privacy policy
last updated: may 7, 2026
this privacy policy explains how kai (operated by rohan kulkarni from bangalore, india, doing business as getheadcount) collects, uses, and protects information when you visit kai.getheadcount.io, book a quick scan, or engage us for a paid audit.
we keep this short and specific. if anything is unclear, email rohan@getheadcount.io.
who we are
kai is a productized hubspot portal audit. it is operated by rohan kulkarni as a sole operator, based in bangalore, india. we are the data fiduciary (under india's digital personal data protection act, 2023) and data controller (under gdpr) for personal information you provide directly to us through this site or during engagement with our services.
when we audit your hubspot portal under a paid engagement, we become the data processor for the personal data inside your hubspot account. that relationship is governed by our data processing addendum, available on request before any paid engagement begins.
what we collect
we collect three categories of information.
1. information you give us directly.
- name and email address when you book a quick scan or engage for an audit
- company name, role, and hubspot tier when you provide them on booking forms or during sales conversations
- payment information (handled by our payment processor — we never see card details)
- any context you share during a quick scan call or audit kickoff
2. information from your hubspot portal during a paid audit.
if you engage us for a paid audit, you provide read-only access to your hubspot portal via a private app token that you create and revoke. this gives us visibility into:
- contact, company, deal, and ticket records (including names, emails, phone numbers, lifecycle data)
- workflow configurations and execution data
- property definitions and fill rates
- engagement events (email opens, page views, form submissions)
- integration metadata
- reporting and dashboard configurations
we never receive login credentials. we use read-only scopes only. we never modify anything in your portal.
3. technical information from website visits.
- ip address and approximate location (city-level)
- browser type and operating system
- pages viewed and time on each
- referring url
we use cloudflare web analytics for this, which is privacy-respecting and does not use cookies or fingerprinting.
how we use what we collect
- to schedule and conduct quick scans and audits
- to deliver audit findings and walkthrough calls
- to communicate about your engagement
- to process payments
- to improve our services based on patterns we see across audits (always anonymized — we never reveal one customer's findings to another)
- to comply with legal obligations
we do not use your data for advertising. we do not sell your data. we do not use your hubspot portal data to train ai models.
how long we keep it
- website analytics: 90 days
- booking and contact information: retained while you are an active or potential customer; deleted within 12 months of the last interaction unless legal or accounting obligations require longer retention
- hubspot portal data accessed during an audit: deleted within 30 days of audit delivery. specifically:
  - we revoke our access to your private app token immediately on delivery
  - we delete all locally stored portal data within 30 days
  - we keep the audit deliverable document for our records for 12 months in case of follow-up questions, then delete it
- payment records: retained for 7 years to meet indian tax and accounting requirements
before erasure of personal data subject to your rights under DPDP, we will notify you at least 48 hours in advance, allowing you to request retention if needed.
sub-processors
we use a small number of vendors to operate the service. they are bound by contractual obligations to protect data at standards no less protective than those described here.
current sub-processors:
| vendor | purpose | location |
|---|---|---|
| cloudflare | dns, hosting, ssl, analytics | global cdn |
| google workspace | email and calendar | usa |
| cal.com | meeting scheduling | usa |
| stripe (or dodo payments) | payment processing | usa |
| anthropic | ai-assisted analysis during audits | usa |
we will give you 30 days' notice before adding, removing, or replacing any sub-processor that processes your data. if you object to a new sub-processor and we cannot resolve your concern, you may terminate any active engagement with a pro-rated refund.
cross-border data transfers
our sub-processors are located in the usa. when your personal data is transferred from india, the eu, or the uk to the usa, the legal mechanisms enabling those transfers are:
- for transfers from india: section 16 of the DPDP act read with the rules notified by the central government
- for transfers from the eu/uk: standard contractual clauses (anthropic, google, cloudflare, cal.com, and stripe each provide signed scc-equivalent agreements)
we do not transfer data to countries the indian government has prohibited under DPDP rules.
your rights
depending on where you are, you have rights under DPDP, gdpr, the uk data protection act, ccpa, or equivalent law. these include:
- access: request a copy of the personal data we hold about you
- correction: ask us to fix incorrect or outdated information
- erasure: ask us to delete your personal data
- portability: receive your data in a machine-readable format (where applicable)
- objection: object to specific uses of your data
- complaint: lodge a complaint with the data protection board of india, or your local supervisory authority in the eu/uk
to exercise any right, email rohan@getheadcount.io. we will respond within 7 business days. for verified requests, we will complete the requested action within 30 days. if we cannot, we will explain why and provide an estimated timeline.
we do not charge for these requests.
security
we implement reasonable technical and organizational measures to protect personal data:
- all data in transit is encrypted via tls
- hubspot private app tokens are stored encrypted at rest and never logged in plaintext
- access to customer data is limited to the operator (rohan kulkarni)
- all systems use multi-factor authentication
- we maintain documented incident response procedures
- in the event of a personal data breach, we will notify affected individuals and the relevant data protection authority within 72 hours of becoming aware
no system is perfectly secure. if you believe your data has been improperly accessed, email rohan@getheadcount.io immediately.
children
kai is a b2b service. we do not knowingly collect data from anyone under 18. if you believe a child has submitted information to us, email rohan@getheadcount.io and we will delete it.
changes to this policy
we may update this policy as our practices evolve, our sub-processors change, or law requires. for material changes that affect your rights or the purposes for which we process your data, we will notify you by email and, where required, seek fresh consent.
we maintain an archive of past versions, available on request.
contact
rohan kulkarni
operating kai · getheadcount
email: rohan@getheadcount.io
location: bangalore, india
for data subject requests, complaints, or questions about this policy, email is the fastest way to reach us.