Privacy Policy

A CRM that just works


Last updated: May 1, 2026

This Privacy Policy explains how K3X Inc. ("K3X", "we", "us", "our") collects, uses, shares, and protects personal information in connection with the K3X platform, website at k3x.ai, the application at app.k3x.ai, our APIs, and related services (collectively, the "Services").

K3X is a customer relationship management ("CRM") platform that combines lead, contact, deal, and pipeline management with goal-based AI agents. We process two distinct categories of personal information:

  1. Account Information — information about you when you visit our website, sign up, and use the Services as a customer or authorized user.

  2. Customer Data — information that our customers (the "Customer") submit, import, or generate through the Services about their own leads, contacts, prospects, and end users.

For Account Information, K3X is the data controller. For Customer Data, K3X acts as the processor (or "service provider" under California law) on behalf of the Customer. The Customer is responsible for the lawfulness of the Customer Data they submit to the Services and for honoring data-subject requests from the individuals reflected in that data. If you are an end user, prospect, or contact of one of our Customers and want to exercise rights with respect to your data, please contact that Customer directly.

1. Information We Collect

1.1 Information you provide

  • Account and profile data: name, email address, phone number, profile photo, job title, company name, time zone, and authentication identifiers (Google or Microsoft account ID when you sign in via OAuth).

  • Customer Data you upload or generate: lead, contact, organization, and deal records; notes, files, and attachments; custom fields; emails, SMS messages, call recordings and transcripts; AI agent configurations and outputs; activity history.

  • Communications and support data: messages you send to our support team, survey responses, and feedback.

  • Billing data: company billing details and tax identifiers. Payment card details are collected and processed by Stripe; we do not receive or store full card numbers.

1.2 Information collected automatically

  • Usage and device data: IP address, browser type, operating system, device identifiers, pages and features accessed, timestamps, error logs, and similar telemetry.

  • Cookies and similar technologies: see our Cookie Policy.

  • Logs and security data: API call metadata, audit logs, and information needed to detect, prevent, and respond to abuse.

1.3 Information from third parties

  • Authentication providers: if you sign in with Google or Microsoft, we receive basic profile information (name, email, profile picture, account ID) and any scopes you authorize.

  • Connected services: when you connect your Gmail, Google Calendar, or Microsoft 365 account, we access your email, calendar, and contacts data with the scopes you grant. When you connect a phone number through Twilio, we receive related call and message metadata.

  • Enrichment and lookup data: for certain features, we may retrieve publicly available information (e.g., via Tavily web search or Google Places) to enrich CRM records.

  • Billing and fraud-prevention partners: Stripe and our infrastructure providers may share information with us for fraud prevention, chargeback management, and billing reconciliation.

2. How We Use Information

We use personal information to:

  • Provide, operate, secure, and improve the Services.

  • Authenticate users, manage accounts, and enforce our Terms and Acceptable Use Policy.

  • Power AI features — including drafting messages, summarizing calls, qualifying leads, generating embeddings for retrieval, and routing work between agents and humans.

  • Send transactional communications (account, security, billing, and service notifications).

  • Provide customer support, train our support team, and respond to inquiries.

  • Process payments and manage subscriptions.

  • Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our policies.

  • Comply with legal obligations and respond to lawful requests from authorities.

  • Conduct internal research, analytics, and product development on aggregated or de-identified data.

  • With your consent or where otherwise permitted by law, send marketing communications about K3X. You can opt out at any time via the unsubscribe link in any marketing email or by contacting us.

AI training. We do not use Customer Data to train K3X's own foundation models or to train models offered by our AI sub-processors. Our agreements with AI providers (including OpenAI and Anthropic) prohibit them from using Customer Data submitted via API to train their general-purpose models. We may use de-identified or aggregated data to evaluate and improve the Services, including evaluating AI agent quality.

3. Legal Bases for Processing (EEA / UK / Switzerland)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract — to provide the Services to you or your employer.

  • Legitimate interests — to secure the Services, prevent fraud, market our products to existing customers, and improve the Services. We balance these interests against your rights.

  • Compliance with a legal obligation — for tax, accounting, and regulatory purposes.

  • Consent — for cookies (where required), marketing communications (where required), and any processing of special-category data you elect to upload.

You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. How We Share Information

We do not sell personal information. We share personal information only in the following circumstances:

4.1 Sub-processors

We use trusted third-party providers to deliver the Services. Each is bound by written agreements that include confidentiality, security, and (where required) data-processing terms. Our current sub-processors include:

| Provider | Purpose | Region |
|---|---|---|
| Google Cloud Platform | Hosting, compute, storage, database (Cloud Run, Cloud SQL, Cloud Storage, Cloud Tasks, Pub/Sub) | United States |
| Firebase (Google) | Authentication, hosting, file storage | United States |
| OpenAI | AI inference (LLMs, transcription, embeddings) | United States |
| Anthropic | AI inference (Claude family models) | United States |
| Tavily | Web search and content extraction for AI agents | United States |
| LangSmith | AI agent observability and tracing | United States |
| Twilio | SMS, voice calling, phone number provisioning | United States |
| SendGrid (Twilio) | Transactional and system email | United States |
| Google APIs | Gmail, Calendar, Geocoding, Time Zone, Places | United States |
| Microsoft Graph | Outlook, Calendar, OneDrive integrations | United States / EU |
| Stripe | Payment processing, billing | United States |

We may update this list from time to time, and we will provide notice of material additions where required by your contract with us.

4.2 Other recipients

  • Other users in your workspace: information you create or share within a workspace is visible to other authorized users of that workspace, subject to the workspace's permission settings.

  • Connected services you authorize: if you connect a third-party service, data flows to that service according to the integration's scope and the third party's own privacy practices.

  • Legal and safety: we may disclose information if required by law, subpoena, or court order, or where we believe disclosure is necessary to protect rights, property, or safety, prevent fraud, or address security incidents.

  • Business transfers: if K3X is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice of any such transfer that materially changes how your information is handled.

  • With your consent or direction.

5. International Data Transfers

K3X is based in the United States, and our infrastructure is hosted in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States and other countries where our sub-processors operate.

When transferring personal information out of the EEA, UK, or Switzerland, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented by additional measures where necessary.

6. Data Retention

We retain personal information for as long as needed to provide the Services and for the additional periods described below:

  • Account data: retained while your account is active and for up to 90 days after termination, after which it is deleted or de-identified, except where longer retention is required by law or necessary to resolve disputes, enforce agreements, or for legitimate backup, security, or audit purposes.

  • Customer Data: retained according to the Customer's instructions and our Terms. On termination, Customer Data is generally deleted within 60 days, subject to backups, which are overwritten on a rolling basis.

  • Logs and security data: retained for up to 13 months.

  • Billing records: retained for the period required by tax and accounting laws (typically 7 years in the United States).

7. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • Encryption in transit (TLS) and at rest.

  • Field-level encryption for designated sensitive fields in our database.

  • Strong authentication, role-based access controls, and least-privilege internal access.

  • Logging and monitoring for unauthorized access and anomalous behavior.

  • Regular security reviews and dependency patching.

  • Vendor due diligence on sub-processors.

No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and applicable authorities as required by law.

8. Your Rights

Depending on where you live, you may have the following rights:

  • Access — request a copy of the personal information we hold about you.

  • Correction — request that we correct inaccurate or incomplete information.

  • Deletion — request that we delete personal information we hold about you, subject to legal exceptions.

  • Portability — request a copy of certain personal information in a machine-readable format.

  • Restriction or objection — request that we restrict or object to certain processing.

  • Withdrawal of consent — where processing is based on consent, withdraw consent at any time.

  • Non-discrimination — California residents have the right not to be discriminated against for exercising their privacy rights.

  • Opt-out of "sales" or "sharing" — California residents have the right to opt out of sales or sharing of personal information. K3X does not sell personal information and does not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

To exercise any of these rights, email hey@k3x.ai. We will respond within the timeframes required by applicable law. We may need to verify your identity before fulfilling certain requests.

If you are a contact, lead, or end user of one of our Customers and you would like to exercise rights with respect to data the Customer holds about you, please contact that Customer directly. We will assist them in responding to your request.

You also have the right to lodge a complaint with a data-protection authority. In the EU, you can find your local authority here. In the UK, you can contact the ICO.

9. Financial Services Data

K3X is designed for use by SMB companies in the US financial services sector. If you are a financial institution subject to the Gramm-Leach-Bliley Act ("GLBA") or similar laws, you are responsible for evaluating whether the Services are appropriate for your use, configuring the Services consistent with your obligations to your customers, and providing any required notices to your customers. We will treat nonpublic personal information you submit to the Services consistent with our Terms and Data Processing Addendum.

10. Children

The Services are not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us at hey@k3x.ai and we will take reasonable steps to delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. We will notify you of material changes by posting a prominent notice in the Services or sending you an email. Your continued use of the Services after the effective date of an update constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions or to exercise your rights:

Email: hey@k3x.ai

Mail: K3X Inc. – Attn: Privacy, 1111B S Governors Ave., Dover, DE 19904, United States

Phone: (844) 553-9462

For EU/UK matters, our data protection point of contact is reachable at hey@k3x.ai.