Privacy Policy

This Privacy Policy explains how Iconik collects, uses, and protects your personal information when you use our AI agent platform for hospitality and related services.

Last updated: June 10, 2026

Your Privacy Matters

This Privacy Policy explains how Iconik collects, uses, and protects your personal information when you use our AI agent platform for hospitality and related services.

By using our services, you agree to the collection and use of information in accordance with this policy. We are committed to protecting your privacy and ensuring the security of your personal information.

Kapy Pay, Inc., doing business as Iconik ("Iconik," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI agent platform for hospitality, website, mobile applications, and related services (collectively, the "Service").

By using our Service, you consent to the data practices described in this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

This Privacy Policy applies to all users of our Service, including visitors, registered users, and customers worldwide. It describes our practices regarding the collection, use, and sharing of personal information in compliance with applicable data protection laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other applicable privacy legislation.

We collect several types of information from and about users of our Service, including:

• Personal Information: Name, email address, phone number, and other contact information you provide during registration and account creation.

• Profile Information: Profile pictures, biographical information, preferences, and settings you choose to share.

• Usage Data: Information about how you use our Service, including interaction with AI agents, conversation history, service requests, and feature usage.

• Technical Data: IP address, browser type, device information, operating system, and other technical details.

• Communication Data: Messages, feedback, and other communications you send to us or through our Service.

• Voice and Audio Data: When using voice features, we may collect audio recordings for speech-to-text processing.

• AI Conversation Data: Content of your interactions with AI agents on our platform, including text inputs and AI-generated responses.

For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we process personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):

• Contractual Necessity: Processing necessary to perform our contract with you, including providing the Service, managing your account, and delivering AI agent interactions.

• Legitimate Interests: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, preventing fraud, and conducting analytics, provided these interests are not overridden by your rights and freedoms.

• Consent: Processing based on your explicit consent, such as marketing communications, optional data collection, and the use of certain cookies and tracking technologies. You may withdraw your consent at any time.

• Legal Obligation: Processing necessary to comply with our legal obligations under applicable laws and regulations.

We use the information we collect for various purposes, including:

• Providing and maintaining our Service, including AI agent interactions and personalized experiences.

• Processing transactions and managing your account.

• Improving our Service and developing new features.

• Personalizing your experience and providing relevant content.

• Communicating with you about updates, security alerts, and support messages.

• Analyzing usage patterns and trends to enhance our platform.

• Ensuring the security and integrity of our Service.

• Complying with legal obligations and enforcing our terms.

As an AI-powered platform, transparency about how we handle data in connection with our AI agents is important to us. The following practices apply:

5.1 Training and Improvement

Your conversations with AI agents may be used to train, improve, and enhance our AI models and the quality of the Service. When conversation data is used for these purposes, it is always anonymized and aggregated so that no individual user can be identified.

5.2 Human Review

In limited circumstances, conversations may be reviewed by authorized personnel for quality assurance, safety, and model improvement purposes. Any such review is conducted strictly on an anonymized basis, meaning reviewers cannot identify the individual user associated with any conversation.

5.3 Business Customer Access

Iconik provides AI agents to hospitality businesses (such as private travel membership clubs and their operators) that use our platform to serve their members and guests. Where you interact with an AI agent operated on behalf of one of these businesses, that business is the controller of the resulting conversation data and may access those conversations, together with related member and service information, in order to provide reservations, renewals, member services, and support.

In these cases, Iconik acts as a service provider (data processor) and handles the conversation data on the business's behalf and under its instructions. That business's use of your information is also governed by its own privacy policy; if you have questions about how a specific business uses your data, please contact that business directly.

We do not sell, trade, rent, or share your personal information with third parties for their own marketing or commercial purposes. We may share your information only in the following limited circumstances:

• Service Providers: We may share information with trusted third-party service providers who assist us in operating our platform, such as cloud hosting, analytics, payment processing, and customer support services. These providers are contractually obligated to protect your data and may only use it for the purposes we specify.

• Legal Requirements: We may disclose information if required by law, court order, or government request.

• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change and the choices you may have regarding your information.

• Safety and Security: We may share information to protect the safety and security of our users, employees, or the public.

• With Your Consent: We may share information with your explicit consent for specific purposes.

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest using industry-standard protocols.

• Secure data storage practices and access controls.

• Regular security audits and vulnerability assessments.

• Employee training on data protection and privacy.

• Incident response procedures and breach notification protocols.

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining the highest standards of data protection.

7.1 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.

Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, providing information about the nature of the breach, the likely consequences, and the measures taken or proposed to address it.

For users in California, we will comply with applicable breach notification requirements under California Civil Code Section 1798.82.

We retain your personal information for as long as necessary to provide our Service and fulfill the purposes outlined in this Privacy Policy. The retention period depends on the type of information and the purpose for which it was collected:

• Account Information: Retained for the duration of your account and for a reasonable period after account deletion for legal and business purposes.

• Usage Data: Typically retained for up to 2 years for analytics and service improvement.

• Communication Data: Retained for the duration of our relationship and for a reasonable period thereafter.

• AI Conversation Data: Retained in identifiable form for the duration of your account. Anonymized conversation data may be retained for service improvement purposes.

• Voice and Audio Data: Processed in real-time and not stored unless explicitly requested or required for service improvement.

We will delete or anonymize your information when it is no longer needed for the purposes described in this policy, unless retention is required by law or for legitimate business purposes.

9.1 Rights Under the GDPR (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR:

• Right of Access: You have the right to request access to the personal data we hold about you and to receive a copy of that data.

• Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.

• Right to Erasure: You have the right to request the deletion of your personal data, subject to certain legal exceptions.

• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

• Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.

• Right to Restriction: You have the right to request restriction of processing in certain circumstances.

• Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your member state of habitual residence, place of work, or place of the alleged infringement.

9.2 Rights Under the CCPA/CPRA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to know what personal information we collect, use, disclose, and sell or share about you.

• Right to Delete: You have the right to request the deletion of your personal information, subject to certain exceptions.

• Right to Opt-Out: You have the right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information with third parties for cross-context behavioral advertising purposes.

• Right to Correct: You have the right to request correction of inaccurate personal information.

• Right to Limit Use of Sensitive Information: You have the right to limit the use and disclosure of sensitive personal information.

• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

9.3 Exercising Your Rights

To exercise any of the rights described above, please contact us at [email protected] or use the contact information provided in the Contact section of this policy. We will respond to your request within the timeframes required by applicable law (generally within 30 days for GDPR requests and 45 days for CCPA/CPRA requests).

We may need to verify your identity before processing your request. If we are unable to verify your identity, we may not be able to fulfill your request.

We use cookies and similar tracking technologies to enhance your experience on our Service. A cookie is a small text file stored on your device that helps us recognize you and remember your preferences.

10.1 Types of Cookies We Use

• Strictly Necessary Cookies: These cookies are essential for the operation of our Service. They enable basic functions such as authentication, session management, and security. These cookies do not require consent and cannot be disabled. Duration: session-based or up to 12 months.

• Functional Cookies: These cookies allow our Service to remember choices you make, such as language preferences and display settings, to provide enhanced and personalized features. Duration: up to 12 months.

• Analytics Cookies: These cookies help us understand how users interact with our Service by collecting anonymous statistical information. We use this data to improve our platform and user experience. Duration: up to 24 months.

10.2 Cookie Management

You can control and manage cookies through your browser settings. Most browsers allow you to view, delete, and block cookies from websites. Please note that disabling certain cookies may affect the functionality of our Service.

For users in the EEA, we will obtain your consent before placing non-essential cookies on your device, in accordance with the ePrivacy Directive and GDPR.

Our Service is not intended for children. We define "child" in accordance with applicable local law:

• United States: Under 13 years of age, in accordance with the Children's Online Privacy Protection Act (COPPA).

• European Economic Area: Under 16 years of age (or the lower age set by the applicable member state, which may be as low as 13), in accordance with the GDPR.

• Other jurisdictions: As defined by the applicable local data protection laws.

We do not knowingly collect personal information from children as defined above. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected].

If we learn we have collected personal information from a child without appropriate consent, we will delete that information as quickly as possible. We encourage parents and guardians to monitor their children's online activities and to help enforce this Privacy Policy.

For users who are minors above the applicable age threshold but under 18, we require verifiable parental or guardian consent for the collection and use of personal information.

Your information may be transferred to and processed in countries other than your own, including the United States, where our servers and service providers may be located. These countries may have data protection laws that differ from the laws of your country.

When we transfer personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.

• Supplementary technical and organizational measures to ensure the protection of your data.

• Assessment of the legal framework of the recipient country to ensure adequate protection.

By using our Service, you acknowledge that your information may be transferred to countries outside your country of residence. You may request a copy of the safeguards we use for international transfers by contacting us at [email protected].

We have appointed a Data Protection Officer (DPO) to oversee our compliance with data protection laws and to serve as a point of contact for data protection matters.

Data Protection Officer: Alejandro Bogado

Email: [email protected]

You may contact our DPO regarding any questions or concerns about our data protection practices, to exercise your data protection rights, or to lodge a complaint about the handling of your personal data.

When you connect a Google Workspace or Gmail mailbox to Iconik (for example, to run our Diagnosis tool), we request read-only access to the messages in the authorized mailbox through the Google Gmail API scope gmail.readonly.

We use this access solely to analyze recurring inquiries and produce a diagnostic report and automation suggestions for your organization. We do not send, modify, label, or delete any email.

• Email content obtained from Google APIs is stored encrypted at rest and is accessible only to your organization.

• We do not sell Google user data. We do not share it with third parties except as necessary to provide the service you requested. We do not use it for advertising purposes.

• We do not use Google user data to develop, improve, or train generalized artificial intelligence or machine learning models.

• Only personnel strictly required to operate and support the service can access this data, and only for that purpose.

• You can disconnect the mailbox at any time from your dashboard, which revokes our access. You can also revoke access from your Google Account security settings at any time.

Limited Use: Iconik's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes to this policy, we will:

• Post the updated Privacy Policy on our website with a revised "Last Updated" date.

• Notify you by email or through a prominent notice on our Service prior to the change becoming effective.

• Where required by law, obtain your consent to any material changes in our data processing practices.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after the posting of changes constitutes your acceptance of such changes.

If you have any questions about this Privacy Policy or our data practices, please contact us:

Company: Kapy Pay, Inc. (doing business as Iconik)

Email: [email protected]

Address: 131 Continental Dr., Suite 305, Newark, DE 19713, United States

Data Protection Officer: Alejandro Bogado – [email protected]

We will respond to your inquiry within the timeframes required by applicable law and work to address any concerns you may have about our privacy practices.

If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.