Privacy Policy

Kyntra Labs ("Kyntra," "we," "us," or "our") provides a software-as-a-service platform offering business intelligence, monitoring, and automation tools for Salesforce Marketing Cloud environments (the "Services"). This Privacy Policy describes how we collect, use, disclose, and otherwise process Personal Information in connection with:

• —our website located at www.kyntralabs.io (the "Site");
• —our Services when accessed by individual users on behalf of our business customers; and
• —our marketing, sales, and business operations.

Two distinct roles. Kyntra's relationship to your information depends on the context:

• —As a Controller / Business: When we collect Personal Information directly from you—for example, when you visit the Site, create an account, communicate with us, or sign up for marketing communications—we determine the purposes and means of processing and act as a "controller" under the EU and UK General Data Protection Regulation ("GDPR" and "UK GDPR") and as a "business" under the California Consumer Privacy Act, as amended ("CCPA"). This Privacy Policy governs that processing.
• —As a Processor / Service Provider: When our business customers ("Customers") use the Services, Kyntra has technically limited access to their Salesforce Marketing Cloud environment. The Services read metadata and configuration information (such as data extension names, field names, audience counts, and automation configurations) but do not read or retrieve the record-level data in the Customer's data extensions (such as the names, email addresses, or engagement data of the Customer's marketing audiences). That record-level data remains in the Customer's Salesforce Marketing Cloud environment and is not accessed by us. To the limited extent we process personal information on a Customer's behalf — for example, the account information of the Customer's users, or any personal information that may be incidentally included in metadata, support communications, or AI prompts — that processing is governed by the Data Processing Addendum between Kyntra and the Customer, not by this Privacy Policy. If you are an individual whose information is processed through a Customer's instance of our Services, you should direct privacy inquiries to the relevant Customer.

This Privacy Policy applies in addition to our Terms of Service and any other agreements between you and Kyntra.

• —"Personal Information" or "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual or household. It does not include de-identified, anonymized, or aggregated information that cannot reasonably be associated with an identified or identifiable individual.
• —"Processing" means any operation performed on Personal Information, whether automated or not, including collection, recording, organization, storage, use, disclosure, transmission, or deletion.
• —"Sensitive Personal Information" has the meaning given in applicable law and includes, where applicable, account log-in credentials, precise geolocation, government-issued identifiers, and similar categories.

We collect the following categories of Personal Information. Where required by the CCPA, we identify each category using the statutory framework.

3.1 Information You Provide Directly

3.2 Information Collected Automatically

When you access the Site or Services, we and our service providers may automatically collect:

We do not knowingly collect precise geolocation data through the Site.

3.3 Information Collected from Third Parties

We may receive Personal Information from:

• —Authentication providers (e.g., Auth0) when you log in;
• —Payment processors (e.g., Stripe) for transaction confirmation (we do not receive or store full payment card numbers);
• —Analytics providers (e.g., Vercel); and
• —Publicly available sources and business contact databases used for sales prospecting.

We collect Personal Information from: (i) you directly; (ii) your device and browser automatically; (iii) our Customers, when they grant you access to their account; (iv) our service providers and business partners; and (v) publicly available sources.

We process Personal Information for the following purposes:

We do not use Personal Information for automated decision-making that produces legal or similarly significant effects concerning you.

We disclose Personal Information to the following categories of recipients, for the business and commercial purposes described in Section 5:

• —Service providers and processors, including:
  • ·Auth0 (Okta, Inc.) — authentication and identity management
  • ·Stripe, Inc. — payment processing
  • ·Vercel Inc. — application hosting, content delivery, and product analytics
  • ·Salesforce, Inc. (Heroku) — application hosting and infrastructure
  • ·Neon, Inc. — managed database services
  • ·Resend, Inc. — transactional and operational email delivery
  • ·Sanity.io — content management for the Site
• —Professional advisors, including legal counsel, accountants, and auditors;
• —Government authorities, law enforcement, and other parties when we believe in good faith that disclosure is required by law, legal process, or to protect our rights, your safety, or the rights, property, or safety of others;
• —Parties to a corporate transaction, including in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction or proceeding, in which case we will notify affected users where required by law; and
• —With your consent or at your direction.

A current list of the subprocessors we engage to provide the Services, including the categories of Personal Information they process and where, is maintained in our Subprocessor List.

No sale of Personal Information. Kyntra does not "sell" Personal Information for monetary consideration. Kyntra also does not "share" Personal Information for cross-context behavioral advertising as those terms are defined under the CCPA. We have not sold or shared Personal Information in the preceding twelve (12) months. We do not knowingly sell or share the Personal Information of individuals under 16 years of age.

Kyntra is headquartered in the United States, and the Personal Information we collect is processed in the United States by Kyntra and our U.S.-based service providers. We currently offer the Services only to U.S. business customers and do not actively market the Services to individuals outside the United States. If you are located outside the United States and choose to interact with the Site or contact us, you understand that your information will be processed in the United States, which may have data protection laws that differ from those of your country of residence.

We retain Personal Information for as long as necessary to fulfill the purposes for which it was collected, including to provide the Services, comply with our legal, accounting, or reporting obligations, resolve disputes, and enforce our agreements. The criteria we use to determine retention periods include:

• —the duration of our relationship with you and your continued use of the Site or Services;
• —our legal obligations (e.g., tax, accounting, and audit records are typically retained for seven (7) years);
• —the existence of any actual or anticipated legal claim or investigation; and
• —guidance from relevant data protection authorities.

As general benchmarks:

• —Account data: retained for the life of the account plus 24 months following account closure, subject to longer retention for legal or compliance purposes;
• —Marketing data: retained until you withdraw consent or object, plus a short suppression-list retention to honor your opt-out;
• —Analytics data: retained in identifiable form for no more than 24 months; and
• —Support communications: retained for 36 months following resolution.

When Personal Information is no longer needed, we will securely delete, destroy, or anonymize it.

We maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized or unlawful access, use, disclosure, alteration, loss, or destruction. These include encryption of data in transit and at rest, access controls, logging, vendor security review, and incident response procedures.

No method of transmission over the Internet or method of electronic storage is completely secure, however, and we cannot guarantee absolute security. In the event of a security incident affecting your Personal Information, we will notify you and the relevant authorities as required by applicable law.

Your rights depend on the jurisdiction in which you reside. Kyntra will not discriminate against you for exercising any of these rights.

10.1 Rights of California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights:

• —Right to know what Personal Information we have collected about you, including the categories, sources, purposes, and third parties to whom it has been disclosed, and to receive a copy;
• —Right to delete Personal Information we have collected from you, subject to certain exceptions;
• —Right to correct inaccurate Personal Information;
• —Right to opt out of sale or sharing of Personal Information (as noted in Section 6, we do not sell or share Personal Information);
• —Right to limit the use and disclosure of Sensitive Personal Information (we do not use Sensitive Personal Information for purposes that would trigger this right);
• —Right to non-discrimination for exercising your privacy rights.

A summary of the categories of Personal Information we have collected, the sources, the purposes of collection, and the categories of third parties to whom we have disclosed Personal Information in the preceding 12 months is set out in Sections 3, 4, 5, and 6.

10.2 Rights of Other U.S. State Residents

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, Tennessee, Indiana, and other states with comprehensive privacy laws have rights generally similar to those above, including rights to access, delete, correct, and obtain a portable copy of Personal Information, and to opt out of targeted advertising, the sale of Personal Information, and certain profiling. Residents of these states also have the right to appeal our refusal to act on a privacy rights request. To appeal, follow the instructions in our response to your initial request or contact us as described in Section 11. If you are dissatisfied with the outcome of your appeal, you may contact your state attorney general.

10.3 Other Jurisdictions

If you are located outside the United States and applicable law grants you privacy rights with respect to Personal Information we process about you, you may contact us using the information in Section 15 to inquire about exercising those rights. We will evaluate and respond to inquiries from individuals in other jurisdictions on a case-by-case basis, consistent with applicable law.

To exercise any of the rights described above, please submit a request through one of the following methods:

• —Email: support@kyntralabs.io
• —Mail: Kyntra Labs, Attn: Privacy Officer, 117 S Lexington St, Suite 100, Harrisonville, MO 64701
• —Web form: kyntralabs.io/privacy/request

Verification. To protect your Personal Information, we will take reasonable steps to verify your identity before responding to a request. This may include asking you to confirm information we already have on file or to log into your account. We will not use verification information for any purpose other than verification.

Authorized agents. You may designate an authorized agent to make a request on your behalf. The agent must provide proof of authorization (such as a valid power of attorney or a signed written permission), and we may require you to verify your identity directly.

Response timeline. We will acknowledge your request promptly and respond within the time required by applicable law (generally 45 days under the CCPA and most other U.S. state privacy laws, with one 45-day extension permitted in most states).

Appeals. If we deny your request in whole or in part and you are entitled to appeal under applicable law, our response will explain how to do so.

We and our service providers use cookies, pixels, local storage, and similar technologies on the Site to make it work, to remember your preferences, to analyze usage, and (where applicable) to support marketing.

Categories:

Your choices. You can manage cookies through:

• —our cookie preferences tool (available in the Site footer once deployed);
• —your browser settings, which allow you to refuse or delete cookies (though doing so may affect Site functionality); and
• —opt-out tools provided by third parties (e.g., the Network Advertising Initiative at optout.networkadvertising.org).

Global Privacy Control. We treat opt-out preference signals, including the Global Privacy Control (GPC), as a valid request to opt out of the sale or sharing of Personal Information and the use of Personal Information for targeted advertising for the browser or device transmitting the signal, as required by applicable law.

Do Not Track. Because there is no consensus on how to interpret Do Not Track ("DNT") signals, we do not currently respond to DNT signals. We do respond to GPC signals as described above.

For full detail on the cookies we use, see our Cookie Policy.

The Site and Services are intended for use by businesses and their authorized representatives, who must be at least 18 years of age. We do not knowingly collect Personal Information from anyone under 18. If you believe a minor has provided Personal Information to us, please contact us at support@kyntralabs.io and we will promptly delete the information.

If you receive marketing emails from us, you may opt out at any time by:

• —clicking the "unsubscribe" link at the bottom of any marketing email;
• —adjusting your communication preferences in your account settings; or
• —contacting us at support@kyntralabs.io.

Even after you opt out of marketing communications, we may continue to send you transactional or service-related communications (such as security alerts, billing notices, and changes to our terms or policies).

If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, or if you wish to exercise your rights, please contact our Privacy Officer:

Data Protection Officer. Kyntra has not appointed a Data Protection Officer. Privacy inquiries should be directed to the Privacy Officer at the contact information above.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• —update the "Effective Date" and "Last Updated" date at the top of this Privacy Policy;
• —post the revised policy on the Site; and
• —where required by law or appropriate under the circumstances, provide additional notice (such as by email or an in-product notification) and, where required, obtain your consent.

We encourage you to review this Privacy Policy periodically.