Privacy Policy
Last updated: June 17, 2026
1. Introduction
This Privacy Policy explains how KAVE ADVISORS SAS (Colombia) and KAVE ADVISORS LLC (United States), operating together under the trade name "Kyto" ("Kyto," "we," "us," or "our"), collect, use, share, and protect personal data:
- when you visit kyto.io or engage our services, attend our Academy, or contact us; and
- when we design and operate messaging and workflow automations — including on the WhatsApp Business Platform — on behalf of our business clients.
This Policy also describes our practices as a technology provider on the WhatsApp Business Platform and how we handle data obtained through Meta's platforms ("Platform Data"). For any privacy matter, contact us at info@kyto.io.
2. Our Two Roles: Controller and Processor
Kyto handles personal data in two distinct roles. Which role applies determines who is responsible and how you exercise your rights.
As a Controller
For data about our own website visitors, leads, prospective and active clients, and Academy members, Kyto decides why and how the data is processed. We are the data controller (in Colombia, the Responsable del Tratamiento).
As a Processor / Service Provider
When we build and operate automations for a business client — for example, replying to that client's customers over WhatsApp — we process the personal data of the client's customers and contacts ("end users") only on that client's documented instructions. In this role the client is the data controller (in Colombia, the Responsable) and Kyto is the processor / service provider (in Colombia, the Encargado).
For end-user data we process on a client's behalf, that client is responsible for the lawful basis for messaging (including obtaining valid opt-in) and for its own privacy notice. End users should direct privacy requests to the relevant business; where a request reaches us, we forward it to the responsible client and assist as described in Section 11. Our processing of client end-user data is also governed by the Data Processing Addendum we enter into with each client.
3. Information We Collect
3.1 As a Controller (our website, leads, and Academy)
Information you provide:
- Name and contact details (email address, phone number)
- Company name, role/job title, and team information
- Information submitted through our contact and qualification forms, discovery-call bookings, and Academy enrollment
- Communication preferences and feedback
- Payment and billing information (processed securely by third-party payment providers; we do not store full card numbers)
Information collected automatically when you visit kyto.io:
- Device and connection data (IP address, browser type, operating system)
- Usage data (pages visited, time on page, navigation paths)
- Cookies and similar technologies (see our Cookie Policy)
- Referral source and campaign (UTM) parameters
3.2 As a Processor (client end-user data)
When operating automations for a client, we process the following on the client's instructions and for the sole purpose of providing the service:
- End-user phone numbers and WhatsApp profile names
- WhatsApp message content and metadata (timestamps, delivery/read status, message identifiers)
- Records the client chooses to sync to its CRM or business systems (e.g., order, booking, or support details)
- Opt-in and opt-out records for the client's contacts
We do not ask end users to submit, and instruct clients not to collect through our automations, sensitive or regulated data such as full payment-card or financial-account numbers, government identification numbers, or health information. The WhatsApp Business Platform (Cloud API) is not HIPAA-compliant and must not be used to transmit protected health information.
4. How We Use Information
As a controller, we use personal data to:
- Provide our services: deliver AI automation, advisory, and Academy programs
- Communicate: respond to inquiries, schedule discovery calls, and provide support
- Improve: understand and enhance our website and services
- Market (with a lawful basis): send relevant content and offers, where permitted and subject to your choices
- Comply and protect: meet legal obligations and protect our rights, users, and systems
As a processor, we use client end-user data only to provide the contracted service on the client's documented instructions. We do not use it for our own purposes, do not build or augment user profiles from it, do not sell or license it, and never share one customer's conversation with another customer.
5. WhatsApp Business Platform and Meta Platform Data
Kyto operates as an independent technology provider on the WhatsApp Business Platform and may operate WhatsApp Business Accounts on behalf of clients. Kyto is not an agent of, and is not endorsed by, Meta Platforms, Inc. or WhatsApp. To operate a client's account, we request only the permissions required for messaging and account management — namely the whatsapp_business_messaging and whatsapp_business_management permissions.
- Permitted use only. We use Platform Data only for purposes permitted by Meta's Platform Terms and Developer Policies and disclosed in this Policy. We do not use Platform Data to make eligibility decisions (such as for housing, employment, insurance, or credit), to discriminate, for surveillance, or to sell, license, or purchase it.
- Purpose limitation. Data obtained through WhatsApp is used only as reasonably necessary to support messaging with the same person, consistent with the WhatsApp Business Messaging Policy.
- Opt-in and opt-out. Business-initiated WhatsApp messages require prior opt-in. Our clients are responsible for obtaining valid opt-in; we process on that basis. Opt-out and STOP requests — whether made on or off WhatsApp — are honored promptly and the person is removed from further messaging.
- Automation and AI. Our automations may use artificial intelligence (including Google's Gemini API) to support defined business functions such as customer support, bookings, order updates, and notifications. AI is ancillary to these services and is not offered as a general-purpose AI assistant. Where a user may be interacting with an automated or AI assistant, we design flows to make this clear and to offer a path to reach a human or to stop.
- No AI training on client data. Client end-user data is processed using the paid tier of the Google Gemini API and is not used to train, develop, or improve any AI or machine-learning models; it is never routed to any free or consumer AI tier, and sub-processors are contractually prohibited from using it for model training.
6. Legal Bases for Processing
Where required by law, we rely on one or more of the following bases as a controller:
- Consent: where you have given consent (for example, marketing). In Colombia, we obtain prior, informed, and express authorization (autorización) before processing, and additional explicit consent for any sensitive data, which is always optional to provide.
- Contract: to provide services you or your organization have requested
- Legitimate interests: to run and secure our business, where not overridden by your rights (not relied upon where Colombian law requires authorization)
- Legal obligation: to comply with applicable law
As a processor, the lawful basis for messaging end users (including opt-in) is the responsibility of the client acting as controller.
7. How We Share Information
We share personal data only as follows:
- Sub-processors and service providers who process data on our behalf under written contracts (see Section 8)
- Our business clients, where we act as their processor and return or route data to them
- Legal authorities, where required by law or to protect rights, safety, and security
- Business transfers, in connection with a merger, acquisition, or sale of assets, subject to this Policy
We do not sell personal information for money. Some uses of cookies and advertising/analytics technologies (such as the Meta Pixel) may be considered "sharing" for cross-context behavioral advertising under U.S. state privacy laws; you can opt out as described in Section 11 and our Cookie Policy.
8. Sub-Processors
We engage the following categories of sub-processors. We require each to provide protections consistent with this Policy and remain responsible for their processing. The current list is available on request and is maintained in our client Data Processing Addendum.
| Provider | Purpose | Role |
|---|---|---|
| Meta Platforms / WhatsApp | Messaging infrastructure (Cloud API) | Processor-side |
| n8n; Make | Workflow automation | Processor-side |
| Google (Gemini API / Cloud) | AI message generation (paid tier — no model training) | Processor-side |
| HubSpot | CRM (where used on client data) | Processor-side |
| Vercel | Website hosting | Controller-side |
| Sanity | Content management (blog) | Controller-side |
| NeetoCal | Scheduling and bookings | Controller-side |
| Google Analytics; Meta Pixel; LinkedIn Insight Tag | Analytics and advertising measurement | Controller-side |
9. International Data Transfers
We operate in the United States and Colombia and may transfer personal data across borders, including to sub-processors. Where required, we use appropriate safeguards: the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum) for transfers from the EEA/UK, and, for transfers from Colombia, a written international transmission contract or another mechanism permitted under Colombian law and current Superintendencia de Industria y Comercio (SIC) guidance. A transfer-impact assessment is conducted where applicable. Details are available at info@kyto.io.
10. Data Retention
We retain personal data only as long as necessary for the purpose for which it was collected, by category:
- Client and prospect records: for the relationship plus 3 years
- Marketing data: until you unsubscribe or withdraw consent
- Legal, tax, and accounting records: as required by law (typically 7–10 years)
- Website analytics: aggregated/anonymized after 26 months
- Client end-user data (as processor): for the term of the client engagement and deleted or returned on the client's instruction; opt-out/suppression records are retained as needed to honor opt-outs and to evidence compliance
We delete or de-identify personal data when it is no longer needed, on valid request, on account or service termination, or when received in error, except where retention is required by law or by Meta (for example, limited access records that platform rules require us to keep).
11. Your Rights and Choices
Depending on where you live, you may have the rights below. To exercise them, email info@kyto.io or use our data deletion page. We verify requests and respond within the timeframes required by law. You may use an authorized agent where permitted. We will not discriminate against you for exercising your rights.
11.1 United States (CCPA/CPRA and similar state laws)
- Know/access the personal information we collect, use, and disclose
- Delete and correct your personal information
- Opt out of the "sale" or "sharing" of personal information, and limit the use of sensitive personal information
- Non-discrimination for exercising your rights
Use the "Your Privacy Choices" link in our website footer to opt out of sale/sharing. We honor Global Privacy Control (GPC) browser signals as a valid opt-out.
11.2 Colombia (Ley 1581 de 2012 — Habeas Data)
As a titular of data, you may:
- Conocer, actualizar y rectificar (know, update, and correct) your data
- Solicitar prueba de la autorización (request proof of consent)
- Ser informado sobre el uso de sus datos (be informed of use)
- Presentar quejas ante la SIC (file complaints with the SIC)
- Revocar la autorización y suprimir el dato (revoke consent and request deletion) where permitted
We respond to consultas within 10 business days (extendable by 5) and to reclamos within 15 business days (extendable by 8), as required by Colombian law.
11.3 EEA/UK (GDPR)
- Access, rectification, erasure, restriction, portability, and objection
- Withdraw consent at any time (without affecting prior processing)
- Lodge a complaint with your local data protection authority
If your request concerns data we process on behalf of a business client (for example, your WhatsApp conversation with a company that uses Kyto), the client is the controller. We will promptly forward your request to that client and assist them in responding.
12. How to Request Deletion
You can request deletion of your personal data at our dedicated page: kyto.io/data-deletion, or by emailing info@kyto.io. No account or login is required.
- Data we control (website, leads, Academy): we action deletion directly, subject to legal retention.
- Client end-user data we only process (such as a WhatsApp conversation handled for a business): we cannot delete it unilaterally because we hold it on the client's instructions. We forward your request to the responsible business and assist them in fulfilling it.
13. Cookies and Tracking
We use cookies and similar technologies as described in our Cookie Policy. Where required, non-essential cookies (analytics and advertising, including the Meta Pixel, Google Analytics, and the LinkedIn Insight Tag) load only after you consent via our cookie banner. You can change your choices at any time and opt out of sale/sharing using the "Your Privacy Choices" link in the footer; we honor GPC signals.
14. Security
We maintain administrative, physical, and technical safeguards appropriate to the data we handle, including encryption in transit, access controls, and monitoring. We never request your account passwords. To report a security concern, email info@kyto.io. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
15. Children's Privacy
Our services are intended for businesses and adults. We do not knowingly collect personal data from children under 18 (or the minimum age in your jurisdiction). If you believe a child has provided us data, contact info@kyto.io and we will delete it.
16. Colombia — Política de Tratamiento de Datos
For data subjects in Colombia, KAVE ADVISORS SAS is the Responsable del Tratamiento. Identity and domicile: KAVE ADVISORS SAS, [REGISTERED ADDRESS — COLOMBIA], contact info@kyto.io. The purposes of processing, the rights of titulares, and the procedures to exercise them are set out in this Policy (Sections 4, 5, and 11). The area responsible for handling peticiones, consultas y reclamos can be reached at info@kyto.io. This Policy is effective as of the "Last updated" date above and remains in force for the duration of our databases. Colombian titulares may contact us in Spanish at info@kyto.io to exercise their rights or request information in Spanish about the processing of their data.
17. Changes to This Policy
We may update this Policy to reflect changes in our practices or the law. Material changes will be posted here with an updated "Last updated" date and, where appropriate, communicated directly. Your continued use of our services after an update constitutes acceptance of the revised Policy.
18. Contact Us
For any question or request regarding this Policy or your personal data:
Kyto — KAVE ADVISORS LLC / KAVE ADVISORS SAS
KAVE ADVISORS LLC (United States): [REGISTERED ADDRESS — US]
KAVE ADVISORS SAS (Colombia): [REGISTERED ADDRESS — COLOMBIA]
Email: info@kyto.io
Website: https://kyto.io
Colombian titulares may also contact the Superintendencia de Industria y Comercio (SIC). EEA/UK users may lodge a complaint with their local data protection authority.