Privacy Policy
Last updated: 2026-04-21 · Version 2.0
This Privacy Policy describes how KAK Digital LLC ("we", "us", "KAK Digital"), a Wyoming limited liability company with registered office at 30 N Gould St., Sheridan, WY 82801, USA, collects, uses, and protects personal data across:
- This website (kakdigital.com and its subdomains)
- Our products — KAK Cortex (Shopify marketing-intelligence platform), JOLT (creator platform), and custom AI systems delivered to clients
- Our services — Meta ad management, Shopify development and optimization
It is drafted to satisfy the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and India's Digital Personal Data Protection Act, 2023 (DPDP).
1. Who is the controller?
For this marketing website (kakdigital.com), KAK Digital LLC is the data controller. For customer-facing product data (events collected on Shopify stores that install KAK Cortex), the customer (merchant) is the controller and KAK Digital is the processor acting on their behalf under our Data Processing Agreement.
2. What we collect on this website
On kakdigital.com we use first-party analytics only. We do not load Google Analytics, Meta Pixel, TikTok Pixel, or any third-party advertising cookies on this marketing site. Specifically, we collect:
- Session-scoped identifiers stored in your browser's sessionStorage (cleared when you close the tab)
- A single first-party cookie (_kak_vid) used only if you grant "marketing" consent — random UUID, no PII
- Usage events: URL you visited, referrer, scroll depth, time on page, browser + OS family
- UTM parameters from your inbound link
- Form submissions: when you contact us or book a call, we collect the information you voluntarily provide (name, email, company, message)
- No IP address is stored in plaintext — we hash + truncate to region before writing to our database
See our Cookie Policy for the full list with durations.
3. Legal basis (GDPR Art. 6)
- Consent — for non-essential analytics and any marketing cookies, in the EU/UK/Switzerland. You can accept or reject via the banner at the bottom of the page.
- Legitimate interest — for first-party analytics (aggregated, pseudonymized, no cross-site tracking), outside the EU/UK. You have the right to object at any time.
- Contract — when you sign up for a service and we need to process your data to deliver it.
- Legal obligation — for tax, accounting, and compliance records.
4. What we collect in our products (KAK Cortex, custom systems)
When KAK Cortex is installed on a merchant's Shopify store, we track visitor behavior for the purpose of ad optimization. The specific data collected is:
- Visitor UUID (random, generated client-side)
- Session events: page views, scroll depth, clicks, time-on-page, add-to-cart, checkout steps, orders
- Hashed email and phone (SHA-256), only when voluntarily entered by the visitor, for Meta CAPI match quality
- Shopify order data at the merchant's instruction (order value, product IDs, line items)
- Hashed + truncated IP, user-agent, device fingerprint characteristics
We transmit the hashed signals to the merchant's own Meta ad account via the Conversions API (CAPI). We do not share raw email or phone with Meta — only SHA-256 hashes, as required by Meta's Data Processing Terms.
Each merchant is responsible for obtaining valid consent from their own visitors (usually via a cookie banner on their Shopify theme). KAK Cortex respects the merchant's consent signal and suppresses events from visitors who have not granted consent. CAPI deduplication ensures we do not double-count events already fired client-side.
5. Automated decision-making / AI
KAK Cortex uses AI to score visitors on a 0–100 purchase-intent scale. This score is used only to bucket visitors into audience segments that the merchant syncs to Meta Ads. No individual decision with legal or similarly significant effect on the data subject is automated under GDPR Art. 22. Visitors can opt out of this processing via the merchant's privacy controls or GPC signal.
6. International transfers
Our infrastructure is primarily in ap-south-1 (Mumbai), us-east-1 (Virginia), and ap-southeast-1 (Singapore) across Supabase, Vercel, and Cloudflare. Where data crosses borders from the EEA/UK, we rely on the EU Standard Contractual Clauses (Module Two) and the UK IDTA as incorporated by our sub-processors. See /subprocessors for the live list.
7. Retention
- Website analytics events: 13 months, then aggregated and anonymized
- Contact-form submissions: 24 months, then deleted unless active engagement
- Product event data (Cortex): retention is configured per merchant (default 90 days for Pro plan, 730 days for Managed)
- Billing records: 7 years (US tax law)
8. Your rights
You have the right to:
- Access — ask us what personal data we hold about you
- Rectification — have incorrect data corrected
- Erasure ("right to be forgotten") — have your data deleted
- Portability — receive a copy of your data in a machine-readable format
- Object — to processing based on legitimate interest (including first-party analytics)
- Withdraw consent — at any time, without affecting past processing
- Do Not Sell or Share (CCPA/CPRA) — we do not sell or share personal data, but you can confirm opt-out via the cookie banner or GPC
- Lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France, Data Protection Board of India)
We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request under the CCPA. Submit any other request to privacy@kakdigital.com. We respond within 30 days (CCPA: 45 days).
9. Security
All client data is processed with enterprise-grade security. Specifically: AES-256 encryption at rest (database + app-layer for sensitive tokens), TLS 1.3 in transit, per-tenant database isolation, Row-Level Security on all tables, role-based access control, full audit logging of administrative actions, and a 48-hour breach-notification SLA. See our DPA Annex II for full details.
10. Children's privacy
Our services are not directed to children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us immediately and we will erase it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email (if we have your address) and via a prominent notice on this page for at least 30 days before taking effect.
12. Contact
Privacy questions, requests, or complaints: privacy@kakdigital.com
General: hello@kakdigital.com
KAK Digital LLC
30 N Gould St., Sheridan, WY 82801, USA
EU/UK representative: contact privacy@kakdigital.com to request representative details under Art. 27 GDPR.