Privacy Policy

Last updated: March 11, 2026

1. Who We Are

Kingdom System Discovery ("KSD," "we," "us") is an AI-guided educational platform based on the Kingdom Governance framework authored by Charlie Lewis.

Contact: For privacy questions or data requests, email [email protected]

2. Data We Collect

Registration & Profile

  • Name and email address
  • Language preference (auto-detected from browser)
  • Traffic source and UTM parameters (if present)
  • Account creation date

Conversations

  • Your questions and messages during discovery sessions
  • AI-generated responses
  • Session metadata (turn count, duration, AI-generated summary)

Security & Technical

  • IP address (login attempts only, for brute-force protection)
  • Login success/failure timestamps

What We Do NOT Collect

  • Payment or financial information
  • Precise geolocation
  • Browsing history outside of KSD

3. How We Use Your Data

  • Provide the service: Power your AI-guided discovery sessions
  • Improve quality: Analyze session themes to improve content (aggregated, not individual)
  • Security: Detect and prevent unauthorized access
  • Communication: Send password reset emails (no marketing emails)

4. Legal Basis for Processing (GDPR)

  • Consent: You provide consent when creating your account
  • Contract: Processing is necessary to deliver the conversation service you requested
  • Legitimate interest: Security monitoring and service improvement

5. Third-Party Data Processing

AWS Bedrock (AI Processing)

Your conversation messages are sent to AWS Bedrock (Anthropic Claude) to generate responses. AWS processes this data under their Service Terms and does not use your data to train AI models. Data is processed in the US (us-east-1 region).

Amazon SES (Email)

Password reset emails are sent via Amazon Simple Email Service. Only your email address and the reset link are transmitted.

We do not share your data with advertisers, data brokers, or any other third parties.

6. Cookies

We use a single essential cookie (ksd_token) for authentication. This cookie is:

  • HttpOnly (not accessible to JavaScript)
  • Secure (HTTPS only in production)
  • SameSite=Strict (not sent with cross-origin requests)
  • Expires after 7 days

We do not use tracking, analytics, or advertising cookies.

7. Data Retention

  • Active accounts: Data retained while your account exists
  • Account deletion: All data permanently deleted from primary database immediately
  • Backups: Automated backups may retain data for up to 30 days
  • Login attempts: Retained for 90 days for security purposes

8. Your Rights

Under GDPR, CCPA, and similar regulations, you have the right to:

  • Access: Download all your personal data (Profile → Privacy & Data → Download My Data)
  • Portability: Export your data as JSON
  • Erasure: Delete your account and all associated data
  • Rectification: Update your name or language preference
  • Withdraw consent: Delete your account at any time

All of these can be exercised from your Profile Settings page, or by emailing [email protected].

9. Data Security

  • Passwords hashed with bcrypt (cost factor 12)
  • All traffic encrypted via HTTPS (TLS 1.2+)
  • Authentication tokens are HttpOnly, Secure, SameSite=Strict
  • Rate limiting and account lockout for brute-force protection
  • Input validation against injection attacks (SQL, XSS)

10. Complaints

If you believe your privacy rights have been violated, please contact us first at [email protected].

You also have the right to lodge a complaint with your local data protection authority:

  • EU/EEA: Your national Data Protection Authority
  • UK: Information Commissioner's Office (ICO)
  • California: California Attorney General

11. Changes to This Policy

We may update this policy from time to time. Registered users will be notified of significant changes via email. The "Last updated" date at the top reflects the most recent revision.