Kadie — AI Usage & Data Policy
Last updated: October 27, 2025
Applies to: Any Customer (organization or user) or user account using Kadie’s AI-powered functionality. This policy is to be read together with Kadie’s Terms of Service and Data Processing Addendum (DPA). It focuses on data handling, providers, and inference—not commercial billing rules.
Commercial terms for Tokens (entitlements, validity, expiry, and subscription billing) are set out in Kadie's Terms of Use (Section 5) and on the pricing page.
1. Purpose & scope
This policy explains how Kadie uses artificial intelligence (AI), which provider and model power Kadie’s AI features, how tokens are handled and billed, and how we process, store, and protect data used in AI operations. It applies to all Kadie users and to any AI-powered features provided in the Kadie platform.
2. AI purpose & legal basis
Kadie processes Customer Data via an AI Provider to perform features explicitly requested by the Customer (for example: summarization, classification, content generation, and information extraction). Processing is performed on the Customer’s instructions and in accordance with any applicable DPA.
Customers are responsible for ensuring they have a lawful basis to submit and store Customer Data (including personal data) in Kadie and for complying with applicable laws and regulations.
3. Provider & model
Kadie uses OpenAI as its AI Provider and employs a lightweight inference model selected to balance throughput, latency, accuracy and cost for typical Kadie workloads. Keenduck may change the AI Provider or model over time. Where a change may materially affect data handling, retention, or security posture, we will notify customers and provide commercially reasonable migration support where applicable.
4. Kadie’s internal prompting mechanism
Kadie uses an internal prompting mechanism that programmatically composes the system-level instructions and context required to deliver AI features efficiently and with optimized token usage. This internal mechanism is designed to reduce the need for users to craft low-level prompts while improving result consistency and cost efficiency.
Keenduck does not log or persist the internal prompts generated by Kadie’s internal prompting mechanism, nor the unsaved outputs produced by those internal prompts, except where a user explicitly saves generated content. Keenduck logs token consumption for billing and reconciliation purposes only.
5. Data sent to the AI Provider (minimization)
Kadie transmits only the minimum information necessary to the AI Provider to fulfill the requested operation. That information may include: the user prompt, selected document excerpts or context, and the system-level instructions required to generate the response. Kadie avoids sending unrelated or unnecessary Customer Data and applies redaction, pseudonymization, or client-side pre-processing where feasible to reduce exposure of sensitive fields.
Depending on the AI function invoked, Kadie’s internal prompting mechanism may append selected contextual elements from Customer Data to improve result quality. Examples of contextual elements that may be included (when relevant to the requested function) include: context-analysis labels (e.g., strengths, weaknesses, opportunities, threats), stakeholder names, applicable regulation names, objective names, KPI titles (not KPI measures), risk and control names (titles only, not measured values), proposed risk treatments (names), assets, organizational role titles, safeguards, and incident descriptions and impacts. Kadie will not append unrelated Customer Data and will not include measurement values, secret credentials, or other highly sensitive fields unless explicitly requested by the Customer and permitted by contract and law.
6. Third-party (OpenAI) data handling & retention (public statements)
OpenAI’s published documentation indicates that API inputs and outputs are not used to train OpenAI models by default, and that API request data may be retained by OpenAI for operational purposes (for example, abuse detection) for a limited time (commonly a short window unless otherwise configured by the customer). OpenAI provides enterprise/business data controls (such as Zero Data Retention and Enterprise Key Management) for qualifying customers, subject to OpenAI’s terms and qualification process. Customers should consult OpenAI’s current documentation and terms for the most up-to-date details.
7. Kadie retention & logging (Kadie-controlled)
Token and billing logs: Kadie logs token consumption and billing-relevant metadata for account reconciliation and audit. These logs contain usage metrics, invoking user identifiers, the AI function invoked, and references required for billing; they do not contain full prompt or response texts by default. Retention of these logs is aligned with the Customer lifecycle and applicable legal or accounting requirements.
Saved responses (Customer-saved content): Content that a Customer explicitly saves within Kadie (for example, a generated report) is retained until deleted by the Customer or in accordance with the Customer’s subscription lifecycle and any contractually agreed retention terms.
Audit & security logs: Anonymized telemetry about AI function usage is retained for security investigations and compliance purposes (typical retention: 12 months). Aggregated or anonymized telemetry used for product improvement may be retained longer.
Operational caches and backups: Transient caches and backups used for operational continuity may contain snippets of Customer Data. Short-term caches are retained for operational necessity; backups are retained according to disaster-recovery policies. Where deletion requests are made, Kadie will take reasonable steps to remove Customer Data from backups within standard restoration windows.
8. Security measures
Keenduck implements organizational and technical measures designed to protect Customer Data, including but not limited to: TLS for data in transit, industry-standard encryption at rest for stored data, least-privilege access controls, multi-factor authentication for production access, logging and monitoring, vulnerability management, and an incident response process.
Keenduck requires contractual safeguards with third-party subprocessors used for hosting and operations.
9. Accuracy, limits & Customer responsibilities
Accuracy: AI outputs are probabilistic and may be incomplete, incorrect, or produce unexpected content (“hallucinations”). Kadie’s prompting and post-processing aim to maximize accuracy and relevance, but Customers must validate AI outputs before relying on them for critical, legal, regulated, medical, or financial decisions.
Complexity & token/context limits: AI models have inherent input/output (context window) limits. Kadie’s platform will attempt to manage and chunk large requests; however, extremely large or complex requests may need to be simplified or executed in steps.
User content guidelines: Customers should not submit data they are legally prohibited from sharing with a third-party AI Provider. For highly sensitive data (for example, national ID numbers, financial credentials, unencrypted health records, or other regulated personal data), Customers should consult Keenduck’s enterprise team to define appropriate processing patterns or alternative workflows.
10. Legal requests, law enforcement & incident response
Keenduck will comply with lawful requests for data from public authorities consistent with applicable law. Where appropriate and permitted, Keenduck will challenge or narrow requests that appear overbroad and will notify Customers unless prohibited by law. In the event of a security incident materially affecting Customer Data, Keenduck will notify affected Customers without undue delay and provide reasonable information regarding the incident and remediation steps.
12. Changes & notices
Keenduck strives for transparency. This policy may be updated as models, providers, laws, and operational practices evolve. Material changes that affect data handling, retention, or security posture will be communicated to Customers in accordance with contractual notice provisions. Continued use of Kadie’s AI features after notice of a change constitutes acceptance of the revised policy unless otherwise agreed contractually.
13. Contact & support
For questions about AI usage, data handling, opt-in/opt-out choices, enterprise controls, data access or deletion requests, contact: [email protected] or use the support channel inside Kadie. For enterprise or compliance enquiries (SLA, retention, Zero Data Retention, Enterprise Key Management), contact the Enterprise team.