Table of Contents
- 01 Who We Are & Data Controller
- 02 Data We Collect
- 03 Why We Collect It (Legal Bases)
- 04 Chatbot & AI Disclosure
- 05 Cookies & Tracking
- 06 Data Retention
- 07 Third-Party Processors
- 08 International Transfers
- 09 Your Rights — GDPR
- 10 Your Rights — CCPA
- 11 Your Rights — India DPDP
- 12 Do Not Sell My Information
- 13 Marketing Communications
- 14 Children's Privacy
- 15 Security
- 16 Policy Updates
- 17 Contact & Grievance Officer
- 18 Version History
Plain-language summary: We collect your email, name, usage behaviour, and chatbot conversations to run our platform. We do not sell your data. You can request deletion, correction, or export at any time. This policy is governed by Indian law and also complies with GDPR (EU) and CCPA (California).
Who We Are & Data Controller
The KPI Hub ("we", "us", "our") is an intelligence platform providing AI-synthesised SaaS insights, benchmarks, and directory services to professionals. The KPI Hub is operated from Delhi, India.
For the purposes of applicable data protection law, The KPI Hub is the data controller and/or data fiduciary of personal data processed through the website thekpihub.com and its associated services.
Data Controller / Data Fiduciary: The KPI Hub, Delhi, India
Contact: info@thekpihub.com
Data We Collect
We collect personal data in the following categories:
2.1 Data You Provide Directly
- Identity data: first name, last name, professional role, company name
- Contact data: email address
- Account credentials: password (stored as a bcrypt hash; never in plaintext)
- Communication data: messages you send us via contact forms or email
- Waitlist data: email address and any optional fields submitted via our early-access form
2.2 Data We Collect Automatically
- Usage data: pages visited, features accessed, click patterns, session duration, feature flags triggered
- Device & technical data: IP address, browser type and version, operating system, screen resolution, time zone
- Referring URL: the page or source from which you arrived at thekpihub.com
- Log data: server access logs including timestamps, HTTP status codes, and request paths
2.3 Chatbot / AI Conversation Data
- Conversation logs: all text you enter into our AI-powered chatbot or intelligence assistant, including queries, follow-up messages, and session context
- Session metadata: timestamps, session identifiers, and outcome signals (thumbs-up/down ratings)
2.4 Cookie & Tracker Data
We use cookies and similar technologies. See Section 5 and our full Cookie Policy for details.
2.5 Data We Do Not Collect
- Payment card numbers or banking details (we use third-party payment processors)
- Government-issued identification numbers (Aadhaar, PAN, Social Security, passport) unless you voluntarily provide them
- Sensitive personal data such as racial or ethnic origin, health data, or biometric identifiers
Why We Collect It — Legal Bases
We process your personal data only where we have a valid legal basis. The table below maps each processing activity to its purpose and legal basis:
| Processing Activity | Purpose | Legal Basis (GDPR) | DPDP Basis |
|---|---|---|---|
| Account creation & login | Deliver platform services | Contract performance (Art. 6(1)(b)) | Consent / Legitimate use |
| Waitlist registration | Notify you of access | Contract (pre-contractual steps) | Consent |
| Platform analytics | Improve product features | Legitimate interests (Art. 6(1)(f)) | Legitimate use |
| Security & fraud prevention | Protect platform integrity | Legitimate interests (Art. 6(1)(f)) | Legitimate use |
| Marketing emails & newsletters | Inform you of updates | Consent (Art. 6(1)(a)) | Consent |
| Chatbot conversations | Deliver AI responses; improve models | Contract + Legitimate interests | Consent / Legitimate use |
| Legal compliance | Comply with applicable law | Legal obligation (Art. 6(1)(c)) | Legal obligation |
Legitimate Interests Assessment
Where we rely on legitimate interests, we have assessed that our interests (platform security, product improvement) are not overridden by your fundamental rights. You may object to legitimate-interest processing at any time (see Section 9).
Chatbot & AI Disclosure
AI-Powered Feature Notice: Our intelligence assistant and chatbot features are powered by third-party AI systems (including large language models). Conversations you have with these features are processed by AI, not exclusively by a human.
Specifically:
- Text you enter into the chatbot is transmitted to our AI inference provider(s) for processing and response generation.
- Conversation logs may be retained for up to 12 months for quality assurance, safety monitoring, and model fine-tuning, unless you request earlier deletion.
- Our AI features are designed for professional informational purposes only. Do not enter sensitive personal data, confidential business secrets, or financial credentials into the chatbot.
- AI responses may contain errors or inaccuracies. We do not guarantee the accuracy of AI-generated content.
- Conversations are not used to build individual user profiles for advertising.
For a list of third-party AI providers, see Section 7.
Cookies & Tracking Technologies
We use cookies, local storage, and similar technologies to operate our platform, understand usage patterns, and deliver personalised experiences. Categories include:
- Strictly Necessary: Essential for the platform to function (session management, security tokens). Cannot be disabled.
- Functional / Preference: Remember your settings and preferences.
- Analytics / Performance: Understand how users interact with our platform (e.g., Google Analytics).
- Marketing / Targeting: Used to deliver relevant content and measure campaign effectiveness.
For a full list of cookies, duration, providers, and opt-out instructions, see our Cookie Policy.
You may withdraw consent for non-essential cookies at any time by clicking "Cookie Settings" in the footer or clearing your browser cookies.
Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & profile data | Duration of account + 2 years post-closure | Contract; legal obligation |
| Waitlist registrations | Until launch or 2 years, whichever is earlier | Consent |
| Usage & analytics data | 26 months (Google Analytics default) | Legitimate interests |
| Chatbot conversation logs | 12 months from session date | Contract; legitimate interests |
| Marketing consent records | 5 years from consent or withdrawal | Legal obligation |
| Server access logs | 90 days | Legitimate interests (security) |
| Support communications | 3 years from closure of ticket | Legitimate interests; legal obligation |
After the applicable retention period, data is securely deleted or anonymised.
Third-Party Processors
We engage third-party service providers (data processors) who act on our instructions. All processors are bound by data processing agreements ensuring equivalent data protection standards.
| Processor | Service Category | Data Transferred | Location |
|---|---|---|---|
| Google Analytics | Web analytics | Usage, device, IP (anonymised) | USA |
| Email service provider (e.g., Mailchimp / Brevo) | Transactional & marketing email | Name, email address | USA / EU |
| AI inference provider (e.g., OpenAI / Anthropic) | AI / LLM chatbot processing | Chatbot conversation text | USA |
| Cloud hosting provider (e.g., AWS / GCP / Vercel) | Infrastructure & hosting | All platform data | USA / India |
| Payment processor (future) | Subscription billing | Billing name, email; no card data | TBD |
We do not sell, trade, or rent personal data to third parties for their own marketing purposes.
International Data Transfers
The KPI Hub is based in India. Some of our service providers are located in the United States and the European Union. When we transfer personal data outside India (or outside the EEA for EU data subjects), we implement appropriate safeguards:
- EU/EEA to India transfers: We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Decision 2021/914) or other lawful transfer mechanisms.
- India to USA transfers: We rely on contractual protections and, where applicable, the adequacy framework under the India DPDP Act 2023 as it evolves.
- Adequacy decisions: Where the European Commission has issued an adequacy decision for a recipient country, we may rely on that decision.
EU Residents: You may request a copy of the Standard Contractual Clauses governing your data transfers by contacting us at info@thekpihub.com.
Your Rights — GDPR (EU / EEA Residents)
If you are located in the European Union or EEA, you have the following rights under the General Data Protection Regulation (GDPR):
Right of Access
Obtain a copy of your personal data and information about how it is processed.
Right to Rectification
Correct inaccurate or incomplete personal data held about you.
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data where there is no compelling reason for continued processing.
Right to Restriction
Restrict processing of your data in certain circumstances.
Right to Portability
Receive your data in a structured, machine-readable format and transfer it to another controller.
Right to Object
Object to processing based on legitimate interests or direct marketing at any time.
Automated Decision-Making
Not be subject to solely automated decisions with significant effects without human review.
Withdraw Consent
Withdraw any previously given consent at any time without affecting lawfulness of prior processing.
To exercise any GDPR right, contact us at info@thekpihub.com. We will respond within 30 calendar days (extendable by a further 60 days for complex requests). You also have the right to lodge a complaint with your local supervisory authority.
Your Rights — CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you the following rights:
- Right to Know: Request disclosure of personal information collected, used, disclosed, and sold about you in the past 12 months.
- Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioural advertising. See Section 12.
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information beyond what is necessary for service delivery.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will receive the same quality of service regardless.
To submit a CCPA request, email info@thekpihub.com with the subject line "CCPA Request". We will respond within 45 calendar days (extendable by a further 45 days where reasonably necessary with notice).
Authorised Agent: You may designate an authorised agent to make a CCPA request on your behalf. We may require verification of the agent's authority and your identity before processing such requests.
Your Rights — India DPDP Act 2023
Under the Digital Personal Data Protection Act, 2023 (India), you ("Data Principal") have the following rights against The KPI Hub as the Data Fiduciary:
- Right to Access Information: Obtain a summary of personal data processed and activities undertaken with it.
- Right to Correction and Erasure: Correct inaccurate or outdated data, and seek erasure where the purpose of processing is no longer served or consent is withdrawn.
- Right to Grievance Redressal: Have your complaints addressed by our Grievance Officer within a reasonable timeframe.
- Right to Nominate: Nominate any individual who shall, in the event of your death or incapacity, exercise your rights under this Act.
To exercise DPDP rights, contact our Grievance Officer (see Section 17). We will acknowledge within 48 hours and resolve within 30 days of receipt.
Do Not Sell or Share My Personal Information
The KPI Hub does not sell, rent, or share your personal information with third parties for their own independent commercial use, cross-context behavioural advertising, or financial consideration.
We share data only with:
- Service providers acting as data processors under our instructions (see Section 7)
- Law enforcement or government authorities where required by applicable law
- Successor entities in connection with a merger, acquisition, or asset sale, subject to notice to you
If you wish to opt out of any data sharing that falls within the CCPA's definition of "sale" or "sharing" (including for cross-context behavioural advertising), you may do so by emailing info@thekpihub.com with the subject line "Do Not Sell or Share My Data".
Marketing Communications
We send marketing emails and product updates only with your separate, explicit consent. By joining our waitlist or creating an account, you do not automatically consent to marketing communications. A separate opt-in is required.
Opting Out
- Click the "Unsubscribe" link in any marketing email we send you.
- Email us at support@thekpihub.com with the subject line "Unsubscribe".
- Manage your communication preferences in your account settings (when available).
Transactional emails (e.g., account confirmation, password reset, important service notices) are not marketing emails and cannot be opted out of while you have an active account.
Children's Privacy
The KPI Hub is not intended for persons under the age of 18. We do not knowingly collect personal data from minors. If you are under 18, please do not use our platform or submit any personal data.
If we become aware that we have inadvertently collected personal data from a person under 18, we will take steps to delete that data as promptly as possible. If you believe we have collected data from a minor, please contact us at info@thekpihub.com.
Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, and destruction. These include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest
- Bcrypt hashing of passwords
- Access controls and role-based permissions for staff
- Regular security assessments and vulnerability testing
- Incident response procedures, including breach notification to relevant authorities within the timeframe required by applicable law
No method of electronic transmission or storage is 100% secure. If you suspect unauthorised access to your account, contact us immediately at support@thekpihub.com.
Policy Updates
We may update this Privacy Policy from time to time. Material changes will be notified to you by:
- Email notification sent to your registered email address at least 30 days before the change takes effect
- A prominent notice on our website
Your continued use of the platform after the effective date of an updated policy constitutes acceptance of the revised terms. If you do not agree with the changes, you should stop using the platform and request deletion of your account.
The "Last Updated" date at the top of this policy indicates when it was last revised.
Contact & Grievance Officer
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact:
Grievance Officer (India DPDP Act / IT Rules 2021)
The KPI Hub
Delhi, India
Email: info@thekpihub.com
For general support queries:
Support Team
Email: support@thekpihub.com
We aim to acknowledge all data requests within 48 hours and resolve them within 30 calendar days. If you are not satisfied with our response, you have the right to escalate to the relevant supervisory authority in your jurisdiction.
Version History
| Version | Date | Summary of Changes |
|---|---|---|
| v1.0 | April 3, 2026 | Initial publication. Covers GDPR, CCPA, and India DPDP Act 2023. |