PRIVACY POLICY

Effective Date: January 3, 2026

Last Modified: January 4, 2026

Khao2 Limited, trading as Khao2 and K2 ("Khao2," "Company," "we," "our," "us"), a company governed under the laws of Ireland, is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our image forensic analysis services ("Services").

This Privacy Policy applies to all users of our command-line interface (CLI), application programming interface (API), and web-based user interface tools. By accessing or using the Services, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy.

1. LEGAL BASIS AND REGULATORY COMPLIANCE

1.1 Data Controller

Khao2 Limited acts as the data controller for personal data processed through the Services. As a company established in Ireland, we are subject to Irish and European Union data protection laws.

1.2 GDPR Compliance

We process personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), the Data Protection Act 2018 (Ireland), and other applicable data protection laws. Although our technical infrastructure is located in the United States, we maintain GDPR compliance for all data processing activities involving personal data of individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland.

1.3 Data Processing Addendum

For enterprise customers subject to GDPR, we provide a Data Processing Addendum (DPA) that establishes our role as a data processor and sets forth appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers.

1.4 Legal Bases for Processing

We process personal data on the following legal bases under GDPR:

  • Contractual Necessity: Processing necessary to perform our contract with you and provide the Services (Article 6(1)(b) GDPR)
  • Legitimate Interests: Processing necessary for our legitimate interests in operating, improving, and securing the Services (Article 6(1)(f) GDPR)
  • Consent: Processing based on your explicit consent where required (Article 6(1)(a) GDPR)
  • Legal Obligation: Processing necessary to comply with legal obligations (Article 6(1)(c) GDPR)

2. INFORMATION WE COLLECT

2.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Company or organization name (if applicable)
  • Billing address
  • Telephone number (optional)
  • Account credentials (username and cryptographically hashed password)
  • Account preferences and settings

2.2 Authentication and Identity Data

We use Auth0 (operated by Okta, Inc.) for identity and access management. Auth0 processes authentication credentials, multi-factor authentication data, session tokens, login history, IP addresses, and device information for security purposes.

2.3 Payment and Billing Information

We use Stripe, Inc. for payment processing. Stripe collects credit card information, billing address, payment history, and transaction records. Khao2 does not store complete credit card numbers on its own servers.

2.4 User Data and Service Usage

We use Supabase for storing user data including profile information, account settings, service usage records, API keys, and historical analysis records.

2.5 Image Data and Forensic Analysis Content

When you use the Services, we process uploaded images, image metadata (EXIF data, file properties, timestamps, geolocation data), analysis requests, forensic reports, and processing logs.

3. HOW WE USE YOUR INFORMATION

3.1 Service Provision

We use your information to create and manage your account, authenticate your identity, process forensic analysis requests, generate reports, provide access to our tools, and process payments.

3.2 Service Improvement

We analyze usage patterns, develop new features, optimize performance, and conduct research on forensic methodologies.

3.3 Security and Fraud Prevention

We detect and prevent fraudulent activities, identify security threats, monitor for unauthorized access, and protect our systems.

4. INTERNATIONAL DATA TRANSFERS

All of our technical infrastructure is located in the United States. We rely on Standard Contractual Clauses (SCCs) and supplementary technical measures for international data transfers.

5. CUSTOMER DATA PROTECTION

We use Customer Data solely to perform requested forensic analysis and generate reports. We do not use Customer Data to train or improve our AI models. We implement robust security measures including encryption in transit (TLS 1.3) and at rest (AES-256).

6. INFORMATION SHARING

We share information with service providers including AWS, Auth0/Okta, Stripe, Supabase, Modal Labs, Sentry, PostHog, and Vercel. We may also disclose information when required by law.

7. DATA SECURITY

We implement industry-standard technical and organizational measures including end-to-end encryption, access controls, regular security audits, and incident response procedures.

8. DATA RETENTION

We retain personal data only for as long as necessary. Active analysis data is stored for 30 days after completion, and archived data for 12 months. Payment records are retained for 7 years for tax compliance.

9. COOKIES AND TRACKING

We use strictly necessary cookies, functional cookies, analytics cookies (via PostHog), and performance cookies. You can manage cookie preferences through your browser settings.

10. YOUR RIGHTS

Under GDPR, you have the rights of access, rectification, erasure, restriction, data portability, and objection, and the right to lodge complaints with supervisory authorities. California residents have additional rights under CCPA/CPRA.

To exercise your rights, contact: privacy@khao2.com

11. CHILDREN'S PRIVACY

The Services are not directed to individuals under 18. We do not knowingly collect personal data from children.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Material changes will be communicated via email and website notice with at least 30 days' notice.

13. CONTACT INFORMATION

Data Protection Officer:
Khao2 Limited
Email: privacy@khao2.com

Security Concerns: security@khao2.com

Legal Inquiries: legal@khao2.com

14. SUPERVISORY AUTHORITY

Our lead supervisory authority is the Irish Data Protection Commission:
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Phone: +353 (0)761 104 800

Last Updated: January 4, 2026