1. Introduction
KernelRun, Inc. ("KernelRun," "we," "our," or "us") is committed to protecting the privacy and security of information entrusted to us by our customers and website visitors. This Privacy Policy describes how we collect, use, disclose, store, and protect personal information and cloud infrastructure data when you use our website at kernelrun.com and our cloud cost optimization platform (collectively, the "Services").
KernelRun is headquartered at 2100 Geng Road, Palo Alto, CA 94303. David Okonkwo serves as the Chief Executive Officer. For privacy-related inquiries, please contact us at info@kernelrun.com or by post at the address above.
By accessing or using our Services, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree with any aspect of this policy, please discontinue your use of the Services and contact us to discuss your concerns before submitting any personal information.
This Privacy Policy applies to all users of KernelRun's Services, including individuals who visit our website, trial users, and paying customers. It applies regardless of whether you access our Services via a web browser, API, or integrated third-party application such as Slack.
2. Data We Collect
KernelRun collects information in two primary categories: account and contact information you provide directly, and cloud infrastructure metadata collected through your connected cloud accounts.
2.1 Information You Provide Directly
When you create an account, request a demo, or contact KernelRun, we collect the following personal information:
- Identity information: First name, last name, job title, and company name.
- Contact information: Business email address, company phone number, and physical business address.
- Account credentials: Email address and hashed password for account authentication. We do not store plaintext passwords.
- Payment information: Credit card or ACH payment details processed through our payment processor (Stripe). KernelRun does not store raw payment card data. Stripe processes and stores payment information in accordance with PCI DSS requirements.
- Communications: Content of emails, support requests, and other communications you send to KernelRun.
- Demo request information: Information you provide when requesting a product demonstration, including use case description and current cloud provider.
2.2 Cloud Infrastructure Metadata
When you connect your AWS, GCP, or Azure account to KernelRun, we collect cloud resource metadata through read-only access credentials (IAM roles for AWS, service accounts for GCP, and app registrations for Azure). This metadata includes:
- Resource inventory: Instance IDs, instance types, resource names, AWS ARNs, and resource configuration data for EC2, RDS, ECS, ElastiCache, and related services.
- Utilization metrics: CPU utilization, memory utilization (where the CloudWatch Agent is installed), network throughput, and disk I/O metrics from CloudWatch and equivalent services on GCP and Azure.
- Cost and billing data: Line-item cost data from AWS Cost Explorer, GCP Billing, and Azure Cost Management APIs, including service-level cost breakdowns, reserved instance coverage, and Savings Plan utilization data.
- Tagging and attribution data: Resource tags, tag keys and values, and tag coverage statistics used for cost attribution.
- Configuration metadata: Security group names (not rules), IAM role names (not permissions), subnet and VPC names, and Auto Scaling group names used for inference-based cost attribution.
KernelRun uses read-only IAM roles with least-privilege policies. We do not collect, access, or process the data stored within your cloud databases, application logs, S3 bucket contents, or any workload data. We access only the management plane metadata and utilization telemetry necessary to provide cost optimization analysis.
2.3 Website and Usage Data
When you visit kernelrun.com or use our web application, we automatically collect:
- Log data: IP address, browser type and version, pages visited, time spent on pages, referring URL, and browser language settings.
- Device information: Device type, operating system, and screen resolution.
- Interaction data: Features used within the platform, reports viewed, optimization proposals reviewed and their approval or decline status, and Slack notification preferences.
- Cookie data: Session identifiers, preference cookies, and analytics cookies as described in our Cookie Policy.
3. How We Use Your Data
KernelRun uses the information we collect for the following purposes:
3.1 Service Delivery
- Analyzing your cloud resource utilization and generating right-sizing recommendations, scheduling proposals, and cost optimization reports.
- Identifying cost anomalies and generating alerts through your configured notification channels (email, Slack, or web console).
- Executing approved scheduling actions through AWS Lambda functions authorized by your IAM role.
- Generating spend attribution reports mapping cloud costs to teams, repositories, and Kubernetes namespaces.
- Maintaining your account, processing subscription payments, and providing customer support.
3.2 Service Improvement
- Improving our analysis models and recommendation algorithms using aggregated, anonymized patterns from connected accounts. Individual account data is not shared with or accessible to other customers.
- Developing new features and product capabilities based on aggregated usage patterns and customer feedback.
- Monitoring system performance, detecting errors, and maintaining service reliability and security.
3.3 Communications
- Sending service notifications, including optimization proposal alerts, anomaly detections, and scheduled maintenance notices.
- Responding to your support requests and inquiries.
- Sending product updates and new feature announcements. You may opt out of non-essential communications at any time by emailing info@kernelrun.com or using the unsubscribe link in our emails.
3.4 Legal and Compliance
- Complying with applicable laws and regulations, including responding to lawful requests from law enforcement or regulatory authorities.
- Enforcing our Terms of Service and other policies.
- Protecting the rights, property, and safety of KernelRun, our customers, and the public.
4. Legal Basis for Processing (GDPR)
For users located in the European Economic Area (EEA) or the United Kingdom, KernelRun processes personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Services you have subscribed to, including cloud account analysis, scheduling execution, and billing.
- Legitimate interests: Processing for service improvement, security monitoring, fraud prevention, and analytics, where our interests do not override your rights and freedoms.
- Consent: Processing for marketing communications and non-essential cookies, where you have given explicit consent. You may withdraw consent at any time.
- Legal obligation: Processing required to comply with applicable law.
5. Data Sharing and Disclosure
KernelRun does not sell personal information or cloud infrastructure data to third parties. We share data only in the following limited circumstances:
5.1 Service Providers
We share data with third-party service providers who assist us in operating the Services. These providers are contractually bound to process data only for the purposes described in this policy and to maintain appropriate security measures:
- Amazon Web Services (AWS): Cloud infrastructure hosting for the KernelRun platform. Data processed in the United States (us-east-1 and us-west-2 regions).
- Stripe: Payment processing. Stripe's privacy policy governs payment data. KernelRun does not receive or store raw card data.
- Slack Technologies: Notification delivery for customers who configure Slack integration. Only notification content you configure to be sent (optimization proposal summaries, anomaly alerts) is transmitted to Slack.
- Postmark (ActiveCampaign): Transactional email delivery for service notifications and account communications.
- Datadog: Application performance monitoring and error tracking. Logs processed for service reliability monitoring. No customer data is stored in Datadog beyond anonymized performance metrics.
5.2 Legal Requirements
KernelRun may disclose your information if required by law, court order, or governmental authority, including in response to lawful requests by public authorities for national security or law enforcement purposes. Where legally permitted, we will notify you of such a request before disclosure.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website prior to such a transfer and will provide you with the opportunity to request deletion of your data before the transfer is completed.
6. International Data Transfers
KernelRun is based in the United States. If you are located outside the United States, your personal data will be transferred to, stored in, and processed in the United States. For transfers from the EEA, UK, or Switzerland to the United States, KernelRun relies on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers. Copies of our SCCs are available upon request.
7. Data Retention
KernelRun retains different categories of data for different periods based on the nature of the data and our business and legal requirements:
- Account information: Retained for the duration of your account plus 3 years after account closure, to satisfy legal obligations and resolve disputes.
- Cloud utilization metrics: Retained for 90 days for active analysis, and for up to 13 months in aggregated form for trend reporting. Raw per-minute metrics are deleted after 90 days.
- Cost and billing data from your cloud accounts: Retained for 13 months to support year-over-year comparison reports. Deleted 90 days after account closure.
- Scheduling action logs: Retained for 12 months to support audit trail requirements and rollback capabilities.
- Communications and support tickets: Retained for 3 years after closure.
- Payment records: Retained for 7 years to satisfy tax and financial reporting obligations.
Upon account closure, KernelRun will initiate deletion of your cloud metadata and utilization data within 30 days and provide confirmation of deletion upon request.
8. Your Rights Under GDPR and CCPA
8.1 Rights Under GDPR (EEA and UK Users)
If you are located in the EEA or UK, you have the following rights with respect to your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data, subject to our legal retention obligations.
- Right to restriction: You may request that we restrict processing of your personal data in certain circumstances.
- Right to data portability: You may request a copy of your personal data in a structured, machine-readable format for transfer to another controller.
- Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
8.2 Rights Under CCPA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to opt out of sale: KernelRun does not sell personal information. This right is not applicable, but we commit to not selling your data.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise any of the above rights, please contact us at info@kernelrun.com with the subject line "Privacy Rights Request." We will respond within 30 days for GDPR requests and 45 days for CCPA requests. We may require identity verification before processing your request.
9. Security
KernelRun implements administrative, technical, and physical safeguards designed to protect your information against unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher for all network communications.
- Encryption of data at rest using AES-256 for stored cloud metadata and customer account data.
- Read-only IAM access with least-privilege policies and no stored AWS credentials. Access uses temporary credentials via IAM role assumption.
- Multi-factor authentication required for all KernelRun employee access to production systems.
- Annual third-party security audits and penetration testing.
- SOC 2 Type II audit in progress. Current security posture documentation available under NDA upon request.
No system is completely secure. In the event of a security breach affecting your personal data, KernelRun will notify you within 72 hours of becoming aware of the breach, as required by applicable law, and will provide information about the nature of the breach, the data affected, and the steps we are taking to mitigate the impact.
10. Cookies and Tracking Technologies
KernelRun uses cookies and similar tracking technologies on our website. For a detailed description of the cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy.
11. Children's Privacy
Our Services are directed to businesses and are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a child under 18, please contact us at info@kernelrun.com and we will promptly delete such information.
12. Third-Party Links
Our website and application may contain links to third-party websites and services, including AWS documentation, blog references, and integration partner sites. KernelRun is not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.
13. Changes to This Privacy Policy
KernelRun may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. We will notify you of material changes by sending an email to the address associated with your account at least 30 days before the change takes effect. For non-material changes, we will update the "Last updated" date at the top of this policy. Your continued use of the Services after the effective date of any change constitutes your acceptance of the revised policy.
14. Contact Information
For questions, concerns, or requests related to this Privacy Policy or our data practices, please contact KernelRun by any of the following methods:
- Email: info@kernelrun.com
- Phone: +1 (650) 417-8263
- Post: KernelRun, Inc., Attn: Privacy Officer, 2100 Geng Road, Palo Alto, CA 94303
For complaints regarding our handling of your personal data, EEA residents may also lodge a complaint with the relevant data protection authority in their country of residence. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.