Privacy policy
v1.0.0
August 6, 2025
1. Introduction
Who We Are: Keepbook (“we,” “us,” or “our”) provides an AI-powered business intelligence and productivity platform, including our website, mobile application, and related services (collectively, the “Services”). This Privacy Policy explains how we collect, use, and disclose your information when you use our Services, and it outlines your rights regarding that information. We are committed to protecting your personal information and privacy rights in line with global data protection laws (such as the GDPR in Europe, CPRA in California, and PIPA in South Korea).
Scope and Consent: By accessing or using our Services, you acknowledge that you have read and understand this Privacy Policy and agree to the collection, use, storage, and disclosure of your personal information as described herein, and as permitted by our Terms of Service. In certain jurisdictions (for example, the Republic of Korea), we will obtain your explicit consent for specific activities as required by law (see the region-specific provisions below). If you do not agree with any part of this policy, please do not use our Services.
How to Contact Us: If you have any questions or concerns about this Privacy Policy or our data practices, or if you wish to exercise any of your privacy rights, you can reach out to us at:
Email (General Inquiries): [email protected]
Mailing Address: Keepbook AI B.V., Gerard Doustraat 228, 1017XC Amsterdam, Netherlands. (If you are a resident of certain regions like the EU or South Korea, you may also contact our designated privacy representative or Data Protection Officer as described in the region-specific sections below.)
Key Definitions: To make this policy clear, here are some key terms you’ll see throughout:
Personal Information (Personal Data): Any information that identifies, relates to, or could reasonably be linked to you or your household. This includes obvious things like your name, email address, or phone number, as well as less obvious information like IP addresses, device IDs, or content you create on the Service. (In short, if it’s data that can be tied to you, it’s likely Personal Information.)
Sensitive Personal Information: A subset of Personal Information that is given extra protection under certain laws. This includes things like account login credentials, precise location, or personal characteristics (for example, health information or ideology). We only collect a very limited amount of sensitive data – specifically, your account login credentials (username and password) to secure your account. We do not intentionally collect sensitive information like your social security number, financial account numbers, or details about your health or beliefs, unless you choose to store such information in our Service yourself. (And even then, we do not actively monitor or profile that content.)
Processing: Anything we do with your Personal Information, such as collecting it, storing it, using it, analyzing it, sharing it, or deleting it. If data is moving or being used in any way, that’s “processing.”
Controller: The entity that decides why and how Personal Information will be processed. For the purposes of this Privacy Policy, Keepbook is the controller of your Personal Information.
Processor (Service Provider): An entity that processes Personal Information on behalf of a controller, following the controller’s instructions. (For example, if we use a cloud storage company to store data or an email service to send messages, those companies are acting as our processors/service providers.)
“Sell” or “Share”: These terms have specific meanings under the California Privacy Rights Act (CPRA). “Sell” basically means exchanging Personal Information for money or other value, and “Share” means disclosing Personal Information to a third party for targeted advertising purposes (cross-context behavioral advertising). In this policy, when we say we do not sell or share your data, it means we do not exchange your data for money or allow third parties to use it for their own advertising.
Third Party: Anyone who isn’t you, us, or working for us as a processor. This could be an independent company or individual that we might disclose data to. We only disclose to third parties in the situations described in this policy. In some jurisdictions, sharing data with a third party (especially another controller) may require your explicit consent – and we will follow those rules (for instance, see the South Korea section for how we handle “provision to third parties”).
By defining these terms, we aim to be clear about our intentions and to use language consistent with legal requirements across different regions.
2. Information We Collect and How We Collect It
2.1 Overview – Why We Collect Data
We collect Personal Information in order to operate, provide, and improve the Services, to keep them secure, and to communicate with you. We follow the principle of data minimization – meaning we only collect what we really need for the purposes described in this policy. Below we explain the categories of information we collect, the sources of that information, and why we collect it. Consider this section our “notice at collection” (as California law calls it) and our effort to be transparent (as required by laws like GDPR and PIPA).
2.2 Categories of Personal Information
When you use Keepbook, we may collect the following categories of information:
Identifiers: For example, your name, email address, postal address, phone number, account username, and IP address. These help us recognize you and communicate with you (and are needed for things like account creation, login, and customer support).
Personal Records (California Customer Records categories): This includes information listed in Cal. Civ. Code § 1798.80(e) such as contact information (some of which overlaps with “Identifiers” above) and any payment information you provide. Note: If you make purchases, payment details (like credit card numbers) are handled by our third-party payment processor (e.g., Stripe) – we do not store your full financial account numbers on our servers.
Commercial Information: Records of products or services you have purchased, obtained, or considered. For instance, if you subscribe to a premium plan or purchase add-on features, we’ll have a record of that transaction.
User-Generated Content: The notes, documents, images, financial data, or any other content that you create, upload, or store in Keepbook. This is the core of what you put into our Service – and we treat it with the highest level of care and privacy.
Internet or Network Activity: Information about your interactions with our Services. This includes things like log data and analytics data – for example, when you logged in, how long you used the app, the pages or features you interacted with, your search queries within the app, and so on. We may collect this through automated means like cookies and logs (see Cookies in Section 9.2 below).
Geolocation Data: General location information inferred from your IP address (e.g. what city or country you are in). This helps us personalize content (such as language or regional settings) and for security (like recognizing if a login attempt is coming from a new country). Note: We do not collect precise GPS location from your device unless you explicitly allow it for a specific feature – and currently, our core Services do not require precise location.
Inferences: Insights we derive from the other data we collect. For example, based on your activity or content, we might infer your preferences or interests to personalize your experience (like recommending certain features or content organization tips). These inferences are used to improve your experience with Keepbook.
Sensitive Personal Information: As noted, the only sensitive data we intentionally collect is your account login credentials (passwords are stored in an encrypted form). We do not ask for sensitive personal details like your social security number, racial or ethnic origin, health information, etc. However, because Keepbook is a platform where you might store your own content, it’s possible you could include sensitive personal data about yourself or others in that content. We want to be clear that we do not actively monitor or analyze your private content to categorize it by type (for example, we aren’t scanning your notes to see if they contain health data or political opinions). Any processing of your content (like using our AI features) is only to provide the Services to you, not to build profiles about sensitive traits.
2.3 Sources of Personal Information
We collect this information from a few places:
Directly from You: Most data comes straight from you. For example, you provide identifiers and personal details when you register an account, fill out your profile, or communicate with us. The content you create or upload (notes, documents, images, financial data, etc.) is obviously provided by you. If you contact customer support or fill out a form, that’s also information you’re giving us directly.
Automatically from Your Use of the Services: When you use Keepbook, we automatically log some information about your device and activity. For instance, our systems may record your IP address, device type, operating system, the page or feature you were using, the time and date of each action, and so forth. We use cookies and similar tracking technologies to help with this (for example, to remember your preferences and to analyze how users navigate through our app or site). See our Cookie Policy for more details on these.
From Third Parties: Sometimes we receive information from third-party sources, but only where those third parties have a legal basis to share it with us. For example, we might get basic analytics data from tools like Google Analytics (which would tell us things like what country most users are in, or how many users use a particular feature). If you integrate Keepbook with another service (for example, connecting an external app or data source to our platform), with your permission we will receive data from that integration. We may also receive contact information from marketing partners if you were referred to Keepbook through a campaign, but only in accordance with applicable law. Note: In our business-focused features, you may enable integrations (such as with an ERP or accounting system) that import business data into Keepbook; in such cases, the data comes from those third-party systems based on your instructions.
2.4 Summary of What We Collect, Why, and Who We Share It With
To give you a clear picture, here is a breakdown of the categories of Personal Information we collect, the purposes for collecting them, the types of third parties (if any) we disclose them to for business purposes, whether we “sell” or “share” that information, and how long we typically keep it:
Identifiers
Purpose: To create and manage your account, provide our Services to you, communicate with you (e.g., send confirmations or important notices), offer customer support, and protect against fraud or unauthorized access.
Third-Party Disclosure: Service providers that help us run the service (e.g. cloud hosting providers, email and communication tools) and payment processors (for handling subscriptions or purchases).
Sold/Shared: No. We do not sell or share identifiers for advertising or monetary gain.
Retention: For as long as you have an active account, plus a short additional period as needed for legal compliance or legitimate business purposes (for example, keeping a record of a transaction for tax filings). If you delete your account, we will remove or anonymize these identifiers from our active systems after a set retention period, unless we are required to retain them longer by law.
Personal Records (Contact/Billing Information)
Purpose: To provide the Services and process transactions. This includes using your contact info to send invoices/receipts and using your saved preferences to streamline your experience.
Third-Party Disclosure: Service providers such as cloud infrastructure providers (for data storage) and payment processors (to handle payments securely).
Sold/Shared: No. We do not sell or share this information.
Retention: Kept as long as your account is active, and for a reasonable period afterward if necessary for legal, tax, or auditing purposes. For example, we might retain invoice records to comply with accounting laws.
Commercial Information (Purchase History)
Purpose: To maintain your subscription and purchase history, deliver the services or features you paid for, and for internal analytics (like understanding which features are most popular).
Third-Party Disclosure: Service providers that assist with cloud hosting and payment processing.
Sold/Shared: No.
Retention: Retained for the life of your account and a brief period thereafter for legal/accounting purposes. Transaction records may be kept longer if required by financial regulations, but will be deleted when no longer necessary.
User-Generated Content
Purpose: Core functionality – this is the data you entrust to us (notes, documents, journal entries, business data, etc.), so collecting it is the whole point of our Service. We use it to provide you with features like search, organization, and AI-powered assistance (e.g. summarizing your notes or analyzing your data at your request).
Third-Party Disclosure: Service providers that are essential for providing our service’s functionality. For example, cloud storage providers to securely store your content, and AI service providers (machine learning/AI engines) that help provide features like natural language processing or content summarization. These providers only process data under our instructions and never use your content for their own purposes (see Section 3.6 on AI for more details).
Sold/Shared: No. We do not sell or share your content. Important: Some AI features may involve sending your data (in a masked or pseudonymized form) to our AI technology partners for processing, but this is only to deliver the service back to you – it is not for their use beyond serving you, and it is not a sale or advertising disclosure.
Retention: We store your content until you decide to delete it or delete your account, or otherwise for as long as your account is active. You are in control – you can delete individual pieces of content at any time, and you can delete your entire account which will delete your content from our systems (after a short processing period). We also perform periodic backups of data for reliability, which means deleted content might remain in secure backups for a short time before it is fully purged (see Section 5.2 on Data Retention for more).
Internet or Network Activity
Purpose: To maintain and improve the Service’s functionality and user experience. For example, we use this data to personalize content, remember your preferences (like dark mode or language settings), and understand usage patterns (which helps us fix bugs and decide on new features). We also use some of this data for security (like detecting unusual login behavior that could indicate an unauthorized attempt) and to prevent fraud or abuse.
Third-Party Disclosure: Analytics service providers (which help us understand how users interact with our app), cloud/infrastructure providers (for logging and monitoring service health).
Sold/Shared: No. We do not sell this information. However, we want to be transparent that we do use third-party analytics cookies and similar technologies, which in a California context might be considered “sharing” for advertising or analytics. We provide ways to opt out of those tracking technologies if you wish (for instance, through our Cookie Policy or by honoring browser signals like the Global Privacy Control, see Section 8.2 for details).
Retention: Data like web server logs are kept for only a limited period (sufficient for troubleshooting and security reviews) and then are deleted or anonymized. Cookie data retention varies depending on the type of cookie — e.g. session cookies may last only until you close your browser, while persistent cookies could last a few months or as stated in our Cookie Policy. Refer to our Cookie Policy for specific lifespans of cookies and similar trackers.
Inferences
Purpose: To enhance and personalize your experience. For example, by analyzing which features you use most, we might infer that you could benefit from a new feature we’re rolling out and highlight it to you. Or we might infer preferences (like topics you frequently write about) to improve search or suggest organizational tags.
Third-Party Disclosure: Service providers that assist with analytics or personalization (for instance, a cloud AI service that helps generate a summary or recommendation for you based on your data).
Sold/Shared: No. Any inferences we draw are for internal use to benefit you and are not sold or shared with advertisers.
Retention: Inferences are generally maintained as part of your profile for as long as you use the Service, since they inform how we deliver features to you. If you delete your account or object to certain processing, we will delete or stop using these inferred preferences.
Sensitive Personal Information (Account Credentials)
Purpose: To secure your account and authenticate you when you log in. We ask you to provide a password (and we strongly encourage two-factor authentication) to protect your account access.
Third-Party Disclosure: Service providers that help with secure storage (e.g., our cloud platform for storing account data). Note that passwords are stored in a hashed or encrypted form, so even our service providers cannot read them in plain text.
Sold/Shared: No. We do not sell or share your login credentials.
Retention: We keep your account credentials for as long as your account exists. If you delete your account, or if we close it due to prolonged inactivity or per your request, we will delete or disable those credentials. (For example, if your account is closed, your login email and password hash will be removed or anonymized in our user database after the retention period.)
3. How We Use Your Information (Purposes of Processing)
We use Personal Information strictly for the reasons we collected it, and we do not use it in ways that are incompatible with those purposes. Below are the specific purposes for which Keepbook processes your information:
3.1 To Provide and Maintain Our Services
We use your information to deliver the core functionality of Keepbook. This includes creating and maintaining your user account, authenticating your login, providing you with the features of our platform (such as saving your notes or generating business reports), and processing any transactions (like subscription payments) through our third-party payment processors. Essentially, without using your data, we can’t provide the service you expect – so we use it wherever necessary to fulfill our contract with you (our Terms of Service).
3.2 To Improve and Personalize Our Services
We continually strive to make Keepbook better, more useful, and more relevant for our users. We analyze how users in general (including you) interact with the Services – for instance, what features are used most or where people seem to get stuck – to identify bugs, improve user interface and experience, and develop new tools and features. We may use your information (in aggregated or anonymized form when possible) to figure out usage trends and patterns. Additionally, we might personalize your experience by, say, suggesting features or content organization tips based on how you use Keepbook. For example, if we notice you frequently upload images, we might highlight our image-tagging feature to you. All of this is aimed at making the Services more effective and tailored to your needs.
3.3 For Security and Fraud Prevention
Your safety and the integrity of our platform are top priorities. We process certain data (like device information, IP addresses, and usage logs) to monitor for and prevent potentially harmful or illegal activities. This includes detecting fraudulent transactions or unauthorized access attempts, combating malware or phishing attempts within the app, and enforcing our Terms of Service. If we notice unusual behavior (e.g., many login attempts failing or a login from a new location), we may use your info to verify that it’s really you or to alert you to possible unauthorized access. These measures protect both you and us.
3.4 To Communicate with You
We use your contact information (like your email address or phone number, if provided) to send you communications about the Service. This can be broadly broken down into two types: (a) Service-Related Communications – these are important messages about your account or the Service, such as welcome emails, password reset messages, billing receipts, security alerts (if we detect something odd with your account), or changes to this Privacy Policy or our Terms; and (b) Promotional or Marketing Communications – things like newsletters, product updates, or special offers that we think might interest you. We will only send you marketing communications if we have a lawful basis to do so – for example, your consent (if required by law) or because you haven’t opted out, in jurisdictions where an opt-out is sufficient. You can always opt out of marketing emails by clicking the “unsubscribe” link in those emails or by adjusting your account settings. (Note: You cannot opt out of essential service-related emails, such as security alerts or password reset emails, as those are important for your account’s safety.)
3.5 For Legal Compliance and to Protect Rights
We may need to use or preserve your information to comply with legal obligations, such as tax and accounting rules, or responding to valid legal requests like subpoenas or court orders. We also use information as necessary to resolve disputes or enforce our agreements (for example, to investigate a violation of our Terms of Service). Additionally, if needed, we might use data to protect our rights or property, or the rights, property, and safety of our users or others. For instance, if someone violates the law and uses Keepbook for illegal activities, we might need to cooperate with law enforcement and that could involve using or disclosing certain information as legally permitted.
3.6 Use of Artificial Intelligence (AI) Features
Keepbook incorporates features powered by Artificial Intelligence (AI) and large language models (LLMs) to enhance your experience. For example, we offer capabilities like summarizing long notes, automatically tagging or categorizing content, generating analytical reports from your business data, or answering questions you ask about your data. We want to be fully transparent about how these AI features work and how they use your data:
Purpose of AI Features: The AI-driven functions are there to directly benefit you. When you use an AI feature (say, you ask our system to summarize a document or generate a financial forecast), our system will process your relevant data through AI algorithms to produce the result for you. We do not use the content of your private data to improve our AI models in general or to benefit other customers. The processing is specific to your request and your account.
Use of Third-Party AI Providers: We may use trusted third-party AI services (for instance, machine learning platforms or language model providers) to power some of these features. When we do so, we apply robust safeguards. This includes techniques like data masking or pseudonymization, meaning we try to avoid exposing any direct personal identifiers when your data is sent to the AI engine. For example, if you have names or other identifiers in the text you’re analyzing, our system might replace them with placeholders before processing. We also strive to send only the minimum necessary context for the AI to do its job.
No Training on Your Data: Critically, we have strict agreements in place with any AI service providers we use. They are not allowed to use your data to train or improve their general models. Your data remains your data. If an AI feature analyzes your content, the result is given back to you and the provider does not get to retain that content for their own purposes. We understand that AI services are evolving, and we choose partners who respect user privacy and allow us to enforce these restrictions.
Transparency and Control: We will let you know which features involve automated decision-making or AI processing. In the sections about your rights (see Section 7 and 8), we outline your rights regarding automated decisions. For example, in some jurisdictions you have the right not to be subject to a purely automated decision that has legal or similarly significant effects on you, or the right to an explanation of such decisions. While our AI features are generally user-initiated and meant to assist you (rather than make binding decisions about you), we still want you to be aware of these rights. If you have concerns about any AI-driven feature, you can always choose not to use it. And if you need a human to intervene or have questions about how a result was generated, you can contact us and we’ll do our best to provide insight or help.
In summary, we embrace AI to make Keepbook more powerful for you, but we do so carefully and with respect for your privacy.
4. How We Share or Disclose Information
We do not sell your Personal Information to third parties, and we do not share it for cross-context behavioral advertising purposes (as those terms are defined under California law). However, we do need to disclose some information to run our business and comply with the law. This section describes who we share information with and why.
4.1 Service Providers (Processors)
We use a number of trusted third-party companies and individuals to help us provide the Services on our behalf. These include, for example:
Infrastructure and Hosting: Companies that provide cloud storage and computing infrastructure (to host our application, databases, and backups securely). For instance, we may use services like Amazon Web Services (AWS) or other reputable cloud providers.
Payment Processors: If you make purchases or subscribe to a paid plan, an external payment processor (such as Stripe) will handle your payment information. They get the necessary billing info to process the transaction.
Analytics Providers: We might use analytics tools (like Google Analytics or others) to understand usage of our Services. These providers process limited data (often aggregated or pseudonymized) to tell us things like how often certain features are used.
Communication Tools: We may use email or messaging services (for example, an email delivery service like SendGrid or Mailgun) to send out notifications, verification codes, or newsletters.
AI and Machine Learning Partners: As mentioned, for our AI-driven features we might send data to third-party AI platforms strictly to process your requests. They act as processors by generating results based on your data, under our instructions and control.
Each of these parties is bound by a contract (often called a “Data Processing Agreement”) that limits what they can do with your data. They can only use your information to perform the specific services we’ve hired them for. They cannot use it for their own purposes, and they must keep it confidential. We also require them to implement appropriate security measures to protect your information. If any of our service providers are located outside your country, we make sure to put in place legal safeguards for international data transfer (see Section 6 on International Data Transfers for more details on that). In short, our service providers help us run Keepbook smoothly and securely, and they respect the privacy obligations we put on them.
4.2 Legal Compliance and Protection of Rights
We may disclose your information to third parties (such as courts, law enforcement agencies, regulators, or others) if we believe such disclosure is necessary to:
Comply with the law or legal process: If we receive a valid subpoena, court order, or other legal demand for information, we may have to disclose data to comply. We will evaluate each request carefully and push back when appropriate (for instance, if a request is overly broad).
Protect rights, property, and safety: We might share information if needed to enforce our terms or other agreements, to investigate potential violations or fraud, or to protect the rights, property, or safety of Keepbook, our users, or the public. For example, if we suspect someone is attempting to hack into accounts or is posting illegal content, we may need to share information with law enforcement.
Address security or technical issues: Occasionally, we may need to share limited information with security researchers or other entities to investigate and remediate vulnerabilities or incidents (for example, sharing a specific IP address with an anti-fraud service to track malicious activity).
These disclosures will only be done in accordance with applicable laws. Our policy is to notify users of any legal demands for their data unless we are prohibited by law from doing so or in rare, exigent circumstances (e.g., a life-threatening situation).
4.3 Business Transfers
As a startup and growing company, Keepbook may go through business changes such as mergers, acquisitions, raising investment, restructuring, or selling parts of the business. In the event we are involved in a merger or acquisition, or if we sell all or a portion of our business or assets, or even in the unlikely event of bankruptcy or receivership, your Personal Information could be transferred to the acquiring or succeeding entity. If such a transfer occurs, we will ensure that your information remains subject to the same protections outlined in this policy (unless, of course, you consent to new terms). We will also provide notice on our website (and, if you’ve provided an email, we may notify you via email) to inform you of the change and any choices you may have regarding your data as a result.
4.4 With Your Consent
Apart from the situations above, if we ever need to share your information for any other purpose, we will do so only with your explicit consent. For example, if you ask us to share your information with a third-party service or you use a feature that requires sending your information to an outside party that isn’t acting solely as our processor, we would either facilitate that explicitly at your direction or ask your permission. This is particularly important in certain jurisdictions like South Korea – under the Personal Information Protection Act (PIPA), providing your data to another independent company (a third-party controller) typically requires that we obtain your prior consent, specifying who and what for. Rest assured, if something isn’t covered by this Privacy Policy, we’re not just going to hand over your data unless you say it’s okay.
(In summary, we limit disclosures to what’s described here – running our service with trusted helpers, legal requirements, protecting rights, business transitions, or with your consent.)
5. Data Security and Retention
5.1 How We Protect Your Data (Security)
We take the security of your Personal Information very seriously. We implement a variety of technical, administrative, and organizational safeguards designed to protect your data from unauthorized access, use, or disclosure. For example:
We use encryption for data in transit and at rest. This means when your data is moving between your device and our servers, it’s protected by HTTPS/TLS (so eavesdroppers can’t read it), and sensitive data stored on our servers is encrypted (so it’s not easily readable even if storage were compromised).
We employ access controls so that only employees or contractors with a legitimate need to access your information (to perform their job duties) can do so. Our team is trained on privacy and security practices, and we restrict access to Personal Information on a need-to-know basis.
We regularly assess our systems for vulnerabilities and attacks. We keep our software and infrastructure up to date with security patches, and we utilize firewalls and monitoring to guard against intrusions. We may also engage third-party security experts to perform audits or penetration tests on our environment.
We have incident response plans ready. In the unlikely event of a security breach, we have procedures in place to contain the incident, mitigate harm, and notify affected users and authorities as required by law.
However, it’s important to note that no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. You should also play a part in protecting your data by using a strong, unique password for Keepbook, enabling two-factor authentication, and protecting your own account credentials. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel your account has been compromised), please contact us immediately.
5.2 How Long We Keep Your Data (Data Retention)
We retain Personal Information for only as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Different types of data may have different retention periods:
Active Account Data: If you have an active account with us, we will keep your information for as long as you are using the Services. This allows us to provide the Service to you continuously.
Account Closure: If you choose to delete your account (or if your account remains inactive for an extended period and we close it in line with our policies), we will initiate the process of deleting or anonymizing your Personal Information. We may retain certain minimal information for a short period after account deletion for legitimate reasons – for example, to allow us to settle transactions, to show that we complied with a deletion request, or to resolve possible disputes (say, if there’s an issue regarding a refund or a legal claim). Typically, this retention is limited to the time frame necessary for those purposes.
User-Generated Content: Content you have created (your notes, documents, etc.) will be deleted when you delete your account or, if you prefer, you can delete individual pieces of content at any time. Once deleted, the content is no longer accessible through the app. It may persist temporarily in our secure backups; however, we have processes to eventually purge deleted content from backups too, or to segregate it so it’s not readily accessible.
Legal Compliance and Legitimate Business Purposes: We might keep some information longer if required by law or if we have a legitimate business reason. For instance, financial records of purchases are kept to comply with tax and accounting laws (which might require us to keep records for a certain number of years). If there’s an ongoing legal proceeding or investigation, we would retain relevant information until it is resolved. If we retained data for such purposes, we would continue to secure it and isolate it from routine use.
Anonymized Data: In some cases, rather than delete data, we may anonymize it so that it can no longer be associated with you. For example, we might convert a log of your usage into aggregated statistics (stripping out any personal identifiers). We may keep anonymized data for analytical purposes indefinitely because it no longer represents you or any individual.
After the applicable retention period has ended, we will securely destroy or erase the Personal Information. For physical records that are no longer needed, we shred or incinerate them. For electronic records, we use technical methods that permanently delete the data so that it cannot be recovered. Our goal is to not keep your personal data around indefinitely unless there’s a good reason to (and if there is, we’ll have told you what that reason is).
6. International Data Transfers
Keepbook operates on a global scale. Depending on where you are located, your Personal Information may be transferred to and stored on servers in a country different from your own. For example, if you are in the European Union, some of your data may be processed in the United States or other countries. We understand that different countries have different data protection laws, so when we transfer personal data across borders, we take steps to ensure that your data is given an adequate level of protection.
6.1 Transfers from the European Economic Area (EEA), United Kingdom, or Switzerland
If you are located in the EEA, UK, or Switzerland, we adhere to the GDPR (and UK GDPR) requirements for transferring your personal data outside of those regions. This means:
Adequacy: Some countries are deemed by the European Commission (or UK authorities) to have laws that are “adequate,” or essentially equivalent to EU data protection standards. If we transfer data to a country with an adequacy decision (for example, as of this writing, countries like Canada, Japan, or others have such status), we rely on that decision.
Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision (such as the United States, in cases where the recipient isn’t certified under an EU-approved framework), we use the European Commission’s approved Standard Contractual Clauses. These are legal contracts that bind the recipient of the data to protect it according to EU privacy standards. We have SCCs in place with our service providers as needed.
UK Addendum/IDTA: For the UK, which is no longer under the EU regime, we use the International Data Transfer Addendum or other mechanisms approved by the UK Information Commissioner’s Office, which work similarly to SCCs.
Supplementary Measures: In some cases, we might also implement additional technical measures (such as encryption in transit and at rest, which we already do) to add layers of protection when data is transferred internationally.
Our goal is that, no matter where your data is processed, the privacy protections travel with your data. If you’d like more information about our international transfer safeguards, feel free to contact us.
6.2 Transfers from the Republic of Korea
If you are in South Korea, we handle international transfers in strict compliance with the Personal Information Protection Act (PIPA). PIPA has some of the most stringent requirements for sending personal data overseas. In practice, this means:
We will obtain your explicit consent before transferring your Personal Information out of Korea, unless an exception under PIPA applies. This consent will be separate from other consents, and we will provide you with all the details you need to make an informed decision.
When seeking your consent for an international transfer, we will inform you of:
Exactly what information we are going to transfer (the types of personal data).
Which country your data will be transferred to (and even the receiving entity’s name, if required).
When and how the transfer will happen (for instance, “immediately upon collection via secure encrypted connection to our servers in X country”).
Who is receiving the data and if it’s a company, what they do (e.g., a cloud storage provider, an email service, etc.).
The purpose for which the recipient will use your data (e.g., “to store the data and enable the functioning of the service”) and how long they will retain it (e.g., “data is stored for the duration of your account”).
We will also ensure any overseas recipient of the data is contractually obligated to protect your information to standards required by PIPA and this Privacy Policy.
If you choose not to consent to an international transfer, we will do our best to accommodate that (for example, by using servers located in Korea for your data if possible). However, please be aware that some aspects of our Service might be limited or unavailable without certain cross-border data flows, since our infrastructure may be global.
(International data transfers can sound complicated, but the bottom line is we take measures to protect your data when it moves across borders, and we respect local rules about how to do it.)
7. Your Privacy Rights and Choices
You have rights regarding your personal information, and we want you to be able to exercise them. Depending on where you live, these rights may vary, but we intend to honor the core of these rights for all our users, where feasible. Here is a high-level summary of key privacy rights recognized in various laws:
Privacy Right | EU/UK (GDPR) | California (CPRA) | South Korea (PIPA) |
Access / Right to Know (what data we have about you) | Yes | Yes | Yes |
Correction / Rectification (correct inaccurate data) | Yes | Yes | Yes |
Deletion / Erasure (have your data deleted) | Yes | Yes | Yes |
Object or Opt-Out of certain processing (e.g., profiling, sale/sharing) | Yes – right to object to processing | Yes – right to opt out of sale or sharing | Yes – right to withdraw consent or object |
Limit Use of Sensitive Info | Yes – right to restrict certain processing | Yes – can limit use of sensitive personal info | Yes – strict consent rules for sensitive data |
Data Portability (get your data in a usable format) | Yes | Yes (in a portable format) | Yes (newly provided under 2023 amendment) |
Rights regarding Automated Decision-Making | Yes – right not to be subject to purely automated decisions with significant effects | Yes – right to opt out of automated decision technology | Yes – right to demand human intervention for automated decisions |
Right to Lodge a Complaint with Authority | Yes (Supervisory Authority) | Yes (California Privacy Protection Agency) | Yes (Personal Information Protection Commission) |
As the chart shows, there’s a lot of overlap. In plain language, regardless of where you are, you generally have the right to: know what information we have about you; access that information; correct it if it’s wrong; ask for it to be deleted; ask us to stop certain uses or to limit it; get a copy of it; and inquire about or object to any significant automated decisions. You also have the right to not be treated differently (no discrimination or denied service) just for exercising these privacy rights.
How to Exercise Your Rights: The easiest way to make a privacy rights request is to email us at [email protected]. Please let us know which right you want to exercise and provide us with enough information to verify your identity (we need to make sure we’re dealing with the correct person’s data). For example, we might ask you to send the request from the email address associated with your account or provide some information that only you would know. We will respond to your request as required by law – generally within 30 days for most regions (45 days for California, but extendable to 90 if needed, and we’ll let you know if we need that extension; South Korea typically expects faster initial responses). If you have an authorized agent (like an attorney or someone you’ve formally given permission to act on your behalf), they can make requests for you, but we will still take steps to verify that the request is legitimate.
We will fulfill your request to the extent required by applicable law. There may be situations where we cannot fully comply – for example, if you request deletion and we are required by law to keep certain data, or if fulfilling a request would adversely affect others’ privacy or our own legal obligations. But we will explain any such situation to you in our response.
Importantly, we will not penalize or discriminate against you for exercising any of these rights. For instance, we won’t deny you service or give you a different level of service just because you asked to see your data or have it deleted. Our service offerings and prices are the same whether or not you exercise your rights.
Finally, if you have any concerns about how we handle your data or your requests, you have the right to escalate the matter to the authorities (as described below in the jurisdiction-specific sections). But we encourage you to reach out to us first – we genuinely care about your privacy and will do our best to resolve any issues.
8. Jurisdiction-Specific Information
Privacy laws can vary by country or state. In this section, we provide some additional details specific to certain jurisdictions to ensure we’re meeting local requirements and to inform you of any additional rights or information relevant to you.
8.1 Users in the European Economic Area (EEA), United Kingdom (UK), and Switzerland
If you are in the EEA, UK, or Switzerland, the following information applies to you:
Data Controller: Keepbook AI B.V. (located in the Netherlands) is the “data controller” responsible for your Personal Data. This means we determine how and why your personal data is processed. You can contact us at the addresses in Section 1 if you have any issues or questions related to how we handle your data.
Legal Bases for Processing: We process your Personal Data under the lawful bases established by Article 6 of the GDPR (and UK GDPR). This means for each use of your data, we have identified a legal justification. The main legal bases we rely on are:
Performance of a Contract: Much of our processing is to provide you the Services as agreed in our Terms of Service. For example, when we handle your login credentials and user content, we do so to perform our contract with you (i.e., provide the features you signed up for).
Legitimate Interests: We may process data for purposes that are in our legitimate interests as a business – for instance, improving and securing our Services (Sections 3.2 and 3.3 describe many of these purposes). When we rely on legitimate interests, we ensure that our interests are not overridden by your rights and interests; we perform a balancing test to be sure. For example, it’s in our interest to track basic analytics to improve our app, but we do so in a way that minimally impacts your privacy (and you always have the right to object to any processing based on legitimate interests).
Consent: In certain cases, we will ask for your consent to process data. For instance, if we ever wanted to send you marketing emails in a country where that requires consent, or if we introduce a new feature that processes your data in a way not covered by existing bases, we will obtain your consent. You have the right to withdraw your consent at any time, and if you do, we will stop the processing that was based on consent. (Note: withdrawing consent doesn’t affect the lawfulness of processing we did up to that point.)
Legal Obligation: Sometimes we have to process or retain data to comply with laws – for example, retaining transaction records for tax purposes, or disclosing information if compelled by a court order. In these cases, the law is the basis for processing.
Your GDPR/UK Privacy Rights: As summarized in Section 7, you have several rights under GDPR: the right to be informed (that’s partly what this Privacy Policy is for!), the right of access (to get a copy of your data or more info about how we use it), the right to rectification (correcting inaccurate data), the right to erasure (“right to be forgotten,” under certain conditions), the right to restrict processing (to temporarily stop us from processing certain data), the right to data portability (to get your data in a machine-readable format and/or have it sent to another provider), the right to object (to certain processing like direct marketing, or processing based on our legitimate interests), and rights related to automated decision-making (as mentioned earlier, you can request human intervention or challenge a decision made solely by a computer if it has significant effects on you). You also have the right not to be subject to a decision based solely on automated processing if it significantly affects you, unless it’s necessary for a contract with you, authorized by law, or based on your explicit consent (and in any case, you’d have the right to have a person review it).
We have processes in place to honor these rights. If you exercise any of these rights (by contacting us as noted in Section 7), we will respond within one month (and we can extend that by two more months for complex requests, but we’ll let you know if so). There is generally no fee for making a request, unless it’s excessive or unfounded (in which case, we might charge a reasonable fee or refuse, but we would explain why).
Right to Lodge a Complaint: If you believe we have infringed your data protection rights or not adhered to the law, you have the right to lodge a complaint with a supervisory authority, particularly in the EU country where you live, work, or where you feel the violation occurred. For example, if you’re in France, you could contact the CNIL; in Germany, you’d reach out to your state’s DPA; in the Netherlands (where we are based), you can contact the Autoriteit Persoonsgegevens; in the UK, you can contact the Information Commissioner’s Office (ICO). Contact information for these authorities is readily available online (and we can help point you to the right one if you ask). We would, of course, appreciate the chance to address your concerns first, but it’s your right to go to the authorities at any time.
Note for UK/Swiss users: The above rights and bases apply similarly under the UK GDPR and the Swiss Federal Act on Data Protection. We treat user data in those jurisdictions with the same high standard of care.
8.2 Residents of California (CPRA) – Your California Privacy Rights
If you are a California resident, you are protected by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), which grants you specific rights regarding your Personal Information. Here’s what that means for you:
Right to Know: You have the right to request that we disclose to you what Personal Information we collect, use, and disclose about you specifically. This includes the categories of personal information we’ve collected, the categories of sources from which it was collected, the business or commercial purpose for collecting it, the categories of third parties we disclosed it to, and the specific pieces of personal information we collected about you. (Much of this is outlined in this Privacy Policy, but you can also request a report of your specific data.)
Right to Delete: You can request that we delete Personal Information we have collected from you, with certain exceptions. For example, if we are required to keep certain data for legal reasons (like a record of a transaction) or if the data is needed to complete the transaction you requested, we may not delete that specific data. But if you ask, we will either delete your personal data or explain the reason we cannot (due to an exception in the law).
Right to Correct: If you find that some of the Personal Information we have about you is inaccurate, you have the right to request we correct it. Provided we can verify your identity and the new information, we will correct our records.
Right to Opt-Out of Sale or Sharing: As mentioned, we do not sell your Personal Information for money. We also do not share your information for cross-context behavioral advertising (which is CPRA’s definition of “sharing”). In the event that changes (which we have no plans to do), we would update this policy and give you a clear way to opt out. We also honor the Global Privacy Control (GPC) – which is a browser setting that signals a “Do Not Sell or Share” preference. If we detect a GPC signal from your device or browser, we will treat it as an opt-out request for the device, browser, and, if we can connect it, your account. Additionally, if our site uses any third-party analytics or advertising cookies that could be considered a “sale” or “sharing,” we will provide a “Do Not Sell or Share My Personal Information” link or toggle on the site (as required by law) so you can manage those preferences.
Right to Limit Use of Sensitive Personal Information: California residents can direct businesses to limit the use of Sensitive Personal Information to only what’s necessary to provide the services. In our case, as we’ve described, we only use your sensitive information (like your account credentials) for providing the service (authentication, security, etc.), which is already a “necessary” purpose. We don’t use or disclose sensitive info like account passwords for any purpose other than the reasons you gave it to us. If we ever requested other sensitive info for an additional purpose, we would provide a way to limit its use.
Right of Non-Discrimination: We will not discriminate against you for exercising any of these rights. That means we won’t deny you our Service, won’t charge you different prices, won’t provide a different level or quality of service, and won’t suggest any of those things will happen just because you made a privacy rights request. The CCPA/CPRA explicitly prohibits this kind of retaliatory behavior, and we fully adhere to that.
How to Exercise California Rights: To exercise your rights to know, delete, or correct, you (or your authorized agent) can contact us at [email protected] with your request. We will need to verify your identity – usually by asking you to provide information that matches our records (for example, confirming your email and aspects of your recent interactions with the service). For requests to know specific pieces of information, we may apply a higher verification standard (to protect your privacy). If you have an authorized agent making the request for you, we may require proof of written permission or power of attorney, and we will still verify with you directly unless the agent has a power of attorney under the California Probate Code.
We aim to respond to California rights requests within 45 days. If we need more time (up to an additional 45 days, totaling 90), we’ll let you know the reason and extension period in writing.
“Shine the Light” Law: California Civil Code §1798.83 (the "Shine the Light" law) allows California residents to ask companies once a year what personal information they have shared with third parties for those third parties’ direct marketing purposes. Our answer to that is simple: we do not share your personal information with third parties for their own direct marketing purposes without your consent. In other words, we don’t rent or sell your info to other companies so they can spam you with their ads. If that ever changes, we would provide the appropriate opt-in or opt-out options as required by law. But currently, that’s not something we do.
8.3 Individuals in the Republic of Korea (South Korea) – PIPA Compliance
If you are a user in South Korea, the Personal Information Protection Act (PIPA) applies to how we handle your data. PIPA has very strict requirements, and we are committed to meeting them. Here are some key points for our Korean users:
Chief Privacy Officer (CPO) and Local Agent: We have appointed a Chief Privacy Officer to oversee our data protection responsibilities. Our CPO is responsible for managing personal data issues and handling user inquiries or complaints in Korea. You can reach our CPO through [email protected] (please write “Attn: Chief Privacy Officer” in the subject line). If we are required to designate a separate local representative (agent) in Korea, we will update this policy to include their contact information as well. (As of the last update of this policy, our understanding is that a local agent is required if we meet certain thresholds of data processing in Korea; we will comply with this as necessary and ensure their details are made available to you.)
Consent First: In Korea, your consent is our primary legal basis for processing personal information, especially for anything beyond what’s obviously needed to provide the service. We will obtain your consent for:
Collecting and Using Personal Information: When you sign up, we’ll present you with a consent form detailing what personal info we collect and how we use it. If we ever need to collect new types of information or use your data for a new purpose, we’ll ask for your consent for those specifically.
Handling of Sensitive Information: If we ever need to collect any sensitive personal information (as defined under Korean law, e.g. information about your ideology, health, biometrics, etc.), we will get your explicit consent for that, and we will clearly explain why we need it. (As noted, in general we don’t collect such data unless you provide it in your content, and we’re not actively pulling that out.)
Provision to Third Parties: If we intend to provide your personal information to any third-party controller (meaning another company that will use the data for their own purposes, not just to help us provide our service), we will ask for your consent and tell you exactly what is being provided and to whom. For example, if we partner with another app and you want to link your Keepbook account with them, we’ll ask your permission before sharing anything.
International Transfers: As described in Section 6.2, if your data will be transferred overseas, we will obtain your consent and give you all the details (destination, recipient, purpose, etc.) as required by PIPA.
We will present these consent requests in a clear and separate manner (no bundling consents together if not necessary), and we will also inform you of your right to refuse consent and any consequences of not consenting (if any). Importantly, if a certain collection or use is “optional” (not strictly needed for the main service), you can refuse and we will not deny you the core service – we might just disable the optional feature.
Your Rights Under PIPA: You have robust rights under Korean law, many of which overlap with those already discussed:
Right to be Informed: You can ask us to explain how your data is being used and we must inform you (hence this Privacy Policy, and we’re always updating it to ensure transparency).
Right of Access: You can request a copy of the personal information we hold about you and details about how it’s being used. We will provide this, except in very limited situations allowed by law (for example, if providing the data could violate another person’s rights or trade secrets, etc., but we would partially disclose or do our best to accommodate the request).
Right to Correction (Rectification): If any of your personal information is inaccurate or incomplete, you can request that we correct or supplement it. We will correct it upon verification (or, if we believe it’s correct, we will note your challenge in the record).
Right to Deletion: You may request that we delete your personal information. PIPA generally allows deletion when the information is no longer necessary for the purpose it was collected. If you request deletion, we will delete the data or anonymize it so it’s no longer personally identifiable. If certain data must be retained by law, we will inform you and securely isolate that data from active use.
Right to Suspend Processing: You can request that we temporarily suspend processing of your personal information in certain cases (for example, if you contest the accuracy of the data or if you believe processing is illegal). We will either suspend processing or inform you why we may refuse (as permitted by law). Do note, if you ask us to stop processing data that is essential to our service (like say, your login credentials), we might have to treat that as a request to delete your account, since we can’t practically provide the service without processing that information. We will communicate with you to clarify any such situation.
Right to Data Portability: As of recent updates to PIPA (2023), there is a notion of data portability – you might request that we transfer your data to another company or to you in a machine-readable format. We will honor this to the extent required and technically feasible.
Automated Decision Making: Similar to GDPR, if we ever implement fully automated decision-making that significantly affects you, you have the right to request an explanation or to challenge such decisions. (Currently, our AI features in Keepbook are user-initiated and assistive, rather than making autonomous decisions about you, but this is a protection we mention for completeness.)
“Provision” vs “Outsourcing”: Korean law differentiates between providing data to third parties and outsourcing data processing. To clarify:
When we use service providers to process data on our behalf (e.g., cloud hosting, email delivery, etc.), that is considered “outsourcing” (or consignment) under PIPA. We do not need your separate consent for outsourcing, but we must disclose in this Privacy Policy which tasks we have outsourced and to whom, which we have done by describing our service providers in Section 4.1. We have agreements with each of those processors to ensure they protect the data.
We will not provide your personal information to independent third parties (i.e., another controller) without your consent. “Provision” would mean, for example, selling a list of users to another company, or sharing data with a partner for their own uses – and we simply do not do that as a rule. If that ever changes or if a specific situation arises where providing data to a third party would benefit you, we will get your consent first as described above.
Data Destruction Procedures: PIPA requires that we destroy personal information once the purpose of its collection has been achieved and retention is no longer permitted. We have internal guidelines for this. When data is due for destruction, we take the following steps:
Electronic files containing personal information are permanently deleted using secure methods that ensure the data cannot be restored or recovered. (Simply deleting a file normally might leave traces, so we use wiping or shredding software techniques.)
Any paper records are shredded or incinerated.
If there’s some reason we need to keep data past the normal retention (like you agreed to a longer retention or it’s required by law), we will store that data separately from active data (for example, moving it to an archive or separate database) and then destroy it after the extended period. The data in this state isn’t used for any other purpose.
If you have any questions or concerns about how we handle personal data under Korean law, you can contact our CPO through the email provided. We will respond promptly to any user inquiries (PIPA generally expects us to respond within 10 days to such inquiries/requests, and to take action within 30 days).
9. Other Important Information
9.1 Children’s Privacy
Our Services are not intended for use by children. We do not knowingly collect personal information from anyone under the age of 16 (and we adhere to stricter age limits where required, such as 13 under U.S. COPPA, or 14 under South Korea’s regulations). If you are under the age threshold for your region, please do not use Keepbook or provide any personal information to us. If we learn that we have inadvertently collected personal information from a child without proper consent, we will take steps to delete that information as soon as possible. If you are a parent or guardian and discover that your child under the applicable age has an account with us or has provided personal data, please contact us and we will take appropriate action to remove the data and disable the account.
9.2 Cookies and Tracking Technologies
Like many online services, we use cookies and similar tracking technologies to operate and enhance our Services. Cookies are small text files that websites send to your device to recognize your device and remember some information. For example, we use essential cookies to keep you logged in as you navigate through our site, and to protect against security risks (like detecting if someone else is trying to impersonate you). We also use analytics cookies (and similar tools) to understand how users arrive at our site, which pages are popular, and how users interact with features – this helps us improve performance and develop a better product. Some of our analytics or advertising partners may set cookies on your device when you visit our site, which can be used to provide insights or personalized content. We provide details about the specific cookies and trackers we use, their purposes, and how you can control them in our Cookie Policy (available on our website). In that policy, you’ll also find instructions on how to adjust your browser settings to manage or delete cookies, and how to use opt-out mechanisms for certain trackers. You can choose not to accept cookies (aside from those strictly necessary), however, please note that if you disable cookies or other tracking, some features of our Service might not function properly (for example, you might have to log in every time or certain personalization features might not remember your preferences). We respect Do Not Track (DNT) signals and Global Privacy Control (GPC) signals as required – meaning if your browser is set to refuse tracking, we will honor that for non-essential cookies.
9.3 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the “Last Updated” date at the top of this Policy. If the changes are significant (material changes), we will provide a more prominent notice – for example, a banner on our website, an in-app notification, or an email to you – before those changes take effect. Material changes might include things like: expanding the types of personal data we collect, using data for new purposes that you wouldn’t expect, or sharing data with new types of third parties that you haven’t been informed of before. Minor changes (like grammatical fixes or clarifications) may be updated just with the new effective date. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use Keepbook after a change to the policy is in effect, that will indicate your acceptance of the updated terms (to the extent allowed by law). If you do not agree with any changes, you should stop using the Services and you may delete your account at any time.
10. How to Contact Us
We value your privacy and feedback. If you have any questions, comments, or concerns about this Privacy Policy or our practices, or if you want to exercise any of your rights (as described in Sections 7 and 8), please reach out to us. We’re here to help and will respond as promptly as we can.
Email: You can email us at [email protected] for general inquiries. For privacy-specific concerns or requests, you may email above email.
Mail: If you prefer, you can send us physical mail. Our mailing address is:
Keepbook AI B.V.
Gerard Doustraat 228
1017XC Amsterdam
NetherlandsData Protection Officer: If we have appointed a Data Protection Officer (DPO) or a specific privacy contact in your region, you can find their contact information in the relevant section above (for example, in the EU/UK section or the Korea section). As of now, privacy inquiries can be directed to our main contact points above and they will be routed appropriately.
We genuinely appreciate you trusting Keepbook with your information. Your privacy is important to us, and we are continually working to protect and respect it. Thank you for taking the time to read our Privacy Policy.