Privacy Policy
Oct 25, 2025
At Kaigen.inc ("Kaigen Labs," "we," "our," or "us"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our voice AI automation services, website (kaigenlabs.com), and related platforms (collectively, the "Services").
By accessing or using our Services, you agree to the terms outlined in this Privacy Policy. If you do not agree with these terms, please do not use our Services.
This Privacy Policy should be read in conjunction with our Terms of Service and any applicable Data Processing Agreement (DPA). For enterprise clients requiring a DPA, please contact support@kaigenlabs.com.
1. About Kaigen Labs
Kaigen.inc is a Delaware corporation with its principal place of business at:
Kaigen.inc
208 RiverCrest Drive
Phoenixville, PA 19460
United States
For privacy-related inquiries, please contact us at: support@kaigenlabs.com
2. Information We Collect
We collect several types of information to provide and improve our Services:
a. Information You Provide Directly
Account Information: Name, email address, company name, phone number, billing address, and payment details
Business Information: Details about your business processes, workflow requirements, and automation objectives shared during consultations
Communications: Messages, support requests, and feedback you send to us
Integration Data: Credentials and configuration data necessary to integrate with your CRM, calendar, helpdesk, and other third-party tools
b. Voice AI and Call Data
Voice Recordings: Audio recordings of calls made through our voice AI systems (inbound and outbound)
Voice Biometric Data: Voice characteristics and patterns that may constitute biometric identifiers under applicable law (see Section 4B)
Call Transcripts: Text transcriptions of voice interactions
Caller Information: Phone numbers, names, and any information provided during voice interactions
Call Metadata: Call duration, timestamps, outcomes (booked, qualified, transferred, etc.), and routing information
Multi-Channel Data: Messages and interactions via WhatsApp, SMS, and email conducted through our platform
c. Automatically Collected Information
Usage Data: Pages visited, features used, time spent, clicks, and interaction patterns on our website and dashboard
Device Information: IP address, browser type, operating system, device identifiers, and network information
Analytics Data: Performance metrics, conversion rates, answer rates, average handle time (AHT), and other operational statistics
Cookies and Tracking: Information collected through cookies, web beacons, and similar technologies (see Section 9)
3. How We Use Your Information
We use the collected information for the following purposes:
Service Delivery: To provide, operate, and maintain our voice AI automation services, including inbound receptionist, outbound calling, multi-channel automation, and workflow integrations
Consultation and Implementation: To understand your business needs, design custom solutions, and implement AI-powered automation systems
Dashboard and Analytics: To provide you with real-time dashboards showing call minutes, costs, bookings, qualification rates, CSAT scores, and other metrics
System Integration: To connect your CRM (HubSpot, Salesforce, etc.), calendars, helpdesk systems, and other third-party tools with our platform
Improvement and Optimization: To monitor, analyze, and improve the performance, reliability, and user experience of our Services (without using your data to train AI models—see Section 4D)
Customer Support: To respond to your inquiries, provide technical support, and resolve issues
Communication: To send you service updates, maintenance notifications, security alerts, and administrative messages
Billing and Payment: To process payments, manage subscriptions, and maintain billing records
Security and Fraud Prevention: To detect, prevent, and address security incidents, fraud, and illegal activity
Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests, including TCPA, BIPA, GDPR, CCPA, and other privacy laws
4. Voice AI Data Processing and Ownership
4A. TCPA Compliance and Call Recording
Telephone Consumer Protection Act (TCPA) Compliance:
Our voice AI services comply with the Telephone Consumer Protection Act (TCPA) and related federal and state telecommunications regulations. By using our Services for outbound calling:
Marketing Calls Require Prior Express Written Consent: We do not initiate marketing or promotional calls on your behalf without prior express written consent from recipients, as required by TCPA
Do Not Call (DNC) Registry Compliance: You are responsible for maintaining compliance with the National Do Not Call Registry and any applicable state DNC lists. Our platform supports DNC suppression features that you must configure appropriately
Automatic Telephone Dialing Systems (ATDS): Our Services may utilize automated dialing technology. You must obtain proper consent before using our automated calling features to contact individuals
Voicemail Drop Technology: Our platform includes voicemail detection and drop capabilities. Use of these features must comply with TCPA regulations
Client Responsibility: You are ultimately responsible for ensuring your use of our voice AI services complies with TCPA and all applicable telemarketing laws
Call Recording Consent and Notification:
We record voice calls processed through our Services for quality assurance, training, analytics, and service delivery purposes. Important disclosures:
One-Party vs. Two-Party Consent States: Call recording laws vary by state. In "one-party consent" states, only one party to the conversation must consent to recording. In "two-party consent" (or "all-party consent") states, all parties must consent. Two-party consent states include: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington
Pre-Call Notification: Our voice AI systems provide verbal notification at the beginning of calls that the conversation may be recorded. This serves as constructive consent in one-party consent jurisdictions
Affirmative Consent: In two-party consent states and for heightened compliance, callers are prompted to provide affirmative consent to recording or are given the option to opt out before the conversation proceeds
Opt-Out Mechanism: Callers may request that recording stop at any time during the call. In such cases, the call may be transferred to a human representative or terminated, depending on your configuration
Configuration Responsibility: You are responsible for configuring appropriate recording consent mechanisms based on the jurisdictions in which you operate and the jurisdictions of the individuals you contact
4B. Biometric Privacy and Voice Data
Biometric Identifiers—Voice Prints:
Under certain state laws, voice recordings and voiceprints may be considered "biometric identifiers" or "biometric information." This section addresses compliance with biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act, and Washington biometric privacy law.
Collection of Voice Biometrics: Our Services collect and process voice recordings that may include unique voice characteristics, patterns, pitch, tone, and other biometric features. These voice characteristics may constitute biometric identifiers under applicable law
Purpose of Collection: We collect voice biometric data for the following purposes: (1) to enable voice AI interactions and conversations; (2) to generate call transcripts and summaries; (3) to improve call routing and quality; (4) to provide analytics and quality assurance; and (5) to comply with your business requirements and service configuration
Written Notice and Consent (BIPA Compliance): Before collecting biometric identifiers from Illinois residents or when otherwise required by law, we or you (depending on configuration) will: (a) inform the individual in writing that biometric identifiers are being collected or stored; (b) inform the individual in writing of the specific purpose and length of time for which biometric identifiers are being collected, stored, and used; and (c) receive a written release from the individual (or employ legally valid constructive consent mechanisms)
Retention Schedule: Voice recordings containing biometric data are retained according to the schedule specified in Section 7A. Unless otherwise agreed in writing with you (our client), voice biometric data is retained for a maximum of 90 days or until the purpose for collection is satisfied, whichever comes first
Permanent Destruction: Upon expiration of the retention period or upon your request, voice biometric data will be permanently destroyed in a manner that renders it unrecoverable
No Sale or Disclosure: We do not sell, lease, trade, or otherwise profit from voice biometric identifiers. We do not disclose voice biometric data to third parties except: (a) as directed by you for service integrations; (b) to subprocessors necessary for service delivery (under strict confidentiality and data protection obligations); or (c) as required by law
Security of Biometric Data: We store, transmit, and protect voice biometric data using industry-standard security measures that are the same as or more protective than those used for other confidential and sensitive information (see Section 7B)
Client Responsibility for Biometric Consent: If you configure our Services to collect voice biometric data from individuals, you are responsible for obtaining all required consents and providing all required notices under applicable biometric privacy laws
4C. Client Data Ownership
You retain full ownership and all intellectual property rights to the data you input into our Services, including voice recordings, call transcripts, business information, and customer data. We process this data solely as your service provider to deliver the Services you have contracted. This is a data processing relationship, and you are the data controller (or "business" under CCPA) while we act as the data processor (or "service provider" under CCPA).
4D. AI Model Training—We Do Not Use Your Data
We do NOT use your data to train AI models. Your voice recordings, call transcripts, customer interactions, and business data are strictly isolated and never used to train, improve, or develop our AI models or any third-party AI systems. Each client's data remains confidential and separate. We may use aggregated, anonymized, and de-identified data (that cannot reasonably be used to identify individuals or your business) for internal analytics and service improvement, but such data does not constitute personal information.
4E. Consent Mechanisms and Withdrawal
Pre-Call Consent: For outbound calls, consent is obtained through your existing relationship with call recipients or through consent mechanisms you implement (e.g., opt-in forms, prior express written consent)
During-Call Consent: Our voice AI systems provide notice and, where required, obtain affirmative consent for recording and data processing at the start of each call
Inbound Call Consent: Individuals who call phone numbers associated with our Services are notified that calls may be recorded and handled by AI systems
Withdrawal of Consent: Individuals may withdraw consent for data processing at any time by: (a) requesting during a call that recording stop; (b) opting out via provided mechanisms (e.g., "press 1 to opt-out"); (c) contacting us directly at support@kaigenlabs.com; or (d) submitting a deletion request under Section 8. Withdrawal of consent does not require account deletion and will not result in discriminatory treatment
Granular Consent: Where feasible and required by law, we support granular consent mechanisms that allow individuals to consent to specific processing activities separately
4F. Regulated Data (HIPAA, PCI DSS, GLBA)
HIPAA Compliance: Kaigen Labs is not a healthcare provider and does not provide healthcare services. However, if you use our Services to process Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), we may act as a Business Associate. In such cases, a separate Business Associate Agreement (BAA) must be executed before processing PHI. Please contact support@kaigenlabs.com to request a BAA. Do not use our Services to process PHI without a signed BAA in place.
PCI DSS Compliance: Our Services are not designed or intended to process payment card information (credit card numbers, CVV codes, etc.) via voice calls. We strongly recommend that you do not configure our voice AI systems to collect payment card details. If payment collection is necessary, calls should be transferred to human agents or secure payment processing systems that comply with Payment Card Industry Data Security Standard (PCI DSS). Kaigen Labs is not responsible for PCI DSS compliance related to your use of our Services
GLBA Compliance: If you use our Services to process personal financial information subject to the Gramm-Leach-Bliley Act (GLBA), you are responsible for ensuring compliance with GLBA's privacy and security requirements. Please configure appropriate data handling policies and notify us if you process GLBA-regulated data
Client Responsibility for Regulated Data: You must inform us if you intend to process regulated data types (PHI, PCI, GLBA, etc.) through our Services. Failure to obtain appropriate agreements (e.g., BAA) or configure proper safeguards may result in suspension or termination of Services
4G. Data Processing Activities
We process voice and interaction data to:
Execute real-time voice conversations with callers
Generate call transcripts and summaries
Route calls based on intent, language, or other criteria
Create and update records in your CRM and other integrated systems
Provide analytics, reporting, and quality assurance
Comply with your configured workflows and business rules
4H. Sensitive Personal Information (PII) Handling
Our Services support client-configurable policies for handling sensitive personal information such as Social Security numbers, driver's license numbers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, health information, and other regulated data categories. Depending on your configuration:
PII may be automatically redacted or masked from transcripts and logs
Calls involving sensitive data may be escalated to human agents
Specific fields may be excluded from data retention or export
Enhanced encryption and access controls may be applied
We recommend configuring appropriate PII handling policies based on your industry requirements and applicable regulations. Under CCPA/CPRA, you have the right to limit the use and disclosure of your sensitive personal information (see Section 8C).
5. How We Share Your Information
We do not sell your personal information. We have not sold personal information in the preceding 12 months and do not have actual knowledge of selling personal information of individuals under 16 years of age. We may share your information only in the following circumstances:
a. Service Providers and Subprocessors
We engage trusted third-party service providers and subprocessors to help us deliver our Services, including:
Payment Processing: Stripe (for payment and billing services)
Cloud Infrastructure: Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure (for hosting and data storage)
Analytics: Google Analytics, Mixpanel (for website and service analytics)
Communication Tools: Telephony providers, WhatsApp Business API, SMS gateways
CRM and Integrations: As directed by you, we integrate with HubSpot, Salesforce, Intercom, Zendesk, Freshdesk, and other platforms you authorize
These service providers are contractually obligated to protect your data, use it only for the purposes we specify, and comply with applicable data protection laws.
Subprocessor List and Notifications:
We maintain a current list of subprocessors involved in processing personal data. For enterprise clients with Data Processing Agreements (DPAs), we will:
Provide access to the current subprocessor list upon request
Notify you at least 30 days in advance before adding new subprocessors or replacing existing subprocessors
Provide you with the opportunity to object to new subprocessors on reasonable grounds related to data protection
To request the current subprocessor list or to object to a new subprocessor, contact support@kaigenlabs.com.
b. Client-Authorized Integrations
When you authorize integrations with third-party services (CRM systems, calendars, helpdesk platforms), we share relevant data as necessary to fulfill your integration requirements. You control which integrations are enabled and what data is shared. These third-party services have their own privacy policies, and we are not responsible for their data practices.
c. Legal Requirements and Protection
We may disclose your information if required to do so by law or in response to:
Valid legal processes (subpoenas, court orders, warrants)
Enforceable governmental or regulatory requests
Protection of our rights, property, or safety, or that of our users or the public
Detection and prevention of fraud, security incidents, or illegal activity
Enforcement of our Terms of Service or other agreements
d. Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the acquiring entity as part of the transaction. We will notify you via email and/or prominent notice on our website at least 30 days before your information is transferred and becomes subject to a different privacy policy. You will have the opportunity to delete your account and data before the transfer if you do not agree to the new privacy policy.
6. International Data Transfers
Kaigen.inc is based in the United States and operates globally. We process and store data in the United States and may transfer data to other countries where we or our service providers operate, including countries outside the European Economic Area (EEA), United Kingdom, and your country of residence.
If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, please be aware that your information may be transferred to, stored in, and processed in countries that may have different data protection laws than your jurisdiction, including countries that may not provide the same level of data protection as your home country.
We implement appropriate safeguards for international data transfers, including:
Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission for transfers of personal data from the EEA and UK to countries outside those regions
Data Processing Agreements (DPAs): Enterprise clients may request a DPA that includes appropriate cross-border transfer mechanisms
Adequacy Decisions: Where available, we rely on adequacy decisions by the European Commission or UK authorities
Supplementary Measures: We implement organizational and technical security measures to protect data in transit and at rest, including encryption, access controls, and contractual safeguards with subprocessors
For more information about our international data transfer mechanisms or to request a copy of the safeguards we have in place, contact support@kaigenlabs.com.
7. Data Retention and Security
7A. Data Retention
We retain your data for different periods depending on the type of information and applicable agreements:
Default Retention Periods:
Voice Recordings and Transcripts: Unless otherwise specified in your service agreement, voice recordings and transcripts are retained for 90 days from the date of the call. You may configure shorter or longer retention periods based on your business needs, compliance obligations, and contractual agreements. The maximum retention period is 7 years unless required by law
Voice Biometric Data: Voice biometric identifiers (as defined in Section 4B) are retained for the same period as voice recordings, with a maximum of 90 days unless you have a specific contractual agreement for extended retention. Biometric data is permanently destroyed upon expiration of the retention period
Account Information: Retained for the duration of your account plus a reasonable period (typically 90 days) to comply with legal obligations, resolve disputes, and prevent fraud. You may request earlier deletion (see Section 8)
Analytics and Aggregated Data: Aggregated, anonymized, and de-identified data that cannot reasonably identify individuals may be retained indefinitely for analytics, research, and service improvement purposes
Billing Records: Retained as required by tax, accounting, and financial regulations (typically 7 years in the United States)
Security Logs: System logs, access logs, and security event logs are retained for 12 months for security monitoring, incident response, and compliance purposes
Automatic Deletion:
We implement automated data deletion processes to ensure timely removal of personal data upon expiration of applicable retention periods. Voice recordings and biometric data are automatically and permanently deleted according to configured retention schedules unless legal obligations require extended retention.
Data Deletion Requests:
You may request deletion of your data at any time, subject to our legal and contractual obligations (see Section 8). Upon termination of your account, we will delete or anonymize your personal data within 90 days unless retention is required by law, ongoing legal proceedings, or to enforce our agreements.
7B. Security Measures
We implement industry-standard technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction, including:
Technical Security:
Encryption of data in transit using TLS 1.2 or higher (SSL/HTTPS)
Encryption of data at rest using AES-256 or equivalent industry-standard encryption
Encrypted backups with secure key management
Network security controls including firewalls, intrusion detection/prevention systems (IDS/IPS), and DDoS protection
Secure configuration and hardening of systems and applications
Access Controls:
Role-based access control (RBAC) and the principle of least privilege
Multi-factor authentication (MFA) for administrative and privileged access
Strong password requirements and regular password rotation policies
Access logging and monitoring for audit trails
Immediate revocation of access upon employee termination or role change
Organizational Security:
Regular security awareness training for employees and contractors
Confidentiality and non-disclosure agreements (NDAs) with all personnel
Background checks for employees with access to sensitive data
Incident response plan and procedures for data breaches
Business continuity and disaster recovery plans
Testing and Auditing:
Regular security audits and assessments (at least annually)
Vulnerability assessments and penetration testing by third-party security firms
Code reviews and security testing in the development lifecycle
Continuous monitoring and logging of security events
Compliance audits for applicable standards (SOC 2, ISO 27001, as applicable)
Infrastructure Security:
Secure cloud infrastructure with enterprise-grade providers (AWS, Google Cloud, Azure) that maintain certifications including SOC 2 Type II, ISO 27001, and compliance with industry standards
Geographic redundancy and data replication for availability and disaster recovery
Isolated production environments with strict change control procedures
Limitations:
While we strive to protect your information using commercially reasonable security measures that meet or exceed industry standards, no system is 100% secure. No method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your data.
Your Responsibilities:
You are responsible for maintaining the security of your account credentials, including passwords and API keys. Please:
Use strong, unique passwords for your account
Enable multi-factor authentication where available
Do not share your account credentials with others
Notify us immediately at support@kaigenlabs.com if you suspect any unauthorized access to your account or any security breach
7C. Data Breach Notification
In the event of a data breach involving personal information that poses a risk of harm to individuals, we will:
Internal Response: Immediately initiate our incident response procedures to contain, investigate, and remediate the breach
Regulatory Notification: Notify applicable regulatory authorities without undue delay and, where required by law, within 72 hours of becoming aware of the breach (as required by GDPR and other applicable regulations)
Client Notification (B2B): Notify affected business clients (account holders) without unreasonable delay, typically within 72 hours of confirming the breach
Individual Notification: Notify affected individuals (end users, callers) as required by applicable law and as soon as practicable after determining that their personal information was involved in the breach
Notification Content: Breach notifications will include: (a) description of the nature of the breach; (b) categories and approximate number of individuals affected; (c) categories and approximate number of records affected; (d) likely consequences of the breach; (e) measures taken to address the breach and mitigate harm; (f) contact information for further inquiries; and (g) recommendations for individuals to protect themselves
Notification Method: Notifications will be provided via email to the address on file, and/or through prominent notice on our website or dashboard, and/or through direct communication channels as appropriate and required by law
State-Specific Requirements: We will comply with state-specific breach notification laws, including expedited notification timelines where required (e.g., certain states require notification without unreasonable delay or within specific timeframes)
If you believe your personal information has been compromised, please contact us immediately at support@kaigenlabs.com with the subject line "Security Incident."
8. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information. This section describes the rights available to you and how to exercise them.
8A. Rights Under GDPR (EEA Residents)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
Right of Access (Article 15): Request a copy of the personal data we hold about you, including information about how we process it
Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data
Right to Erasure / "Right to be Forgotten" (Article 17): Request deletion of your personal data, subject to certain legal exceptions (e.g., compliance with legal obligations, establishment of legal claims)
Right to Restriction of Processing (Article 18): Request that we limit how we use your data in certain circumstances (e.g., while we verify accuracy or assess your objection to processing)
Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON) and transmit it to another data controller
Right to Object (Article 21): Object to processing of your personal data for certain purposes, including direct marketing, automated decision-making, and processing based on legitimate interests
Right to Withdraw Consent (Article 7): Where processing is based on consent, withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal
Right to Lodge a Complaint (Article 77): File a complaint with your local data protection supervisory authority if you believe we have violated your data protection rights
Automated Decision-Making: Our Services may involve automated decision-making, including AI-driven call routing, qualification scoring, and response generation. You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. If you wish to challenge an automated decision or request human review, please contact us.
8B. Rights Under UK GDPR (UK Residents)
If you are located in the United Kingdom, you have the same rights as described in Section 8A under the UK GDPR, which mirrors the EU GDPR. To exercise your rights or lodge a complaint, you may contact the UK Information Commissioner's Office (ICO) at https://ico.org.uk.
8C. Rights Under U.S. State Privacy Laws
If you are a resident of certain U.S. states, you have rights under state privacy laws. This section consolidates rights under the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and Montana Consumer Data Privacy Act (MTCDPA).
California Residents (CCPA/CPRA):
Right to Know: Request information about the categories and specific pieces of personal information we have collected about you in the preceding 12 months, including: categories of sources; business or commercial purposes for collection; categories of third parties with whom we share personal information; and specific pieces of personal information collected
Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., completing transactions, detecting security incidents, complying with legal obligations)
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. If our practices change, you will have the right to opt out via a "Do Not Sell or Share My Personal Information" link
Right to Limit Use and Disclosure of Sensitive Personal Information: Request that we limit our use and disclosure of sensitive personal information (e.g., precise geolocation, racial/ethnic origin, health data) to purposes necessary to perform services you requested. To exercise this right, contact us at support@kaigenlabs.com
Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights, including denial of services, different prices or rates, or different levels of service quality
Authorized Agent: You may designate an authorized agent to submit requests on your behalf by providing written authorization. We may require verification of the agent's authority
Virginia, Colorado, Connecticut, Utah, and Montana Residents:
Right to Confirm: Confirm whether we are processing your personal data
Right to Access: Access your personal data
Right to Delete: Request deletion of your personal data
Right to Correct: Request correction of inaccuracies in your personal data
Right to Data Portability: Obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format
Right to Opt-Out: Opt out of: (a) targeted advertising; (b) sale of personal data; and (c) profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in these activities. If our practices change, we will provide opt-out mechanisms
Right to Appeal: If we deny your privacy rights request, you have the right to appeal our decision. We will provide appeal instructions in our response to your request
8D. How to Exercise Your Rights
To exercise any of the privacy rights described in this section, please contact us using one of the following methods:
Email: support@kaigenlabs.com
Subject Line: "Privacy Rights Request" or specify the type of request (e.g., "GDPR Access Request," "CCPA Deletion Request")
Mail: Kaigen.inc, Attn: Privacy Team, 208 RiverCrest Drive, Phoenixville, PA 19460, United States
Verification:
To protect your privacy and security, we must verify your identity before fulfilling privacy rights requests. We will request information sufficient to verify that you are the person about whom we collected personal data, such as:
Email address associated with your account
Phone number associated with your account
Recent interaction details (e.g., recent call dates, account activity)
For sensitive requests, we may require additional verification such as government-issued ID (which we will delete after verification)
Response Timeframes:
GDPR/UK GDPR: We will respond within 30 days (extendable by 60 additional days for complex requests)
CCPA/CPRA: We will respond within 45 days (extendable by 45 additional days with notice)
Other State Laws: We will respond within 45 days (extendable as permitted by applicable law)
No Fees:
We do not charge fees to process or respond to verifiable privacy rights requests unless they are excessive, repetitive, or manifestly unfounded. If we determine that a request warrants a fee, we will notify you of the fee and provide a cost estimate before completing your request.
9. Cookies and Tracking Technologies
We use cookies, web beacons, pixels, and similar tracking technologies to enhance your experience, analyze usage patterns, and improve our Services.
Types of Cookies We Use:
Strictly Necessary Cookies: Essential for the website to function properly, including authentication, security, and session management. These cannot be disabled without impacting functionality
Analytics Cookies: Help us understand how visitors use our website and Services (Google Analytics, Mixpanel). These collect information about pages visited, time spent, clicks, and user journeys
Functional Cookies: Remember your preferences and settings (e.g., language preferences, dashboard configurations)
Performance Cookies: Collect information about website performance, loading times, and user interactions to help us optimize the user experience
Third-Party Cookies:
Some cookies are placed by third-party services that appear on our pages, including:
Google Analytics (analytics and usage tracking)
Mixpanel (product analytics)
Stripe (payment processing—only on payment pages)
These third parties have their own privacy policies governing their use of your information.
Cookie Control:
You can control and manage cookies through your browser settings. Most browsers allow you to:
View cookies stored on your device
Delete cookies (individually or all)
Block third-party cookies
Block all cookies (not recommended as it may limit functionality)
Receive notifications when cookies are set
Please note that disabling certain cookies may limit your ability to use some features of our Services, such as staying logged in or saving preferences.
Opt-Out of Analytics:
To opt out of Google Analytics tracking across all websites, install the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
Additional Tracking Opt-Out Resources:
Network Advertising Initiative: www.networkadvertising.org/choices/
Digital Advertising Alliance: www.aboutads.info/choices/
European Interactive Digital Advertising Alliance (EU): www.youronlinechoices.eu/
10. Third-Party Services and Links
Our Services may contain links to third-party websites, applications, or services (such as CRM platforms, calendar systems, helpdesk tools, and other integrations) that are not operated by Kaigen Labs. We are not responsible for the privacy practices, content, or security of these third parties.
When you integrate third-party services with our platform, authorize connections, or follow links to external sites, you will be subject to those third parties' privacy policies and terms of service. The information you provide to third-party services is governed by their privacy policies, not this Privacy Policy.
We encourage you to review the privacy policies of any third-party services you use or visit. We do not control and are not responsible for the data practices of third parties.
Integrated Third-Party Services:
Our platform integrates with various third-party services that you may choose to connect, including but not limited to:
CRM platforms (HubSpot, Salesforce, etc.)
Calendar services (Google Calendar, Microsoft Outlook, etc.)
Helpdesk and customer support platforms (Zendesk, Freshdesk, Intercom, etc.)
Communication platforms (WhatsApp Business, Twilio, etc.)
Other business tools as you configure
When you authorize these integrations, you are permitting us to share data with those services as necessary to provide the integration functionality you requested. You control which integrations are enabled and can revoke access at any time through your dashboard settings.
11. Children's Privacy
Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are under 16, please do not use our Services or provide any information to us.
If you are a parent or guardian and believe that your child under 16 has provided us with personal information, please contact us immediately at support@kaigenlabs.com with the subject line "Child Privacy Concern." We will take steps to investigate and, if confirmed, delete such information from our systems as quickly as possible.
Under the California Consumer Privacy Act (CCPA), we do not sell personal information of individuals we have actual knowledge are under 16 years of age.
12. Do Not Track Signals
Some web browsers include a "Do Not Track" (DNT) feature or setting that signals to websites that you do not want to be tracked across websites you visit. Because there is not yet a common understanding of how to interpret DNT signals or a uniform standard for responding to them, our Services do not currently respond to browser DNT signals.
Instead, you can use a range of other tools to control data collection and use, including:
Cookie controls in your browser settings (Section 9)
Opt-out of analytics tracking (Section 9)
Privacy rights requests (Section 8)
Account settings and dashboard preferences
We will continue to monitor developments in DNT technology and may implement DNT recognition in the future if industry standards are established.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, Services, legal requirements, or for other operational, legal, or regulatory reasons. When we make changes, we will revise the "Effective Date" at the top of this Privacy Policy.
Material Changes:
When we make material changes to this Privacy Policy that significantly affect your rights or how we process your personal information, we will provide prominent notice, including:
Updating the "Effective Date" at the top of this Privacy Policy
Posting a prominent notice on our website homepage and/or dashboard
Sending email notification to the address associated with your account (if you have an account)
For certain significant changes (e.g., changes in data use purposes, new categories of data collected, changes in data sharing practices), we may require your affirmative consent before the changes take effect
Notice Period:
We will provide at least 30 days' advance notice of material changes before they take effect, giving you the opportunity to review the changes and exercise your rights (e.g., object to changes, delete your account) if you do not agree with the updated Privacy Policy.
Review Responsibility:
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our Services after changes become effective constitutes your acceptance of the updated Privacy Policy. If you do not agree with the updated Privacy Policy, you must stop using our Services and may request deletion of your account and data.
14. Contact Us
If you have questions, concerns, comments, or requests regarding this Privacy Policy or our data practices, please contact us:
Kaigen.inc
Privacy Team
208 RiverCrest Drive
Phoenixville, PA 19460
United States
Email: support@kaigenlabs.com
Website: kaigenlabs.com
Privacy Rights Requests: For data subject access requests, deletion requests, or other privacy rights inquiries, please email support@kaigenlabs.com with the subject line "Privacy Rights Request."
Data Protection Officer (DPO) / Privacy Contact: For GDPR-related inquiries, you may contact our privacy team at the email address above.
For EU/EEA Residents:
If you are located in the European Economic Area and have concerns about our data processing that we have not adequately addressed, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA data protection authorities can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
For UK Residents:
If you are located in the United Kingdom, you may contact the UK Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Phone: 0303 123 1113
15. Artificial Intelligence and Emerging Regulations
Kaigen Labs uses artificial intelligence (AI) and machine learning technologies to power our voice automation services. As AI regulations continue to evolve globally, we are committed to responsible AI development and deployment.
EU AI Act Compliance:
Our voice AI systems may be classified as "high-risk AI systems" under the European Union Artificial Intelligence Act (EU AI Act). We are monitoring the implementation of the EU AI Act and will comply with applicable requirements, including:
Risk management systems and ongoing monitoring
Data governance and training data quality assurance
Technical documentation and record-keeping
Transparency obligations and information to users
Human oversight and intervention capabilities
Accuracy, robustness, and cybersecurity measures
Algorithmic Transparency:
Our AI systems use large language models (LLMs), speech recognition, text-to-speech, and natural language processing technologies to:
Understand and respond to voice inputs
Route calls based on intent, language, and context
Qualify leads and extract information from conversations
Generate call summaries and transcripts
Provide recommendations and analytics
Human Oversight:
Our Services include human oversight capabilities:
Warm transfers to human representatives when the AI system is uncertain or when requested by callers
Quality assurance review of AI-generated outputs
Manual review and intervention options for critical decisions
Escalation procedures for complex or sensitive situations
AI Decision-Making:
To the extent our AI systems make automated decisions that may significantly affect individuals (e.g., call routing, qualification scoring, response generation), you have the right to:
Be informed that automated decision-making is taking place
Request information about the logic involved
Challenge automated decisions and request human review
Object to solely automated decision-making where it produces legal or similarly significant effects (under GDPR)
Responsible AI Commitments:
We do not use client data to train our AI models (Section 4D)
We implement fairness testing and bias mitigation strategies
We maintain vendor-agnostic architecture with failover capabilities for reliability
We conduct ongoing monitoring of AI system performance and accuracy
We provide transparency about AI capabilities and limitations to clients
As AI regulations continue to develop in various jurisdictions (including the EU, UK, U.S. states, and other countries), we will update our practices and this Privacy Policy to maintain compliance.
16. Additional Legal Information
Relationship to Terms of Service:
This Privacy Policy is incorporated into and subject to our Terms of Service. Capitalized terms not defined in this Privacy Policy have the meanings given in the Terms of Service. In the event of a conflict between this Privacy Policy and the Terms of Service, the Terms of Service shall govern.
Data Processing Agreements (DPAs):
Enterprise clients and clients subject to GDPR or other data protection regulations may request a Data Processing Agreement (DPA) that includes Standard Contractual Clauses (SCCs) and other data protection terms. To request a DPA, contact support@kaigenlabs.com.
Business Associate Agreements (BAAs):
If you intend to use our Services to process Protected Health Information (PHI) subject to HIPAA, you must execute a Business Associate Agreement (BAA) before processing PHI. To request a BAA, contact support@kaigenlabs.com. Do not use our Services to process PHI without a signed BAA in place.
Limitation of Liability:
Our liability for privacy-related claims is subject to the limitations of liability set forth in our Terms of Service.
Governing Law:
This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law principles. However, data protection rights under GDPR, UK GDPR, CCPA, and other applicable privacy laws shall be governed by those respective laws and regulations.
Severability:
If any provision of this Privacy Policy is found to be invalid or unenforceable by a court of competent jurisdiction, such provision shall be severed, and the remaining provisions shall remain in full force and effect.
Entire Agreement:
This Privacy Policy, together with our Terms of Service and any applicable DPA or BAA, constitutes the entire agreement between you and Kaigen.inc regarding the privacy and security of your personal information and supersedes all prior or contemporaneous communications and proposals regarding such subject matter.
This Privacy Policy was last updated on October 25, 2025.
© 2025 Kaigen.inc. All rights reserved.

