How we handle your data.
People is a workspace for organisations. That only works if you trust us with employee data. This page explains what we collect, what we do with it, and what we will never do.
Who we are
People is a workforce-management platform from Kahloon, LLC, a Delaware limited liability company registered at 1111B S Governors Ave STE 21913, Dover, DE 19904, United States. Throughout this policy, "we", "us", and "People" refer to Kahloon, LLC as the operating entity. "You" refers to a Master, admin, or end-user of the People platform. "Your organisation" refers to the entity that owns the workspace.
Kahloon, LLC is the commercial operator of People. The Kahloon Foundation (Pakistan), a registered non-profit, funds the broader mission; the LLC handles contracts, billing, hosting and user agreements.
Our role depends on whose data it is
Data-protection law uses two terms: Controller (decides what data to collect and why) and Processor (handles data on the Controller's instructions). Our role in People depends on whose data you are asking about:
- Visitors to our public pages (/, /signup, /terms, /privacy, /dpa): we are Controller.
- Signup applicants: we are Controller of the email, organisation name, IP and user-agent collected at signup.
- Workspace Masters and admins: we are Controller of their account credentials and session telemetry.
- Employees and contractors whose records live inside a workspace: your organisation is the Controller; we are the Processor. Our Data Processing Addendum governs that processing.
- People who write to us: we are Controller of the email content.
The rest of this Policy describes what we do as Controller. For data we hold as Processor on behalf of a customer organisation, please refer to the DPA and to the customer organisation's own privacy notice.
What we collect
Public site visitors
When you visit our public pages we receive standard request metadata via our hosting platform: IP address, user-agent string, referring URL, and timestamps. We log these for security and operational reasons. We do not run third-party analytics, advertising or tracking on these pages.
Signup applicants
When you request a magic link to create a workspace, we collect your email address, the organisation name you typed, your IP address, your user-agent string, and a SHA-256 hash of the one-time magic-link token. The raw token is sent to you by email and is never stored. Pending sign-up records are kept for 15 minutes and then deleted; rate-limit metadata is kept for up to 1 hour for abuse prevention.
Workspace Masters and admins
When you complete signup we create an account for you in your workspace. We store your email address, role, and timestamps. We record session information when you sign in (session id, IP, user-agent, last-seen time) for the duration of each sign-in session.
Inside a workspace (we are Processor)
The Master and admins decide what employee data is entered. Typical fields include name, work email, government identifier (e.g. CNIC), bank account / IBAN, role, department, salary, leave balances, attendance, and uploaded documents. Sensitive identifiers (CNIC, bank account, IBAN) are encrypted at rest using a Key-Vault-managed key and only revealed to authorised roles with an audit log entry.
People who write to us
If you email us, we keep the email, its content, and our reply for as long as needed to handle the matter and to demonstrate compliance with our obligations.
How we use it
- To operate, maintain and secure People;
- To authenticate you (magic-link email delivery; session validation);
- To send transactional emails related to your workspace (sign-in confirmation, security alerts);
- To respond to your questions, feedback, or support requests;
- To detect, prevent and respond to abuse, fraud and security incidents;
- To comply with legal obligations and respond to lawful requests;
- To improve People in aggregate or de-identified form.
What we will never do
We do not sell your data. We do not rent your data. We do not share your data with advertisers. We do not use Customer Data to train AI models without your prior consent. We do not monetise personal or workforce information in any form. This commitment is non-negotiable.
Who can access your data
Access to workspace data is tightly restricted. Inside Kahloon, LLC, only a small number of technical personnel have controlled access to the systems where data is stored, and only when strictly necessary for platform operations, troubleshooting, or responding to a customer support request.
We work with a limited set of trusted service providers who help us operate the platform. They are bound by data-protection terms:
- Microsoft Azure: hosting infrastructure (App Service), database (PostgreSQL Flexible Server), document storage (Blob Storage), secret management (Key Vault), and transactional email (Communication Services, sender noreply@kahloon.com). Region: West US 3 (United States).
- Microsoft Entra ID: only for tenants that have opted in to Microsoft federated sign-in.
- GitHub, Inc. (a Microsoft subsidiary): source-code hosting and CI/CD pipelines. Repositories do not contain Customer Data; build environments briefly handle deployment secrets.
- GoDaddy Operating Company, LLC: domain registrar and authoritative DNS for kahloonfoundation.org and kahloon.com.
The current sub-processor list is also kept in our DPA, Annex 1. We will give workspaces at least 14 days' notice before adding or replacing a sub-processor.
We will disclose data to law enforcement or government authorities only when legally compelled to do so, and will notify you where permitted by law.
How your data is protected
- Encryption in transit. All traffic between your device and People is encrypted via HTTPS / TLS 1.2+.
- Encryption at rest. The database and document storage are encrypted by the platform. Selected identifier fields (CNIC, bank account, IBAN) are additionally protected with application-level envelope encryption using a Key-Vault-managed key.
- Tenant isolation. Multi-tenant separation is enforced at the database layer using PostgreSQL row-level security; the application connection role is subject to RLS policies that key off the current workspace context.
- Least-privilege roles. Session lookups use a dedicated low-privilege Postgres role; the customer-admin role used for migrations is never used for runtime traffic.
- Magic-link tokens are stored only as SHA-256 hashes; the raw token never persists in the database.
- Audit log of sensitive data access and administrative actions, kept for the life of the workspace plus 1 year.
- Rate-limiting on authentication and signup endpoints to reduce automated abuse.
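The magic-link handling described in the signup and protection sections (raw token sent by email, only its SHA-256 hash stored, pending row consumed on use or deleted after 15 minutes) as an added Python sketch; this is illustrative code, not the People code base, and the in-memory store, clock and field names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

PENDING_TTL = timedelta(minutes=15)   # pending sign-up retention stated in the policy

def hash_token(raw: str) -> str:
    """SHA-256 hex digest of the raw magic-link token; this digest is all that is stored."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

@dataclass
class PendingSignup:
    email: str
    org_name: str
    token_hash: str            # never the raw token
    expires_at: datetime

class ManualClock:
    """Constructed test clock so expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    def advance(self, **delta) -> None:
        self.now += timedelta(**delta)

class PendingStore:
    """In-memory stand-in for a pending-signup table (assumed schema, not the real one)."""
    def __init__(self, clock: ManualClock) -> None:
        self.clock = clock
        self.rows: Dict[str, PendingSignup] = {}   # keyed by token hash

    def issue(self, email: str, org_name: str) -> str:
        raw = secrets.token_urlsafe(32)            # 256 bits of entropy
        h = hash_token(raw)
        self.rows[h] = PendingSignup(email, org_name, h, self.clock.now + PENDING_TTL)
        return raw                                 # goes into the email only, never the database

    def purge_expired(self) -> int:
        stale = [h for h, r in self.rows.items() if r.expires_at <= self.clock.now]
        for h in stale:
            del self.rows[h]
        return len(stale)

    def redeem(self, raw: str) -> Optional[PendingSignup]:
        """Hash the presented token, compare digests in constant time, consume the row (single use)."""
        self.purge_expired()
        h = hash_token(raw)
        for stored, row in list(self.rows.items()):
            if hmac.compare_digest(stored, h):
                del self.rows[stored]
                return row
        return None
```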
No system is perfectly secure. We will notify affected customers without undue delay if we become aware of a personal-data breach affecting them, and in any event within 72 hours of confirming the breach.
Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, port, or object to our processing of personal data, and to lodge a complaint with a supervisory authority.
To exercise any of these rights with respect to data we hold as Controller, use our contact form. We will respond within 30 days, or sooner where the law requires.
If your data is inside a customer's workspace, please contact that organisation first. We will assist them as Processor, in line with the DPA.
Cookies
We use a single first-party cookie (__kf_session) to remember that you are signed in. It is set HttpOnly, Secure, SameSite=Lax, and expires 8 hours after sign-in (absolute: there is no sliding renewal). We do not use advertising cookies, cross-site trackers, or third-party analytics.
Retention
- Public-site request logs: up to 90 days.
- Pending signup rows: up to 15 minutes after the magic link is sent (sooner if used).
- Signup rate-limit metadata: up to 1 hour, then discarded.
- Active session records: deleted on sign-out, on revocation, or 8 hours after sign-in.
- Customer Data inside a workspace: kept while the workspace is active; deleted within 30 days of workspace closure, unless the law requires longer retention.
- Backups: managed by our cloud platform; data is purged from backups within 7 days of the underlying deletion (Azure point-in-time-recovery window).
- Audit logs: kept for the life of the workspace plus 1 year, then deleted, unless the law requires longer.
International users
People is operated from the United States. Primary infrastructure is in Microsoft Azure's West US 3 region (Phoenix, Arizona). By using People, you consent to the transfer and storage of your data in the United States and other countries where our service providers operate. We take steps to ensure your data receives an adequate level of protection wherever it is processed.
Children
People is intended for organisations and the adults who run them. We do not knowingly collect personal data from anyone under 18. If you believe a minor's data has been entered into a workspace inappropriately, please contact us and we will work with the workspace's admins to address it.
Changes to this policy
We may update this Policy from time to time. When we make material changes, we will notify the Master by email or through a prominent notice in People at least 14 days before the changes take effect. The "Effective" date at the top of this page indicates when the current version was published.
Questions about this policy?
Reach us via our contact form
Mail: Kahloon, LLC · 1111B S Governors Ave STE 21913 · Dover, DE 19904 · United States