Legal

Privacy Policy

How we collect, use, and protect your information.

Effective date: February 1, 2026 · Last updated: February 2026

1. Overview

Khive AI ("Company," "we," "us," or "our") operates the khive.ai platform and related MCP services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services.

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

  • Email address: Required for account creation and communication
  • Payment information: Processed and stored by Stripe; we do not store credit card numbers directly

2.2 API and Usage Data

  • API keys: Stored as cryptographic hashes (SHA-256); we cannot recover your raw API key after creation
  • Usage metrics: API call counts, service breakdown, timestamps, and rate limit tracking
  • User-stored data: Memories, knowledge graph entities, tasks, CRM records, and other data you store through the Services

2.3 Automatically Collected Information

  • IP addresses and request metadata for security and rate limiting
  • Browser type and device information when accessing the dashboard
  • Cookies: We use essential cookies for session management only. We do not use advertising or tracking cookies.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Services
  • Authenticate your identity and manage your account
  • Process payments and manage subscriptions
  • Enforce rate limits and usage quotas
  • Communicate service updates, security alerts, and billing notifications
  • Detect, prevent, and address fraud, abuse, and security issues
  • Comply with legal obligations

We do not use your stored data (memories, knowledge graph entries, tasks, etc.) for training machine learning models, advertising, or any purpose other than providing the Services to you.

4. Data Sharing and Third Parties

We do not sell your personal information. We share data only with the following service providers, strictly as needed to operate the Services:

  • Stripe: Payment processing. Stripe's privacy policy governs their handling of your payment data.
  • Fly.io: Infrastructure hosting. Our servers run in the sjc (San Jose, CA) region. Fly.io acts as a data processor under our instructions.

We may also disclose information if required by law, subpoena, or court order, or to protect our rights, property, or safety.

5. Tenant Isolation and Security

Every API key maps to an isolated tenant namespace. Your data is strictly separated from other tenants at the storage layer using namespace-scoped composite keys. There is no shared database between tenants.

We employ the following security measures:

  • API keys hashed with SHA-256 at rest
  • TLS encryption for all data in transit
  • Namespace-level access control enforced at the engine layer
  • Rate limiting and abuse detection
  • Regular security audits and dependency updates

6. Data Retention

We retain your data as follows:

  • Account data: Retained while your account is active and for 30 days after deletion
  • User-stored data: Retained while your account is active; deleted within 30 days of account termination
  • Usage logs: Retained for 90 days for operational and billing purposes
  • Payment records: Retained as required by tax and financial regulations

7. Your Rights

All Users

You have the right to:

  • Access your personal data through the dashboard or API
  • Correct inaccurate information in your account
  • Delete your account and associated data
  • Export your data before account deletion
  • Revoke API keys at any time

EEA/UK Residents (GDPR)

In addition, you have the right to:

  • Restrict or object to processing of your personal data
  • Data portability in a machine-readable format
  • Lodge a complaint with your local data protection authority
  • Withdraw consent at any time where processing is based on consent

Our legal basis for processing is: (a) performance of our contract with you (providing the Services), (b) legitimate interests (security, fraud prevention), and (c) compliance with legal obligations.

California Residents (CCPA)

Under the CCPA, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell data)
  • Non-discrimination for exercising your rights

8. International Data Transfers

Our servers are located in the United States (San Jose, California). If you are accessing the Services from outside the United States, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards for data transfers from the EEA/UK to the US.

9. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at contact@khive.ai and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or by posting a notice on our website. Your continued use of the Services after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Khive AI

Email: contact@khive.ai

Website: khive.ai