Privacy Policy

How we collect, use, and protect information when you use our website and the Nexil platform.

This Privacy Policy explains how Kalion Inc. (“Kalion,” “we,” “us”) collects, uses, discloses, and protects information in connection with (a) our marketing website at kalion.ai; and (b) the Nexil platform and related services (the “Service”).

Nexil is a business-to-business product. Most personal information processed within Nexil belongs to our customers' employees, contractors, or end users; for that information, our customer is the “data controller” (or equivalent) and Kalion is the “data processor.” This Policy describes our practices in both capacities.

1. Who We Are

Kalion Inc. is a Delaware corporation that builds Nexil, a multi-tenant, white-label AI portal platform for businesses. References to “Customer” in this Policy mean an organization that has subscribed to or is evaluating the Service. References to “you” mean any person interacting with our website or the Service, including a Customer's authorized users.

2. Scope of This Policy

This Policy applies to (a) information we collect when you visit our marketing website or contact us; (b) information we collect when an organization signs up for, evaluates, or uses Nexil; and (c) information about Customer end users that flows through Nexil while we are operating it on a Customer's behalf.

For information processed within a Customer's tenant, the Customer's own privacy notice governs the relationship between the Customer and its end users. We process that information only on the Customer's instructions, as set out in our Terms of Service and any applicable Data Processing Addendum.

3. Information We Collect

The information we collect depends on how you interact with us.

Category | Examples
Marketing & contact | Name, work email, organization, role, message content when you email us, fill out a form, or sign up for a demo.
Account & administrative | Customer organization details, billing contacts, administrator names and work emails, identity provider configuration (Microsoft Entra ID), tenant identifiers, role and group membership.
End-user authentication | Identity claims passed by your organization's identity provider (such as user principal name, display name, group memberships) when you sign in to a Nexil portal via SSO.
Customer Data | Documents and data ingested from connected sources, agent configurations, prompts and queries, AI-generated responses, conversation history, file uploads, feedback you submit on AI outputs.
Usage & telemetry | Operational logs, request and error metrics, latency, feature usage, audit events, IP address, browser and device information, approximate geolocation derived from IP.
Billing | Plan, billing contact, billing address, tax identifiers, transaction history. We do not store full payment card numbers; payments are processed by our payment provider.
Communications | Records of support tickets, emails, and other correspondence with us.

We do not knowingly collect special categories of personal data (such as health, biometric, or government identification data) or children's data through the Service. The Service is not designed for, and Customers must not submit, regulated data categories that require a separate written agreement with us, as set out in our Terms of Service.

4. How We Use Information

We use information for the following purposes:

We process personal data on the legal bases that apply under applicable law, including performance of a contract, our legitimate interests in operating and securing the Service, compliance with legal obligations, and, where required, your consent.

5. No Training on Customer Data

We do not use Customer Data, prompts, queries, or AI outputs to train, fine-tune, or otherwise improve any foundation model, base model, or shared AI model. We contractually require that the providers of the underlying AI models we use do not train their models on Customer Data.

We may use de-identified, aggregated metrics about Service operation (for example, request volumes, error rates, latency) to operate, secure, and improve the Service. These metrics do not include Customer Data content.

6. Sub-Processors

We use a small number of carefully selected sub-processors to deliver the Service. Each sub-processor is bound by written terms requiring data protection at least as stringent as this Policy and our agreement with our Customer.

Sub-processor | Purpose
Microsoft Corporation (Microsoft Azure, Azure OpenAI Service, Microsoft Entra ID) | Cloud hosting, storage, networking, identity, and AI model inference. Customer Data is hosted within the Azure region(s) selected for or by the Customer. Azure OpenAI does not use Customer Data to train its models.

If we add or change a sub-processor that processes Customer Data, we will update this list and, where required by an applicable Data Processing Addendum, give Customers advance notice and an opportunity to object.

7. Data Residency & International Transfers

Nexil supports regional data residency. Customer Data is hosted in the Azure region(s) selected for or by the Customer at the time of provisioning, which may include regions in the United States, Europe, Asia, or other locations supported by Microsoft Azure.

Operational metadata required to run, secure, and support the Service (for example, audit logs, telemetry, support tickets) may be processed in the United States and in other countries where Kalion or its sub-processors operate.

Where personal data is transferred outside its country of origin, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms, in addition to the technical and organizational measures described in this Policy.

8. How We Share Information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We share information only as follows:

9. Security

We design Nexil with security in mind. Our practices include tenant isolation, encryption of Customer Data in transit and at rest, role-based access controls, the principle of least privilege for Kalion personnel, audit logging, vulnerability management, and ongoing monitoring of the Service. Authentication is based on Microsoft Entra ID single sign-on so that Customers retain control over user identities, multi-factor authentication, and conditional access policies.

No system is perfectly secure. If we become aware of a security incident affecting Customer Data, we will notify the affected Customer without undue delay and provide information sufficient to support the Customer's own notification obligations.

10. Data Retention

We retain personal information for as long as it is needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.

11. Your Rights

Depending on where you live, you may have rights regarding your personal information, including the right to access, correct, delete, restrict, or object to processing, the right to data portability, and the right to withdraw consent. Residents of the European Economic Area, the United Kingdom, and Switzerland have rights under the GDPR and equivalent laws. Residents of California and certain other U.S. states have rights under applicable state privacy laws.

Customer end users. If you are an employee, contractor, or end user of one of our Customers, your rights are typically exercised through your organization. We will direct your request to the relevant Customer and assist them in responding.

Direct requests. For information collected by Kalion as a controller (such as marketing inquiries or administrative contacts), you can submit a request to privacy@kalion.ai. We will verify your identity and respond within the timeframes required by applicable law. We will not discriminate against you for exercising your rights.

You may also have the right to lodge a complaint with a supervisory authority in your country of residence.

12. Cookies & Analytics

Our marketing website uses a small number of cookies and similar technologies that are strictly necessary for the website to function and, where applicable, to remember your preferences. We do not use the marketing website to build advertising profiles or to share information with advertising networks for cross-context behavioral advertising.

Within the Nexil application, we use cookies and similar technologies that are strictly necessary to authenticate users, maintain sessions, secure the Service, and remember interface preferences.

You can configure your browser to refuse cookies, but parts of the Service may not function properly if you do so.

13. Children

The Service is intended for use by businesses and is not directed to children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact privacy@kalion.ai and we will take appropriate steps to delete it.

14. Changes to This Policy

We may update this Policy from time to time. When we make a material change, we will update the “Last updated” date and, where appropriate, provide additional notice (for example, by email to administrative contacts or by an in-product notice). Your continued use of the website or the Service after the update takes effect constitutes acceptance of the revised Policy.

15. Contact Us

If you have questions about this Policy or about how we handle your information, please contact us:

Kalion Inc.
Privacy: privacy@kalion.ai
Legal: legal@kalion.ai
General: hello@kalion.ai