Privacy Policy
Last updated: March 1, 2026
Kyzos, Inc. ("Kyzos," "we," "us," or "our") operates an AI orchestration platform that routes requests to third-party AI model providers. This Privacy Policy explains how we collect, use, share, and safeguard your information when you use our website at https://ky-zos.ai/, our SaaS platform, APIs, and related services (collectively, the "Service").
Please read this Privacy Policy in conjunction with our Terms of Service. If you do not agree with this Privacy Policy, do not access or use the Service.
1. Scope & Who We Are
Kyzos is operated from Quebec, Canada. We are the data controller for account information, security events, and platform administration.
For user-provided content (e.g., prompts, chat messages), Kyzos acts as controller for individual accounts and as processor for organization or team accounts where Kyzos processes content on the organization's instructions.
Organizations using Kyzos for teams can request a Data Processing Agreement (DPA). [ADD DPA LINK]
Privacy contact: [email protected]
Legal entity / address: [CONFIRM LEGAL ENTITY NAME] — [ADD REGISTERED ADDRESS]
Kyzos is not intended for use by anyone under 16 years of age.
2. Information We Collect
We collect only the data needed to provide, secure, and improve the Service.
Information You Provide
When you register or use the Service, you may provide:
- Account information: name, email address, password, and organization details
- Profile data: preferences, language settings, and notification preferences
- Chat conversations: messages you send and receive in the Chat feature
- Project data: project names, descriptions, configurations, and orchestration settings
- Payment information: billing address and payment method details (processed by our third-party payment processor)
Information Collected Automatically
When you use the Service, we automatically collect:
- Execution metadata: model used, cost, latency, quality scores, and routing decisions
- Device and browser information: IP address, browser type, operating system, and referring URLs
- Server logs: request metadata and error traces for debugging and reliability (designed to exclude prompt and chat content; in exceptional cases limited snippets may be captured temporarily during incident debugging)
- Security events: login attempts, password changes, and IP addresses
Cookies
We use the following types of cookies:
- Strictly Necessary Cookies: required for authentication, security, and core functionality; cannot be disabled
- Functional Cookies: remember your preferences (language, theme, layout)
- Analytics Cookies: help us understand usage patterns to improve the Service; can be opted out of
You can control cookie preferences through your browser settings and, where applicable, in-product settings.
3. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the Service
- Process orchestration requests and route them to appropriate AI model providers
- Create and manage your account and authenticate your identity
- Process payments and manage your subscription
- Provide the Chat feature (storing conversations until you delete them)
- Calculate and display cost analytics, token usage, and execution metrics
- Maintain execution logs and audit trails for your account
- Facilitate Blueprint orchestration and multi-step AI workflows
- Run quality validation and expert critic reviews on orchestration outputs
- Send technical notices, updates, security alerts, and administrative messages
- Monitor and analyze usage patterns to improve the Service
- Detect, prevent, and address technical issues, fraud, and security threats
- Comply with legal obligations and enforce our Terms of Service
Aggregated and De-Identified Data
We may aggregate and de-identify your data to create statistical information that is designed not to identify you. This data may be used to:
- Improve model routing algorithms and orchestration quality
- Develop new features and optimize existing ones
- Conduct research on AI model performance across task types and domains
- Publish benchmarks and performance reports
4. How We Share Your Information
AI Model Providers
When you submit orchestration requests or chat messages, your prompts are transmitted to third-party AI model providers for processing. Where supported by the provider and configuration, Kyzos configures "no training" and "no retention" options with providers via OpenRouter. Each provider has its own privacy policy; we encourage you to review them.
Subprocessors
Our primary subprocessor is OpenRouter, which routes requests to AI model providers. Model providers may include OpenAI, Anthropic, Google, Meta, Mistral, DeepSeek, and others depending on configuration.
Current subprocessor list: [ADD SUBPROCESSOR LIST LINK]
For business customers, we will notify you of material subprocessor changes where required by contract or applicable law.
Service Providers
We share information with vendors who perform services on our behalf (e.g., payment processing, hosting). These providers are contractually obligated to protect your information.
Legal Compliance
We may disclose your information when required by law, regulation, or legal process, or to protect the rights, property, or safety of Kyzos, our users, or others.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any change in ownership or control where required by law.
With Your Consent
We may share your information when you have given explicit consent.
Aggregated Data
We may share de-identified, aggregated data that is designed not to identify you with partners and researchers.
5. Data Retention
The list below summarizes how long we retain different types of data. You may request shorter retention or deletion at any time by contacting [email protected].
- Account information: retained until account deletion (email, name, preferences).
- Execution metadata: retained for 24 months (model, cost, latency, quality scores). Shorter retention available on request where feasible.
- Routing decisions: retained for 24 months (selection logic per execution). Shorter retention available on request where feasible.
- Chat conversations: retained until you delete them. Stored on Kyzos servers to provide the Chat feature. You can delete individual conversations.
- Non-chat prompts and responses: not retained by Kyzos by default. Third-party providers may retain per their own policies.
- Security events: retained for 90 days (login attempts, password changes, IP addresses).
- Server logs: retained for 30 days (request metadata and error traces; designed to exclude prompt and chat content).
When you delete a conversation or account, data is removed from active systems. Backups may retain copies until the next rotation cycle.
Account deletion includes a 30-day recovery window. After that, personal data is purged. Data required for legal obligations (e.g., accounting or tax) may be retained longer.
6. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption in transit (TLS)
- Restricted production access (least privilege)
- Audit logs for security-relevant actions (logins, exports, account changes)
- Regular patching and dependency updates
- Incident response procedures
- A register of confidentiality incidents, where required by applicable law
Breach Notification
If a data breach occurs, we assess impact promptly. Where required, we notify the relevant supervisory authority without undue delay (generally within 72 hours under GDPR where applicable). We notify affected individuals when required (e.g., high risk under GDPR, or risk of serious injury under Quebec Law 25) and notify the Commission d'accès à l'information du Québec (CAI) where required.
No method of electronic transmission or storage is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.
7. International Data Transfers
Data Residency
Kyzos's primary systems and storage are hosted in Canada (OVH — Beauharnois, Quebec).
LLM Processing
Kyzos does not host AI models directly. Prompts and responses are processed by third-party providers, and processing location varies by provider (e.g., US, EU, or other regions). Kyzos does not control the physical location where a provider processes data.
Transfer Safeguards
Because providers may process data outside Canada or the EEA, LLM processing can involve international transfers. Where required by applicable law, Kyzos uses appropriate transfer safeguards, such as Standard Contractual Clauses (SCCs), with relevant subprocessors. Details: [ADD TRANSFER SAFEGUARDS SUMMARY LINK]
8. Your Privacy Rights & Choices
Depending on your location, you may have rights under the GDPR, Quebec Law 25, CCPA/CPRA, or other applicable laws, including:
- Right of Access: request a copy of your personal information
- Right to Rectification: request correction of inaccurate or incomplete data
- Right to Erasure: request deletion of your personal information, subject to legal exceptions
- Right to Restrict Processing: request limitation of processing in certain circumstances
- Right to Data Portability: receive your data in a structured, machine-readable format
- Right to Object: object to processing for certain purposes, including direct marketing
- Right to Non-Discrimination: we will not discriminate against you for exercising your rights
How to Exercise Your Rights
You can access, update, or delete your data through your account settings or the Privacy & Data page. To submit a formal request, email [email protected]. We may verify your identity to protect your account. We respond within 30 days unless an extension is permitted by law.
Your Choices
- You can delete individual chat conversations from the Chat page.
- Transcript storage for non-chat executions is disabled by default. More retention controls are planned.
- Analytics are aggregated and not intended to identify individual prompts.
- Where we rely on consent (e.g., optional analytics), you can withdraw it at any time in Settings.
Complaints
- EU: You may complain to your local EU Data Protection Authority: [ADD EU DPA FINDER LINK]
- Quebec: You may also contact the Commission d'accès à l'information du Québec (CAI): [ADD CAI LINK]
Kyzos does not sell your personal information. We have not sold personal information in the preceding twelve months and do not intend to do so.
9. Children's Privacy
The Service is not intended for use by anyone under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn that we have collected information from a child without parental consent, we will delete it promptly. If you believe a child has provided us with personal information, contact us at [email protected].
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the CCPA as amended by the CPRA. This section supplements the information in this Privacy Policy.
Categories of Personal Information Collected
In the preceding twelve months, we have collected:
- Identifiers: name, email address, IP address, account identifiers
- Commercial information: subscription details, payment history, service usage records
- Internet or electronic network activity: browsing history, interaction data with the Service
- Professional information: organization name, job title (if provided)
- Inferences: preferences and behavior patterns derived from usage data
- Sensitive personal information: account credentials (processed securely, not used for profiling)
Business Purposes
We collect personal information to provide and improve the Service, process transactions, ensure security, communicate with you, and comply with legal obligations.
Disclosure
In the preceding twelve months, we have disclosed:
- Identifiers — to AI model providers for service delivery, and to payment processors
- Commercial information — to payment processors and analytics providers
- Internet activity data — to hosting providers and analytics services
We do not sell or share personal information for cross-context behavioral advertising.
11. Changes to This Policy
We may update this Privacy Policy at any time. We will notify you of changes by updating the "Last updated" date. For material changes, we will provide notice via email or an in-product notification. Your continued use of the Service after the effective date of any update means you agree to the updated Privacy Policy.
12. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your data, contact us:
Kyzos, Inc.
Email: [email protected]