CCPA and CPRA

Roles under CCPA / CPRA

Under the CCPA as amended by the CPRA:

• A business determines the purposes and means of processing personal information. The enterprise customer is the business.
• A service provider processes personal information on the business's behalf, under contract. Koji B.V. is a service provider.
• A contractor is functionally similar to a service provider for CCPA purposes.

Koji's DPA contains the service-provider clauses required by CCPA section 1798.140(ag) and (ai), including the prohibition on selling or sharing personal information, the prohibition on processing for any purpose outside the contract, and the obligation to assist the business with consumer requests.

Categories of personal information Koji processes

Acting as a service provider, Koji processes the following categories of personal information on behalf of the business customer:

• Identifiers: name, email address, phone number, and any account or device identifier provided by the customer or supplied at participant intake.
• Customer records: any other personal information collected through interview intake or interview content.
• Internet or other electronic network activity: IP address, browser type, device information, and platform usage data, used for security and operational purposes.
• Geolocation data: at the IP-address level, used for security and routing.
• Audio and visual information: voice recordings and transcripts of interview conversations, where the customer enables voice interviews.
• Inferences: AI-generated themes, sentiment labels, and recommendations derived from the above.

Sources of personal information

• The business customer (directly)
• Interview participants (directly through the platform)
• The customer's own contact lists or panels (uploaded by the customer)
• Automated collection during platform use (technical data)

Purposes of processing

• Delivering the platform service to the business customer
• Operating, maintaining, and securing the platform
• Detecting and preventing security incidents and fraud
• Complying with legal obligations

Koji does not use personal information for any purpose outside these documented business purposes. Koji does not combine personal information across business customers.

No sale or sharing of personal information

Koji does not sell or share personal information within the meaning of the CCPA / CPRA. Koji does not use personal information for cross-context behavioral advertising. The standard Koji DPA contractually prohibits the sale or sharing of personal information that Koji receives as a service provider.

Consumer rights

California residents have the following rights with respect to personal information processed about them. Because Koji acts as a service provider, requests are typically directed to the business customer (the controller). Koji supports the business in fulfilling these requests within the statutory window.

• Right to know the categories and specific pieces of personal information collected about you, the sources, the purposes, and the categories of third parties with whom it has been shared.
• Right to delete personal information that has been collected from you, subject to the exceptions in 1798.105(d).
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. (Koji does not sell or share personal information, so this right has no operational consequence.)
• Right to limit the use of sensitive personal information.
• Right to non-discrimination for exercising any of the above rights.

How to exercise rights

If you are a participant or end user of a business that uses Koji, contact the business directly to exercise your rights. Koji will route your request to the business if you contact us first.

If you have used Koji directly as an account holder (for example, on the self-serve product), you can exercise your rights by emailing [email protected]. We may need to verify your identity before fulfilling the request.

Retention

Retention of personal information that Koji processes as a service provider is determined by the business customer's configuration and contract. See GDPR and the DPA for the standard retention and deletion commitments, which apply equally to California personal information.

Authorized agents

A consumer can use an authorized agent to submit a request on their behalf. We will require written documentation of the agent's authority and may verify the consumer's identity directly.

Children

Koji is not directed to children under sixteen and does not knowingly collect personal information from them.

Contact

For CCPA-related questions, email [email protected]. For contract-level questions related to service-provider clauses, email [email protected].

Related coverage

California is the deepest US privacy regime, but it is no longer the only one. Twenty US states have passed comprehensive privacy laws on the same broad template:

• US state privacy laws — comprehensive coverage of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Florida (FDBR), Delaware (DPDPA), and the rest.
• HIPAA — for US healthcare personal information.
• Sector frameworks — FERPA (education), GLBA (financial), PCI DSS (payments), COPPA (children).
• International privacy laws — Canada, Brazil, Switzerland, Singapore, Australia, and more.