Privacy Policy
Last updated: 1 April 2026
This Privacy Policy describes how Kota (“we”, “us”, “our”) collects, uses, stores, and shares personal information when you use our website and application (together, the “Service”). We are committed to protecting your privacy in accordance with the Protection of Personal Information Act, 2013 (POPIA) and other applicable South African law.
Note: This policy is a practical summary for transparency. It is not legal advice. You may wish to have your own legal adviser review it for your circumstances. We may update this policy from time to time; the “Last updated” date above will change when we do.
1. Who is responsible for your information?
The responsible party (operator) for personal information processed through the Service is the entity operating Kota as described on our website or in your agreement with us. For questions about this policy or your information, use the contact details at the end of this document.
2. What personal information do we collect?
Depending on how you use the Service, we may process categories of information including:
- Account and identity: name, email address, authentication identifiers, organisation details.
- Business content you provide: text you type or upload (for example messages, client notes, documents, invoices, knowledge-base entries).
- Technical and usage data: IP address, device/browser type, approximate location derived from network data, log data, and similar metadata needed to run and secure the Service.
- Billing (if applicable): billing contact details and payment-related information processed by our payment service provider (we do not store full card details on our own servers where a provider handles them).
3. How we use personal information (purpose)
We process personal information only for legitimate purposes related to the Service, including:
- creating and managing your account and organisation workspace;
- providing AI-assisted features (see section 5);
- storing, retrieving, and displaying your business data as you direct;
- billing, subscription management, and support;
- security, fraud prevention, abuse detection, and legal compliance;
- improving reliability and performance of the Service (for example error monitoring), without using your content for unrelated advertising or resale.
Where POPIA requires a lawful basis, we rely on one or more of: performance of a contract with you, compliance with law, your consent where appropriate, and legitimate interests that are not overridden by your rights (such as securing our systems).
4. Artificial intelligence and your data
Kota uses third-party AI models to generate responses, summaries, drafts, and similar outputs inside the application. We route those requests through OpenRouter (and the underlying model providers it uses).
Important: When you use AI features, relevant parts of your prompts, conversation context, and business content needed to fulfil your request are transmitted to OpenRouter and those model providers so they can process the request and return a result. That processing is essential to provide the AI functionality you are using; it is not a separate optional add-on.
We configure our integration with privacy in mind where available (for example provider settings aimed at not retaining prompts for provider-side model training, where the provider supports that). The behaviour of each underlying model provider is governed by their own terms and policies; we encourage you to review OpenRouter’s documentation and policies for current detail.
We do not use your personal information or business content for unrelated purposes such as selling your data to data brokers, building unrelated advertising profiles, or training separate AI products outside operating the Kota Service for you. Processing is for delivering and improving the Service you signed up for, security, and compliance.
5. Subprocessors and sharing
We use trusted service providers who process information on our instructions, for example:
- cloud hosting and database (for example to store accounts and your workspace data);
- authentication and identity services;
- OpenRouter and connected AI model providers (AI inference);
- payment processing (where you subscribe to paid plans);
- email or transactional messaging, analytics, or error reporting, where we use them.
Some providers may be located outside South Africa. Where personal information is transferred across borders, we take steps consistent with POPIA (for example appropriate agreements and safeguards as required by law). Cross-border transfer is inherent to using global cloud and AI infrastructure.
We may disclose information if required by law, court order, or competent authority, or to protect our rights, users, or the security of the Service.
6. Retention
We keep personal information only as long as needed for the purposes above, including legal, tax, and accounting obligations, dispute resolution, and enforcing our agreements. Retention periods may depend on the type of data and your account status (for example after closure we may retain certain records for a limited period where the law requires).
7. Security
We implement appropriate technical and organisational measures designed to protect personal information against unauthorised access, loss, or misuse. No online service can guarantee absolute security; you should use a strong password and protect your account credentials.
8. Your rights under POPIA
Subject to POPIA and any applicable exceptions, you may have the right to:
- request access to personal information we hold about you;
- request correction or updating of inaccurate information;
- request deletion or restriction of processing in prescribed circumstances;
- object to certain processing (for example direct marketing, if ever applicable);
- withdraw consent where processing is based on consent (without affecting prior lawful processing);
- lodge a complaint with the Information Regulator (South Africa).
To exercise rights, contact us using the details below. We may need to verify your identity before responding. You may also have rights under the Promotion of Access to Information Act, 2000 (PAIA); a PAIA manual may be published separately where we are required to maintain one.
9. Cookies and similar technologies
We may use cookies or similar technologies for session management, security, preferences, and (where enabled) product analytics. You can control cookies through your browser settings; blocking some cookies may affect functionality.
10. Children
The Service is intended for businesses and adults. We do not knowingly collect personal information from children without appropriate parental authority. If you believe we have collected information from a child in error, contact us and we will take steps to delete it where required.
11. Changes
We may update this Privacy Policy to reflect changes to our practices or legal requirements. We will post the updated version on this page and adjust the “Last updated” date. Where changes are material, we will provide additional notice if required by law (for example by email or in-app notice).
12. Contact and Information Officer
Kota has designated an Information Officer as required by POPIA. For any privacy-related requests — including access, correction, deletion, or objection to processing (Data Subject Access Requests) — please contact:
- Email: privacy@kota.ai
We will acknowledge your request within 3 business days and respond fully within 30 days as required by POPIA. You may be asked to verify your identity before we process your request.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator (South Africa):
- Website: www.inforegulator.org.za
- Email: inforeg@justice.gov.za
See also our Terms of Service.