Privacy Policy

Last updated: April 29, 2026

This Privacy Policy explains how the maintainers of Kinnoo (“Kinnoo,” “we,” “us,” or “our”) collect, use, share, retain, and protect personal information in connection with the Kinnoo website, the Kinnoo AI agent registry, the Kinnoo command-line interface (the “CLI”), associated APIs, and any related services (collectively, the “Service”). It also describes the rights that you may have over your personal information under applicable data-protection laws, including the European Union’s General Data Protection Regulation (“GDPR”), the United Kingdom GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the “CCPA”), and the California Online Privacy Protection Act (“CalOPPA”). By using the Service you acknowledge that you have read this Privacy Policy. Your use of the Service is also governed by our Terms of Service.

1. Scope of this Policy

This Privacy Policy applies to personal information that Kinnoo processes as a controller (or, where applicable, as a business) in connection with the Service. It does not apply to personal information that is processed by third parties whose products or services you may interact with separately, including the operators of any external website, registry mirror, or AI model provider that an Agent (as defined in our Terms of Service) may invoke. Where the Service includes links or integrations with third-party services, you should review the privacy notices of those third parties to understand how they handle your personal information.

For users in the European Economic Area, the United Kingdom, and Switzerland, the “controller” of personal information processed under this Privacy Policy is the Kinnoo project. You may contact us using the details in Section 13.

2. Information We Collect

2.1 Information you provide directly

When you create a Kinnoo account, publish or install Agents, configure your profile, or contact us, we collect the information you choose to provide. This typically includes:

  • Account identifiers: your name (or display name), email address, chosen username or tenant slug, and a hashed or federated representation of your authentication credentials.
  • Authentication and access tokens: session tokens issued by Kinde Auth and any CLI access tokens, publish tokens, or API tokens that you generate or that the Service issues to you. We store these in a hashed or otherwise non-reversible form where technically feasible and use them only to authenticate your requests to the Service.
  • Profile information: any optional profile fields you choose to fill in, such as a biography, links, or an avatar image.
  • Content you publish: Agent archives (source code, compiled artifacts, configuration, and other files), Agent metadata (names, descriptions, tags, version numbers, dependency declarations, permission declarations, and documentation), and any other content you submit through the Service. User Content you publish is generally public, is fetched and served to other Users on request, and may be downloaded, mirrored, cached, or indexed by third parties. Do not include personal information about yourself or others, and do not include API keys, tokens, credentials, or other secrets, in published User Content unless you intend for that information to be permanently public; if you do, you must consider the secret compromised and rotate it.
  • Communications: the contents of messages you send to us, including support requests, bug reports, abuse reports, and copyright complaints.

2.2 Information from social sign-in

We use Kinde Auth (operated by Kinde, Inc.) to handle account registration, authentication, and session management. Kinde Auth offers the option to sign up or sign in using a social identity provider, currently including Google and GitHub. If you choose to use a social sign-in option, the relevant identity provider will share with Kinde, and Kinde will share with us, a limited profile typically consisting of your name, email address, and a stable provider-specific user identifier. We do not receive your social-account password. Information shared with us by a social provider is treated as account information under this Privacy Policy.

2.3 Information collected automatically

When you access or use the Service, we and our service providers may automatically collect:

  • Log and device data: Internet Protocol (IP) address, user-agent string, device and operating-system information, CLI version (where applicable), preferred language, time zone, referring URL, and the date, time, and duration of requests.
  • Usage data: the pages or API endpoints you access, the Agents you publish, install, fetch, or search for, the actions you take in the registry user interface, and similar interactions with the Service.
  • Security and integrity data: records related to authentication attempts, rate limiting, abuse detection, webhook deliveries, and audit logs.
  • Cookies and similar technologies: strictly necessary cookies (such as our session cookie and a CSRF token) that are required for the Service to function and to keep you signed in. We do not use third-party advertising cookies or cross-site tracking cookies. Your browser’s settings allow you to block or delete cookies, but doing so may prevent you from signing in or using parts of the Service.

2.4 Information we do not collect

We do not knowingly collect government-issued identification numbers, payment-card numbers, bank-account information, precise geolocation, biometric identifiers, information about your physical or mental health, or special categories of personal data under the GDPR. Kinnoo does not currently process payments; if and when we introduce paid features in the future, we will update this Privacy Policy and the payment information will be handled by a regulated payment processor under that processor’s own terms.

2.5 Information collected by the Kinnoo CLI

The Kinnoo command-line interface (the “CLI”) communicates with the Service when you authenticate, search the registry, publish or unpublish an Agent, install or fetch an Agent, or otherwise invoke a CLI command that maps to a registry API. When the CLI makes such a request, the same categories of log data described in Section 2.3 are recorded for that request, including IP address, user-agent string, CLI version, the API endpoint invoked, and the Agent selector or query that you provided. Where the request is authenticated, we associate it with your account or Access Token.

The CLI does not transmit telemetry to Kinnoo other than what is required to fulfill the registry API request you have invoked. It does not report on which Agents you run locally, the inputs or outputs of those Agents, your file system contents, your environment variables, or other information about your local machine. Some CLI commands may write configuration, cached archives, or log files to a directory under your home directory; that local data is stored on your machine and is not transmitted to Kinnoo.

2.6 Information when you run an Agent locally

When you use the CLI to run an Agent on your machine, the Agent executes locally with the permissions of the operating-system user that invoked the CLI. Kinnoo does not receive, store, or process the prompts, inputs, outputs, files, network traffic, or other data that the Agent generates or exchanges with any third-party service while it is running. If the Agent invokes a third-party service (for example, a large-language-model provider, search API, payment provider, or cloud-storage provider), the data sent to and received from that service is governed by the privacy notice and terms of that third-party service and not by this Privacy Policy. You are responsible for understanding the data-handling practices of any third-party service that an Agent you run is configured to use.

3. How We Use Personal Information

We use personal information for the following purposes:

  • To provide the Service: to create and maintain your account, authenticate you, accept and serve Agent uploads and downloads, render the registry user interface, respond to API requests, and otherwise deliver the features of the Service.
  • To secure the Service: to detect, investigate, and prevent fraud, abuse, security incidents, malware uploads, and violations of our Terms of Service or Acceptable Use Policy; to apply rate limits and quotas; and to comply with audit and incident-response obligations.
  • To communicate with you: to send transactional messages such as email-verification messages, password-reset messages, security alerts, and important changes to the Service or this Privacy Policy. We do not currently send marketing emails; if we do in the future, we will provide a clear opt-out mechanism.
  • To improve the Service: to understand how the Service is used in aggregate, to debug errors, and to plan and test new features. We aim to use aggregated or de-identified data wherever possible for these purposes.
  • To comply with the law: to comply with our legal and regulatory obligations, respond to lawful requests from public authorities, enforce our agreements, and protect the rights, property, or safety of Kinnoo, our Users, or others.

5. How We Share Personal Information

We share personal information only as described in this Section 5:

5.1 Service providers and processors

We share personal information with carefully selected service providers that process it on our behalf and under written contractual obligations consistent with this Privacy Policy and applicable law. These currently include, without limitation:

  • Kinde, Inc. (Kinde Auth): our identity and authentication provider. Kinde processes your authentication credentials, social-sign-in information, session tokens, and related security metadata as our processor for the purpose of providing identity services to the Service. Kinde’s processing is subject to its own privacy notice and data-processing agreement, and Kinde acts strictly on our documented instructions for purposes of operating the Service.
  • Cloud infrastructure providers: we host the Service on commercial cloud infrastructure providers that supply compute, storage, content-delivery, edge, and database services. These providers process personal information only to host and deliver the Service.
  • Email delivery and support tooling: we use service providers to send transactional email (for example, email-verification and password-reset messages) and to manage support requests.
  • Security and observability tooling: we may use providers for error monitoring, log aggregation, denial-of-service protection, and similar operational purposes.

We require each of these providers to protect personal information consistent with applicable law and to use it only for the purposes for which we share it.

5.2 Other Users and the public

By design, the registry exposes certain account-level information to other Users and to the public, including your username or tenant slug, your published Agents and their metadata, and any profile information you choose to make public. We do not disclose your email address or other contact information to other Users without your consent except as required by law.

5.3 Legal, safety, and enforcement disclosures

We may disclose personal information when we have a good-faith belief that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce the Terms of Service, including investigation of potential violations; (c) detect, prevent, or otherwise address fraud, security, or technical issues; or (d) protect against harm to the rights, property, or safety of Kinnoo, our Users, or the public as required or permitted by law.

5.4 Business transfers

If Kinnoo is involved in a merger, acquisition, reorganization, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality obligations and to the protections of this Privacy Policy. We will notify you of any material change in the controller of your personal information.

5.5 No sale or sharing of personal information

We do not sell your personal information for monetary or other valuable consideration, and we do not “share” your personal information for cross-context behavioral advertising as those terms are defined under the CCPA. We have not engaged in such sales or sharing in the preceding twelve months.

6. International Data Transfers

Kinnoo is operated from, and our service providers may process personal information in, the United States and other countries that may have data-protection laws different from those in your country of residence. Where personal information of users in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision from the relevant authority, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the United Kingdom International Data Transfer Addendum, or other lawful transfer mechanisms with our service providers. You may contact us to request more information about the safeguards we use.

7. Data Retention

We retain personal information for as long as is reasonably necessary to provide the Service, to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements. Specific retention practices include:

  • Account information is retained for the lifetime of your account and for a reasonable period thereafter to allow for account recovery, dispute resolution, and audit trail integrity.
  • Published User Content, including Agent archives and metadata, may remain publicly available so long as it is published and may be retained internally after removal as described in Section 8.3 of our Terms of Service for security, audit, and legal-compliance purposes.
  • Security and audit logs are retained for a limited period appropriate to their purpose, typically not longer than twenty-four (24) months unless a longer retention period is required by law or to investigate an ongoing incident.
  • Backups follow a separate retention cycle. Personal information that has been deleted from active systems may persist in encrypted backups for a limited period until those backups are rotated and overwritten.

8. Security

We implement administrative, technical, and organizational measures designed to protect personal information against unauthorized access, accidental loss, alteration, or disclosure. These measures include encryption of data in transit using industry-standard TLS, encryption of sensitive data at rest where supported by our infrastructure providers, the use of a managed identity provider to store and verify authentication credentials, role-based access control for administrative interfaces, audit logging, rate limiting, and security monitoring. No method of transmission over the Internet or method of electronic storage is one hundred percent secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for using strong, unique passwords with your social-sign-in providers.

9. Your Rights and Choices

9.1 Rights for users in the EEA, UK, and Switzerland (GDPR)

Subject to applicable law and certain exemptions, you have the right to:

  • Access the personal information we hold about you.
  • Rectify personal information that is inaccurate or incomplete.
  • Erase your personal information in certain circumstances (for example, where it is no longer necessary for the purposes for which it was collected).
  • Restrict or object to certain processing, including processing based on legitimate interests.
  • Data portability: receive a copy of personal information you provided to us in a structured, commonly used, machine-readable format.
  • Withdraw consent where we are processing your personal information based on your consent.
  • Lodge a complaint with your local supervisory authority. We would, however, appreciate the opportunity to address your concerns first.

9.2 Rights for California residents (CCPA)

Subject to applicable law and certain exemptions, California residents have the right to:

  • Know the categories and specific pieces of personal information we have collected about them, the categories of sources, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
  • Request deletion of personal information that we have collected from them.
  • Request correction of inaccurate personal information that we maintain about them.
  • Opt out of the sale or sharing of personal information. As described above, we do not sell or share personal information for cross-context behavioral advertising.
  • Limit the use and disclosure of sensitive personal information. We do not use sensitive personal information to infer characteristics about you and we limit our use of any such information to providing the Service and the other purposes permitted by the CCPA.
  • Be free from unlawful discrimination for exercising your CCPA rights.

9.3 How to exercise your rights

You may exercise these rights by contacting us using the details in Section 13. We may need to verify your identity before responding to a request, and we may be unable to fulfill a request where an exemption under applicable law applies. We will respond within the timeframes required by applicable law. You may use an authorized agent to submit a request on your behalf, subject to verification.

9.4 Account self-service

Many account changes can be made directly within the Service. You can update profile information, change your password through your social or Kinde-managed credentials, unpublish or deprecate Agents you have published, and request account deletion using the in-product controls or by contacting us.

10. Children Under 13

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under the age of 13. If you are a parent or legal guardian and believe that a child under 13 has provided personal information to the Service, please contact us using the details in Section 13 and we will take reasonable steps to delete that information from our systems. Users between the ages of 13 and 17 may use the Service only in accordance with the age requirements set out in our Terms of Service. This Privacy Policy is also intended to satisfy the requirements of the California Online Privacy Protection Act (CalOPPA) regarding the protection of minors.

11. Do Not Track and Third-Party Sites

Some browsers offer a “Do Not Track” setting. Because there is no industry-standard interpretation of this signal, we do not currently respond to it. We do not, however, allow third-party advertising networks to collect personal information about your activity on the Service for cross-site behavioral advertising. The Service may contain links to third-party websites and resources, including, for example, links from published Agent metadata to third-party documentation. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy notices before providing them with personal information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, provide additional notice (such as a banner in the Service or an email to the address associated with your account). Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acknowledgement of the updated terms to the extent permitted by applicable law.

13. How to Contact Us

If you have questions about this Privacy Policy or wish to exercise any of your rights, you may contact Kinnoo support through the channels published on the Kinnoo website, including by opening an issue at https://github.com/kinnoo-project/kinnoo/issues. Please do not include sensitive personal information in a public issue. If you are located in the European Economic Area, the United Kingdom, or Switzerland and your concern is not resolved by contacting us, you have the right to lodge a complaint with your local supervisory authority.