This privacy policy describes how Korso, Inc., a Delaware corporation doing business in California ("Korso," "we," "us," or "our"), collects, uses, and shares information in connection with our AI-powered manufacturing operations platform, websites, and related services (collectively, the "Services").
The Services are provided primarily to business customers ("Organizations") such as manufacturing companies and their teams. Where we process personal data about team members or other individuals on behalf of an Organization, we act as a data processor and handle that data only in accordance with our agreement with the Organization and applicable data-protection law.
1. Information we collect
We may collect and process the following categories of information:
- Account and profile information — name, email address, job title, organization, role, profile picture, and authentication identifiers.
- Email and communications data — when your Organization connects an email account (e.g., Gmail or another supported provider), we ingest the contents of the connected mailbox, including message bodies, headers, sender and recipient addresses, timestamps, and file attachments, to power document extraction, entity resolution, quoting, and the AI assistant.
- Documents and attachments — files uploaded by users or extracted from connected email accounts, including PDFs, spreadsheets, images, RFQs, quotes, purchase orders, invoices, contracts, and specifications. We process these documents using OCR and AI classification to extract structured data.
- Business and operational data — quotes, purchase orders, pricing information, supplier and customer contact details, product catalogues, knowledge-base entries, and deal-pipeline data created or managed within the Services.
- Usage and device information — log data, browser type, device identifiers, IP address, pages visited, and how you interact with the Services.
- Support and communications — messages you send to us, feedback, and information you provide during onboarding, training, or support interactions.
2. How we use information
We use information for the following purposes:
- providing, operating, and maintaining the Services, including email ingestion, document processing, entity resolution, and AI-powered features;
- authenticating users and securing access to the platform;
- generating and managing quotes, purchase orders, and related business documents;
- providing AI-powered features such as document classification, data extraction, pricing intelligence, smart alerts, and the conversational AI assistant;
- analyzing usage to improve performance, reliability, and user experience;
- developing new features and capabilities;
- providing support, responding to inquiries, and communicating with you;
- meeting legal, regulatory, and compliance obligations, and enforcing our agreements.
3. How we share information
We do not sell personal data. We may share information in the following circumstances:
- With your Organization that provides you access to the Services, consistent with its internal policies and its agreement with Korso.
- With sub-processors that perform services on our behalf — including Google Cloud Platform (cloud infrastructure, AI models, and OCR via Vertex AI and Document AI), Resend (transactional email delivery), and Vercel (hosting and analytics) — subject to contractual obligations of confidentiality and data protection.
- With integration partners where your Organization has enabled those integrations (e.g., Gmail for email connectivity).
- For legal, safety, and security reasons — to comply with applicable law, respond to lawful requests from public authorities, protect the rights and safety of Korso, our customers, or others, or to detect and prevent fraud or security incidents.
- In a business transfer, such as a merger, acquisition, financing, or sale of all or a portion of our assets, where information may be transferred as part of the transaction, subject to the acquirer assuming the obligations set forth in this policy.
4. Cookies, analytics, and tracking
The Services use a limited set of cookies and analytics technologies:
- Session and authentication tokens — used to maintain your login session and secure access to the platform.
- Vercel Analytics — collects anonymized page-view and performance data to help us understand how users interact with the Services.
- Vercel Speed Insights — measures page-load performance to help us optimize the user experience.
We do not use third-party advertising cookies, tracking pixels, or behavioural-profiling technologies. We do not serve targeted advertisements.
5. AI processing and automated decisions
The Services use artificial-intelligence models hosted by Google Vertex AI to perform automated processing of your data, including document classification, text extraction, entity resolution, pricing analysis, and conversational assistance. These models process your data solely to provide the requested functionality and are not used to build general-purpose training datasets.
AI outputs may inform but do not replace human decisions. No legally or financially binding decisions are made by the Services without human review. If you believe an automated process has produced an inaccurate result that affects you, you may contact your Organization or Korso to request a review.
6. Data retention
We retain information for as long as necessary to provide the Services, to support your Organization's legitimate business needs, to comply with legal or regulatory obligations, to resolve disputes, and to enforce our agreements. Retention periods vary by data type:
- Account data is retained for the duration of the account relationship and for a reasonable period thereafter to fulfil legal obligations.
- Email and document data is retained for as long as the Organization's account is active, unless earlier deletion is requested.
- Usage and log data is retained for up to twenty-four (24) months and then anonymized or deleted.
Upon termination of an Organization's account, Korso will delete or anonymize the Organization's data within ninety (90) days, unless retention is required by law.
7. Security
We implement technical and organizational measures designed to protect information from unauthorized access, use, alteration, or destruction, including:
- AES-256-GCM encryption for stored email credentials;
- TLS encryption for data in transit;
- role-based access controls and row-level security within the platform;
- rate limiting and abuse-detection mechanisms on API endpoints.
No system can be guaranteed to be 100% secure. You are responsible for maintaining the security of your account credentials and authorized devices.
8. Email integration and third-party services
When your Organization connects an email account to the Services, Korso accesses the mailbox using OAuth tokens or encrypted credentials provided during the connection flow. We access only the mailbox data necessary to provide the Services (messages, attachments, and metadata) and do not access other Google or email-provider data outside the permitted scope.
Data accessed through email integrations is used solely to provide the Services and is not used for advertising or unrelated purposes. We share integration data only with our sub-processors under contracts requiring equivalent protection, and with your Organization according to its configuration.
9. Your rights
Depending on your jurisdiction, you may have certain rights regarding your personal data. Because Korso processes most personal data on behalf of your Organization, which acts as the data controller, many of these rights should be exercised through your Organization. However, we will assist your Organization in fulfilling such requests as required by law.
- Access — you may request confirmation of whether we process your personal data and, if so, a copy of that data.
- Rectification — you may request correction of inaccurate or incomplete personal data.
- Erasure — you may request deletion of your personal data, subject to legal retention obligations.
- Data portability — you may request a machine-readable copy of the personal data you provided to us.
- Restriction or objection — you may request that we restrict processing or object to processing of your personal data in certain circumstances.
- Withdraw consent — where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, these rights are provided under the General Data Protection Regulation (GDPR) and equivalent local laws. For users in California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide additional rights, including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information. As stated above, Korso does not sell personal data.
10. International transfers
Korso processes and stores information primarily in the United States via Google Cloud Platform. If you are located outside the United States, your data will be transferred to and processed in the United States. When we transfer personal data internationally, we rely on appropriate safeguards such as standard contractual clauses approved by the European Commission, or other legally recognized transfer mechanisms, to ensure your data receives an adequate level of protection.
11. Children's privacy
The Services are not directed to individuals under the age of 18 and are intended for use only in a business and professional context. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will take steps to delete that data promptly.
12. Data-breach notification
In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of affected individuals, Korso will notify the affected Organization without undue delay and, where required by applicable law, will notify the relevant supervisory authority within the timeframes prescribed by law. Korso will cooperate with affected Organizations to provide the information necessary for them to fulfil their own notification obligations.
13. Changes to this policy
We may update this privacy policy from time to time. If we make material changes, we will provide at least thirty (30) days' notice through the Services or by other reasonable means before the changes take effect. Your continued use of the Services after the changes become effective indicates your acknowledgment of the updated policy.
14. Contact
If you have questions about this privacy policy, wish to exercise your data-protection rights, or have concerns about how we handle personal data, please contact us at support@korsoai.com.