Privacy Policy
Kentro Privacy Policy
This Privacy Policy (the "Policy") describes how Kentro Inc., a Delaware corporation ("Kentro," "we," "us," or "our"), collects, uses, shares, and protects personal information in connection with the Kentro commerce operations platform, the Kentro 3PL Services, the Kentro Copilot AI Services, and the marketing websites and communications that make up the Kentro services (collectively, the "Services"). This Policy is incorporated by reference into the Kentro Platform Terms of Service (the "Terms"). Capitalized terms used but not defined here have the meanings given to them in the Terms.
1. Scope and Our Role
1.1 Who This Policy Applies To
This Policy applies to (a) authorized users of the Kentro platform, including Tenant administrators, employees, contractors, and other individuals who access the Services under a Tenant's account ("Platform Users"); (b) visitors to Kentro's marketing websites and prospective customers who interact with our sales, support, and community channels ("Visitors"); and (c) individuals who communicate with Kentro Copilot through web chat, voice, telephone, SMS, or email in the course of interacting with a Tenant that has deployed Copilot on those channels.
1.2 Kentro as Controller
Kentro acts as a controller (or, under United States privacy laws, as a business) with respect to personal information about Platform Users and Visitors, including account and contact data, usage and telemetry data, marketing engagement data, and support communications. This Policy describes how Kentro processes that personal information as a controller.
1.3 Kentro as Processor for Tenant Data
Tenants determine the purposes and means of processing the personal information they submit to, generate within, or store on the Services, including personal information relating to their end customers, order recipients, suppliers, and their own personnel (collectively, "Tenant Personal Data"). With respect to Tenant Personal Data, the Tenant is the controller (or, under United States privacy laws, the business), and Kentro is the processor (or, under United States privacy laws, the service provider) acting on the Tenant's documented instructions. The processing of Tenant Personal Data is governed by the Terms and, where applicable, the Kentro Data Processing Addendum (the "DPA"). If you are an end customer or other individual whose personal information a Tenant has submitted to the Services, please contact the applicable Tenant with any questions, requests, or concerns about that data; Kentro will refer such requests to the Tenant.
1.4 Not Directed at Consumers
The Services are business-to-business services intended for use by commercial entities and by adults acting on their behalf. Kentro does not offer consumer-facing accounts to individuals for personal, family, or household purposes.
2. Categories of Personal Information We Collect
Depending on how you interact with the Services, Kentro may collect the following categories of personal information:
2.1 Account and Contact Data
Name, business email address, business phone number, job title, employer or Tenant affiliation, mailing address for the Tenant's business, authentication identifiers (such as user IDs and hashed credentials), profile settings, role and permission assignments, language and locale preferences, and communication preferences.
2.2 Signup and Contract-Acceptance Evidence
To evidence acceptance of the Terms and this Policy, Kentro retains signup metadata and per-user terms-acceptance records, including the accepting individual's identifier, the version of the Terms and this Policy accepted, timestamps at signup and at each subsequent acceptance or re-acceptance, IP address, and user agent (browser, device, and operating system information reported by the client). This information is retained as evidence of the contract that governs the individual's and the Tenant's use of the Services.
2.3 Tenant-Submitted Data Containing End-Customer Personal Information
Order, customer, inventory, product, purchasing, returns, and shipping records that Tenants import into the Services or that are generated within the Services on the Tenant's behalf. These records may contain personal information about a Tenant's end customers and other individuals, including name, shipping and billing address, email address, telephone number, order history, purchase details, payment reference data (such as the last four digits of a payment card or a payment processor token), delivery instructions, customer service notes, and communications with the Tenant's customers. Kentro processes this data as a processor / service provider on the Tenant's instructions and does not use it for its own purposes except as described in Section 5 (AI Processing Disclosure) and Section 4 (How We Use Personal Information) with respect to operating, securing, and supporting the Services.
2.4 Usage and Telemetry Data
Information about how Platform Users and Visitors interact with the Services, including pages viewed, features used, actions taken, session durations, click paths, referring URLs, time zone and locale, device and browser characteristics, screen size, IP address, approximate location derived from IP address, error logs, performance data, and diagnostic and security event logs.
2.5 Support and Communication Data
Content of support tickets, emails, chats, calls, screen-share sessions, and other communications between you and Kentro, including any attachments, transcripts, recordings (where permitted and disclosed at the time of the interaction), and metadata about the interaction.
2.6 AI Conversation Content
Content of interactions with Kentro Copilot, including text prompts, voice input and derived transcripts, SMS and email messages sent to or from Copilot, the context and Tenant records made available to Copilot in order to respond, tool calls and in-account actions initiated at a User's direction, and Copilot outputs. Kentro processes this content as a processor on behalf of the Tenant that deployed Copilot, subject to the AI Processing Disclosure in Section 5.
2.7 Payment and Billing Data
Billing contact details, invoice history, tax identifiers, purchase order references, and tokenized payment method identifiers. Full payment card data is collected directly by our payment processor and is not stored on Kentro systems.
2.8 Marketing and Website Data
Information you provide when you request a demo, subscribe to a newsletter, download a resource, register for an event, or otherwise interact with Kentro marketing channels, together with information collected through cookies and similar technologies described in Section 6.
3. Sources of Personal Information
We collect personal information (a) directly from you when you sign up, log in, use the Services, communicate with us, or interact with our marketing channels; (b) automatically from your device and browser when you use the Services; (c) from the Tenant that provisioned your access (for Platform Users) or from you as directed by the Tenant (for individuals interacting with Copilot on Tenant-deployed channels); (d) from Third-Party Services and integrations that a Tenant connects to the Services; and (e) from service providers and partners that support our sales, marketing, security, and analytics operations.
4. How We Use Personal Information
Kentro uses personal information for the following purposes:
- Providing the Services. Authenticating users; provisioning and configuring Tenant accounts; delivering, hosting, and supporting the Services; processing orders, inventory, fulfillment, and returns workflows on behalf of Tenants; and communicating operational messages about the Services.
- Establishing and evidencing the contract. Retaining signup metadata, IP address, user agent, and per-user acceptance records to evidence contract formation and to comply with Kentro's audit and record-keeping obligations.
- Security, fraud prevention, and abuse detection. Monitoring for unauthorized access, credential compromise, abuse of the Services, spam, malware, and violations of the Acceptable Use Policy; investigating incidents; and enforcing our terms.
- Support. Responding to support requests, troubleshooting, and providing account management.
- Billing. Invoicing, processing payments, calculating usage-based charges, managing prepaid balances, and collecting past due amounts.
- Product operation and improvement. Monitoring system performance, error rates, and usage patterns; testing and validating changes; and improving reliability, usability, and feature quality. Where feasible, Kentro uses de-identified and aggregated data for these purposes.
- Marketing and business development. Communicating with prospective customers, delivering marketing and educational content to Platform Users and Visitors who have opted in or where otherwise permitted by law, measuring the effectiveness of our marketing, and conducting research.
- Legal, compliance, and regulatory purposes. Complying with applicable law, responding to lawful requests from public authorities, defending and pursuing legal claims, and enforcing the Terms.
Where we process personal information about Platform Users and Visitors as a controller, we rely, depending on the context and applicable law, on one or more of the following legal bases: performance of a contract with you or with your Tenant, our legitimate interests (including in operating, securing, and improving the Services and in growing our business), compliance with legal obligations, and your consent.
5. AI Processing Disclosure
Kentro Copilot is delivered in part through third-party AI model providers with which Kentro has entered into commercial agreements ("Model Providers"). To generate responses and to power AI-driven features, Kentro transmits inputs (including prompts, Tenant records made available to Copilot, and communications received on Copilot-enabled channels) and receives outputs from Model Providers. Kentro's commercial agreements with Model Providers prohibit Model Providers from using Tenant inputs or outputs to train models that are made publicly available.
Kentro does not sell personal information. Kentro does not use Tenant Personal Data to train foundational AI models for its own account or for third parties. Kentro may use de-identified and aggregated usage data (such as coarse feature-usage patterns, latency, error rates, and aggregate performance metrics) to operate, monitor, secure, evaluate, and improve the Services, including to improve Copilot's ability to answer common Kentro-domain questions. De-identified and aggregated data is prepared so that it cannot reasonably be used to identify a Tenant, a Platform User, or an individual.
Voice and telephone interactions with Copilot may be recorded and transcribed to the extent necessary to generate a response, to log activity in the Tenant's account, and to comply with applicable law. Where required, the Tenant is responsible for providing notice and obtaining consent from end customers on Copilot-enabled customer-facing channels.
8. Retention
Kentro retains personal information for as long as reasonably necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Retention periods vary by category:
- Account and contact data. For the life of the Tenant's account and for a reasonable period thereafter for audit, tax, and dispute-resolution purposes.
- Signup and contract-acceptance evidence (including IP address, user agent, and per-user acceptance records). For the life of the account and for the applicable statute-of-limitations period thereafter, so that Kentro can evidence contract formation if a dispute arises.
- Tenant Personal Data. As instructed by the Tenant and as further described in the DPA. On termination, Kentro handles Tenant Personal Data in accordance with Section 12 of the Terms and Section 12 of the DPA.
- Usage, telemetry, and security logs. For the periods reasonably necessary to operate, secure, and support the Services, typically no longer than 24 months, subject to shorter or longer periods where required by security or legal considerations.
- Support and communication data. For the period reasonably necessary to service the account and evidence support interactions.
- Billing and tax records. For the periods required by applicable tax, accounting, and record-keeping laws.
- Marketing data. Until you unsubscribe or object, subject to applicable law.
Where Kentro is not required to retain personal information, it will delete it or de-identify it. De-identified and aggregated data may be retained indefinitely for the purposes described in Section 5.
9. Security
Kentro maintains a written information security program with administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of personal information. These safeguards include encryption of data in transit and, for supported data stores, at rest; role-based access controls and the principle of least privilege; tenant isolation within the multi-tenant platform; audit logging of privileged actions; secure software development and change-management practices; vulnerability management; and an incident response program. No security measures are perfect, and Kentro cannot guarantee absolute security. Kentro will notify affected parties of security incidents as required by applicable law and by the Terms and, where applicable, the DPA.
10. International Transfers
Kentro is headquartered in the United States and processes personal information in the United States and in other countries where its service providers operate. Where personal information is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection, Kentro relies on appropriate safeguards for the transfer, including the European Commission's Standard Contractual Clauses ("SCCs") and, where applicable, the United Kingdom's International Data Transfer Addendum to the SCCs. Where required, Kentro conducts transfer risk assessments and implements supplementary measures as appropriate. Copies of the SCCs used in respect of Tenant Personal Data are incorporated into the DPA.
11. United States Privacy Rights (CCPA/CPRA)
This Section 11 supplements the rest of this Policy for individuals whose personal information is subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and to comparable United States state privacy laws (including in Virginia, Colorado, Connecticut, Utah, Texas, and other jurisdictions as those laws come into effect). Where these laws grant rights only to consumers acting in a personal, family, or household context, they may not apply to your use of the Services in a business or employment capacity; Kentro nonetheless provides rights consistent with applicable law.
11.1 Notice at Collection
The categories of personal information Kentro collects, the sources of that information, the business and commercial purposes for which it is collected, and the categories of recipients with which it is shared are described in Sections 2, 3, 4, and 7 of this Policy. Retention periods are described in Section 8.
11.2 No Sale, No Share, No Targeted Advertising
Kentro does not sell personal information for monetary or other valuable consideration, does not share personal information for cross-context behavioral advertising, and does not process personal information for targeted advertising as those terms are defined under applicable United States privacy laws. Because Kentro does not engage in these activities, Kentro does not maintain a separate "Do Not Sell or Share My Personal Information" preference in respect of Platform Users and Tenant Personal Data. This does not apply to personal information a Tenant may separately choose to share with third parties directly, outside of Kentro's control.
11.3 Sensitive Personal Information
Kentro does not use or disclose sensitive personal information for purposes other than those permitted without a right of limitation under applicable United States privacy laws (for example, providing the Services requested, ensuring security and integrity, and other purposes identified by regulation).
11.4 Your Rights
Subject to applicable law and to verification, individuals in the United States may have the right to:
- Know what personal information Kentro has collected, used, disclosed, and (where applicable) sold or shared, including the categories, sources, purposes, and recipients;
- Access or obtain a copy of the specific pieces of personal information Kentro holds about you;
- Correct inaccurate personal information;
- Delete personal information, subject to legal exceptions;
- Opt out of the sale or sharing of personal information (Kentro does not sell or share, as described above);
- Limit the use and disclosure of sensitive personal information (Kentro does not use or disclose sensitive personal information beyond permitted purposes, as described above); and
- Not be subjected to unlawful discrimination for exercising your rights.
11.5 Service-Provider Role
With respect to Tenant Personal Data, Kentro acts as a service provider to the Tenant under the CCPA/CPRA. Kentro processes Tenant Personal Data only on the Tenant's documented instructions and for the business purposes set out in the Terms and the DPA. Requests to know, access, correct, or delete Tenant Personal Data should be directed to the applicable Tenant; Kentro will assist the Tenant in responding to verified requests as required by applicable law.
12. European, UK, and Swiss Privacy Rights (GDPR)
This Section 12 applies to individuals whose personal information is subject to the European Union General Data Protection Regulation, the United Kingdom Data Protection Act 2018 and the UK GDPR, or the Swiss Federal Act on Data Protection (collectively, "European Data Protection Law").
12.1 Your Rights
Subject to European Data Protection Law, you may have the right to:
- Access the personal information Kentro holds about you and obtain a copy;
- Rectify inaccurate or incomplete personal information;
- Erase personal information in certain circumstances (the "right to be forgotten");
- Restrict processing of personal information in certain circumstances;
- Port certain personal information to another controller in a structured, commonly used, machine-readable format;
- Object to processing based on legitimate interests, including direct marketing; and
- Withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of processing before withdrawal.
12.2 Processor Role for Tenant Personal Data
For Tenant Personal Data, Kentro acts as a processor to the Tenant. Requests to exercise data-subject rights in respect of Tenant Personal Data should be directed to the applicable Tenant as controller; Kentro will assist the Tenant in fulfilling verified requests as required by the DPA.
12.3 Complaints
You have the right to lodge a complaint with your local data protection supervisory authority if you believe Kentro has processed your personal information in a manner that does not comply with European Data Protection Law. We would, however, appreciate the opportunity to address your concerns first; please contact us using the details in Section 16.
13. How to Exercise Your Rights
You may submit a privacy request by emailing [email protected] or by using any request channel Kentro makes available in the Services. To protect your privacy, Kentro will verify your identity before responding to a request, using information reasonably necessary given the nature of the request and the sensitivity of the personal information involved. For Platform Users, verification may be conducted through the authenticated session. For other requesters, Kentro may request additional information sufficient to match the requester to the personal information held.
You may designate an authorized agent to make a request on your behalf. Kentro may require the agent to submit proof of authorization and, where applicable, may require you to verify your own identity or confirm that you have provided the agent with permission to act. Kentro will respond to verified requests within the time periods required by applicable law. There is no fee for exercising your rights, unless a request is manifestly unfounded or excessive as permitted by law.
14. Children
The Services are not directed to, and Kentro does not knowingly collect personal information from, individuals under the age of 16. If you believe that a child under 16 has provided personal information to Kentro, please contact us at [email protected] and we will take appropriate steps to delete the information in accordance with applicable law.
15. Changes to This Policy
Kentro may update this Policy from time to time to reflect changes in the Services, in law, in industry practice, or in Kentro's business. Each published version of this Policy is identified by a version number and an effective date, as shown at the top of this document. When Kentro makes material changes, it will provide advance notice through the Services, by email to Tenant administrators, or by other reasonable means, in accordance with Section 16 of the Terms (Modifications to These Terms). Your continued use of the Services after an update takes effect constitutes acceptance of the updated Policy, to the extent permitted by applicable law.
16. Contact
If you have questions, concerns, or requests about this Policy or Kentro's privacy practices, please contact us:
- Privacy inquiries and rights requests: [email protected]
- Legal notices: [email protected]
Kentro Inc. is the entity responsible for the processing of personal information described in this Policy, subject to Section 1.3 for Tenant Personal Data.