Legal
Privacy Policy
Effective May 21, 2026 · Last updated May 21, 2026
01Introduction
Kaydency is a commercial-lease deal management service operated by KeyEase Inc. (“KeyEase,” “Kaydency,” “we,” “us,” “our”), a corporation registered in Vancouver, British Columbia, Canada. This Privacy Policy explains what information we collect about you when you visit kaydency.app or use the Kaydency service (the “Service”), how we use and share it, the rights you have, and how to reach us.
For the purposes of Canadian privacy law (PIPEDA and BC PIPA) and, where applicable, the EU and UK GDPR, KeyEase Inc. is the data controller for the personal information processed through Kaydency. Questions about this policy or your information can be sent to privacy@kaydency.app.
02Scope
This policy applies to:
- visitors to our marketing pages at kaydency.app;
- account holders who sign up for Kaydency, the organizations and teams they create, and the individual team members they invite;
- people whose information our customers upload into Kaydency — for example, tenant or landlord contacts, deal counter-parties, or meeting attendees. For that data our customer is the controller and we act as a service provider on their behalf.
It does not apply to third-party websites or services that Kaydency links to, or to mailbox providers (Google, Microsoft) and other integrations that you choose to connect — those are governed by their own privacy policies.
03Information we collect
Account information
Authentication is provided by Clerk, our identity sub-processor. When you sign up we receive your email address, name, profile image (if you supply one), the authentication identifiers Clerk issues, and a record of sign-in events. If you enter additional details in your profile (for example a phone number, time zone, or preferences) we store those alongside your account.
Workspace and content you create
When you use Kaydency you and your teammates create workspace content. Depending on how you use the product this can include:
- organizations, teams, and team memberships, including each member’s role;
- deals you track (property addresses, tenant and landlord names, deal type, status, phase/step timelines, dates, templates);
- documents you upload (PDF, DOC, DOCX, XLS, XLSX, JPG, PNG — up to 50 MB per file) and the structured clauses and facts our AI extracts from them;
- contact records (tenant and landlord contacts: name, email, phone, company, mailing address, industry, target size and rate, tags, free-form notes), interaction logs, meetings, and AI-generated meeting briefs;
- notice windows (renewal, termination, default, consent, assignment, relocation, estoppel) and any drafts you write against them;
- conversations with Ask Kaydency, including the questions you ask and the cited document chunks the assistant returns;
- audit logs that record actions taken in your workspace (created, updated, deleted) for security and traceability.
Mailbox connections (optional)
If you choose to connect Gmail or Outlook to your Kaydency account, we store only the encrypted OAuth tokens issued by the provider (AES-256 at rest, keyed by an environment-scoped secret we never expose to the browser). The tokens let us read message metadata and bodies live from the provider on demand; we do not copy your mailbox into our database. The two exceptions are:
- messages you (or your forwarding rule) explicitly send to your team’s capture address team-…@in.kaydency.app — those inbound messages are stored in full (sender, subject, body, timestamps) so the team can act on them; and
- transactional copies in your provider’s sent or trash folders, which are managed by the provider, not us.
For Gmail we request the scopes gmail.readonly, gmail.compose, openid, email, and profile. We deliberately do not request gmail.send. For Microsoft Graph we request Mail.Read, Mail.ReadWrite, offline_access, and User.Read; we do not request Mail.Send.
Automatically collected information
When you use Kaydency we automatically receive:
- Device and network metadata — IP address, user-agent string, language, the pages you load, and the actions you take. We use PostHog (US region, proxied through /ingest) for product analytics; once you sign in we associate these events with your Clerk user id so that we can debug and improve the product.
- Error reports and a 10% sample of session replays via Sentry (EU region). Sentry replay is configured with sendDefaultPii: true, which means your IP address and user identifier may be attached to replays of sessions that triggered an error. Replays are redacted of input field contents by default.
Cookies and similar technologies
We use a small number of cookies and local-storage entries:
- Strictly necessary cookies set by Clerk to maintain your signed-in session;
- Analytics cookies and local-storage entries set by PostHog to recognise repeat visits and to attribute events to a stable visitor identifier.
Kaydency does not currently display a cookie consent banner. Visitors who do not wish to be tracked can block third-party cookies in their browser. We will add a consent flow before general availability that lets EEA and UK visitors decline analytics before any cookies are set.
04How we use your information
We use the information described above to:
- operate, secure, support, and improve the Service, including authenticating you, syncing your workspace, sending transactional email about account, billing, and deal events, and detecting and preventing abuse;
- extract clauses and structured facts from documents you upload and generate AI summaries, briefs, and answers (see Section 5);
- understand how the product is used so we can prioritise fixes and improvements;
- comply with our legal obligations and enforce our Terms of Service.
We do not sell your personal information, and we do not run third-party advertising on Kaydency.
05AI processing
Several Kaydency features rely on large language models: clause extraction from lease documents, contact briefs, AI-drafted notices, AI-generated meeting briefs, and the Ask Kaydency assistant. To power these features we transmit the relevant portions of your workspace content — document text, contact and deal context, and the messages you send to the assistant — to large language models.
All AI requests are routed through Vercel AI Gateway, which forwards them to the underlying provider under zero-data-retention configurations where the provider supports them. The providers and models we use today are:
- Anthropic — claude-sonnet-4.6 (primary model for drafting, chat, extraction, and diff);
- OpenAI — gpt-5.2, gpt-5.2-mini (fallback chat and lighter extraction), and text-embedding-3-small (embeddings for retrieval);
- Google — gemini-2.5-flash (fallback for high-volume tasks).
We do not use your Content to train general-purpose AI models. Outputs from AI features can be inaccurate, incomplete, or out of date — see the AI disclaimer in our Terms of Service.
06Legal bases for processing
Under PIPEDA and BC PIPA we rely on your express consent when you create an account, your implied consent for the processing reasonably needed to operate the Service, and our legitimate interests in security and product improvement (subject to the reasonable-purpose test).
Where the EU or UK GDPR applies to you, our legal bases are: performance of a contract with you (account creation, delivering the Service), our legitimate interests (security, analytics, product improvement, balancing those against your rights), your consent (for optional integrations such as Gmail and Outlook, and for analytics once we deploy a consent banner), and compliance with legal obligations.
08International data transfers
Personal information processed through Kaydency is stored and processed in Canada, the United States, and the European Union, depending on the sub-processor. We rely on contractual safeguards with each sub-processor and, for transfers from the EEA and UK, on the European Commission’s adequacy decision for Canada and on Standard Contractual Clauses where adequacy does not apply.
09Google API Services — Limited Use disclosure
Kaydency’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect a Gmail mailbox to Kaydency, the OAuth scopes we request are gmail.readonly, gmail.compose, openid, email, and profile. We deliberately do not request gmail.send.
We use Gmail data only to surface email context inside your Kaydency workspace — linking messages to the right deal or contact, drafting replies for you to send from Gmail, and showing recent correspondence. We do not transfer Gmail data to third parties except as needed to provide the Service or as required by law; we do not use Gmail data for advertising; we do not allow humans to read Gmail data except for security investigations, to comply with applicable law, or with your explicit consent; and we do not use Gmail data to develop, improve, or train generalised or non-personalised AI or machine learning models. When Gmail message text is sent to an AI model for one-off summarization (for example, to draft a reply on your behalf), it is sent via Vercel AI Gateway under zero-retention configurations where supported by the provider.
You can revoke Kaydency’s access to your Gmail account at any time at myaccount.google.com/permissions and inside Kaydency’s integration settings.
10Microsoft Graph — Outlook integration disclosure
When you connect an Outlook or Microsoft 365 mailbox, the Microsoft Graph scopes we request are Mail.Read, Mail.ReadWrite, offline_access, and User.Read. We do not request Mail.Send.
We use Microsoft mailbox data only to surface email context in your Kaydency workspace; access tokens are encrypted at rest; mailbox data is not used for advertising and is not used to train AI models. You can revoke Kaydency’s access at account.live.com/consent/Manage (consumer accounts) or in your Microsoft 365 admin centre (work accounts), and inside Kaydency’s integration settings.
11Data retention
We retain account, workspace, and content data for the life of your account, plus the time reasonably needed for backups, security audits, and legal compliance.
When you delete your account in Kaydency’s Settings, we immediately soft-delete your user record so that you can no longer sign in, and we remove your team memberships. Today, authored workspace content (deals, documents, AI-extracted clauses, embeddings, chat messages, and audit logs) remains in the database until you or another team owner requests purge. On written request to privacy@kaydency.app from the email address associated with your account, we will purge your authored content within 30 days. We are actively working on extending the in-app “Delete account” flow to perform this purge automatically.
Inbound emails captured at your team capture address are retained for the life of the team unless individually deleted. Sentry retains error events and replay samples for 90 days. PostHog event data is retained per its default retention.
12Your rights
Under PIPEDA and BC PIPA you have the right to access and correct your personal information, to withdraw consent (subject to legal or contractual limits), and to complain to the Office of the Privacy Commissioner of Canada or to British Columbia’s Office of the Information and Privacy Commissioner.
If you are in the EEA or the UK, you additionally have the right to request erasure, restriction of processing, data portability, and to object to processing based on our legitimate interests. You can lodge a complaint with your local supervisory authority.
To exercise any of these rights, email privacy@kaydency.app from the address associated with your Kaydency account. We respond within 30 days. For information you uploaded about other people (for example, your contacts), the right exercise typically goes through the customer who controls that workspace; we will route requests accordingly.
13Security
We protect your information with TLS in transit, AES-256 encryption at rest for OAuth tokens, database encryption at rest provided by Neon, least-privilege access for our engineers, and Clerk-managed credentials (we never see your password). No system is perfectly secure; if we become aware of a breach that affects your personal information we will notify you as required by applicable law.
14Children
Kaydency is a business product and is not directed to children under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided personal information to us, please contact privacy@kaydency.app and we will delete it.
15Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of the page. For material changes — for example a new sub-processor that materially expands what data is shared — we will give additional notice inside Kaydency or by email to the address on file before the change takes effect.
16Contact us
KeyEase Inc.
Vancouver, British Columbia, Canada
Privacy and data-rights requests: privacy@kaydency.app
General legal: legal@kaydency.app