This Privacy Policy explains what information KAPPS LLC ("KAPPS", "we", "us") collects from users of the kapps.ai web application, why we collect it, who we share it with, and how long we keep it. It is written to be readable, not exhaustive — if anything here is unclear, email support@kapps.ai and we will answer directly.
By creating an account or continuing to use the service, you acknowledge the practices described below. This Policy is incorporated by reference into the Master Subscription Agreement & Global Terms of Service.
§1 Who We Are
KAPPS LLC is a Virginia-registered limited-liability company operating the automation tools available at https://kapps.ai. All data is controlled by KAPPS and processed on infrastructure we operate or contract from the vendors named in §4. Inquiries about this Policy can be sent to support@kapps.ai.
§2 What We Collect
We collect only the information needed to run your account and the tools you use. The table below is exhaustive for the core app — if a specific tool collects additional data, that tool's own help page says so.
| Category | Examples | How we got it |
|---|---|---|
| Account basics | Name, email address, password hash (Argon2 — never the plaintext), phone number, optional company | You type it during signup / in Profile → Identity |
| Profile photo | One image file per user | You upload it (optional). Stored in Amazon S3 under time-limited signed URLs |
| Billing identifiers | Stripe Customer ID, Subscription ID, Payment-method flag ("has card on file" — we do not see the card number itself) | Returned to us by Stripe when you check out |
| Subscription state | Which tool apps you have access to, any scheduled cancellations, the timestamp you last opened each tool | Derived from your use of the service |
| Uploaded content | Files you upload to a tool (shapefiles, DXF, CSV/TXT, PDFs, HEC-RAS models, etc.) | You upload them. Held only as long as needed to process the job — see §6 |
| Generated output | ZIPs, PDFs, DXFs and other artifacts produced by a tool run | Created by our tools from your inputs. Deleted once downloaded |
| Security telemetry | IP address (read from the AWS load balancer's X-Forwarded-For chain), failed-login counter, last-login timestamp, lockout expiry | Captured automatically on each request |
| Admin audit log | Which admin did what to which account, when, and from which IP | Written by our internal admin tooling whenever an operator takes an action on a user account |
| Optional feedback | Idea submissions from the public Request a Program form (email, title, description) | You fill the form. Also emailed to our internal address |
We do not collect:
- Payment card numbers, CVV, or bank details — those go directly from your browser to Stripe.
- Location beyond what's implied by your IP.
- Analytics/tracking cookies.
- Third-party advertising identifiers.
- Content of any email we send you beyond what you see in your inbox.
§3 Why We Collect It
Under the Virginia Consumer Data Protection Act ("VCDPA") and similar laws elsewhere, a controller must declare a specific processing purpose. Ours, in plain language:
- Authentication and account management. The email, password hash, and phone number are used to sign you in, verify your identity, let you reset your password, and block accounts after repeated failed logins.
- Billing. Stripe IDs and subscription state are used to grant access to the tools you have paid for and to stop access when you cancel or a payment fails.
- Running the tools. Files you upload are handed to the tool's processor, converted into the requested output, and returned to you.
- Security. IP addresses, failed-login counters, and lockout timestamps are used to detect and throttle abusive traffic (rate limiting, brute-force defence, WAF signals).
- Support and abuse response. The admin audit log exists so that if something goes wrong we can tell who did what.
- Product improvement. Aggregate usage (which tool was opened, how often) is used to decide what to build next. Individual user behaviour is not cross-referenced with third-party data brokers.
We do not sell personal data, and we do not use it for targeted advertising. We do not profile users in a way that produces legal or similarly significant effects.
§4 Third Parties (Sub-processors)
We use the following service providers, each bound by its own security and privacy commitments. Each is contractually prohibited from using your data for any purpose beyond the service listed.
| Vendor | Service | What reaches them |
|---|---|---|
| Amazon Web Services | Application hosting (ECS Fargate), database (RDS PostgreSQL), object storage (S3), email delivery (SES), logging (CloudWatch), secrets (Secrets Manager), DNS (Route 53) | Everything you store or upload — AWS is the substrate we run on. Data is stored in the us-east-1 region. |
| Stripe, Inc. | Subscription billing, payment-method vaulting, tax collection | Your name, email, and the payment method you enter on Stripe's hosted checkout form. We never see raw card data. |
| Anthropic, PBC | Large-language-model inference for the AI auditor tools (Procurement Auditor, Technical Proposal Auditor) | Only the PDFs you upload to those specific tools, and only for the duration of the audit run. Outputs are not used to train Anthropic's models per their API terms. |
| USDA Soil Data Access | Public soil-survey API used by the Soil Extractor and CN Studio | Only the state and county codes you pick from the dropdown. No personal data. |
| GitHub / GitHub Actions | Source-control and continuous deployment | Source code only. No end-user data. |
A current list of sub-processors is maintained in our Terms of Service. We will update this Policy and the Terms if we add a new sub-processor that processes personal data.
§5 Cookies & Local Storage
We set only the cookies required to run the application. We do not use marketing, analytics, or third-party tracking cookies.
- sessionid: keeps you signed in. HttpOnly, Secure, SameSite=Lax. Cleared on logout or after the 1-hour idle timeout.
- csrftoken: cross-site-request-forgery protection for form submissions. Readable by JavaScript on our own origin only.
Your browser's localStorage holds a small in-flight job tray (which tool jobs are running or ready to download). That data never leaves your browser and is cleared when you dismiss a job.
§6 Data Retention
| Data | How long we keep it |
|---|---|
| Account record (user row, profile, subscription state) | Until you delete your account. Deletion happens in two stages: soft-delete (hidden, login blocked), then a permanent purge (removal from the database). |
| Profile photo (S3) | Until you replace it, delete it, or delete your account. |
| Uploaded job files + generated output | Deleted automatically when you download the result, and at most 24 hours after the job runs regardless. |
| Email-verification codes | 15 minutes after issue, or immediately on successful verification. |
| Password-reset tokens | 3 days after issue. |
| Server access logs (CloudWatch) | 14 days. |
| Admin audit log | Kept for the life of the account. Retained after account purge, with the target_user reference nulled out, so the history is preserved without the personal data. |
| RDS database backups | 1 day rolling window (to be extended as the service matures). |
§7 Your Rights
If you are a resident of Virginia, California, the EU/EEA, the UK, or another jurisdiction with comparable privacy laws, you have the following rights in respect of your personal data. KAPPS honours these rights regardless of where you live.
- Access. You can already see most of your data in Profile → Identity, Profile → Console, and Profile → Billing. For anything not shown there, email support@kapps.ai and we will respond within 30 days.
- Correction. You can edit your name, phone, company, and profile photo yourself from the Profile page. For anything else, email us.
- Deletion. Use Profile → Security → Delete Account, or email us. Soft-delete is immediate; permanent purge follows once any pending Stripe subscription has fully cancelled.
- Portability. On request to support@kapps.ai we will export a machine-readable JSON dump of everything we hold about you.
- Objection. You can ask us to stop processing your data. Doing so requires closing the account, since the data is only retained while the account is active.
- Appeal. If we decline a request, you may appeal that decision by replying to the same email thread. Virginia residents can further contact the Attorney General's Office at oag.state.va.us.
Requests are free and processed manually. We may ask you to re-authenticate before executing a deletion or export.
§8 Security
We apply proportionate safeguards throughout the stack:
- All traffic is served over HTTPS with HSTS. Modern TLS (1.2+) only.
- Passwords are hashed with Argon2id. Plaintext is never stored or logged.
- Uploaded images are re-encoded through Pillow; uploaded PDFs are validated by magic bytes; ZIP extraction is zip-slip protected.
- Rate limiting covers login, signup, password reset, subscription purchase, admin writes, and the feedback form.
- Admin actions are gated by role and written to an append-only audit log with the actor's IP address.
- Cookies are HttpOnly and Secure; CSRF is enforced on every state-changing request.
- Content Security Policy is set with a per-request nonce; subresource integrity is set on all CDN-hosted assets that support it.
- S3 access is via short-lived pre-signed URLs (one hour) — the bucket itself is not publicly listable.
- The PostgreSQL database is only reachable from our ECS tasks; no other network has ingress.
If we discover a security incident that compromises personal data, we will notify affected users by email without undue delay and within 72 hours where required by law.
§9 International Transfers
KAPPS is a US-based company and all personal data is stored and processed in the United States (AWS us-east-1, N. Virginia). If you access the service from outside the US, your data is transferred to the US where privacy protections may differ from those in your home jurisdiction. By using the service you consent to that transfer.
§10 Children
KAPPS is not directed to children under 13 and we do not knowingly collect personal data from anyone under 13. If we learn that a child has created an account, we will delete the account and associated data promptly.
§11 Changes to this Policy
We may revise this Policy as the service evolves. Material changes will be announced by email to the address on your account and by updating the Effective Date at the top of this page. Continued use after the Effective Date constitutes acceptance of the revised Policy. You can always view prior versions by asking support.
§12 Contact
Questions, requests to exercise any of the rights in §7, or complaints about our handling of your data can be sent to:
KAPPS LLC — Privacy
Email: support@kapps.ai
Mail: Richmond, Virginia, USA
We aim to respond within 30 days.
KAPPS LLC · Richmond, Virginia, USA · Effective April 21, 2026 · Version 1.0
This Privacy Policy forms part of the Master Subscription Agreement & Global Terms of Service.