Privacy Policy
Effective Date: February 16, 2026 · Last Updated: February 16, 2026
1. Introduction
Keep'em ("Keep'em," "we," "us," or "our") is a product of CheckoutJoy (Pty) Ltd. We operate the interactive AI video platform available at keepem.io and related services (collectively, the "Services"). We are committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, and protect personal data when you visit our website, use our platform, or interact with our Services.
We designed Keep'em with privacy as a core principle — not an afterthought. All customer data is stored within the European Union, we never sell or share your personal data with third parties for their own purposes, and we collect only what is necessary to provide and improve the Services.
This Privacy Policy applies to:
- Visitors to our website (keepem.io)
- Customers who create accounts and use the Keep'em platform ("Customers")
- Viewers who watch and interact with videos hosted on Keep'em ("Viewers")
If you do not agree with the practices described in this Privacy Policy, please do not use our Services.
2. Who We Are
Keep'em is a product of CheckoutJoy (Pty) Ltd ("Company"), a company registered in the Republic of South Africa.
Registered Address:
Workshop17, 32 Kloof St
Gardens, Cape Town, 8000
South Africa
Data Protection Contact: privacy@keepem.io
For the purposes of data protection law, Keep'em acts as:
- Data Controller when we collect and process personal data from website visitors and customers for our own purposes (account management, billing, marketing, and platform improvement).
- Data Processor when we process personal data on behalf of our customers. This includes viewer data (names, email addresses, chat messages) that our customers collect through their use of the Keep'em platform.
3. Data We Collect
3.1 Data from Customers (Account Holders)
When you create a Keep'em account or interact with us, we may collect:
- Account information: Name, email address, and authentication credentials managed through our authentication provider (Clerk).
- Billing information: Billing address, payment method details, and transaction history. Payment processing is handled by our payment provider; we do not store full credit card numbers.
- Organization and project data: Organization name, project names, branding assets, custom domain configurations, and settings you configure within the platform.
- Uploaded content: Videos, documents, and other files you upload to the platform for processing and delivery.
- Usage data: Service usage metrics including stream units consumed, AI messages sent, API calls made, storage used, and feature interactions.
- Communications: Records of your communications with us, including support requests, emails, and feedback.
3.2 Data from Viewers (End Users of Customer Content)
When viewers register for and watch interactive videos on the Keep'em platform, we may process the following data on behalf of our customers:
- Registration data: Name, email address, and any additional fields the customer configures on their registration form.
- Viewing data: Video session details, completion rates, chapters viewed, drop-off points, and timestamps.
- Chat data: Messages sent to the AI chat, AI responses received, and any messages escalated to the customer's team.
- Technical data: IP address, browser type, device type, operating system, and referral URL.
Viewers should refer to the relevant customer's privacy policy for information about how their data is used, as the customer is the data controller for viewer data.
3.3 Data Collected Automatically
When you visit our website or use the platform, we automatically collect:
- Log data: IP address, browser type, operating system, referring URLs, pages visited, and timestamps.
- Device data: Device type, screen resolution, and language preferences.
- Cookies and similar technologies: See Section 9 (Cookies) below.
4. How We Use Your Data
4.1 Customer Data
We use customer data to:
- Provide, maintain, and improve the Services.
- Authenticate your identity and manage your account (via Clerk).
- Process billing and payments.
- Communicate with you about your account, service updates, and support requests.
- Monitor usage for billing, capacity planning, and enforcing plan limits.
- Detect, prevent, and address technical issues, abuse, and security threats.
- Comply with legal obligations.
4.2 Viewer Data (Processed on Behalf of Customers)
We process viewer data on behalf of our customers to:
- Enable video viewing, registration, and session management.
- Power AI chat functionality using Retrieval-Augmented Generation (RAG) from video transcripts and uploaded documents.
- Provide analytics and engagement metrics to the customer.
- Facilitate human escalation when AI confidence is low or the customer has configured escalation rules.
- Generate signed URLs for secure, time-limited video access.
4.3 Legal Bases for Processing (GDPR)
Where GDPR applies, our legal bases for processing personal data are:
- Performance of a contract: To provide the Services you have subscribed to.
- Legitimate interests: To improve our Services, ensure security, and communicate with you. We balance our interests against your rights and do not process data where your interests override ours.
- Legal obligation: To comply with applicable laws, regulations, and legal processes.
- Consent: Where we rely on consent (for example, for optional marketing communications), you may withdraw your consent at any time by contacting us at privacy@keepem.io or using the unsubscribe mechanism provided.
5. Data Storage and Security
5.1 Data Location
All customer and viewer data processed by the Keep'em cloud platform is stored within the European Union (AWS eu-west-1, Ireland). We do not transfer your data outside the EU for storage or processing purposes, except as noted below regarding sub-processors.
5.2 Authentication Provider
We use Clerk (Clerk, Inc.) as our authentication provider. Clerk is self-certified under the EU-U.S. Data Privacy Framework (DPF) and processes authentication data (email addresses, session tokens) in accordance with GDPR requirements. Clerk acts as a sub-processor under our data processing agreements.
5.3 Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher.
- Encryption at rest: All data stored in our databases and object storage is encrypted at rest using AES-256.
- Access controls: Strict role-based access controls limit who can access personal data within our organization.
- Signed URLs: Video content is delivered via time-limited, cryptographically signed URLs to prevent unauthorized access and link sharing.
- Infrastructure security: Our cloud infrastructure is hosted on AWS, which maintains SOC 2, ISO 27001, and other industry-standard certifications.
- Regular reviews: We periodically review and update our security practices to address evolving threats.
No method of transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
6. Data Sharing and Disclosure
6.1 We Never Sell Your Data
We do not sell, rent, or trade your personal data to any third party. Period. This applies to customer data, viewer data, and all other personal information we process.
6.2 We Do Not Share Data for Advertising
We do not share your personal data with advertisers, ad networks, or data brokers. We do not engage in targeted advertising based on your use of our Services.
6.3 Limited Sharing with Service Providers (Sub-Processors)
We share personal data only with trusted service providers who process data on our behalf and under our instructions. These sub-processors are contractually bound to protect your data and may only use it to provide services to us.
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, storage, CDN (CloudFront), AI services (Bedrock) | EU (eu-west-1, Ireland) |
| Clerk, Inc. | Authentication and user management | US (DPF certified) |
| Polar | Subscription billing and usage metering | See Polar's privacy policy |
We will notify customers of any changes to our sub-processor list. Customers may object to new sub-processors in accordance with our Data Processing Agreement.
6.4 Disclosure Required by Law
We may disclose personal data if required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6.5 Business Transfers
If Keep'em is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.
7. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law.
- Customer account data: Retained for the duration of your account and for a reasonable period after account closure to comply with legal obligations and resolve disputes. Account data is deleted within 90 days of account deletion, unless legal retention requirements apply.
- Viewer data: Retained on behalf of the customer for the duration of the customer's account. Customers can delete viewer data at any time through the platform. When a customer's account is deleted, all associated viewer data is deleted within 90 days.
- Uploaded content (videos, documents): Deleted within 30 days of the customer deleting the content or closing their account.
- Usage and billing records: Retained for up to 7 years as required by applicable tax and accounting regulations.
- Server logs: Retained for up to 90 days for security and debugging purposes.
- AI chat transcripts: Retained for the duration of the customer's account. Customers can delete individual chat transcripts or all viewer data at any time.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
8.1 Rights Under GDPR (EEA, UK, Switzerland)
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention requirements.
- Right to restriction: Request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: Request a copy of your personal data in a structured, commonly used, machine-readable format.
- Right to object: Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: Where processing is based on consent, withdraw your consent at any time.
- Right to lodge a complaint: File a complaint with your local supervisory authority.
8.2 Rights Under CCPA/CPRA (California Residents)
- Right to know: Request information about the categories and specific pieces of personal information we collect, use, and disclose.
- Right to delete: Request deletion of your personal information.
- Right to opt out of sale: We do not sell personal information. No opt-out is necessary.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
8.3 Rights Under POPIA (South Africa)
As a South African company, we also comply with the Protection of Personal Information Act (POPIA). Under POPIA, you have rights including: access to your personal information, correction of inaccurate information, deletion of personal information, objection to processing, and the right to lodge a complaint with the Information Regulator (South Africa).
8.4 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@keepem.io. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
For Viewers: If you are a viewer of content hosted on Keep'em and wish to exercise your data rights, please contact the organization (our customer) that operates the video you interacted with. They are the data controller for your data. If you are unable to reach them, you may contact us at privacy@keepem.io and we will assist in directing your request.
9. Cookies and Tracking Technologies
9.1 Cookies We Use
We use cookies and similar technologies to operate and improve our Services. We categorize cookies as follows:
- Strictly necessary cookies: Required for the platform to function (authentication, session management, security). These cannot be disabled.
- Functional cookies: Used to remember your preferences and settings.
- Analytics cookies: Used to understand how our website and platform are used so we can improve them. We use privacy-respecting analytics that do not track you across websites.
9.2 What We Do Not Use
We do not use:
- Advertising or retargeting cookies.
- Third-party tracking pixels for ad networks.
- Cross-site tracking technologies.
9.3 Managing Cookies
You can manage or disable cookies through your browser settings. Note that disabling strictly necessary cookies may affect the functionality of the Services. We respect Do Not Track (DNT) browser signals where technically feasible.
10. AI-Specific Privacy Disclosures
Keep'em uses artificial intelligence to provide interactive chat functionality. Here is how AI interacts with your data:
10.1 How AI Chat Works
When a viewer asks a question during a video, the AI generates a response using Retrieval-Augmented Generation (RAG). This means the AI retrieves relevant passages from the video transcript and any documents the customer has uploaded, then generates a contextual answer. The AI does not have access to data outside of the specific project's content.
10.2 AI Training
We do not use your data — including chat messages, video content, uploaded documents, or viewer interactions — to train AI models. Your content remains yours and is used solely to provide responses within your project.
10.3 AI Providers
AI processing is handled through AWS Bedrock (EU region) or, for customers on the Scale plan with BYOK (Bring Your Own Key), through the customer's own API keys with their chosen provider (OpenAI or Anthropic). When BYOK is enabled, AI requests are sent directly to the customer's provider account and are subject to that provider's privacy policy.
10.4 Confidence and Escalation
The AI includes a confidence score with each response. When confidence is low, viewers are informed and the question can be escalated to a human representative via the customer's configured escalation channel (e.g., Slack, email). This ensures transparency — viewers know when they are interacting with AI and when a human is involved.
11. Children's Privacy
Keep'em is not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at privacy@keepem.io and we will take steps to delete such data promptly.
12. International Data Transfers
Our primary data storage is in the EU (AWS eu-west-1, Ireland). Where personal data is transferred outside the EU (for example, to Clerk in the US for authentication), we ensure appropriate safeguards are in place, including:
- EU-U.S. Data Privacy Framework (DPF) certification of the receiving party.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements (DPAs) with all sub-processors.
We regularly review our sub-processors' compliance and will take appropriate action if a sub-processor fails to meet its data protection obligations.
13. Self-Hosted Deployments
Keep'em is available as an open-source, self-hosted platform. When you self-host Keep'em:
- No data is sent to Keep'em. All data remains on your own infrastructure.
- You are the data controller and processor. You are responsible for your own privacy policy, data security, and compliance with applicable laws.
- AI provider data flows are under your control. You connect your own API keys, and data flows directly to your chosen providers.
This Privacy Policy applies only to the Keep'em cloud-hosted service at keepem.io and related services operated by Keep'em.
14. Data Processing Agreement (DPA)
Customers who require a Data Processing Agreement for GDPR compliance can request one by contacting us at privacy@keepem.io. Our DPA covers:
- The nature and purpose of data processing.
- Categories of data subjects and personal data processed.
- Duration of processing.
- Obligations and rights of the data controller and processor.
- Sub-processor management and notification procedures.
- Data breach notification procedures (without undue delay and within 72 hours where feasible).
- Data subject rights assistance.
- Data return and deletion upon termination.
- Technical and organizational security measures.
15. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law.
- Notify affected customers without undue delay so they can fulfill their own notification obligations to data subjects.
- Document the breach, its effects, and remedial actions taken.
16. Third-Party Links
Our website or Services may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with any personal data.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or by posting a prominent notice on our website at least 30 days before the changes take effect. Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.
We will not reduce your rights under this Privacy Policy without your explicit consent.
Previous versions of this Privacy Policy will be archived and made available upon request.
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
CheckoutJoy (Pty) Ltd (operating as Keep'em)
Workshop17, 32 Kloof St
Gardens, Cape Town, 8000
South Africa
Email: privacy@keepem.io
General inquiries: hello@checkoutjoy.com
Legal: legal@keepem.io
This Privacy Policy is governed by the laws of the Republic of South Africa, without regard to its conflict of law principles.
For GDPR-related inquiries, you may also contact your local data protection supervisory authority.
This Privacy Policy is provided in English. In the event of any conflict between translated versions, the English version shall prevail.