Privacy Policy

Last Updated: 30 March 2026

Kapsule Ltd (“Kapsule,” “we,” “our,” or “us”) provides Kapsule Terminal and related websites, applications, dashboards, APIs, and services (together, the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect Personal Data when you use the Services.

If you use the Services through an organization, that organization may also have its own privacy notice and may control certain data submitted into the Services. If a separate signed agreement applies, that agreement controls to the extent of any conflict.

1. Scope and who we are

This Privacy Policy applies to Personal Data we collect or process when you:

  • visit our website;
  • create, access, or use an account;
  • use the Services through your organization;
  • contact us for support, sales, or other business purposes;
  • submit information, files, prompts, datasets, or other content to the Services.

In this Privacy Policy, “Personal Data” means information that identifies, relates to, describes, or can reasonably be linked to an identified or identifiable person.

Depending on the context, Kapsule may act as:

  • a controller or similar role for website, account, billing, support, security, and business operations data; and
  • a processor, service provider, or similar role for certain data submitted by a Customer or Organization through the Services under that Organization’s instructions.

2. Categories of Personal Data we collect

We may collect the following categories of Personal Data:

2.1 Account and identity data

Examples include name, work email address, organization name, department, title, role, username, account identifiers, and account settings.

2.2 Usage, device, and security data

Examples include IP address, browser type, device type, operating system, timestamps, session data, feature usage, audit logs, authentication events, and diagnostic or security-related data.

2.3 Billing and transaction data

Examples include billing contact details, subscription status, invoices, payment status, and payment-related metadata provided by payment providers.

2.4 Communications and support data

Examples include emails, chat messages, support requests, meeting notes, attachments, survey responses, and feedback.

2.5 Marketing and website analytics data

Examples include page views, referral data, campaign data, clicks, cookie identifiers, and interactions with our public website or marketing emails.

2.6 Submitted content and service interaction data

Examples include prompts, queries, uploaded files, reports, exports, comments, settings, configurations, and related metadata submitted through the Services.

2.7 Organization administration data

Examples include administrator actions, user provisioning records, permissions, workspace ownership records, and account management activity.

3. Sensitive or health-related data rules

Kapsule Terminal is designed for business and analytics use. It is not a general-purpose system for uploading identifiable personal or patient data. Self-serve customers must not upload identifiable personal data, including patient data or protected health information. Enterprise customers may do so only where expressly authorized under signed enterprise documentation.

Customers and data partners are responsible for ensuring that they have all rights, permissions, consents, and lawful bases needed to provide data to us. Detailed upload rules, permitted data types, and data-partner obligations are set out in our Data Upload and Data-Partner Addendum.

You must not submit identifiable personal, patient, or health data into AI or free-text features unless that use has been expressly approved by Kapsule in writing under signed enterprise terms.

4. Sources of data

We collect Personal Data:

  • directly from you;
  • from your Organization or account administrator;
  • from Customers, approved enterprise users, or approved data partners;
  • from service providers that support hosting, authentication, billing, analytics, communications, security, or similar operations;
  • from your interactions with our website, Services, support channels, and marketing communications;
  • through cookies and similar technologies used on our public website and, where lawful and appropriate, limited analytics or service functionality tools in the product.

5. Purposes of processing

We use Personal Data to:

  • provide, operate, maintain, and secure the Services;
  • authenticate users and manage accounts, permissions, and workspaces;
  • process queries, reports, exports, dashboards, uploads, and other service functions;
  • provide support, onboarding, and account management;
  • process billing, payments, renewals, and related records;
  • detect abuse, prevent fraud, investigate incidents, and protect the Services;
  • monitor usage and improve reliability, usability, and performance;
  • communicate about product updates, service notices, support matters, and business opportunities;
  • measure website traffic and marketing performance;
  • comply with legal obligations and enforce our agreements;
  • protect our rights, systems, users, and business.

Where we process Customer-submitted data on behalf of an Organization, we do so to provide the Services, protect the Services, and comply with law and contract.

6. Legal bases for EU/UK users

If UK GDPR or EU GDPR applies, we rely on one or more of the following legal bases, depending on the context:

  • Contract: to provide the Services, manage accounts, process payments, and fulfill our obligations.
  • Legitimate interests: to secure the Services, prevent abuse, improve performance, support ordinary business operations, and conduct proportionate B2B communications where permitted.
  • Consent: where required, including for certain cookies or marketing activities.
  • Legal obligation: where we must retain records, respond to lawful requests, or comply with legal requirements.
  • Legal claims: where necessary to establish, exercise, or defend legal claims.

Where restricted or health-related data is processed at all, we do so only where permitted by applicable law, contract, and any required written approvals.

7. Cookies, analytics, advertising, and remarketing

We use cookies and similar technologies on our public website for purposes such as:

  • essential site functionality and security;
  • preferences and user experience;
  • website analytics and performance measurement;
  • campaign attribution and marketing effectiveness;
  • advertising and remarketing on public-facing pages, where lawful.

We do not use logged-in product surfaces for remarketing.

Where required by law, we seek consent for non-essential cookies or similar technologies through our website banner or similar consent mechanism. You can also manage cookies through your browser or device settings. Disabling some cookies may affect site functionality.

8. AI features and prompt/result handling

The Services may include AI-assisted, natural-language, or model-assisted features.

To provide those features, we and our service providers may process prompts, queries, surrounding context, outputs, uploaded files, and related logs or metadata. We may use this information as needed to provide the Services, maintain security, prevent abuse, troubleshoot issues, support users, enforce our terms, and improve the Services, subject to applicable law and contract.

We aim to use privacy-protective configurations where feasible, but provider capabilities and technical implementations may vary over time. Enterprise arrangements may include additional AI-related handling terms.

AI-generated or AI-assisted outputs may be incomplete, inaccurate, or unsuitable for high-risk uses. The Services do not provide medical advice and are not intended for diagnosis, treatment, emergency use, or clinical decision-making.

9. How data is shared

We may share Personal Data with:

  • your Organization and its administrators or authorized users;
  • service providers and subprocessors that help us operate the Services, including infrastructure, storage, authentication, billing, analytics, communications, support, security, and AI providers;
  • professional advisers such as lawyers, accountants, auditors, and insurers;
  • regulators, law enforcement, courts, or other third parties where required by law or legal process;
  • counterparties in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar transaction.

We may also use or disclose de-identified, aggregated, or statistical information that does not identify you, your Organization, or any individual.

We do not sell Personal Data for money.

10. International transfers

We may process Personal Data in countries other than the country where it was collected.

Where required by law, we use appropriate safeguards for international transfers, which may include:

  • adequacy regulations or adequacy decisions;
  • the European Commission’s Standard Contractual Clauses;
  • the UK International Data Transfer Agreement or UK Addendum;
  • other lawful transfer mechanisms permitted under applicable law.

You can contact us at privacy@kapsuletech.com for more information about applicable transfer safeguards.

11. Retention by data type

We retain Personal Data for as long as reasonably necessary for the purposes described in this Privacy Policy, subject to contractual commitments, operational needs, and legal obligations.

In general:

  • Account and profile data are retained while the account remains active and for a reasonable period afterward.
  • Billing and transaction data are retained as needed for accounting, tax, audit, fraud prevention, and dispute handling.
  • Usage, security, and audit data are retained as needed to maintain service integrity, investigate incidents, and support compliance and recordkeeping.
  • Support and communications data are retained as needed to resolve issues, improve support, and maintain business records.
  • Marketing and website analytics data are retained for as long as needed for the relevant purpose or until consent is withdrawn where applicable.
  • Submitted content, prompts, outputs, and uploaded files are retained based on service configuration, customer instructions, contractual terms, and applicable legal obligations.
  • Residual backup copies may remain for a limited period until overwritten or deleted in the ordinary course.
  • De-identified, aggregated, or statistical information may be retained longer where it no longer reasonably identifies any person.

12. User rights and how to exercise them

Depending on your location and applicable law, you may have rights to:

  • access Personal Data we hold about you;
  • correct inaccurate Personal Data;
  • delete certain Personal Data;
  • receive a copy of certain Personal Data;
  • object to or restrict certain processing;
  • withdraw consent where processing depends on consent;
  • lodge a complaint with a supervisory authority or regulator.

To make a request, contact privacy@kapsuletech.com.

We may ask you to verify your identity and authority before acting on a request. If your request relates to data controlled by your Organization, we may direct you to that Organization or act only on its instructions.

13. Security

We use reasonable technical and organizational measures designed to protect Personal Data, taking into account the nature of the data and the risks involved. These measures may include access controls, encryption in transit and at rest where appropriate, logging, monitoring, backups, and vendor oversight.

No method of transmission, storage, or processing is completely secure, and we cannot guarantee absolute security.

14. Children/minors

The Services are not directed to children under 13 and are not intended for general consumer use by minors.

If an Organization authorizes access by a minor, that Organization is responsible for ensuring that the access and use are lawful and appropriate.

15. Region-specific disclosures

15.1 EEA and UK users

If you are in the EEA or UK, you may have additional rights under applicable data protection law, including rights relating to access, correction, erasure, restriction, objection, portability, and complaints to your local supervisory authority.

15.2 California and certain other US state residents

Residents of California and certain other US states may have additional rights, subject to applicable exceptions, including rights to know, access, correct, delete, and obtain a portable copy of Personal Data, as well as rights to opt out of certain targeted advertising or similar activities where applicable.

We do not sell Personal Data for money. Where required by law, we offer relevant opt-out choices through our website consent tools, browser-based choices, or by request to privacy@kapsuletech.com.

16. Contact details

For privacy questions or requests, contact:

Kapsule Ltd
Kemp House, 124 City Road, London, EC1V 2NX, UK
General: info@kapsuletech.com
Legal: legal@kapsuletech.com
Privacy: privacy@kapsuletech.com

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice where required by law. The “Last Updated” date above shows when this Privacy Policy was last revised.