Privacy Policy

Last updated: May 26, 2026

Introduction

KYFEX (“we,” “our,” or “us”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you visit kyfex.com, use our public website features, subscribe to email updates, schedule a call, contact us, or interact with our AI chatbot.

KYFEX is the controller for personal data we collect through the Website. For service engagements, client data may also be governed by a separate services agreement, statement of work, confidentiality agreement, or data processing agreement. This Website Privacy Policy does not replace those written agreements.

Do not submit confidential, proprietary, regulated, sensitive, or client-owned information through public Website forms or the chatbot unless KYFEX has separately agreed in writing to receive it under appropriate terms.

Data We Collect and Why

The table below summarizes the main categories of personal data we collect, why we use it, the legal basis we rely on where GDPR applies, and how long we keep it.

| Activity | Data | Purpose | Legal basis | Retention |
| --- | --- | --- | --- | --- |
| Newsletter, status alerts, and assessment emails | Email address, locale, subscription status, confirmation/unsubscribe/erasure tokens, delivery status, and optional AI Readiness scores and dimensions if you ask us to email them to you. | Send requested emails, manage confirmations and unsubscribes, preserve deliverability, and route confirmed high-intent assessment leads. | Consent; legitimate interests for security, deliverability, suppression, and service administration. | Active subscriptions are kept while subscribed. Pending confirmations expire after 72 hours. Newsletter unsubscribes are deleted after 30 days. Bounced or complained newsletter addresses are kept 6-12 months for suppression. Status alert unsubscribes are deleted after 30 days. |
| Booking calls | Name, email, company, notes, selected time, meeting type, Zoom meeting details, and related delivery metadata. | Schedule and manage calls, prevent double-booking, send confirmations, and evaluate a potential engagement. | Steps before entering into a contract; legitimate interests in operating the booking workflow and responding to business inquiries. | Booking records are automatically deleted after 90 days. |
| Contact form and direct email | Name, email, company, timeline, budget range, message content, locale, and related delivery metadata. | Respond to your inquiry, evaluate fit, route the request internally, and maintain a short-term record of the conversation. | Legitimate interests in responding to business inquiries; steps before entering into a contract when your message concerns a potential engagement. | Contact form submissions are automatically deleted after 180 days. Email threads may be retained as normal business records unless you ask us to delete them and no legal or operational reason requires retention. |
| AI chatbot | Chat messages, session identifier, locale, and short-lived server-side context. | Answer questions about KYFEX, maintain conversation continuity, prevent abuse, and improve the site experience. | Consent when you send a message; legitimate interests in operating and securing the chatbot. | Browser chat history remains in your local storage until you reset the chat or clear browser storage. Server-side chatbot context expires after 24 hours. Rate-limit IP records expire after 1 hour. |
| Security, anti-abuse, and API rate limiting | IP address, request metadata, user agent in limited security logs, Cloudflare Turnstile verification tokens, and hidden honeypot-field signals when bots submit forms. | Protect the Website, enforce rate limits, verify human submissions, detect spam, and troubleshoot reliability issues. | Legitimate interests in security, fraud prevention, service reliability, and abuse prevention. | Rate-limit records expire after 1 hour. Honeypot and operational logs are retained only as needed for security, debugging, and aggregate monitoring. |
| Analytics and Core Web Vitals | Page views, referrer, browser and device information, coarse geographic region, event names, performance metrics, and cookie consent state. | Understand site usage, measure reliability and performance, and improve content and UX. | Consent for GA4/GTM analytics cookies and analytics events; legitimate interests for strictly necessary service diagnostics. | Analytics runs only after you accept analytics cookies. GA4 retention follows the configured Google Analytics settings. Cookie preferences remain in your browser until you change them or clear browser storage. |

You are not legally required to provide personal data through the Website. If you do not provide required fields, we may not be able to send requested emails, schedule a call, respond to an inquiry, or operate the chatbot. Analytics cookies are optional.

Information You Provide

  • Newsletter subscriptions: Your email address, locale, confirmation status, and delivery status. Emails are stored in Amazon DynamoDB and sent via Amazon SES.
  • Status alert subscriptions: Your email address and locale so we can send incident and recovery emails if you confirm the subscription.
  • AI Readiness assessment: Your answers are processed in your browser to calculate results. If you request results by email, we receive your email address and a trimmed copy of the result scores and dimensions.
  • Booking information: Your name, email, company, selected time, meeting type, and any notes you provide. Meetings are created through Zoom.
  • Contact information: Your name, email, company, timeline, budget range, message, and any other details you choose to share through the contact form or by email.
  • Chatbot messages: The messages you send, the locale you use, and a session identifier for conversation continuity.

Information Collected Automatically

  • Essential technical data: Request metadata, IP address, browser and device information, user agent, API route, and security events needed to operate and protect the Website.
  • Analytics data: Pages visited, referral source, events, Core Web Vitals, browser type, device type, and general geographic region, only after you accept analytics cookies.
  • Local browser storage: Cookie preference, theme or language preferences, chatbot history, and assessment result hash data may be stored in your browser.
  • Cookies: See the Cookies section below.

AI Chatbot

If you interact with our AI chatbot, your messages are processed through Amazon Bedrock and hosted foundation models so the chatbot can respond. We do not use chatbot conversations to train AI models.

Chat messages and your session identifier are stored in your browser's local storage so your conversation history is available if you return to the site. You can clear this data at any time by resetting the chat or clearing your browser storage.

On the server side, session context is stored in DynamoDB with a 24-hour time-to-live; it expires after 24 hours and is scheduled for automatic deletion. Please avoid sending secrets, credentials, client data, regulated data, or sensitive personal information through the chatbot.

Cookies and Local Storage

By default, we use only essential cookies and local storage that are necessary for the Website to function, remember your preferences, support security, and preserve local chatbot or assessment state.

If you accept analytics cookies through our cookie banner, we may load Google Analytics 4 (GA4) and Google Tag Manager if configured. GA4 helps us understand how visitors use the site, measure Core Web Vitals, and improve performance. We anonymize IP data where supported and do not enable Google advertising features.

When you accept analytics cookies, only analytics_storage is enabled. Advertising features (ad_storage, ad_user_data, ad_personalization) remain denied at all times.

If you choose to play an embedded YouTube video, YouTube (via youtube-nocookie.com) may set cookies. You will see a notice before any YouTube content loads.

You can change your cookie preferences at any time using the “Cookie Settings” link in the footer of our Website.

Third-Party Services

We use the following third-party services that may process data for the purposes described above:

  • Amazon Web Services (AWS): Hosting, API Gateway, Lambda, DynamoDB, SES, Secrets Manager, CloudWatch, and Amazon Bedrock for chatbot processing.
  • Cloudflare: DNS, security services, and Turnstile human verification for protected forms and API submissions.
  • Google Analytics 4 and Google Tag Manager: Consent-gated website analytics and performance measurement.
  • Zoom: Appointment scheduling, video meetings, calendar availability, and meeting invitations.
  • YouTube: Embedded videos loaded in privacy-enhanced mode when you choose to play them.

Where these services act as processors or service providers, we use their applicable data processing terms, including the AWS Data Processing Addendum, Google Data Processing Terms, and Zoom Global Data Processing Addendum (PDF).

We do not sell personal data. We do not use Website data for advertising, cross-context behavioral advertising, or targeted advertising.

Data Storage, Transfers, and Security

Website data is stored primarily on AWS infrastructure in the US East region. If you access the Website from outside the United States, your data may be transferred to, stored in, or processed in the United States and other locations where our providers operate.

For international transfers, we rely on processor data processing terms and safeguards such as standard contractual clauses, adequacy mechanisms, or other lawful transfer mechanisms where applicable.

We use industry-standard security practices, including TLS encryption in transit, encryption at rest where supported, access controls, rate limiting, Cloudflare Turnstile, hidden honeypot fields, monitoring, and regular security reviews. No method of transmission or storage is perfectly secure, but we design the Website to minimize retained data and limit access.

California Notice at Collection

For California residents, this section describes the categories of personal information we may collect through the Website. We use these categories for the purposes and retention periods described in this policy.

Sources include you, your browser or device, cookies or local storage, Website infrastructure, and the service providers listed in this policy.

| Category | Examples |
| --- | --- |
| Identifiers | Name, email address, IP address, subscription tokens, booking identifiers, and chatbot session identifiers. |
| Internet or network activity | Pages visited, referral source, browser and device information, API request metadata, cookie consent state, and Core Web Vitals events. |
| Commercial or professional information | Company name, project notes, timeline, budget range, booking details, and business inquiry content. |
| Approximate location | General geographic region inferred by analytics or infrastructure providers. We do not collect precise GPS location through the Website. |
| Inferences and assessment results | AI Readiness assessment scores and dimensions only if you submit them with your email address. |
| Sensitive personal information | We do not intentionally collect sensitive personal information through the Website. If you include sensitive information in a free-text message, we use it only to respond, secure the service, or delete it on request where possible. |

We do not sell or share personal information as those terms are used by the California Consumer Privacy Act, and we do not knowingly sell or share personal information of anyone under 16. We do not offer financial incentives in exchange for personal information.

Your Rights

Regardless of where you are located, we extend the following privacy rights to users where we can reasonably identify the relevant data:

  • Access: You can request a copy of the personal data we hold about you.
  • Correction: You can ask us to correct inaccurate personal data.
  • Deletion: You can ask us to delete personal data, subject to legal, security, or operational exceptions.
  • Portability: You can request your data in a machine-readable format where applicable.
  • Restriction or objection: You can object to certain processing or ask us to restrict processing where applicable law provides that right.
  • Consent withdrawal: Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect processing that happened before withdrawal.
  • Opt out of sale or sharing: We do not sell or share your personal information, but you can contact us to confirm this.
  • Non-discrimination: We will not discriminate against you for exercising privacy rights.
  • Complaint: If GDPR or similar law applies, you may have the right to lodge a complaint with your local data protection authority.

Newsletter and status subscribers can use the unsubscribe or delete-my-data links in emails. For immediate permanent deletion or any other rights request, email info@kyfex.com. We may ask for information needed to verify your identity and locate your data, and we will use that information only to process the request. We aim to respond within 30 days, or within the timeframe required by applicable law.

Automated Decision-Making

We do not use Website data for automated decision-making that produces legal or similarly significant effects. The AI Readiness assessment and chatbot are informational tools only.

Children's Privacy

Our Website and services are not directed at children under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Accessibility

We are committed to making kyfex.com accessible to users of all abilities. For details on our conformance targets, implementation practices, known limitations, and how to report accessibility barriers, please see our Accessibility page.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “last updated” date at the top of this page. If a material change requires consent or a different notice under applicable law, we will handle that change accordingly.

Contact

If you have any questions about this Privacy Policy or how we handle your data, contact us at:

We have not appointed a separate Data Protection Officer for the Website. Privacy requests should be sent to the email address above.
