Legal

Kifas Privacy Policy

Effective Date: 22 May 2026 | Last Updated: 22 May 2026

This Privacy Policy describes how Kifas Labs Ltd ("Kifas," "we," "us") collects, uses, discloses, and protects personal data in connection with kifas.io and the Services. Capitalized terms not defined here have the meanings in the Terms of Service.

GEOGRAPHIC SCOPE. The Services are not offered to residents of the European Union, the European Economic Area, the United Kingdom, or Switzerland. References below to specific U.S. state laws, the Israeli Privacy Protection Law, and similar regimes apply where the relevant law applies on its terms. Users in jurisdictions not specifically named have equivalent rights to the extent required by mandatory local law.

1. Who We Are; Contact

The controller of personal data described in this Privacy Policy is Kifas Labs Ltd, registered office Shikma 2, Dvira 8533000, Israel, Israeli Company Number 517267134, a private company limited by shares under the Companies Law, 5759-1999. For all privacy questions, requests, and exercise of rights, contact: legal@kifas.io. Where Kifas processes personal data on behalf of an Enterprise or other customer acting as a controller, Kifas acts as a processor and the DPA at kifas.io/dpa governs.

2. Personal Data We Collect

(a) Account and billing data: name, business email, password (hashed), company name and role, billing address, payment method tokens (we do not store full card numbers; payments are processed by Paddle, Stripe, or other PCI-DSS-certified processors), VAT/tax IDs, and similar.

(b) Usage and technical data: IP address, device and browser identifiers, operating system, timestamps, pages and features used, log files, performance and error data, session recordings (for Kifas-internal sessions only, i.e., recordings of how you use kifas.io itself; we do not record sessions of your test targets except as expressly described in the DPA Annex), referrer/UTM data. We do not deploy third-party session-replay or full-keystroke-capture tools on kifas.io.

(c) Customer Content as defined in the Terms (test scripts, browser session content captured by Kifas during your tests, screenshots, video, logs, prompts, AI outputs, Published Workflows).

(d) Communications: emails, support tickets, calls, chat messages.

(e) Cookies, pixels, and similar technologies (see the Cookie Policy at kifas.io/cookies).

(f) Information from third parties: identity providers (e.g., Google, Microsoft, GitHub) if you sign in via SSO; analytics providers; security and fraud-prevention services; publicly available business directories; payment processors (Paddle, Stripe) for transaction data and chargeback signals.

Biometric data. Kifas does not knowingly collect biometric identifiers as defined by the Illinois Biometric Information Privacy Act (740 ILCS 14/), the Texas Capture or Use of Biometric Identifier Act (Bus. & Com. Code § 503.001), the Washington Biometric Identifiers Act, or similar laws.

3. How We Use Personal Data

We use personal data to: (i) provide, operate, secure, and maintain the Services; (ii) authenticate users and prevent fraud and abuse; (iii) bill, invoice, and collect payment (including through merchant-of-record arrangements with Paddle); (iv) communicate with you about service, security, billing, support, product updates, and, where permitted by law, marketing (you may opt out of marketing at any time); (v) enforce our Terms and policies, defend legal claims, and comply with law; (vi) compute aggregate and de-identified analytics to understand and improve the Services; (vii) train, fine-tune, evaluate, and improve AI models, subject to the tier-specific rules in Section 11 of the Terms (Free Trial: yes; PAYG/Pro: opt-out default; Enterprise: contractually never).

4. AI Training: Tier-Specific (Summary)

  • Free Trial: Kifas uses your data for AI training. Disclosed at signup.
  • PAYG / Pro: Opt-out default; toggle in Account → Settings → AI Training. Personal data removed or pseudonymized before use. Opt-out honored within 30 days going forward; not retroactive.
  • Enterprise: Kifas does not use Enterprise Customer Content for AI training. Contractually guaranteed.

Aggregate and de-identified analytics used to operate, secure, and debug the Services are always permitted across all tiers.

5. Disclosure of Personal Data

We disclose personal data to: (a) subprocessors (hosting, payment processing including Paddle and Stripe, email and notification providers, customer-support tools, analytics, security/fraud-prevention, error-reporting; current list at kifas.io/subprocessors); (b) professional advisors (lawyers, accountants, auditors) under confidentiality; (c) authorities when legally required (court orders, subpoenas, government requests, national-security demands, where lawful); (d) business transfers (merger, acquisition, financing, sale, restructuring, bankruptcy); and (e) with your consent or at your direction. We do not sell personal data for monetary or other valuable consideration as those terms are defined under the California Consumer Privacy Act, and we do not "share" personal data for cross-context behavioral advertising. If we ever begin to do so, we will update this Privacy Policy and provide the "Do Not Sell or Share My Personal Information" mechanism required by Cal. Civ. Code § 1798.135.

Important note on B2B and employment data under CCPA/CPRA: The temporary CCPA exemptions for business-contact information and employment-related personal information under AB 1355 expired on January 1, 2023, and business-to-business and employment data have been fully in CCPA/CPRA scope since that date. We treat business-contact data of California residents as fully covered personal information.

6. International Data Transfers

Kifas is established in Israel; our hosting is provided primarily through Amazon Web Services in the United States. Personal data is transferred between Israel and the United States in the ordinary course of providing the Services. Because we do not offer the Services to residents of the EU/EEA, UK, or Switzerland, we do not implement Standard Contractual Clauses or rely on the EU-U.S. Data Privacy Framework. Customers in other jurisdictions consent to the international transfer of their personal data to the United States and Israel by using the Services.

7. Data Retention

We retain personal data for as long as necessary to provide the Services, comply with legal obligations (e.g., tax, accounting, anti-money-laundering), resolve disputes, and enforce our agreements. By default: (a) Account data is retained while your Account is active and for up to ninety (90) days after closure; (b) billing records are retained for seven (7) years (consistent with U.S. and Israeli tax-record retention obligations); (c) Customer Content for Free Trial Accounts is retained for up to fourteen (14) days after trial expiration; (d) Customer Content for paid Accounts is retained while the Account is active and for thirty (30) days after termination, then deleted or de-identified; (e) Published Workflows are removed within ninety (90) days of Account termination per Section 12 of the Terms; (f) Enterprise retention is governed by the Order Form / MSA. Aggregate or de-identified data may be retained indefinitely.

8. Your Rights

Depending on your jurisdiction, you may have rights including: access, correction, deletion, restriction, objection, portability, withdrawal of consent, opting out of automated decision-making, opting out of sale or sharing of personal information, and limiting use of sensitive personal information. To exercise rights, email legal@kifas.io with proof of identity. We will respond within the time required by applicable law (typically 30-45 days). We will not discriminate against you for exercising your rights.

For California residents (CCPA/CPRA): rights to know, access, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information; the categories of personal information collected, sources, purposes, and recipients are described above; business-contact and employment data of California residents are in full scope (the AB 1355 exemption having expired on January 1, 2023).

For residents of other U.S. states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Delaware, Iowa, New Jersey, Tennessee, Montana, etc.): equivalent rights apply. The Texas Data Privacy and Security Act took effect July 1, 2024.

For Israeli residents: rights under the Privacy Protection Law, 5741-1981, as amended by Amendment No. 13, 5784-2024 (passed by the Knesset on 5 August 2024 and entered into force on 14 August 2025), apply, including the expanded rights of access, correction, and deletion, and the expanded transparency obligations under Section 11 of the PPL. Complaints may be filed with the Privacy Protection Authority (Israeli Privacy Protection Authority, רשות הגנת הפרטיות).

For Canadian residents: rights under PIPEDA and Quebec's Law 25 (where applicable) apply.

For Australian residents: rights under the Privacy Act 1988 (Cth) apply.

For residents elsewhere: equivalent rights apply to the extent required by mandatory local law.

9. Automated Decision-Making

Kifas may use automated systems (including AI-based systems) to detect fraud, abuse, suspicious access patterns, AUP violations, and similar security-relevant signals, and to suspend or terminate Accounts based on such detection. You may request human review of any such automated decision by emailing legal@kifas.io. We do not use solely-automated decision-making with legal or similarly significant effects for individual users in employment, credit, housing, insurance, or similar regulated contexts.

10. Security

We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent), role-based access controls with multi-factor authentication for administrative access, secure software development, vulnerability and patch management, logging, monitoring, periodic risk assessments and penetration tests, and a documented incident-response plan. No system is impervious; you are responsible for safeguarding your credentials and endpoints. We comply with the Israeli Privacy Protection Regulations (Data Security), 5777-2017.

11. Data Breach Notification

If we become aware of a security incident that compromises personal data, we will notify affected parties as required by applicable law, including: (a) Israeli Privacy Protection Regulations (Data Security), 5777-2017, Regulation 11(d)(1): immediate notice to the Privacy Protection Authority of a "Severe Security Incident" (אירוע אבטחה חמור) and a follow-up report on the steps taken; under Amendment 13 the PPA's authority to direct notice to affected data subjects has been expanded; (b) U.S. state breach-notice laws (e.g., Cal. Civ. Code § 1798.82, N.Y. Gen. Bus. Law § 899-aa, Tex. Bus. & Com. Code § 521.053, and analogous statutes in all U.S. states) according to their statutory timing.

12. Children

The Services are not directed to and are not intended for anyone under eighteen (18) years of age. We do not knowingly collect personal data from anyone under 18. If you believe we have, contact legal@kifas.io and we will delete it.

13. Cookies

See the Kifas Cookie Policy at kifas.io/cookies.

14. Changes

We will notify you of material changes by email and in-app notice at least thirty (30) days in advance (or immediately for legal or security reasons), as described in the Terms.

15. Privacy Contact

All privacy inquiries and data-subject requests should be sent to legal@kifas.io. As of the Effective Date, Kifas has assessed its scale and processing activities and has determined that it does not meet the statutory criteria for a mandatory Privacy Protection Officer (PPO) appointment under Section 17B1 of the Israeli Privacy Protection Law (e.g., we are not a public body, data broker with more than 10,000 records, large-scale systematic monitor, or a bank, insurer, hospital, or HMO processing Information of Special Sensitivity at scale). We will reassess this position as our scale and processing change.