Last updated: June 2026
This Policy explains how Keply, operated by Keply Ltd ("Keply", "we"), handles personal data. We act as a processor for the customer data you connect (you are the controller), and as a controller for your account and usage data. When we process personal data on your behalf, our Data Processing Addendum governs that processing.
Account data (name, email, organization), data you connect (CRM, billing, mailbox, calendar, product-usage and survey signals — which may include personal data of your customers), AI-derived artifacts (health scores, risk flags, drafts), and product/usage logs. We do not sell personal data.
To provide the Service: normalize your data, compute health scores and risk, draft outreach, and operate the agent under your control. Connected tokens are encrypted at rest and never stored in plaintext. Customer-facing actions default to requiring human approval.
To generate scores and drafts, relevant context from your connected data is sent to our AI subprocessor (Anthropic) for inference under commercial terms that prohibit training on your data. Every agent action is recorded in an audit log. See our Subprocessors list for the providers involved.
When you connect Gmail, Keply requests read-only access (the gmail.readonly scope) to read your messages solely to detect customer-success signals — sentiment, renewal and contract mentions, payment issues, and engagement risk — and attribute them to the right customer account. Keply does not send, modify, label, or delete any mail.
Keply's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Google user data is used only to provide and improve these user-facing features; is never used for advertising; is never sold or transferred to third parties except as necessary to provide the Service, comply with law, or as part of a merger or acquisition; and is not read by humans unless you give explicit consent, it is necessary for security or to comply with law, or the data has been aggregated and anonymized.
We process personal data to perform our contract with you, on the basis of legitimate interests in operating and securing the Service, and on your instructions as processor. We comply with the EU/UK GDPR and the Israeli Privacy Protection Law. You are responsible for your lawful basis to connect customer data.
Access, rectification, erasure, restriction, portability, and objection. Where we are the processor, we assist the controller in fulfilling data-subject requests; where you are an individual end-user, we route your request to the relevant controller. Contact [email protected]; you may also lodge a complaint with your supervisory authority.
California residents have the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell or share personal information. To exercise rights, contact [email protected]. We will not discriminate against you for exercising them.
We use vetted sub-processors (cloud hosting, database, AI model, integration, and email providers) under data-protection terms. Our current list is published at keply.ai/legal/subprocessors. International transfers rely on appropriate safeguards, including the EU Standard Contractual Clauses where required.
We retain data for as long as your account is active or as needed to provide the Service, then delete or anonymize it within a defined window after termination. We use encryption in transit and at rest, tenant isolation, and access controls. Our security program is summarized at keply.ai/legal/security. No method is perfectly secure.
Data controller: Keply Ltd. Data protection contact: [email protected]. We will update this Policy as needed and note the date above.