Privacy Policy
What we collect, why, how long we keep it, and how to get it out.
Last updated July 14, 2026.
1. What we collect
Knock collects only what it needs to operate the service. Specifically:
- Account info. Name, email, password (stored as a bcrypt hash — never in plain text), workspace name, plan selection, billing status.
- Contacts you upload. First name, last name, phone number (US, E.164 format), email, timezone, birthday, home anniversary, closing date, address, ZIP, freeform notes, sphere membership, consent flag and source. You upload these; we don't get them from anywhere else.
- Messages and templates. The bodies of the messages and templates you compose, plus scheduled send times and per-signal status (scheduled / sent / skipped / expired / failed).
- Compliance audit log. For each send attempt: timestamp, contact phone number, decision (sent or blocked), and reason if blocked. Kept for at least 12 months for your TCPA defense.
- Device key activity. When your iPhone polls Knock: the device-key ID (the key itself is never stored in plain text — only its SHA-256 hash), the timestamp, and the IP address.
- Server logs. Standard web-server logs (IP, user-agent, requested URL, response code, timestamp) kept up to 30 days for security and debugging.
- Billing data. If you start a subscription, our payment processor (Square) holds your card details; Knock stores only the customer ID, subscription ID, and a record of charges. Knock never sees or stores your full card number.
2. How we use it
- To operate Knock: schedule messages, run compliance gates, dispatch to your iPhone, and show you the dashboard.
- To send transactional email: password resets, billing receipts, security alerts. We do not send marketing email without your explicit opt-in.
- To prevent abuse: rate-limiting, identifying suspicious activity, and investigating reported violations.
- To respond when you contact us.
3. Who we share it with
The short answer: as little as possible. The long answer:
- Your recipients' carriers. When your iPhone sends a text, it goes from your phone number through your wireless carrier to the recipient's carrier. Knock has no role in this step.
- Square (payment processor). If you subscribe, Square processes your card per their privacy policy.
- Hosting and email infrastructure. Knock runs on a DigitalOcean droplet. Outgoing transactional email is dispatched via the server's local mail-transfer agent.
- Law enforcement. If we receive a valid legal request (subpoena, court order, etc.) we comply. We'll notify you first unless the request prohibits it.
We do not sell your data. We do not share contact lists with advertisers. We do not feed your data into AI training.
4. How long we keep it
- Account and contacts: until you delete them or close your account.
- Compliance audit log: at least 12 months (regulatory defense). May be longer if there's an open dispute.
- Server logs: up to 30 days.
- Billing records: as long as required by tax and accounting law (typically 7 years in the US).
- After account closure: data is available for export for 30 days, then deleted on request or after 12 months of dormancy. Compliance audit log and billing records survive deletion as required by law.
5. Security
- All traffic to
knock.atthespeedofthought.ai is HTTPS-only (TLS).
- Passwords are hashed with bcrypt; we cannot recover your password, only reset it.
- Device keys (the secret your iPhone presents on every poll) are stored only as SHA-256 hashes. The plain key is shown to you once at creation and never persists on our side.
- Password-reset tokens are stored as SHA-256 hashes, single-use, and expire in 60 minutes.
- Session cookies are HTTP-only, SameSite=Lax, Secure on HTTPS.
- Database access is limited to the application user; backups are encrypted at rest by the host.
No system is unbreachable. If a security event affects your data, we'll notify you within 72 hours of confirming the impact.
6. Cookies
We use one cookie — your login session. We don't use tracking cookies, advertising pixels, or analytics SDKs. We don't load fonts or scripts from third-party CDNs that could fingerprint you.
7. Your rights
- Export. Download your contacts, templates, and audit log as CSV any time from the dashboard.
- Delete. Delete individual contacts, templates, or your entire account from the dashboard. Account deletion requests are processed within 30 days.
- Correction. Update your account profile directly. For data you can't edit (audit log entries), email us.
- Stop email. Transactional email is required for security and billing; we don't send marketing email without an explicit opt-in you can revoke any time.
- California / EU residents. The same rights apply under CCPA / GDPR. We'll confirm your identity before fulfilling deletion or correction requests.
8. Children
Knock is not directed at children under 18. Don't create an account if you're under 18. Don't upload contact records for anyone under 13 except in compliance with COPPA — Knock is not designed for that use.
9. Changes to this Policy
We may update this Policy occasionally. Material changes are announced in your dashboard or by email at least 14 days before they take effect. Date of the latest update appears at the top of this page.
10. Contact
Questions, requests, or to report a privacy concern: email hello@knock.atthespeedofthought.ai.