Your data, your control.
A clear explanation of what we collect, why, who we share it with, and the rights you have over it.
Scope of this policy
This Privacy Policy describes how Kapitah, Inc. ("KAPITAH®") collects, uses, and shares personal data when you visit our marketing site, sign up for an account, or use the KAPITAH® platform (the "Service"). It applies to data we control. When we process personal data on behalf of a customer (e.g. data your finance team uploads into their books), that processing is governed by our Data Processing Addendum.
Data we collect
We collect three categories of data:
- Account data — name, email, company, role, billing contact.
- Usage data — pages visited, features used, device, IP, approximate location, error logs.
- Customer data — the financial records, documents, and contacts you upload to the Service. We process this on your behalf.
How we use data
We use personal data to:
- Operate, secure, and improve the Service.
- Authenticate accounts and enforce role-based access.
- Provide customer support and respond to inquiries.
- Bill paid subscriptions and detect payment fraud.
- Send service announcements and, with consent, product updates.
- Comply with legal obligations and enforce our Terms.
We do not sell personal data. We do not use Customer Data to train third-party AI models. AI features run against your own data, scoped to your tenant.
Legal bases (EEA / UK)
If you are in the EEA or UK, we rely on the following lawful bases: performance of a contract (delivering the Service), legitimate interests (securing and improving the Service), consent (for optional marketing emails), and compliance with legal obligations.
International transfers
KAPITAH® is headquartered in the United States. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses and equivalent UK/Swiss safeguards.
Retention
We retain account data for as long as your account is active and for a limited period after termination to satisfy legal and accounting requirements. Customer Data is retained for 90 days after termination to allow export, then deleted. Backups are purged on a rolling 35-day cycle.
Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to withdraw consent. To exercise these rights, email privacy@kapitah.com. We respond within 30 days.
Security
We protect data in transit with TLS 1.2+ and at rest with AES-256. Access is role-based, logged, and reviewed. See our Security overview for details.
Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from them.
How to contact us
Kapitah, Inc. — privacy@kapitah.com. If you are in the EEA or UK and have an unresolved concern, you have the right to complain to your local data protection authority.
Questions? Email legal@kapitah.com.