Privacy Policy
Last updated: May 5, 2026 — governed by LGPD (Lei 13.709/2020)
1. Who We Are
Kaion Studios is a brand identity and AI platform company incorporated in Brazil. We operate the kaionstudios.com platform, which includes services for identity calibration (Attunement), AI-assisted workspace (Echo), and brand diagnostics (Reverb).
For purposes of Lei Geral de Proteção de Dados Pessoais (LGPD — Lei 13.709/2020), Kaion Studios acts as the data controller for all personal data collected through this platform.
Data controller contact: sam@kaionstudios.com
We have not formally appointed a Data Protection Officer (Encarregado) as defined under LGPD Art. 41. Until one is designated, all data-related inquiries and rights requests are handled directly by the controller at the address above.
2. Scope
This policy governs all personal data processed by Kaion Studios in connection with:
— The kaionstudios.com website and all subpages
— The authenticated platform (Field, Attunement, Echo)
— The Reverb diagnostic page and waitlist
— Any API surface operated by Kaion Studios
This policy is written in accordance with LGPD (Lei 13.709/2020) and applies to all data subjects whose data we process, regardless of location.
3. Data We Collect and Why
3.1 Account Data
Data collected: Full name, email address, authentication credentials (password hash or OAuth token via third-party provider).
Purpose: To create and manage your account, authenticate sessions, and enable access to platform features.
Legal basis: Performance of a contract (LGPD Art. 7, II) — this data is necessary to provide the service you have requested.
Retention: Account data is retained for the duration of your active account. Upon deletion request, account data is purged within 30 days, except where retention is required by applicable law.
3.2 Attunement Session Content
Data collected: Multi-turn AI conversation transcripts, responses to identity calibration questions, uploaded documents (text files, PDFs), submitted URLs and the content fetched from those URLs, and synthesized seed data derived from the above.
Purpose: To calibrate your identity model within the platform, generate your parametric identity seed, and provide contextually relevant AI outputs during your session and beyond.
Legal basis: Performance of a contract (LGPD Art. 7, II) — this processing is the core function of the Attunement service. Where you submit sensitive or voluntarily disclosed personal information beyond what is strictly necessary, that processing rests on your explicit consent (LGPD Art. 7, I).
Retention: Attunement transcripts and submitted content are retained for as long as your account is active. You may request deletion at any time. Derived seed data (non-identifiable identity parameters) may be retained in anonymized form for platform improvement after account deletion.
3.3 Echo Session Content
Data collected: AI chat transcripts, session summaries, session titles, and any content you introduce during Echo workspace sessions.
Purpose: To provide continuity across sessions, surface relevant context in future interactions, and generate session summaries for your review.
Legal basis: Performance of a contract (LGPD Art. 7, II).
Retention: Echo session data is retained for the duration of your active account. You may delete individual sessions at any time through your account settings.
3.4 Behavioral and Identity Signal Data
Data collected: Drift scores, axis signal values, and provocation response patterns — all derived computationally from your Attunement and Echo session content. No additional behavioral data is collected independently.
Purpose: To maintain an accurate and evolving model of your creative and strategic identity within the platform, and to surface relevant insights over time.
Legal basis: Legitimate interest (LGPD Art. 7, IX) — the derivation of these signals is the fundamental mechanism by which the platform functions. We have assessed that this interest is not overridden by your rights, given that the data is derived exclusively from content you actively provide within a session context, and is not used for advertising, scoring, or decisions with external consequences.
Retention: Retained for the duration of your active account. Deleted within 30 days of account deletion.
3.5 Waitlist Emails
Data collected: Email address submitted via the /reverb waitlist form.
Purpose: To notify you when waitlist access becomes available and to communicate relevant product updates.
Legal basis: Consent (LGPD Art. 7, I) — you voluntarily provide your email for this specific purpose. You may withdraw consent and request removal from the waitlist at any time by emailing sam@kaionstudios.com.
Retention: Retained until you request removal or until the waitlist program concludes, whichever comes first.
3.6 Scraped URL Content
Data collected: Text content fetched from URLs you submit during Attunement sessions.
Purpose: To incorporate external reference material into your identity calibration process, as directed by you.
Legal basis: Performance of a contract (LGPD Art. 7, II) and consent (LGPD Art. 7, I) — you explicitly submit these URLs for processing. We do not fetch URLs autonomously or without your direct instruction.
Retention: Treated as part of your Attunement session content. See Section 3.2.
3.7 Cookies and Session Data
Data collected: Session cookies set by Supabase Auth to maintain your authenticated state across requests. No third-party advertising cookies are currently deployed.
Purpose: Authentication and session management exclusively.
Legal basis: Legitimate interest (LGPD Art. 7, IX) — session cookies are technically necessary for the platform to function. We do not use cookies for tracking, profiling, or advertising.
Future analytics: If we introduce analytics tooling in the future, we will update this policy and implement appropriate consent mechanisms prior to deployment.
Retention: Session cookies expire when you log out or after a period of inactivity as configured by Supabase Auth.
3.8 Server-Side Logs
Data collected: Standard server-side request logs, which may include IP addresses, timestamps, request paths, and response codes.
Purpose: Security monitoring, error diagnosis, and platform stability.
Legal basis: Legitimate interest (LGPD Art. 7, IX) — server logging is a standard operational requirement for maintaining a secure and functional service.
Retention: Logs are retained for a maximum of 90 days and then purged.
4. AI Processing Disclosure
Kaion Studios uses the Google Gemini API (operated by Google LLC) to process natural language inputs during Attunement and Echo sessions. This means that content you submit — including conversation text, uploaded documents, and URL-fetched content — is transmitted to Google's infrastructure for AI inference.
Google Gemini API is accessed under a commercial API agreement. Google's data processing terms for the Gemini API govern how Google handles this data on our behalf.
By using Attunement and Echo, you acknowledge that your session content will be processed by Google Gemini as part of providing the service.
We do not instruct Google to use your data for model training. Under the terms of the Google Gemini API (as distinct from consumer products), submitted data is not used to train Google's models by default.
5. International Data Transfers
Your personal data is processed and stored outside Brazil. The following transfers occur in the course of normal platform operation:
Vercel (United States) — Our application is hosted on Vercel's infrastructure, which operates primarily on servers in the United States. Vercel maintains data processing agreements and security certifications including SOC 2 Type II.
Supabase (Amazon Web Services — United States and/or European Union) — Our primary database and authentication layer runs on Supabase, built on AWS infrastructure. Depending on region configuration, your data may be stored on AWS servers in the United States or the European Union.
Google LLC (United States) — Session content submitted during Attunement and Echo is processed by the Google Gemini API, operated by Google LLC in the United States.
Echo Central VPS (European Union — Netherlands) — Our proprietary retrieval-augmented generation system and vector store operate on a dedicated server located in the Netherlands, within the European Union.
These transfers are conducted under LGPD Art. 33 on the following grounds: where the destination country provides an adequate level of data protection as recognized by the ANPD; where the transfer is necessary for the performance of a contract (LGPD Art. 33, V); or where the transfer is made with your specific consent (LGPD Art. 33, I).
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data.
We share data only with the following categories of recipients, and only to the extent necessary:
Service providers and processors: Vercel (hosting), Supabase (database and auth), Google LLC (AI inference). Each operates under a data processing or service agreement.
Legal requirements: We may disclose personal data to courts, government authorities, or regulators where required by applicable law or a valid legal order, and only to the extent required.
We do not share your data with advertising networks, data brokers, or analytics companies.
7. Your Rights Under LGPD
As a data subject under LGPD Art. 18, you have the following rights:
Right of access (Art. 18, I–II): You may request confirmation that we process your personal data and obtain a copy of the data we hold about you.
Right to correction (Art. 18, III): You may request correction of inaccurate, incomplete, or outdated personal data.
Right to deletion (Art. 18, VI): You may request deletion of personal data processed with your consent. Where data is processed on other legal bases, deletion may be limited to the extent permitted by those bases.
Right to portability (Art. 18, V): You may request a copy of your personal data in a structured, commonly used, machine-readable format, to the extent technically feasible.
Right to information about sharing (Art. 18, VII): You may request information about which public and private entities we share your data with.
Right to revoke consent (Art. 18, IX): Where processing is based on your consent, you may revoke it at any time without affecting the lawfulness of prior processing.
Right to object (Art. 18, II): You may object to processing carried out on the basis of legitimate interest where you have grounds relating to your particular situation.
Right to review automated decisions (Art. 20): You may request review of decisions made solely by automated means that affect your interests. The platform's identity model and drift scores personalize your experience and are not used to make consequential decisions in legal, employment, financial, or similar contexts.
To exercise any of these rights, send a written request to sam@kaionstudios.com. We will acknowledge receipt within 5 business days and respond substantively within 15 business days as required by LGPD Art. 18, §5. We may request identity verification before processing your request.
8. Data Security
We implement technical and organizational measures appropriate to the sensitivity of the data we process. These include:
— Encrypted connections (TLS/HTTPS) across all platform surfaces
— Authentication managed through Supabase Auth, with bcrypt password hashing and support for OAuth providers
— Access controls limiting platform data to authenticated users and authorized personnel
— Server-side logging for anomaly detection and incident response
— Contractual security obligations with all third-party processors
In the event of a security incident affecting your personal data, we will notify affected data subjects and, where required by law, the ANPD within the timeframes prescribed by applicable regulation.
9. Children
The Kaion Studios platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data through our platform, contact us at sam@kaionstudios.com and we will promptly review and delete the data.
10. Data Retention Summary
| Data Category | Retention Period |
|---|---|
| Account data | Duration of active account + 30 days post-deletion |
| Attunement transcripts and content | Duration of active account |
| Echo session content | Duration of active account (deletable per session) |
| Derived identity signals | Duration of active account + 30 days post-deletion |
| Waitlist emails | Until removal request or program conclusion |
| Server-side logs | 90 days |
| Session cookies | Session duration or logout |
Where retention is extended by legal obligation, we will retain only what the applicable law requires and for no longer than required.
11. Changes to This Policy
We may update this policy as our platform evolves or as legal requirements change. When we do, we will update the "Last updated" date at the top of this document. Where changes are material, we will notify you by email or through an in-platform notice before the changes take effect.
Continued use of the platform after notice of changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may request deletion of your account before they take effect.
12. Contact
All data-related inquiries, rights requests, and complaints should be directed to:
Kaion Studios — Data Controller
Email: sam@kaionstudios.com
Website: kaionstudios.com
If you believe your rights have not been adequately addressed, you may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.