Privacy Policy

Effective date: April 18, 2026  ·  Last updated: April 18, 2026

Kameleon Training Platform ("Kameleon," "we," "us," or "our") is a B2B software service provided to organizations ("Client Organizations"). This Privacy Policy describes how we collect, use, and handle information in connection with the platform.

If you are an employee accessing Kameleon through your employer (a Client Organization), your employer's own privacy policies also apply to your use of this platform. Please review them as well.

1. What Information We Collect

We collect information necessary to provide the training platform:

• Account information — Your name, work email address, and role (as provided by your organization's administrator).
• Training session data — Transcripts of your roleplay conversations with the AI-simulated member character, ADAPT dimension scores, and AI-generated feedback from each session.
• Performance data — Session scores, completion history, and behavioral signals detected during training (e.g., conversation gaps, stakeholder detection).
• Usage data — Login timestamps, session activity, and last-active timestamps used for session security and idle timeout enforcement.
• Audit data — For administrator accounts: a log of administrative actions (user creation, role changes, password resets) including IP address and timestamp.

We do not collect real member data, core banking system data, or any financial account information. The platform operates entirely on simulated training scenarios.

2. How We Use Your Information

• To operate and deliver the training platform
• To generate AI-powered evaluation and feedback on your training sessions
• To make your session history available to you and, where applicable, to your manager
• To enforce platform security controls (session management, account lockout, MFA)
• To maintain audit logs of administrative actions as required by Client Organization agreements

We do not use your data to train AI models. We do not sell or share your personal information with third parties for marketing purposes.

3. Who Can See Your Data

• You — You can view your own session transcripts, scores, and feedback from your dashboard.
• Your manager and organization administrators — Managers and admins at your Client Organization can view session replays, scores, and performance data for employees in their organization.
• Kameleon platform operators — Kameleon's superadmin accounts can access platform-level data for support, troubleshooting, and compliance purposes. Access is logged.

Data is strictly isolated by organization. Employees and managers at one Client Organization cannot access data belonging to another organization.

4. Third-Party Services (Sub-Processors)

We use the following third-party services to operate the platform:

• Anthropic (Claude API) — Processes roleplay transcripts to generate AI member responses and session evaluations. Anthropic does not retain conversation data beyond the request under standard API terms.
• Railway — Hosts the application server and PostgreSQL database. All data is stored in the United States (AWS us-west-2). TLS encryption in transit and encryption at rest.
• ElevenLabs — Converts AI-generated member dialogue to audio for voice playback (optional feature). Only the text of the AI's response is transmitted — no user data.
• Resend — Sends password reset emails. Only your email address and a time-limited reset token are transmitted.

A complete sub-processor list is available upon request.

5. Data Retention

During an active account: All training session data — transcripts, scores, feedback, audit logs, and user records — is retained for the duration of your organization's active account with Kameleon.

After account termination: Data is retained for 12 months following the termination of your organization's account. This retention period exists to support your organization in the event of an NCUA examination or audit that requires access to historical training records after account closure. After 12 months, all organizational data is permanently deleted.

Early deletion: Your organization's administrator may request deletion of all organizational data before the 12-month period has elapsed by submitting a written request to hello@kameleontraining.com. Deletion requests are processed within 30 days of receipt.

Individual user data: Individual employee records and session data may be deleted at any time by an organization administrator through the admin panel, independent of the organization's account status.

6. Security

We implement industry-standard security controls including bcrypt password hashing, TLS encryption in transit, session-based authentication with idle timeouts, multi-factor authentication for privileged accounts, and append-only audit logging. A full description of our security architecture is available to Client Organizations upon request for vendor due diligence purposes.

7. Your Rights

Depending on your location and applicable law, you may have rights to access, correct, or request deletion of your personal data. Requests should be directed to your organization's administrator in the first instance, or to us directly using the contact information below.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Client Organizations. Continued use of the platform following notice of changes constitutes acceptance of the updated policy.