Privacy Policy

Entity Kango Labs LLC
Product Umbravi — Shadow AI Discovery
Effective April 2026

Kango Labs LLC (“we,” “us,” or “Umbravi”) operates umbravi.io. This Privacy Policy explains what information we collect when you visit our website or use our services, how we use it, and your rights with respect to it.

For information specific to how we handle your technology spend data submitted as part of a Shadow AI Discovery report purchase, please refer to the Service Terms & Data Governance document, which governs that process in full.

Section 01

What We Collect

Information You Provide

When you contact us, submit an inquiry, or purchase a service, we may collect:

  • Name and work email address
  • Company name, company size, and your role
  • Any information you voluntarily include in messages to us

Information Collected Automatically

When you visit umbravi.io, we may automatically collect basic technical data including:

  • Browser type and version
  • Pages visited and time spent on each page
  • Referring URL
  • General geographic region (country or region level only)

We do not use invasive tracking, build personal profiles of website visitors, or sell any visitor data.

Section 02

How We Use It

We use the information we collect to:

  • Deliver Shadow AI Discovery reports and communicate about your order
  • Respond to inquiries and provide customer support
  • Improve our website and services based on aggregate usage data
  • Send service-related communications (delivery confirmations, follow-up on reports)
  • Comply with applicable legal obligations

We do not use your information for targeted advertising. We do not sell, rent, or license your personal information to any third party for commercial purposes.

Section 03

How We Store & Protect It

All data transmitted to and from umbravi.io is encrypted in transit using TLS 1.2 or higher. Data stored on our systems is encrypted at rest using AES-256 encryption.

We apply a minimal-retention approach: we collect only what is necessary, retain it only as long as required to deliver our services, and delete it on a defined schedule. Technology spend data submitted as part of a report purchase is deleted from our active systems within 14 days of report delivery.

In addition to the raw-data retention described above, Umbravi maintains an internal Shadow AI Index — an aggregated, de-identified dataset drawn from the reports we produce. The Index supports sector-level research and regulatory trend analysis. No individual customer is identifiable from Index-derived output. Full scope, inclusions, and exclusions are detailed in our AI Governance Statement.

We maintain reasonable administrative, technical, and physical safeguards designed to protect the information we hold. No method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

Section 04

Third Parties

We work with a small number of third-party service providers to operate our business. These providers access your information only as necessary to perform their functions and are not permitted to use it for other purposes.

  • Stripe — Payment processing. PCI-DSS Level 1 certified. We do not store your payment card information. Stripe’s privacy policy governs payment data handling.
  • Tally.so — Intake form processing and file upload. GDPR-compliant. Files are accessed only by authorized Umbravi personnel and deleted within 24 hours of download.
  • Microsoft OneDrive / Google Drive — Report delivery. Your report is delivered to your chosen platform and remains under your organization’s existing security controls.
  • Anthropic — AI analysis. Our report generation pipeline uses Claude, Anthropic’s AI model, under terms that prohibit use of submitted data for model training.

We do not share your personal information with any other third parties except as required by law.

Section 05

Cookies & Tracking

umbravi.io uses minimal cookies necessary for the website to function. We do not use third-party advertising cookies, cookie-based retargeting, or behavioral profiling.

We use Google Analytics 4 (GA4) to understand aggregate website usage — page views, form submissions, and conversion events. GA4 sets first-party cookies on your browser to distinguish between unique visitors. IP addresses are anonymized before being sent to Google. We do not use GA4’s advertising features and do not share GA4 data with advertisers.

Our site displays a consent banner on first visit. You may accept or decline analytics cookies at that time. Your choice is stored locally in your browser and respected on all subsequent visits. To change your choice later, clear your browser’s local storage for umbravi.io and the banner will reappear on your next visit.

Visitors from the European Economic Area, United Kingdom, and Switzerland have analytics cookies denied by default until they explicitly opt in. Visitors from other jurisdictions have analytics cookies granted by default with the option to decline.

We do not use Google Analytics advertising features, Google Ads remarketing, Facebook Pixel, LinkedIn Insight, or any other third-party advertising or profiling pixel at this time. If we add any of these in the future, we will update this policy and adjust the consent banner accordingly.

Section 06

Your Rights

Regardless of your location, you may contact us to exercise the following rights with respect to your personal information:

  • Access — Request a copy of the personal information we hold about you
  • Correction — Request correction of inaccurate personal information
  • Deletion — Request deletion of your personal information
  • Objection — Object to our processing of your personal information
  • Portability — Request your personal information in a machine-readable format

To exercise any of these rights, contact us at hello@umbravi.io. We will respond within 1–2 business days.

For organizations with EU data obligations, a Data Processing Agreement is available upon request. Contact us at hello@umbravi.io to discuss your requirements.

Section 07

Data Retention

We retain personal information only as long as necessary to fulfil the purposes for which it was collected or as required by law:

  • Technology spend export files — deleted within 14 days of report delivery
  • Intake form responses — deleted within 14 days of report delivery
  • Report delivery links — expired and deleted within 14 days of delivery
  • Contact and inquiry information — retained for up to 12 months, then deleted
  • Transaction records — retained for 7 years as required for tax and accounting purposes

Section 08

Children

Umbravi is a business-to-business service intended for use by organizations and their authorized representatives. This website is not directed to children under the age of 18, and we do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, please contact us immediately at hello@umbravi.io.

Section 09

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page. We encourage you to review this policy periodically. Your continued use of umbravi.io following any update constitutes acceptance of the revised policy.

For material changes that affect how we handle personal information you have already provided, we will make reasonable efforts to notify you directly.

Section 10

Contact

For questions about this Privacy Policy or to exercise your data rights:

Kango Labs LLC — Umbravi

hello@umbravi.io

umbravi.io