unless extended for an active investigation.
    • Token usage and billing records. Token counts, request volumes, and feature usage are retained for billing, capacity planning, and dispute resolution as described in How Long We Keep Information.
    • No training. We do not use Customer Content or your account data to train, fine-tune, or improve any AI or machine learning model, and we do not authorize our AI subprocessors to do so.

How We Share Information

We share personal information only in the circumstances listed below, and with appropriate safeguards.

  • Service providers. Vendors who process information on our behalf to provide the Services, including cloud hosting and storage, payment processing, AI and machine-learning processing, error monitoring, email delivery, customer support tooling, and security services. We require these vendors to commit to confidentiality and to process personal information only on our instructions. A current list of subprocessors is available at our Subprocessors page.
  • Legal and regulatory requirements. Disclosure in response to a subpoena, court order, or other lawful governmental request, or where we have a good-faith belief that disclosure is required by law.
  • Protection of rights, property, and safety. Disclosure where we believe in good faith that it is reasonably necessary to protect the rights, property, or safety of Kaytos, our users, or the public.
  • Business transfers. In connection with any merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, user information may be transferred or acquired. This Privacy Notice will continue to apply to your information until any successor notice is provided.
  • With your direction or consent. When you authorize a specific disclosure (for example, when you configure an integration with an external service).
  • Aggregated or de-identified information. We may share information that has been aggregated or de-identified so that it cannot reasonably be used to identify you.

What We Do Not Do

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising, as that term is defined under the CCPA. We do not embed third-party advertising networks, social-media tracking pixels, or ad-targeting analytics in the Services. We do not use Customer Content or your account data to train, fine-tune, or improve any artificial intelligence or machine learning model, and we do not authorize our AI subprocessors to do so. We honor opt-out preference signals such as the Global Privacy Control (GPC) when received from your browser.

Because we do not sell or share personal information for cross-context behavioral advertising, browser "Do Not Track" signals do not change how the Services operate. Where a browser or device sends a legally recognized opt-out preference signal, including GPC, we treat it as an opt-out of sale or sharing for that browser or device to the extent required by applicable law.

Our Role: Controller and Processor

Kaytos is the controller of the personal information described in this Privacy Notice. Where a Customer uploads Customer Content into the Services and the personal information in that Customer Content relates to individuals other than you, Kaytos acts as a processor for the Customer, and the Customer is the controller of that information. The Customer's own privacy notice, instructions, and any DPA between the Customer and Kaytos govern that processing.

How Long We Keep Information

We retain personal information only for as long as reasonably necessary for the purposes described in this Privacy Notice or as required by applicable law. Unless an exception applies, we delete personal information when we no longer need it. The retention criteria below describe how we decide what to keep and for how long.

  • Account data. Retained for as long as your account is active.
  • Invitation and public-link session data. If you access the Services through a unique invitation or public share link without creating an account, your session and acceptance record is retained for the period reasonably necessary to operate the invitation, support audit of the action you took, and resolve disputes.
  • Communications with us. Support emails, contact-form submissions, demo requests, and (where applicable) recorded calls are retained for the period reasonably necessary to respond to and resolve the underlying request, and longer if needed to defend or assert legal claims, comply with legal obligations, or enforce our agreements.
  • Authentication and security event logs. Sign-in activity, failed authentication attempts, and security-event logs are retained for the period necessary to investigate incidents and to demonstrate ongoing security monitoring.
  • Server and request logs. Application logs are retained for the period necessary for debugging, performance analysis, and abuse detection.
  • AI debug and quality logs. Short-lived and aged out automatically unless extended for an active investigation.
  • AI embeddings and File Search indexes. Stored at the applicable AI provider for the period needed to support the feature you are using.
  • Billing, token usage, and tax records. Retained for the period required by applicable tax, accounting, and audit laws.
  • Consent and acceptance records. Retained for as long as the underlying agreement is in effect and afterward for the period necessary to defend or enforce that agreement.
  • Backups. Encrypted backups follow our standard rolling retention window. Residual copies of your data may persist in our backup systems during that window after deletion from active systems, but will not be actively used or accessed except for disaster recovery.

Customer Content uploaded by a Customer is not described above. Retention of Customer Content is governed by the Customer's instructions and the DPA between the Customer and Kaytos.

On a verified deletion request, we will permanently delete your personal account data within a reasonable period and as required by applicable law. We may retain a minimal set of records strictly required to comply with legal obligations (such as tax, billing, anti-fraud, and sanctions records), to defend or assert legal claims, or to enforce our agreements, and we will limit those retained records to what is necessary.

Security

While no online service is 100% secure, we work to protect personal information against unauthorized access, use, alteration, or destruction. Our current measures include:

  • Encrypting data in transit using TLS.
  • Hashing passwords using bcrypt, an industry-standard adaptive password hashing algorithm.
  • Encrypting customer-uploaded files at rest in our cloud object storage using AES-256.
  • Encrypting our primary database and database backups at rest.
  • Encrypting sensitive credentials (such as third-party integration secrets) at rest before they are stored.
  • Enforcing a strict Content Security Policy to mitigate cross-site attacks.
  • Monitoring the Services for potential vulnerabilities and attacks using error tracking and performance monitoring tools (currently Sentry).
  • Requiring email confirmation for new accounts and supporting account lockout after failed authentication attempts.

Data Breach Notification

If we become aware of a security incident that has resulted in unauthorized access to or disclosure of your personal information, we will notify affected users without undue delay and consistent with our obligations under applicable law (including U.S. state breach-notification laws such as California Civil Code §§ 1798.29 and 1798.82). The notice will describe, to the extent we are able, the nature of the incident, the categories of information affected, the steps we are taking to investigate and remediate, and a contact point for further questions.

Children's Privacy and Minimum Age

Minimum age (business policy). The Services are designed for business use and are not directed to anyone under the age of 18. You must be at least 18 to create an account or use the Services. If we learn that we have collected personal information from a person under 18 in connection with their use of the Services, we will delete it.

Children under 13 (COPPA). The Children's Online Privacy Protection Act applies to personal information collected from children under 13. We do not knowingly collect personal information from children under 13. If you believe that a child under 13 may have provided us with personal information, please contact us at legal@paperwork.bot and we will delete it.

Consumers under 16 (CCPA). We do not "sell" or "share" the personal information of consumers under 16 years of age, as those terms are defined by the CCPA.

Your Privacy Rights

Depending on your location and where the processing of your personal information takes place, you may have one or more of the following rights with respect to your personal information, subject to any exemptions provided by applicable law. These rights are intended to cover rights available under U.S. state privacy laws such as the California Consumer Privacy Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Delaware Personal Data Privacy Act, the Iowa Consumer Data Protection Act, the Montana Consumer Data Privacy Act, the Nebraska Data Privacy Act, the New Hampshire Privacy Act, the New Jersey Privacy Act, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act, where those laws apply.

  • To request access to the personal information we hold about you, including the categories of information, categories of sources, business and commercial purposes for collecting it, and categories of third parties with whom we share it.
  • To request correction of inaccurate personal information.
  • To request deletion of personal information.
  • To opt out of any sale or sharing of personal information. We do not sell or share, but you can confirm this preference at any time.
  • To limit the use of sensitive personal information to the purposes permitted under CCPA § 1798.121.
  • Not to receive discriminatory treatment for exercising your privacy rights.

To exercise these rights, contact us at legal@paperwork.bot. We will respond to verifiable requests within forty-five (45) days of receipt, with the option to extend by an additional forty-five (45) days where reasonably necessary, and we will inform you of any such extension. We may need to verify your identity before responding (for example, by confirming you can receive email at the address on file for your account). You may also designate an authorized agent to make a request on your behalf by providing us written authorization.

If we deny your privacy request and applicable law gives you a right to appeal, you may appeal by emailing legal@paperwork.bot with "privacy appeal" in the subject line and enough information for us to identify the original request. We will respond to the appeal within the time period required by applicable law. If we deny the appeal, you may have the right to contact your state attorney general or other privacy regulator.

California residents may also contact us to request information under California Civil Code Sections 1798.83-1798.84 about any disclosure of personal information to third parties for their own direct-marketing purposes. Nevada residents may submit a request to opt out of any sale of covered information under Nevada Revised Statutes Chapter 603A, although we do not currently sell covered information as defined by that law.

Sensitive Personal Information

Under the California Privacy Rights Act, certain categories of personal information are designated as "sensitive personal information" (for example, account log-in credentials and government-issued identifiers). The categories of sensitive personal information we routinely process are account credentials (used to authenticate you). We use sensitive personal information solely to provide and secure the Services, and not for the purposes that would trigger your right to limit its use under CCPA § 1798.121. You may still request that we limit such use by contacting us at legal@paperwork.bot.

Categories of Personal Information We Collect

In the last twelve (12) months, we collected the following categories of personal information, depending on the Services you used. We list these categories so users in jurisdictions with CCPA-style disclosure requirements have a single reference; their inclusion does not mean every category applies to every user.

  • Identifiers (such as your name, email address, account identifier, IP address, and device identifiers).
  • Commercial information (such as billing information, subscription status, and purchase history).
  • Internet or other electronic network activity information (such as your usage of the Services, session and authentication events, and security-event logs).
  • Geolocation data (approximate location inferred from IP address).
  • Audio, electronic, visual or similar information (such as a profile picture you upload).
  • Professional or employment-related information (such as your company name and job title if you provide them).
  • Account credentials (treated as sensitive personal information).
  • Consent and acceptance records (the version of a policy you accepted, plus the timestamp, IP address, and user-agent string).

You can find more information about what we collect in Information We Collect above, why we use it in How and Why We Use Information, and with whom we share it in How We Share Information.

Sign-In with Google

If you choose to create or access your account using Google Sign-In, we receive only the basic profile information that you authorize Google to share (typically your email address, name, and, if available, profile picture). Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.

Your Choices

  • Limit the information you provide. You may choose not to provide optional information when creating an account. Certain features of the Services may not be available without it.
  • Opt out of marketing communications. You can opt out at any time by (a) using the unsubscribe link in any marketing email or (b) emailing legal@paperwork.bot with "unsubscribe" in the subject line. We will process opt-out requests within ten (10) business days. Opting out of marketing does not affect transactional communications about your account, security, billing, or legal notices.
  • Control cookies. You can set your browser to remove or reject cookies before using our websites. Certain features may not function without cookies. See our Cookie Policy for details.
  • Request deletion. You can request deletion of your personal information by emailing legal@paperwork.bot. We will process verified requests as described in How Long We Keep Information above.
  • Close your account. You can close your account at any time. After closure, we may continue to retain limited information as described in How Long We Keep Information.

How to Reach Us

If you have a question about this Privacy Notice, or you would like to contact us about any of the rights mentioned above, please email legal@paperwork.bot.

Changes to This Privacy Notice

Kaytos may update this Privacy Notice from time to time. The updated Privacy Notice will apply to personal information we collect or process after its effective date. If we make material changes, we will provide reasonable advance notice (for example, by email to the address on file for your account or by a notice within the Services) before the changes take effect. We will also update the "Last Updated" date at the top of this Privacy Notice.