Privacy Policy

Effective date: May 8, 2026

1. Who We Are

Knoq (“we”, “us”, “our”) operates the Knoq AI knowledge agent platform at knoq.one. For questions about this policy, contact our privacy team at privacy@knoq.one.

2. What We Collect

We collect the following categories of data:

  • Account data — name, email address, and organisation membership provided via your identity provider (Google/Vercel OAuth via Stytch B2B).
  • Usage data — query counts, session timestamps, feature usage events, and cost/token metrics. We do not store the content of your queries or the responses from connected tools.
  • OAuth tokens — encrypted access tokens for connected tools (Slack, Notion, GitHub, etc.). Tokens are encrypted with AES-256 using a per-deployment key and are never logged or returned in API responses.
  • Billing data — subscription tier, billing cycle, and payment method metadata. Full payment card data is handled exclusively by Dodo Payments (our Merchant of Record) and is never stored by Knoq.
  • Audit logs — append-only records of administrative actions within your organisation (member changes, settings updates, etc.).
  • Technical data — IP addresses, browser/device type, and request metadata collected by Vercel (our hosting provider) and Sentry (error tracking). See our subprocessors list for all third-party processors.

3. What We Do Not Collect

Knoq is designed with a minimal data footprint. We do not:

  • Store the content of your questions or agent responses
  • Index or cache data from your connected tools (Slack messages, Notion pages, etc.)
  • Use your data to train AI models
  • Sell your data to third parties
  • Track you across other websites

4. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and improve the Service
  • Authenticate users and manage organisation access
  • Process billing and enforce subscription limits
  • Send transactional emails (invites, trial expiry warnings, billing receipts)
  • Monitor service health, debug errors, and prevent abuse
  • Comply with legal obligations

5. Legal Basis (GDPR)

For users in the European Economic Area, our legal bases for processing are:

  • Contract — processing necessary to provide the Service you subscribed to
  • Legitimate interests — security monitoring, fraud prevention, and service improvement
  • Legal obligation — compliance with applicable laws
  • Consent — where we ask for it (e.g. marketing communications)

6. Data Retention

We retain your data for as long as your account is active. After account closure:

  • Account and usage data is deleted within 30 days
  • Encrypted OAuth tokens are deleted immediately on disconnection or account closure
  • Audit logs are retained for 7 years for compliance purposes
  • Billing records are retained as required by applicable tax law (typically 7 years)

7. Data Sharing

We share data only with the subprocessors necessary to operate the Service. We do not sell data. Our current subprocessors are listed at knoq.one/security/subprocessors. We will notify you 30 days before adding a new subprocessor that processes personal data.

8. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data (“right to be forgotten”)
  • Object to or restrict processing
  • Request data portability
  • Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, email privacy@knoq.one. We will respond within 30 days.

9. Cookies and Tracking

Knoq uses session cookies for authentication (Stytch B2B session tokens). We also use Vercel Analytics (privacy-preserving, no cross-site tracking) and Sentry for error monitoring. We do not use advertising cookies or third-party tracking pixels.

You can disable non-essential cookies in your browser settings. Disabling session cookies will prevent you from signing in.

10. Security

We implement industry-standard security measures including TLS 1.3 in transit, AES-256 encryption at rest for sensitive data, and regular penetration testing. See our Security page and Trust Center for details.

11. International Transfers

Knoq is hosted on Vercel infrastructure primarily in the United States. If you are located in the EEA or UK, your data may be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) for such transfers where required.

12. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@knoq.one.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. The effective date at the top of this page reflects the most recent update.

14. Contact

For privacy questions or to exercise your rights: privacy@knoq.one