Privacy Policy

Last updated: June 7, 2026

Kipper Inc. (“Kipper,” “Company,” “We,” “Our”) respects your privacy and is committed to protecting it through our compliance with this policy. This document details the types of information we may collect or that you may provide when you access, use, or register with any of our services, including the Kipper conversational finance intelligence platform (collectively, “Services”), and our practices for using, maintaining, protecting, and disclosing that information.

Please read this carefully to understand our policies and practices regarding your information and how we will treat it. By using or registering with our Services, you agree to this Privacy Policy. Your continued use of our Services after we make changes is deemed to be acceptance of those changes, so please check this policy periodically for updates.

This policy is organized in two parts. Part 1 applies to all Kipper services. Part 2 contains additional terms specific to the Kipper platform.

Part 1: General Privacy Policy

Information We Collect and How We Collect It

We collect information from and about users of our Services:

  • Directly from you when you provide it to us.
  • Automatically when you use the Services.

Information You Provide to Us

When you use or register with the Services, we may ask you to provide information by which you may be personally identified, such as your name, email address, postal address, phone number, and any other identifier by which you may be contacted or identified online or offline (“Personal Information”).

This information includes:

  • Information that you provide by filling in forms in the Services, including at the time of registering to use the Services.
  • Details of transactions you carry out through the Services and of the fulfillment of your orders and requests.
  • Records and copies of your correspondence, including email addresses and phone numbers, if you contact us or report a problem with the Services.
  • Your responses to surveys that we might ask you to complete for research purposes.

Automatic Information Collection

When you access or use the Services, we may automatically collect:

  • Usage Details. Certain details of your access to and use of the Services, including traffic data, location data, logs, and other communication data and the resources you access through the Services.
  • Device Information. Information about your device and internet connection, including IP address, operating system, and browser type.
  • Session Recordings. We use session recording tools, which may include PostHog and other similar services, to record activity for logged-in users of the Kipper platform, including clicks, navigation, and interactions within the Service. This data is used to improve the Service, diagnose issues, and provide support. Sensitive fields such as passwords and payment information are masked and excluded from recording. Session recordings are not used for advertising purposes and are not sold or shared with third parties except as necessary to operate the Service. By using the Service, you consent to this recording as described in our Terms of Service.

Cookies and Tracking

Our website and Services use cookies and similar tracking technologies. We use the following categories of tools:

Analytics. We use Google Analytics and product analytics tools, which may include PostHog and similar services, to understand how visitors use the Site and how customers use the Service. These tools collect information such as pages visited, time spent, referral source, and device type. Google Analytics data is processed by Google subject to their privacy policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

Advertising and Retargeting. We may run advertising and retargeting campaigns through third-party advertising platforms, such as Google Ads and Meta (Facebook). Rather than loading third-party scripts directly in your browser, we use AWS CloudFront as a first-party data collection layer — meaning tracking data is collected through our own infrastructure before being forwarded to advertising platforms. This approach means no third-party pixel scripts run in your browser. However, certain browsing data may be shared with advertising platforms for the purpose of showing relevant advertisements to previous Site visitors. You can opt out of interest-based advertising through:

Cookie Controls. Most browsers allow you to refuse or delete cookies. Doing so may affect the functionality of the Site. You can also use browser extensions or privacy tools to limit tracking.

California Residents. The use of advertising and retargeting pixels may constitute “sharing” of personal information for cross-context behavioral advertising under the CCPA. See Your Data Protection Rights under the CCPA below for how to opt out.

Use of Personal Information We Collect

We may use the information we collect in the following ways:

  • To set up and manage your account with us.
  • To provide the Services and perform transactions on your behalf.
  • To deliver service messages, including confirmations, invoices, technical notices, security alerts, and support and administrative messages.
  • To personalize your experience and deliver content in which you are most interested.
  • To conduct aggregated analysis of the performance of our Services.
  • To comply with our legal obligations.

All data we collect is necessary for us to deliver the Services you use. The amount we collect has been minimized wherever possible to respect your privacy.

How We May Share Information We Collect

We may share personal information as follows:

  • With third-party service providers that perform services on our behalf, such as payment processing, hosting, and analytics.
  • In connection with a business transaction such as a merger, acquisition, financing, or sale of all or part of our business or assets. We will notify you before your personal information becomes subject to a different privacy policy.
  • To respond to lawful requests and legal processes.
  • To protect the rights and property of Kipper, our agents, customers, and others, including enforcing our agreements and policies.
  • In an emergency, to protect the safety of our employees, customers, or any person.

We do not sell, trade, or otherwise transfer your personally identifiable information to outside parties except as described in this policy.

Sub-Processors

We use the following categories of third-party sub-processors to operate the Service. These providers process data only as necessary to deliver their services and are bound by appropriate data protection obligations. You may request our current sub-processor list by contacting us at legal@kipper.com.

  • Cloud infrastructure: Amazon Web Services (AWS) — hosting, databases, storage, and compute
  • Error monitoring: Sentry — application error tracking and diagnostics
  • Product analytics and session recording: PostHog and similar tools — usage analytics and session recording for logged-in users
  • Payment processing: as applicable — billing and subscription management

We will notify you of material changes to our sub-processors that may affect the processing of your personal data.

SMS Communications

We may collect your mobile phone number when you voluntarily provide it via a web form or account registration. Mobile numbers are used solely for transactional SMS communications, such as account notifications, security alerts, onboarding assistance, and customer care messages.

Mobile information will not be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator data and consent; this information will not be shared with any third parties.

Providing a mobile number and opting in to SMS communications is entirely optional and is not a condition of purchasing or using our Services. If you opt in, you may opt out at any time by replying STOP to any message. Reply HELP for assistance. Message frequency varies. Message and data rates may apply. For full SMS terms including consent procedures, see our Terms of Service.

Data Retention

We retain personal information we collect from you where we have an ongoing legitimate business need to do so — for example, to provide you with the Services, or to comply with applicable legal, tax, or accounting requirements.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or securely store it and isolate it from any further processing until deletion is possible.

Product-specific data retention practices are described in Part 2 of this policy.

Security of Your Personal Information

The security of your Personal Information is important to us. We encrypt sensitive information in transit using industry-standard protocols and take reasonable security measures to protect your Personal Information against loss, misuse, unauthorized access, disclosure, alteration, and destruction.

Data Residency. Customer data, including financial data connected through the Service, is stored on AWS infrastructure in the United States by default. Enterprise customers may request a dedicated database instance in an alternative region where available. Please contact support@kipper.com for more information.

Please be aware that despite our efforts, no security measures are impenetrable. If you use a password on the Services, you are responsible for keeping it confidential. If you believe your credentials have been compromised, please notify us immediately.

Data Breach Notification

In the event of a data breach that is reasonably likely to result in a risk to your rights or freedoms, we will notify affected customers without undue delay and, where required by applicable law, notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Notification will include, to the extent known: the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address it.

References in this Privacy Policy to “GDPR” include both the European Union General Data Protection Regulation (“EU GDPR”) and the United Kingdom General Data Protection Regulation (“UK GDPR”), where applicable.

Our legal basis for collecting and using personal information will depend on the information concerned and the specific context in which we collect it.

We will normally collect personal information from you only (i) where we need it to perform a contract with you; (ii) where the processing is in our legitimate interests and not overridden by your rights; or (iii) where we have your consent to do so. We have a legitimate interest in operating our Services and communicating with you as necessary to provide them, including responding to your queries, improving our platform, and detecting or preventing illegal activities.

In some cases, we may also have a legal obligation to collect personal information, or may need it to protect your vital interests or those of another person. Where we ask you to provide personal information to comply with a legal requirement or to perform a contract, we will make this clear at the relevant time.

Your Data Protection Rights Under the General Data Protection Regulation (GDPR)

If you are a resident of the European Union, you have the following data protection rights:

  • The right to access, correct, update, or request deletion of your personal information.
  • The right to object to processing, request restriction of processing, or request portability of your personal information.
  • The right to opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email we send you.
  • Where we rely on your consent to process personal information, the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • The right to complain to your local data protection authority.

We respond to all requests from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

If you are a resident in the European Economic Area and believe we are unlawfully processing your personal information, you have the right to complain to your local data protection supervisory authority.

If you are a resident in Switzerland, the relevant authority is the Federal Data Protection and Information Commissioner.

To exercise your GDPR rights, please contact us.

Your Data Protection Rights under the California Consumer Privacy Act (CCPA)

If you are a California resident, you have the right to:

  • Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we have shared it.
  • Request deletion of personal information we have collected from you, subject to certain exceptions recognized by the CCPA.
  • Opt out of the sale or sharing of your personal information. We do not sell personal information. However, our use of advertising and retargeting pixels (such as Google Ads and Meta Pixel) may constitute “sharing” of personal information for cross-context behavioral advertising under the CCPA. You may opt out by using the advertising opt-out links listed in the Cookies and Tracking section above, or by contacting us at legal@kipper.com.

We will not charge you different prices or provide a different quality of service based on your exercise of CCPA rights. To exercise your CCPA rights, please contact us.

Your Rights under Canada’s Anti-Spam Legislation (CASL)

If you are located in Canada, we comply with Canada’s Anti-Spam Legislation (CASL). We will only send you commercial electronic messages — including emails and SMS messages — with your express or implied consent. Every commercial message we send will include a clear and easy mechanism to withdraw consent. You may withdraw consent at any time by using the unsubscribe link in any email, by replying STOP to any SMS message, or by contacting us directly. We will honor all withdrawal requests promptly.

Updating and Accessing Your Personal Information

If your Personal Information changes, we invite you to correct or update it. We will retain your information for as long as your account is active or as needed to provide you Services. If you wish to cancel your account or request deletion of your Personal Information, please contact us. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Choices About Use of Your Information

  • You may request that your account be deleted. Certain financial recordkeeping information may be retained where we have a legitimate legal or financial interest in doing so.
  • You may unsubscribe from promotional emails by following the instructions at the end of any such email. Even if you unsubscribe, we may still contact you for transactional, account-related, or administrative purposes.
  • Most browsers allow you to disable cookies. Please note that disabling cookies may affect the functionality of our Services.

The Services may include links to third-party websites whose privacy practices may differ from ours. If you submit Personal Information to any of those sites, your information is governed by their privacy policies. We encourage you to review the privacy policy of any third-party website you visit.

Notice Concerning the Information of Children

Our Services are not directed to children under the age of 18, and we do not intentionally collect information from children under 18. Please contact us if you believe a child has provided Personal Information to us, and we will delete it.

Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will update the “Last Updated” date at the top of this page and may notify you by email. We encourage you to review this Policy periodically.

Questions About This Policy

If you have any questions about this Policy or our privacy practices, please contact us.

Part 2: Kipper Platform

This section applies to users of the Kipper conversational finance intelligence platform, including its Slack, Microsoft Teams, and other integrations. It supplements Part 1 and prevails in the event of any conflict with respect to the Kipper platform specifically.

Finance Data

To provide the Kipper platform, we connect to finance systems you authorize and store a copy of relevant financial data on our servers. This stored data is read-only — we cannot use it to make changes to your finance system. It is used solely to respond to queries submitted through the platform and is not sold or shared with third parties.

All queries submitted through the platform are logged for security, audit, and service improvement purposes.

Data Retention

Stored finance data is retained for as long as your account remains active. Upon account closure or disconnection of a finance system, data associated with that connection is deleted within a reasonable period. Query logs are retained for a period consistent with our security and audit obligations and are then deleted or anonymized.

Access Controls

Access to finance data within the Kipper platform is governed by data access configurations set by your organization’s account administrator. Different users or teams within your organization may be granted access to different subsets of data in accordance with these configurations.