Privacy Policy

1. Scope

AscendKit ("we", "us", "our") operates the AscendKit platform, a developer infrastructure service providing authentication, email, surveys, and content management capabilities. This Privacy Policy explains how we collect, use, and protect information when you use our platform, website, and management portal.

This policy applies to our platform users (developers and organizations who create AscendKit accounts to manage projects). It does notgovern the personal data of your application's end-users that flows through AscendKit's services. End-user data is processed by AscendKit as a data processor under your instructions, governed by our Terms of Service (Section 5: Data Processing) and any applicable Data Processing Agreement between us.

2. Information We Collect

2.1 Platform Account Information

When you create an AscendKit account to manage projects, we collect:

• Name and email address
• Password (stored securely using one-way scrypt hashing)
• Organization and team membership details
• OAuth profile data if you sign in via a third-party provider (Google, GitHub, LinkedIn, etc.)

2.2 End-User Data (Processed on Your Behalf)

When your application's users interact with AscendKit-powered services, we process the following on your behalf as data processor:

• Authentication data: Email addresses, names, passwords (hashed), authentication tokens, session data, OAuth profile information, email verification status, and waitlist/approval status
• Email data: Recipient email addresses and names for transactional emails (verification, password reset, waitlist notifications) sent through your project's configured templates
• Survey data: Survey invitation status (sent, opened, submitted), survey responses, and response analytics

This data belongs to you (the project owner). We process it solely to deliver the services you configured and do not use it for our own purposes.

2.3 Usage and Technical Data

• API request logs (endpoints accessed, timestamps, response codes)
• Browser type, IP address, and device information
• Feature usage patterns within the management portal

3. How We Use Information

3.1 To Provide Services

• Authenticate platform users and manage sessions
• Process end-user authentication on behalf of your projects
• Send transactional emails (verification, password reset, waitlist notifications) on behalf of your projects
• Deliver surveys, track invitation status, and compute response analytics
• Manage content templates and email delivery

3.2 To Maintain and Improve the Platform

• Monitor service health and performance
• Detect and prevent fraud, abuse, and security incidents
• Generate aggregated, anonymized usage statistics to improve the platform

3.3 To Communicate With You

• Account-related notifications (security alerts, billing, service changes)
• Product updates and announcements (with opt-out available)

Transactional communications related to account security, service changes, and legal notices cannot be opted out of, as they are essential to the operation of your account.

4. OAuth and Third-Party Authentication

AscendKit integrates with third-party OAuth providers (Google, GitHub, LinkedIn, Microsoft, Apple) to offer social login for both platform users and your application's end-users. When a user authenticates via an OAuth provider:

• We receive only the profile information authorized by the user (typically name, email, and profile image)
• We request only the minimum scopes necessary for authentication
• We do not access contacts, messages, or other private data beyond the authorized profile
• OAuth access tokens are used solely for authentication and are not shared with third parties
• Users can revoke access at any time through their OAuth provider's account settings

5. Data Sharing and Sub-Processors

We do not sell, rent, or trade personal information. We share data only in these circumstances:

• With project owners: End-user data is accessible to the project owner who configured the service. You control what data is collected and how it is used.
• Sub-processors: We use the following service providers to operate the platform:

We will update this list as our infrastructure evolves. Sub-processors are contractually bound to protect data in accordance with this policy.

• Legal requirements: When required by law, regulation, or valid legal process
• Safety: To protect the rights, safety, or property of AscendKit, our users, or the public
• Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users

6. Data Retention and Deletion

• Platform accounts: Retained for the duration of your account. You may delete your account at any time.
• End-user data: Retained as long as the associated project and environment exist. Deleted within 30 days when you delete a project or environment.
• Survey responses: Retained as long as the associated survey exists. Deletion of a survey permanently removes all responses and invitation data.
• API logs: Retained for up to 90 days for debugging and security purposes, then automatically purged.
• Post-termination: Upon account closure, all associated data (projects, environments, end-user records, templates, surveys) is permanently deleted within 90 days.

7. Data Security

We implement the following security measures:

• Passwords hashed using scrypt with secure parameters (N=16384, r=16, p=1)
• HTTPS/TLS encryption for all API and web traffic
• Environment-scoped data isolation (development and production data are fully separated)
• Per-environment API key authentication and scoping
• Session tokens with configurable expiration

8. International Data Transfers

AscendKit's services are hosted in the United States. If you access our services from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards for transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States.

9. Breach Notification

In the event of a security breach affecting personal data, we will notify affected platform users without undue delay. If the breach involves end-user data processed on your behalf, we will notify you (the project owner) promptly so you can fulfill your own notification obligations to end-users and authorities.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Delete your account and associated data
• Export your data in a portable format
• Restrict or object to certain processing
• Withdraw consent for optional data processing
• Lodge a complaint with a supervisory authority (EU/UK residents)

For end-users of applications built with AscendKit: Please contact the application owner (the project operator) directly regarding your data. They are the data controller and determine how your information is used. We will cooperate with project owners to fulfill data subject requests.

11. Cookies

We use essential session cookies to maintain your authenticated state on the platform. We do not use tracking, analytics, or advertising cookies. Third-party OAuth providers may set their own cookies during the authentication flow, subject to their own policies.

12. Children's Privacy

AscendKit is a developer platform intended for business use and is not directed at individuals under 16. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify platform users of material changes by email and by posting the updated policy with a new "Last updated" date. Continued use of the service after notification constitutes acceptance of the updated policy.

14. Contact

For questions about this Privacy Policy, to exercise your data rights, or to request a Data Processing Agreement, contact us at [email protected].