Privacy Policy

Kismet is operated by Individual Entrepreneur Artem Tarasov, registration № 72930421, registered office at 002, 5 Deghatan str., Yerevan, Republic of Armenia (“Kismet,” “we,” “us”). Kismet is the data controller for personal data described in this policy. Contact: legal@kismetai.io.

Kismet is an independent product. It is not affiliated with, endorsed by, or sponsored by Epic Games, Inc. Unreal Engine and Blueprint are trademarks of Epic Games, Inc.

This policy applies to:

• The Kismet plugin for Unreal Engine (the “Plugin”) when it sends telemetry, error reports, or bug submissions to our servers.
• The Kismet website at kismetai.ioand the authenticated dashboard (the “Site”).

The Plugin also calls AI providers (currently Anthropic) directly from your machine using your own API key. That communication is covered by your provider’s privacy policy, not this one. See §8.

The agent loop reads and edits Blueprints on your machine. The full tool input/output (including the underlying Blueprint T3D text) is visible to the AI provider, since it is needed for the agent to reason about your graph. It is not visible to us.

Before any agent message is written to our database, our telemetry ingestion endpoint removes the body of any tool_result block whose tool was read_blueprint, write_blueprint, or edit_blueprint, replacing it with a redaction marker. We keep the agent’s intent (which tool it called, with what arguments) so we can investigate failures, but the Blueprint bytes themselves are dropped at the boundary.

The same is not true of crash reports and editor log tails — those may contain incidental file paths, asset names, or fragments of serialised data. We do not parse them for content; we read them only when investigating a specific crash you have asked us to look at.

We use the data described in §3 for the following purposes:

• To run the service — authenticate your account, issue and validate Plugin device tokens, deliver the dashboard, serve the auto-updater manifest.
• To compute and display your usage and cost — tokens, runs, models, and USD spend on your dashboard.
• To debug and improve Kismet — investigate errors, crashes, and failure patterns; reproduce bugs you report.
• To respond to you — reply to demo, contact, and support messages; send transactional emails (sign-in links, account-deletion notices).
• To prevent abuse — detect and stop automated sign-ups, scraping, and rate-limit violations.
• To comply with the law — respond to lawful requests, enforce our Terms, defend ourselves in disputes.

Legal bases (where GDPR/UK GDPR applies): performance of contract for service operation; legitimate interests for debugging, abuse prevention, and product improvement; consent for any future marketing communications.

We do not use your prompts, the assistant’s replies, or any Plugin telemetry to train, fine-tune, or evaluate AI models — ours or anyone else’s. We do not permit third parties to use this data to train their models. The only exceptions are:

• Content you explicitly report to us as feedback or as part of a bug report;
• Content flagged for security or abuse review (used to investigate the specific incident, not to train models);
• You explicitly opt in.

We may compute aggregate, de-identified statistics (e.g., “average tokens per run by model”) for our own product analytics. We do not attempt to re-identify de-identified data.

We share personal data only with vendors that operate the service on our behalf, under written terms that restrict their use of the data:

• Supabase, Inc. — managed Postgres, authentication, and serverless-functions hosting. Stores all account, telemetry, and bug-report data described above.
• Vercel Inc. — hosts the Site and processes ordinary HTTP-request metadata (IP, user agent, path) in its access logs. Vercel also collects anonymised web-vitals performance data (page load timing, route, country, anonymised IP) via Speed Insights for our own performance monitoring; no cookies are set, no cross-site identifiers are used, and the data is not sold or used for advertising.
• Upstash, Inc. — hosted Redis used to rate-limit abuse-prone endpoints (login, plugin device-code start/poll, demo and contact forms, password set). Upstash briefly processes your IP address as a rate-limit key and a counter that expires within minutes. We do not store any persistent personal data in Upstash.
• Cloudflare R2 — stores Plugin release archives (no personal data).

We may also disclose personal data:

• To a successor entity in connection with a merger, acquisition, financing, or sale of assets;
• To government, regulatory, or law-enforcement authorities when we are legally compelled, or to enforce our Terms or protect our rights;
• With your explicit consent.

We do not sell your personal data and we do not allow it to be used for cross-context behavioural advertising under U.S. state privacy laws.

Kismet uses a bring-your-own-key model. The Plugin calls Anthropic directly from your machine using the API key you provide. From a data-protection standpoint:

• Your direct relationship with Anthropic governs whether and how Anthropic processes your prompts and code. Their policies apply, not ours, to that traffic. See anthropic.com/legal/privacy.
• Your API key is not transmitted to or proxied through Kismet servers and is not logged by us.
• We are not a sub-processor of Anthropic in respect of your prompts. Anthropic is not our sub-processor for the prompt traffic either.

When the Plugin sends usage telemetry to us (separately from the call to Anthropic), the Blueprint-redaction rule in §4 applies.

Kismet operates from Armenia. Our hosting providers (Supabase, Vercel, Cloudflare) operate primarily from the United States and European Union. By using Kismet you understand your data may be stored or processed in those jurisdictions. Where required by EU/UK law we rely on Standard Contractual Clauses with our processors.

Account data, telemetry, and bug reports are retained for the life of your account. Run transcripts, events, error logs, and crash reports do not auto-expire.

Demo and contact-form submissions are deleted no later than 12 months after submission unless they have led to an ongoing customer relationship.

Account deletion. You can request deletion at any time from Settings → Account. We mark the account for deletion and immediately revoke all Plugin tokens. Hard-deletion runs on a monthly schedule, so the actual purge happens within roughly 30 to 60 days. During that window you can sign in and cancel the deletion. Once purged, the cascade removes your profile, machines, runs and run messages, events, error logs, crash reports, and tokens.

We may retain a minimal record of the deletion event itself (e.g., for fraud or legal-defence purposes) after the underlying account is gone.

Depending on where you live, you may have rights to access, correct, port, delete, or restrict processing of your personal data, to object to processing based on legitimate interests, and to withdraw consent. You can exercise most of these from the dashboard (Settings → Account). For anything else, write to legal@kismetai.io and we will respond within 30 days.

If you are in the EU/UK and unhappy with our response, you may complain to your local data-protection authority. If you are in California, you have additional rights under the CCPA/CPRA; we do not sell personal data or share it for cross-context behavioural advertising.

We use industry-standard measures to protect personal data, including row-level security on all user-data tables, hashed credentials and Plugin tokens (SHA-256), TLS in transit, encrypted storage at rest with our hosting providers, and least-privilege administrative access. See Data & Security for the technical details.

Because Kismet is currently operated by a sole proprietor, administrative database access is held by the operator alone and is not delegated to anyone else. The operator accesses stored data only when necessary for support, abuse investigation, security incidents, or legal compliance. We are working on per-query audit logging for that access; until it is in place we ask you to take this disclosure as the honest description of our current setup.

To report a vulnerability, write to legal@kismetai.io with subject “security”. We acknowledge reports within five business days.

Kismet is not intended for children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, write to legal@kismetai.io and we will delete it.

We will update this page when our practices change. The effective date at the top of the page reflects the last change. Material changes will be announced in the dashboard or by email at least 14 days before they take effect.

For privacy questions, data-subject requests, vulnerability reports, or anything else legal: legal@kismetai.io.

Postal address: Individual Entrepreneur Artem Tarasov, 002, 5 Deghatan str., Yerevan, Republic of Armenia.