Kuzy
previewSign inJoin the preview
◆ legal

Privacy Policy

Overview

Kuzy is a native desktop coding agent operated by [Company name TBD] (Istanbul, Türkiye). We respect your privacy and have built the product so most of your work stays on your machine. This policy explains what we collect when you use our hosted services (account, billing, and the optional gateway), how we use it, and the rights you have.

Short version:we collect the minimum needed to run your account and process payments. We don't train on your code. We don't sell your data. Your local files, sandbox state, and provider keys never leave your Mac or PC unless you explicitly send them through the gateway.

What we collect

Account information

  • Email and display name — required to create an account.
  • Authentication identifiers — when you sign in via OAuth (Google, GitHub, etc.), we receive an opaque user ID and the basic profile fields you authorise.
  • Workspace settings — preferences you save (theme, sandbox defaults, notification options).

Usage of the hosted gateway

  • Task metadata — when a task runs through our gateway, we record start time, end time, model used, token counts, and credit cost.
  • Tool call logs — names and arguments of tool calls made during a hosted task. Source files and full payloads are not persisted unless you opt in to the debug-history feature.
  • Diagnostic events — anonymous error reports if a hosted task crashes (stack trace, no payload).

Billing

  • Stripe holds your card data — we never see or store full card numbers. We receive a tokenised customer ID and the last four digits.
  • Invoices and tax IDs — billing address and any tax registration you provide for VAT/GST invoicing.

What stays local

  • Your repositories, files, and any code you ask Kuzy to read or edit.
  • Your sandbox snapshots, terminal history, and per-project memory.
  • Provider API keys you bring (BYOK mode) — stored in your operating system keychain.
  • Skills you write, drafts, and any unsent work.

How we use it

  • Provide the service — run hosted tasks, route requests to the right model, debit credits.
  • Authenticate — confirm you're you across devices.
  • Bill — process subscription payments and credit top-ups via Stripe.
  • Improve the product — anonymous performance metrics (latency, success rate). No content of your tasks.
  • Communicate — receipts, security alerts, important changes. We do not send marketing email by default.
  • Comply with law — respond to lawful requests, prevent fraud, enforce our Terms.

We do not train any model on your task content, your code, or your prompts.

Sharing & third parties

We share data with a small set of vendors that we depend on to operate the service. Each is bound by a data-processing agreement.

Sub-processors

  • Stripe (payments) — billing data only.
  • Cloud infrastructure provider — encrypted at rest, encrypted in transit.
  • LLM providers (when using hosted Kuzy) — task prompts and tool I/O are sent to the chosen provider for inference. None of them receive your account or billing data.
  • Email delivery — used only for transactional email (receipts, security alerts).
  • Auth provider — handles OAuth flows; receives the OAuth response only.

We don't share data with advertisers, brokers, or analytics networks.

Cookies

The marketing site sets no cookies. The dashboard sets one functional session cookie for authentication. We do not use any analytics or advertising cookies. See the Cookies page for the full table.

Your rights

  • Access — request a copy of the data we hold about you.
  • Correction — fix any inaccurate data.
  • Deletion — close your account and delete all server-side data.
  • Portability — export your account data as JSON.
  • Restriction & objection — limit how we process your data, including for legitimate-interest processing.
  • Complaint — lodge a complaint with your local data-protection authority.

To exercise any of these rights, email [email protected]. We respond within 30 days.

Data retention

  • Account data — kept while your account is active. Deleted within 30 days of account closure.
  • Billing records — retained for 7 years for tax compliance.
  • Task metadata — kept for 90 days, then aggregated and the personal identifiers stripped.
  • Diagnostic events — kept for 30 days.
  • Backups — encrypted backups are pruned on a 35-day rolling window.

Children

Kuzy is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will delete it.

International transfers

Our infrastructure is hosted in the United States and the European Union. Where we transfer personal data across borders, we rely on the EU Standard Contractual Clauses and equivalent safeguards.

Changes

When we make material changes, we'll email account holders at least 30 days before they take effect. The current version is always at this URL with a clear last-updated date. Past versions are kept in our archive on request.

Contact

Questions about this policy or how we handle your data:
[email protected]

For a Data Processing Agreement see /legal/dpa. Turkish data subjects may also see our KVKK Aydınlatma notice.

Data controller: [Company name TBD] · Istanbul, Türkiye · [email protected]