How we handle your data.
Effective May 18, 2026.
This Privacy Policy explains what personal data Thalient Labs, LLC ("Knack", "we", "us") collects when you use the Knack website, web app, CLI, API, and related services (the "Service"), why we collect it, who we share it with, and the rights you have over it.
We've written this in plain English. Where a clause is required by GDPR, UK-GDPR, or CCPA / CPRA, we've called it out so you can find what you need.
Quick summary
- We collect what you give us (account info, interview transcripts, files you upload, the Skills you create) and a small amount of operational data (logs, run metadata, error reports).
- We use it to run the Service, support you, bill you, and improve the product. We do not sell personal data. We do not train AI models on your private (Personal- or Team-scope) Skills.
- We share data only with the subprocessors listed on the Subprocessors page — auth, hosting, AI inference, storage, email — and only as needed to run the Service.
- You can access, export, correct, or delete your data at any time. Email support@getknack.ai.
Who we are; controller
For data-protection purposes, the controller of your personal data is:
Thalient Labs, LLC c/o Legalinc Corporate Services Inc. 131 Continental Dr, Suite 305 Newark, DE 19713, USA support@getknack.ai
If you are in the EU, UK, or Switzerland, this address also serves as our point of contact for data-protection inquiries. We are not required to appoint an EU/UK representative under GDPR Article 27 (our processing does not meet the thresholds that trigger that requirement); if that changes we will update this page.
Data we collect
From you, when you sign up and use the Service
- Account data. Your name, email address, and the password hash held by our authentication provider (Clerk). Profile fields you choose to add. Billing identifiers and the last four digits of any payment method on file — full payment-card numbers are never seen by us; they are held by Clerk and its payment partners.
- Skill content. The interview transcript, your answers, captured rules, the SKILL.md and supporting files, and any artifacts you upload (e.g., examples, screenshots, CSVs, PDFs, code snippets). When the CLI saves a new version of a Skill, the contents of the Skill itself (the SKILL.md text and any files generated by your agent during creation, such as scripts or templates) are uploaded as part of that version.
- Communications. Anything you send us — support emails, feedback, bug reports.
From the Service, automatically
- Authentication and session data. Sign-in events, IP address at sign-in, browser/user-agent string, session tokens. Held primarily by Clerk; we receive enough to associate sessions with your account.
- Run telemetry from the Knack CLI. Each time the CLI runs a Skill, we receive metadata about the run: timestamp, Skill version run, model used, success or failure, latency, and the names (not contents) of files the Skill touched on your machine. The CLI does not upload the contents of files the Skill reads on your machine to us. Telemetry is on by default to make the feedback loop work; you can toggle it off in
~/.knack/config. - Error and performance logs. Crash and error reports captured by our error-tracking subprocessor (Sentry). These include stack traces, the browser/app version, and the URL where the error happened. They occasionally include user-supplied input where that input caused the error; we configure the SDK to scrub obvious secrets (tokens, passwords).
- Web analytics. We use the minimum analytics needed to understand which marketing pages work. This is currently limited to server-side request logs hosted by our infrastructure provider (Render). We do not use third-party advertising trackers and we do not sell or share data for cross-context behavioural advertising as defined under CCPA / CPRA.
From third parties
- Authentication and billing identifiers from Clerk when you sign in or upgrade.
- Payment-method status (success, failure, chargeback) from Clerk's payment processor.
Why we use it; lawful bases (GDPR / UK-GDPR)
We process personal data only where we have a lawful basis. The bases below correspond to GDPR Article 6:
| Purpose | Lawful basis |
|---|---|
| Provide and operate the Service (account creation, hosting your Skills, running your interview, processing your runs, displaying the marketplace) | Contract — necessary to perform our agreement with you (Art. 6(1)(b)) |
| Charge you and process payments | Contract (Art. 6(1)(b)) |
| Communicate operational and security notices, respond to support requests | Contract / legitimate interest (Art. 6(1)(b) / 6(1)(f)) |
| Detect and prevent abuse, fraud, security incidents; enforce the Terms | Legitimate interest in running a safe Service (Art. 6(1)(f)) |
| Comply with legal, accounting, and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Improve features, fix bugs, build aggregated usage analytics — excluding training models on private content | Legitimate interest in product improvement (Art. 6(1)(f)) |
| Marketing emails to existing users about new features | Legitimate interest (Art. 6(1)(f)) — you can opt out at any time |
| Marketing to people who aren't customers yet | Consent (Art. 6(1)(a)) — given via newsletter signup |
For special-category data (GDPR Article 9) we do not knowingly process it. Don't put it into the Service unless you have to; if you do, the lawful basis is your explicit consent (Art. 9(2)(a)).
How we use Skill content
- Personal and Team-scope Skills are private. We host and run them for you. We do not use them to train AI models — ours or our subprocessors'. We do not display them publicly.
- Public-scope Skills, which you affirmatively choose to publish to the marketplace, may be used by us for benchmarks, evaluations, demonstrations, examples, and (where useful) as training data for our or our subprocessors' models. By publishing publicly you're making the Skill broadly available; this is consistent with the Apache 2.0 license granted on publication (see the Terms).
- AI inference at creation time. When you build a Skill, the interview transcript and any files you uploaded are sent to our language-model inference provider (and, on the PRO tier, our video-understanding provider) to generate the Skill. These providers see only the prompt text needed for the call; we do not send them your name, email, or account identifiers, and we have configured the providers' "no training on customer prompts" mode where it is available.
Who we share with
We share personal data only with the categories of recipients below, and only where required to run the Service. The current named list of vendors in each category is on the Subprocessors page, which we keep up to date.
- Authentication and billing provider (currently Clerk) — sign-in, sessions, plan management, payments.
- Hosting and database provider (currently Render) — application hosting and managed Postgres.
- Object-storage provider (currently Cloudflare R2) — file storage for uploaded artifacts and Skill bundles.
- Language-model inference provider — generates the Skill content during the interview.
- Video-understanding provider (PRO tier only) — transcribes and understands video walkthroughs.
- Speech-recognition provider (currently Deepgram) — converts your interview audio to text when you opt in to live transcription.
- Transactional email provider (currently Resend) — sends sign-in emails, billing receipts, security and product notices.
- Error-tracking provider (currently Sentry) — captures crash reports for debugging.
- Government and law-enforcement agencies — only where required by law, valid legal process, or to protect rights, safety, and the integrity of the Service.
- Successors in a corporate transaction — if Knack is acquired, merged, or sells assets, your data may be transferred to the successor, subject to this Policy (or a successor policy that is no less protective).
We do not sell personal data, and we do not "share" it for cross-context behavioural advertising as those terms are defined under CCPA / CPRA.
International transfers
We are based in the United States. Several of our subprocessors operate globally. Where personal data is transferred from the EU, UK, or Switzerland to a country that lacks an adequacy decision, the transfer is covered by the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) signed with that subprocessor, plus the technical and organizational measures described below. You may request a copy of the relevant transfer mechanism by emailing support@getknack.ai.
Security
- In transit: all connections to the Service are encrypted with TLS 1.2 or higher.
- At rest: uploaded files in object storage are encrypted at rest with per-object envelope encryption (each artifact has its own data key, wrapped with an app-level master key). The application database is encrypted at rest by the managed-database provider.
- Access: access to production data is restricted to a small number of staff under role-based controls, with audit logging.
- Secrets: we do not log the contents of uploaded files or the substance of interview transcripts to our application logs.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at support@getknack.ai.
How long we keep data
| Type of data | Retention |
|---|---|
| Account profile, Skills, transcripts, uploaded artifacts | Until you delete the Skill or your account, then up to 30 days in object storage and up to 90 days in encrypted backups |
| Billing records | 7 years, as required by US tax and accounting law |
| Run telemetry | 24 months, then aggregated and anonymized |
| Error and access logs | 90 days |
| Marketing email contacts (newsletter) | Until you unsubscribe |
| Records relating to a legal claim, dispute, or investigation | For the duration of the matter and any applicable statute of limitations |
When you delete a Skill, the file objects are removed from object storage within 30 days, and the database row is soft-deleted then purged on the next quarterly purge cycle. Encrypted backups age out within 90 days.
Your rights
Wherever you live, you can:
- Access the personal data we hold about you.
- Export your data in a portable format.
- Correct inaccurate data.
- Delete your account and the data tied to it (subject to the retention table above).
- Opt out of telemetry from the CLI (toggle in
~/.knack/config) and marketing emails (link in every marketing email).
If you are in the EU, UK, or Switzerland, GDPR / UK-GDPR additionally gives you the right to:
- Restrict processing or object to processing based on legitimate interests.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your supervisory authority. (You're welcome to contact us first; we'd like a chance to fix it.)
If you are a California resident, CCPA / CPRA additionally gives you the right to:
- Know the categories of personal information collected, the sources, the purposes for collection, and the categories of third parties with whom it's shared. (Listed above.)
- Request deletion of personal information, with limited exceptions.
- Request correction of inaccurate personal information.
- Limit use of sensitive personal information. Knack does not use sensitive PI for purposes beyond what is necessary to run the Service.
- Be free from retaliation for exercising your CCPA rights. We won't deny you the Service, charge a different price, or give you a lower-quality experience for asserting them.
Knack does not sell or share personal information for cross-context behavioural advertising. We honour Global Privacy Control signals.
To exercise any of these rights, email support@getknack.ai from the address on your account. We will respond within 30 days (we may extend by up to 60 additional days for complex requests, with notice). You can also designate an authorized agent to make a CCPA request; we will verify the authorization.
Children
The Service is not directed to anyone under 18, and you must be 18 or older to use it. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, email support@getknack.ai and we will delete it.
Cookies and similar technologies
The Knack web app uses a small number of strictly-necessary cookies and similar storage:
- Authentication / session. Set by Clerk to keep you signed in.
- CSRF protection. Anti-forgery tokens for form submissions.
- Preferences. Local browser storage for UI preferences (theme, sidebar state).
We do not use advertising cookies, behavioural-tracking cookies, or third-party analytics that fingerprint you. Where required by law (e.g., EU/UK), the strictly-necessary cookies fall outside the consent requirement; if we ever add cookies that don't, we will add a consent banner.
Changes to this Policy
We may update this Policy. For changes that materially reduce your rights, we will give at least 30 days' notice by email and by posting the updated version with a new "Effective" date. Material edits are highlighted in the corresponding announcement.
Contact
Privacy questions, data-subject requests, and complaints: support@getknack.ai.