Privacy Policy
Effective date: May 10, 2026
Version: 2026-05-10
Draft notice: Adapted from the Basecamp open-source policies (CC BY 4.0). Operational facts (legal entity, contact, hosting, subprocessors, retention windows) are filled in. Items still requiring qualified legal review before launch are tracked in the project’s internal legal/COUNSEL_REVIEW_CHECKLIST.md. Do not rely on this policy as final legal protection until counsel sign-off.
The privacy of your data — and it is your data, not ours — is a big deal to us. In this policy, we explain what we collect and why, how we handle it, who else might touch it, and the rights you have. We do not sell your data, and we do not use it to train Knotr’s own AI models.
This policy applies to Knotr AI, LLC, 821 Jameison Road, Lutherville Timonium, MD 21093, USA (“Knotr,” “we”) in connection with the Knotr AI website, web application, MCP and HTTP API endpoints, and related services (the “Service”).
This policy applies to information about visitors to our marketing pages, prospective customers, and account holders. Where you use the Service inside a team workspace, the team that owns the workspace is the controller of the User Content stored there; we process that User Content as a processor on the team’s instructions, and our obligations to that team are set out in our Data Processing Agreement (or as otherwise agreed in writing). If you are an end user of a team workspace and you have questions about how your information is used inside it, contact the team’s administrator.
For your convenience, here is the table of contents:
- What we collect and why
- How we use personal information
- When we access or disclose your information
- Subprocessors and third parties
- Legal bases (EEA / UK)
- International transfers
- Retention and deletion
- Security
- Your rights and choices
- Children
- Cookies and similar technologies
- Automated decision-making
- Changes and questions
What we collect and why
Our guiding principle is to collect only what we need.
Identity and access
When you sign up, we ask for your email address and a password (which we store as a one-way hash). You can also add optional profile fields. We use this information to create and secure your account, send transactional email about the Service, and (with your separate consent) optional product updates.
We will never sell your personal information, and we will not use your name or organization in marketing without your permission.
Workspace and collaboration
If you create or join a team workspace, we store the workspace name, your membership and role, and the email addresses you invite. This is so the workspace can function and so we know who can see what.
Content you submit (User Content)
You can upload files, paste rich text, define profiles, build skills, and configure knowledgebases. We store this User Content so you can use the Service as intended. We process it to:
- Display it back to you and to teammates you invite.
- Generate embeddings (numeric representations of your text) using OpenAI and store them in our PostgreSQL vector database, so you can search and reuse your knowledge inside skills.
- Run AI features, such as the in-product Skill AI assistant and skill execution, by sending the necessary prompts and retrieved context to OpenAI under our API keys. Knotr uses OpenAI’s standard API only; OpenAI’s published API data-usage policy (effective since March 1, 2023) states that OpenAI does not use API inputs or outputs to train its models.
We do not use your User Content to train Knotr’s own AI models, and we do not sell it.
Billing data
If you subscribe to a paid plan, we ask for a billing email and a payment method. Card information is sent directly to Stripe, our payment processor; full card numbers do not hit our servers. We store a record of each transaction and the metadata Stripe returns to us (such as the last four digits, brand, expiration, and Stripe customer/subscription IDs) so we can show invoices, prevent fraud, and comply with tax rules.
Usage and device data
For security and to keep the Service reliable, we log:
- Sign-in events with timestamps and IP address (Devise :trackable).
- Application requests, including paths, status codes, and timing, in standard server logs.
- Aggregated AI and embedding usage (an ObservabilityEvent record) so we can show you usage, enforce limits, and watch for abuse.
These logs may include your IP address, browser/user-agent, and limited request metadata.
Support communications
If you email us for help, we keep that correspondence (including your email address and what you wrote) so we can respond and so future support requests have context.
MCP and API credentials
When you use MCP or our HTTP API, we store the credentials you create (such as profile API keys and OAuth client records) and metadata about each connected client. We do not store the prompts that third-party clients send through MCP beyond what is necessary to run the request and our usual logs and observability.
How we use personal information
We use personal information to:
- Provide and operate the Service, including authentication, search, embeddings, AI features, and the MCP and API surfaces you configure.
- Bill for paid plans and prevent payment fraud.
- Communicate with you about your account and (with consent) optional product updates.
- Comply with law and enforce the Terms of Service and Acceptable Use Policy.
- Secure and improve reliability of the Service, including monitoring with the subprocessors listed below.
When we access or disclose your information
No Knotr team member looks at your User Content except for limited reasons that we explain to you:
- Support requests you make. We will ask for your express consent before opening your account.
- Errors that stop an automated process. We try to fix problems from logs and metadata first; when we have to look at User Content, we look at the minimum needed and work to fix the root cause.
- Safeguarding the Service. We may review logs and, in rare cases, accounts as part of an investigation under the Acceptable Use Policy.
- Required by law. We comply only with valid legal process, and we tell affected users when we are not legally prohibited from doing so.
- Aggregated or de-identified data. We may aggregate or de-identify information collected through the Service (for example, embedding-token totals across all users) and use it for any purpose, including capacity planning and product analytics.
If Knotr is acquired by or merges with another company — we don’t plan on that, but if it happens — we will notify account owners before any personal information transfers or becomes subject to a different privacy policy.
Subprocessors and third parties
We rely on a small set of vendors (subprocessors) to provide the Service. The current list is at /subprocessors, and a more detailed engineering inventory lives in our internal DATA_FLOWS_AND_SUBPROCESSORS document. The categories are:
- DigitalOcean for the application runtime, PostgreSQL database, background jobs, and file storage via Spaces (region: NYC3, New York, USA).
- OpenAI for embeddings and AI features.
- Stripe for payments and the billing portal.
- Mailgun for transactional email (where configured).
- Scout APM for application performance monitoring (where enabled).
When you connect a third-party MCP or AI client of your own (for example, a desktop AI assistant, a coding IDE, or another AI platform), that client is not a Knotr subprocessor. It processes information under its own privacy policy. You decide which clients to connect, and you can revoke them from your account settings.
Legal bases (EEA / UK)
If the GDPR or UK GDPR applies to your use of the Service, we rely on one or more of the following legal bases for each processing activity:
- Performance of a contract — to provide the Service and fulfill your subscription.
- Legitimate interests — to keep the Service secure, prevent abuse, debug, and run necessary product analytics. We weigh these interests against your privacy.
- Consent — for optional product updates, feature betas you opt into, and any analytics or marketing cookies we add later.
- Legal obligation — to comply with tax, accounting, and other applicable laws.
International transfers
Knotr is established in the United States and processes personal information in DigitalOcean’s NYC3 region (New York, USA), including database backups. If you access the Service from elsewhere, your information will be transferred to and processed in the United States. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, which are incorporated into our Data Processing Agreement for team and enterprise customers.
Retention and deletion
We keep personal information for the time necessary for the purposes for which we collected it.
- Active accounts. We keep your account data and User Content while your account is active.
- Cancelled accounts. When you cancel your account, your User Content becomes inaccessible to you and is queued for deletion. Within 30 days, your User Content is permanently deleted from our active systems and logs. Within 60 days, it is also deleted from our routine backups.
- Billing records. We retain billing records (such as invoices, Stripe customer/subscription identifiers, and tax metadata) for the period required by tax and accounting law in our jurisdiction, even after your account is deleted.
- Logs and application telemetry. Performance traces and error reports collected by Scout APM are retained for up to 30 days (Scout’s standard retention). Application stdout logs from our hosting provider follow that platform’s default retention and are typically shorter than 30 days.
Security
We protect your data with technical and organizational measures appropriate to a service of our size and risk profile, including:
- Encryption in transit (HTTPS/TLS) for all traffic between you and the Service, and between the Service and our subprocessors.
- Encrypted database backups.
- Access controls on production systems, with credentials limited to people who need them and rotated when staffing changes.
- Hashed passwords (no plaintext password storage).
- Code review and dependency monitoring (Brakeman, Bundler Audit) before deploying changes.
No Internet-based service can guarantee perfect security. If we discover a breach affecting your personal information, we will notify you in line with applicable law.
Your rights and choices
We try to apply the same data rights to all customers, regardless of location. Subject to applicable law, you have:
- The right to know what personal information we collect and how we use it (this policy is the start of that disclosure).
- The right of access to the personal information we hold about you.
- The right to correction of inaccurate or incomplete information.
- The right to deletion (“to be forgotten”). Deleting some information may prevent you from using the Service and can result in account closure.
- The right to restrict or object to certain processing.
- The right to data portability (a copy of your data in a portable format).
- The right to withdraw consent at any time, where processing relies on consent.
- The right to lodge a complaint with your local supervisory authority. If you are in the EU or UK, you can contact your data protection authority.
- The right to non-discrimination for exercising any of these rights.
Many of these rights can be exercised by signing in and updating your account, or by deleting your account from the settings page. To make a more specific request, email privacy@knotr.ai. We may need to verify your identity before responding (for example, by confirming control of the account email).
If we deny a request, we will explain why and (where applicable) how to appeal.
Children
The Service is not directed to children under 16. We do not knowingly collect personal information from children below that age. If you believe a child has provided us personal information, contact us at privacy@knotr.ai and we will delete it.
Cookies and similar technologies
We use strictly necessary cookies to keep you signed in (the Devise session cookie) and to protect against CSRF. We do not currently use third-party advertising cookies. See the Cookie Notice for details, and check that page when we add anything new.
Automated decision-making
We do not currently make decisions that produce legal or similarly significant effects about you using solely automated processing. AI features in the Service are tools you operate; outputs require your review.
Changes and questions
We may update this policy as our practices change or as the law requires. When we make a material change, we will refresh the Effective date and Version above and bump Legal::TERMS_VERSION in our source code so the new version is recorded the next time you sign in or accept terms. We will take other reasonable steps to notify you (for example, in-product or email) when the change is significant.
Questions, comments, or concerns about this policy or your data? Email privacy@knotr.ai. If you require a postal contact, our address is Knotr AI, LLC, 821 Jameison Road, Lutherville Timonium, MD 21093, USA.
Adapted from the Basecamp open-source policies under the Creative Commons Attribution 4.0 license. Modifications and Knotr-specific sections are © Knotr AI, LLC.