Table of Contents
Part I — Privacy Policy
1. Introduction and Scope
2. Information We Collect
3. Information Collected Through Zoom Integration
4. How We Process Your Information
5. Legal Bases for Processing
6. Data Sharing and Third Parties
7. Cookies and Tracking Technologies
8. AI-Based Services
9. International Data Transfers
10. Your Privacy Rights
11. U.S. State-Specific Privacy Rights
12. Children's Privacy
Part II — Data Retention and Protection Policy
13. Data Retention Schedule
14. Data Protection and Encryption
Part III — Security Policy
15. Information Security Program
16. Access Controls
17. Encryption Standards
18. Network and Application Security
Part IV — Incident Management and Response Policy
19. Incident Classification
20. Incident Response Process
21. Notification Procedures
Part V — Infrastructure Dependency Management Policy
22. Third-Party Service Dependencies
23. Zoom Integration Dependencies
24. Vendor Risk Management
Part VI — Vulnerability Management Policy
25. Vulnerability Identification and Assessment
26. Remediation Standards
27. Responsible Disclosure
Part VII — General Provisions
28. Policy Updates
29. Contact Information
PART I — PRIVACY POLICY
1. Introduction and Scope
This Privacy and Data Protection Policy (this "Policy") describes how Kendo.ai ("we," "us," or "our") collects, uses, stores, shares, and protects personal information when you use our Services. Kendo.ai is a sales role-play and training platform powered by artificial intelligence, designed to help sales teams improve their performance through simulated sales conversations and coaching.
This Policy applies when you:
Visit our website at https://kendo.ai or any website that links to this Policy.
Use our sales role-play and training platform, including any AI-powered features.
Connect to our Services through third-party integrations, including Zoom.
Engage with us in sales, marketing, support, or events.
By using our Services, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use our Services.
2. Information We Collect
2.1 Personal Information You Provide
We collect personal information that you voluntarily provide when registering for our Services, expressing interest in information about us, or contacting us. This includes:
Names and contact information (email addresses, phone numbers)
Company name and job title
Account credentials (passwords, stored in hashed form)
Billing and payment information (processed through secure third-party payment processors)
Communications you send to us (support requests, feedback)
We do not intentionally collect sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data for identification purposes.
2.2 Information Automatically Collected
When you visit or use our Services, we automatically collect certain technical information, including:
Internet Protocol (IP) address
Browser type, version, and device characteristics
Operating system and language preferences
Referral URLs and pages visited
Approximate location data (derived from IP address)
Usage data (features used, session duration, interaction patterns)
Log data and diagnostic information
2.3 Information From Third Parties
We may receive information from public databases, marketing partners, social media platforms, and other third-party sources to enhance our ability to provide relevant services.
3. Information Collected Through Zoom Integration
When you authorize the Kendo.ai integration with Zoom, we may access and process the following data from your Zoom account, subject to the permissions you grant:
3.1 Zoom Meeting Data
Meeting Recordings: Audio and/or video recordings of Zoom meetings that you choose to share with Kendo.ai for sales training analysis and role-play review.
Meeting Transcripts: Text transcriptions of meeting audio, used to analyze sales conversations and provide coaching insights.
Meeting Metadata: Meeting titles, dates, times, duration, and meeting IDs associated with recordings you share.
Participant Information: Names and email addresses of meeting participants, as provided by Zoom, to associate training data with the appropriate team members.
3.2 How We Use Zoom Data
Data obtained through the Zoom integration is used exclusively for the following purposes:
Analyzing sales conversations to provide coaching feedback and performance insights.
Powering AI-driven role-play scenarios based on real-world sales interactions.
Generating training recommendations and skill improvement reports.
Providing aggregated (non-identifiable) analytics to team administrators.
3.3 Zoom Data Restrictions
We are committed to responsible handling of Zoom data:
We do not sell, rent, or share Zoom meeting data with third parties for advertising or marketing purposes.
We do not use Zoom data to train general-purpose AI models. AI analysis is performed solely to deliver our Services to you.
We do not retain Zoom recordings or transcripts beyond the retention periods described in Section 13 of this Policy.
We do not access Zoom data beyond the specific scopes and permissions you authorize.
We comply with Zoom's Marketplace Developer Agreement and API Terms of Use at all times.
3.4 Zoom User Consent and Controls
You may revoke our access to your Zoom data at any time by:
Removing the Kendo.ai app from your Zoom account via the Zoom App Marketplace.
Contacting us at support@kendo.ai to request deletion of Zoom-sourced data.
Upon revocation or disconnection, we will cease collecting new data from Zoom and delete previously collected Zoom data in accordance with our retention schedule (see Section 13), unless legally required to retain it.
4. How We Process Your Information
We process personal information for the following purposes:
Account Management: Creating, authenticating, and managing user accounts.
Service Delivery: Providing, operating, and improving our sales training platform, including AI-powered analysis and role-play features.
Zoom Integration: Processing meeting recordings and transcripts to deliver coaching insights and training content.
Customer Support: Responding to inquiries, troubleshooting, and providing technical assistance.
Communications: Sending administrative notifications, product updates, and (with consent) promotional communications.
Analytics: Understanding usage patterns to improve our Services and user experience.
Security: Detecting, preventing, and responding to fraud, abuse, and security incidents.
Legal Compliance: Fulfilling legal obligations, responding to lawful requests, and enforcing our terms.
5. Legal Bases for Processing
We process personal information based on the following legal grounds:
Consent: Where you have given clear consent for us to process your personal information for a specific purpose. You may withdraw consent at any time by contacting us at support@kendo.ai.
Contractual Necessity: Where processing is necessary to fulfill our contract with you or to take steps at your request prior to entering a contract.
Legitimate Interests: Where processing is necessary for our legitimate interests (e.g., improving services, ensuring security), provided those interests are not overridden by your rights.
Legal Obligations: Where processing is necessary to comply with applicable laws and regulations.
6. Data Sharing and Third Parties
6.1 Categories of Recipients
We may share your data with the following categories of recipients:
Service Providers: Third-party companies that support our operations, including cloud hosting, data analytics, payment processing, and customer support tools. These providers are contractually bound to protect your data and use it only as directed by us.
Zoom: In connection with the Zoom integration, certain data is exchanged with Zoom Communications, Inc. in accordance with Zoom's API Terms of Use and our integration requirements.
Business Partners: Trusted partners for joint marketing efforts, where you have consented to such sharing.
Legal Authorities: Government agencies, law enforcement, or other authorities when required by law, regulation, legal process, or enforceable governmental request.
Corporate Transactions: In connection with a merger, acquisition, reorganization, or sale of assets, where your data may be transferred as part of the transaction.
6.2 No Sale of Personal Information
We do not sell or rent your personal information to third parties. We do not use data obtained through the Zoom integration for advertising, marketing to third parties, or any purpose unrelated to delivering our Services.
7. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (such as pixels, beacons, and local storage) for the following purposes:
Essential Cookies: Required for the operation of our website and Services (e.g., authentication, session management).
Analytics Cookies: Help us understand how users interact with our Services to improve functionality and performance.
Preference Cookies: Remember your settings and preferences for a more personalized experience.
You can manage your cookie preferences through your browser settings or our cookie consent mechanism. For details, see our Cookie Policy at https://kendo.ai/cookies.
8. AI-Based Services
Kendo.ai provides AI-powered sales training and coaching services. Our AI features:
Analyze sales conversations (from recordings, transcripts, and role-play sessions) to provide feedback, scoring, and coaching recommendations.
Generate simulated sales scenarios for practice and training purposes.
Produce aggregated performance analytics for team leads and administrators.
Important safeguards regarding our AI services:
We do not use customer data (including Zoom data) to train general-purpose AI or machine learning models that are used outside of delivering our Services to you, unless we obtain your explicit consent.
AI-generated insights are intended as training aids and recommendations, not as sole decision-making tools for employment or compensation decisions.
We maintain human oversight of AI-driven processes and regularly audit AI outputs for accuracy and fairness.
We comply with applicable ethical AI standards and do not use AI to make automated decisions that produce legal or similarly significant effects on individuals without human review.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. When we transfer personal data internationally, we implement appropriate safeguards, including:
Standard Contractual Clauses (SCCs) approved by the European Commission.
Compliance with applicable data protection frameworks.
Ensuring that recipients provide adequate levels of data protection.
10. Your Privacy Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data, subject to certain exceptions.
Right to Restriction: Request that we restrict processing of your data under certain conditions.
Right to Data Portability: Receive your personal data in a structured, commonly used, and machine-readable format.
Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Where we rely on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at support@kendo.ai. We will respond to your request within 30 days (or as required by applicable law).
11. U.S. State-Specific Privacy Rights
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other U.S. states with comprehensive privacy laws, you have additional rights, including:
The right to know what personal data we collect, use, disclose, and sell.
The right to request deletion of your personal data.
The right to opt out of the sale or sharing of personal data for targeted advertising. (Note: Kendo.ai does not sell personal data.)
The right to non-discrimination for exercising your privacy rights.
The right to correct inaccurate personal information.
To make a request under state privacy law, email support@kendo.ai. We may need to verify your identity before fulfilling your request.
12. Children's Privacy
Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at support@kendo.ai.
PART II — DATA RETENTION AND PROTECTION POLICY
13. Data Retention Schedule
We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. The following table summarizes our retention periods:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account Information | Duration of account + 90 days | Contractual necessity; allows grace period for reactivation |
| Zoom Meeting Recordings | 90 days after processing | Deleted after AI analysis is complete and insights are delivered |
| Zoom Transcripts | 90 days after processing | Retained only for active coaching cycles; deleted on schedule |
| AI-Generated Insights | Duration of account + 90 days | Training analytics retained for user benefit during subscription |
| Usage / Log Data | 12 months | Security monitoring, debugging, and service improvement |
| Payment Records | 7 years | Legal / tax compliance requirements |
| Security Incident Logs | 3 years | Forensic analysis, regulatory compliance, and legal defense |
| Support Communications | 2 years after resolution | Quality assurance and dispute resolution |
Upon expiration of the retention period, data is securely deleted or anonymized. Users may request earlier deletion of their data at any time by contacting support@kendo.ai, subject to legal retention requirements.
14. Data Protection and Encryption
14.1 Encryption Standards
Data in Transit: All data transmitted between users, our Services, and third-party integrations (including Zoom) is encrypted using TLS 1.2 or higher.
Data at Rest: All stored data, including Zoom recordings, transcripts, and personal information, is encrypted using AES-256 encryption.
Key Management: Encryption keys are managed through a dedicated key management system with access restricted to authorized personnel. Keys are rotated on a regular schedule.
14.2 Data Backup and Recovery
Automated backups are performed daily and stored in geographically separate, encrypted locations.
Backup integrity is verified through automated checksums and periodic restoration testing.
Recovery time objectives (RTO) and recovery point objectives (RPO) are defined and tested quarterly.
14.3 Data Disposal
When data is no longer needed, it is disposed of securely:
Electronic data is overwritten using industry-standard methods or cryptographically erased.
Backup copies are purged according to their respective rotation schedules.
Disposal activities are logged for audit purposes.
PART III — SECURITY POLICY
15. Information Security Program
Kendo.ai maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of all data processed by our Services. Our program includes:
Documented security policies and procedures, reviewed and updated at least annually.
A designated security lead responsible for overseeing the security program.
Regular security awareness training for all personnel with access to customer data.
Annual risk assessments to identify and address emerging threats.
Compliance with industry standards and best practices, including OWASP guidelines and SOC 2 principles.
16. Access Controls
16.1 Authentication
All user accounts require strong passwords meeting minimum complexity requirements (12+ characters, mixed case, numbers, and symbols).
Multi-factor authentication (MFA) is required for all administrative and privileged accounts.
Session tokens are time-limited and invalidated upon logout.
OAuth 2.0 is used for Zoom API authentication, with tokens securely stored and refreshed.
16.2 Authorization
Access to systems and data follows the principle of least privilege.
Role-based access control (RBAC) is implemented across all internal systems.
Access permissions are reviewed quarterly and promptly revoked upon role changes or termination.
Administrative access to production systems requires approval and is logged.
17. Encryption Standards
In addition to the encryption measures described in Section 14:
All API communications with Zoom use HTTPS with TLS 1.2 or higher.
Zoom OAuth tokens and API credentials are encrypted at rest and never stored in plaintext.
Database connections use encrypted channels.
Sensitive configuration data (API keys, secrets) is stored in a dedicated secrets management system, not in source code repositories.
18. Network and Application Security
18.1 Network Security
Production environments are segmented from development and staging environments.
Firewalls and intrusion detection/prevention systems (IDS/IPS) are deployed and actively monitored.
Network traffic is logged and analyzed for anomalous activity.
Remote access to production infrastructure requires VPN with MFA.
18.2 Application Security
We follow a secure software development lifecycle (SSDLC) incorporating security at every phase.
Code reviews include security-focused review for all changes touching authentication, authorization, data handling, and API integrations.
Static Application Security Testing (SAST) is integrated into our CI/CD pipeline.
Dynamic Application Security Testing (DAST) is performed regularly against staging and production environments.
Dependency scanning is performed to identify vulnerable third-party libraries.
Input validation and output encoding are enforced to prevent injection attacks and cross-site scripting (XSS).
PART IV — INCIDENT MANAGEMENT AND RESPONSE POLICY
19. Incident Classification
Security incidents are classified by severity to determine the appropriate response:
| Severity | Description | Example | Response Time |
|---|---|---|---|
| Critical (P1) | Active data breach or system compromise affecting customer data | Unauthorized access to Zoom recordings or user credentials | Immediate (within 1 hour) |
| High (P2) | Significant vulnerability or attempted breach with potential impact | Exploitation attempt on API endpoints; suspicious access patterns | Within 4 hours |
| Medium (P3) | Security event requiring investigation but no confirmed data exposure | Failed authentication spikes; misconfiguration detected | Within 24 hours |
| Low (P4) | Minor security event or policy violation with minimal risk | Single failed login; minor policy deviation | Within 72 hours |
20. Incident Response Process
Our incident response process follows these phases:
20.1 Detection and Identification
Automated monitoring and alerting systems continuously scan for anomalies.
Team members can report potential incidents through dedicated internal channels.
All potential incidents are logged in our incident tracking system.
20.2 Containment
Immediate actions are taken to limit the scope and impact of the incident.
Affected systems or access points are isolated as needed.
Zoom API tokens are revoked and re-issued if a compromise involving the Zoom integration is suspected.
20.3 Investigation and Eradication
Root cause analysis is conducted to determine the origin and extent of the incident.
Affected systems are remediated and verified before being returned to service.
Evidence is preserved for potential legal or regulatory proceedings.
20.4 Recovery
Systems are restored from verified clean backups where necessary.
Enhanced monitoring is applied during and after recovery.
Functionality is validated before full service restoration.
20.5 Post-Incident Review
A post-incident review is conducted within 5 business days of resolution.
Lessons learned are documented and incorporated into security improvements.
Policies and procedures are updated as needed based on findings.
21. Notification Procedures
21.1 User Notification
In the event of a confirmed data breach affecting personal information, we will:
Notify affected users without unreasonable delay and no later than 72 hours after becoming aware of the breach (or as required by applicable law).
Provide details about the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
Provide guidance to affected users on steps they can take to protect themselves.
21.2 Regulatory Notification
We will notify relevant supervisory authorities as required by applicable data protection laws (e.g., GDPR, CCPA).
Notifications will include all information required by the applicable regulatory framework.
21.3 Zoom Notification
If a security incident involves data obtained through the Zoom integration, we will:
Notify Zoom in accordance with the Marketplace Developer Agreement and API Terms of Use.
Cooperate with Zoom's security team in any investigation related to the incident.
Implement any remedial measures required by Zoom.
PART V — INFRASTRUCTURE DEPENDENCY MANAGEMENT POLICY
22. Third-Party Service Dependencies
Kendo.ai relies on third-party services and infrastructure to deliver our platform. We manage these dependencies through:
Inventory: We maintain a current inventory of all third-party services, libraries, and infrastructure components used in our platform.
Risk Assessment: Each third-party dependency is assessed for security, reliability, compliance, and business continuity risk before adoption and on an ongoing basis.
Contractual Protections: Agreements with third-party providers include data protection obligations, security requirements, service level agreements (SLAs), and incident notification provisions.
Monitoring: We monitor the availability, performance, and security posture of critical third-party services.
23. Zoom Integration Dependencies
Our Zoom integration depends on the following components:
Zoom API: We use the Zoom REST API and webhooks to access meeting data as authorized by users. We monitor Zoom's API status and changelogs for updates that may affect our integration.
OAuth 2.0 Authentication: User authorization is handled through Zoom's OAuth 2.0 flow. We securely store and manage access and refresh tokens.
Zoom Marketplace: Our application is published on the Zoom App Marketplace and complies with Zoom's Marketplace Developer Agreement, API Terms of Use, and security requirements.
In the event of Zoom API changes, deprecations, or outages:
We monitor Zoom's developer communications and changelogs for advance notice of breaking changes.
We maintain compatibility testing procedures to validate integration functionality after Zoom updates.
We provide users with timely communication regarding any service disruptions related to the Zoom integration.
We implement graceful degradation so that core Kendo.ai features remain available even if the Zoom integration is temporarily unavailable.
24. Vendor Risk Management
24.1 Vendor Assessment
Before engaging a new third-party vendor that will process or have access to customer data, we conduct a vendor risk assessment covering:
Security practices and certifications (e.g., SOC 2, ISO 27001).
Data handling and privacy practices.
Business continuity and disaster recovery capabilities.
Regulatory compliance and jurisdiction considerations.
24.2 Ongoing Monitoring
Critical vendors are reviewed at least annually for continued compliance with our requirements.
We track vendor security advisories and incidents that may affect our Services.
Vendor access to data is limited to the minimum necessary and monitored.
24.3 Contingency Planning
For critical infrastructure dependencies, we identify alternative providers or fallback mechanisms.
Business continuity plans address scenarios where key vendor services become unavailable.
Data portability considerations are factored into vendor selection and contract negotiation.
PART VI — VULNERABILITY MANAGEMENT POLICY
25. Vulnerability Identification and Assessment
25.1 Identification Methods
Automated Scanning: Regular automated vulnerability scans are conducted on our infrastructure, applications, and dependencies using industry-standard tools.
Penetration Testing: Third-party penetration testing is conducted at least annually, and after significant infrastructure or application changes.
Dependency Monitoring: We use automated tools to monitor third-party libraries and dependencies for known vulnerabilities (CVEs).
Threat Intelligence: We subscribe to relevant threat intelligence feeds and monitor security advisories for technologies in our stack.
25.2 Risk Assessment
Identified vulnerabilities are assessed and prioritized based on:
CVSS (Common Vulnerability Scoring System) score.
Exploitability and exposure (whether the vulnerability is reachable from the internet or only from the internal network).
Potential impact on customer data, including data obtained through the Zoom integration.
Availability of patches or mitigations.
26. Remediation Standards
We follow strict remediation timelines based on vulnerability severity:
| Severity | Remediation Target | Actions |
|---|---|---|
| Critical (CVSS 9.0–10.0) | 24 hours | Immediate patching or mitigation; emergency change process; escalation to security lead |
| High (CVSS 7.0–8.9) | 7 days | Prioritized patching; temporary mitigations applied if patch is not immediately available |
| Medium (CVSS 4.0–6.9) | 30 days | Scheduled patching in next maintenance cycle; risk acceptance requires documented approval |
| Low (CVSS 0.1–3.9) | 90 days | Addressed in regular update cycles; tracked in vulnerability register |
All remediation activities are tracked, documented, and verified. Exceptions to remediation timelines require written approval from the security lead with a documented risk acceptance.
27. Responsible Disclosure
Kendo.ai supports responsible disclosure of security vulnerabilities. If you discover a potential vulnerability in our Services:
Report it to support@kendo.ai with sufficient detail to reproduce the issue.
Allow us reasonable time to investigate and remediate before public disclosure.
Do not access, modify, or delete data belonging to other users during your research.
We commit to acknowledging receipt of vulnerability reports within 2 business days and providing an initial assessment within 5 business days. We will not pursue legal action against researchers who comply with this disclosure policy.
PART VII — GENERAL PROVISIONS
28. Policy Updates
We review and update this Policy periodically to reflect changes in our practices, Services, legal requirements, and industry standards. Changes will be indicated by an updated "Last Updated" date at the top of this Policy.
For material changes that significantly affect how we process your personal information, we will provide notice through:
Email notification to affected users.
A prominent notice on our website or within our application.
Continued use of our Services after the effective date of any changes constitutes your acknowledgment of the updated Policy.
29. Contact Information
If you have questions, concerns, or requests regarding this Policy or our data practices, please contact us:
Email: support@kendo.ai
Website: https://kendo.ai
