
Privacy Policy

Effective date: 2026-05-23
Last updated: 2026-05-23

This Privacy Policy describes how Krell ("we", "us", "the Service") collects, uses, and protects your personal data when you use krell.app. Krell is operated as a sole individual business by Erlens Rukers (the "Data Controller").

If you have questions about this policy or your data, contact: support@krell.app.


1. Who we are

Data Controller: Erlens Rukers (operating Krell as a sole individual)
Contact: support@krell.app
Address: Dzintaru iela 6-1, Mārupe, LV-2167, Latvia
Jurisdiction: Latvia, European Union

We are not a registered company; Krell is operated by an individual. This Privacy Policy will be updated if the legal entity changes.


2. What personal data we collect

We collect only the data necessary to provide the Service.

2.1 Data you provide directly

  • Account data: email address, display name, password (stored as a salted hash by our authentication provider, never in plaintext).
  • Business data: information you enter into Krell about your clients, tasks, revenue, expenses, services, calendar, goals, and notes. This is the substantive data the Service is built to manage on your behalf.
  • Chat history with AI: messages you send to Krell's AI coordinator, and the responses it generates. Used to provide context across sessions and improve your experience within your account.
  • Payment information: when you subscribe to a paid plan, you provide payment details directly to Stripe. We never see, store, or transmit your card number. We store only a Stripe customer identifier and subscription metadata (tier, status, renewal date).

2.2 Data we collect automatically

  • Technical data: IP address, browser type, operating system, device type, timezone, language preference. Used for security and to serve the application correctly.
  • Usage data: which pages you visit within Krell, which features you use, error events. Used to keep the Service reliable.
  • Cookies: see Section 8 below.

2.3 Data we do NOT collect

  • We do not buy or rent personal data from third parties.
  • We do not collect data about you from social media platforms.
  • We do not engage in behavioral advertising tracking.
  • We do not sell your data to anyone.

3. Why we process your data (legal basis under GDPR)

We process your personal data on the following legal bases:

  • Performance of a contract (Article 6(1)(b) GDPR): to provide the Service you signed up for. This covers account creation, storage of your business data, AI chat functionality, and payment processing.
  • Legitimate interest (Article 6(1)(f) GDPR): to keep the Service secure, debug errors, prevent abuse, and improve the product. This covers logging IP addresses, error tracking, and aggregated usage analysis.
  • Legal obligation (Article 6(1)(c) GDPR): to comply with tax, accounting, and consumer protection laws. Mainly affects retention of billing records.
  • Consent (Article 6(1)(a) GDPR): where applicable, such as if we add optional marketing emails. You can withdraw consent at any time.

4. How long we keep your data

  • Active accounts: as long as your account is open, we retain your data so the Service works.
  • Deleted accounts: when you delete your account, we hard-delete your personal and business data within 30 days. Backup copies may persist for up to a further 30 days before being overwritten.
  • Billing records: we retain billing-related data (invoices, payment status) for 7 years as required by Latvian tax law.
  • Error logs: retained for up to 90 days then deleted automatically.

5. Subprocessors

We use the following third-party services to operate Krell. Each is bound by contractual data protection terms (DPA or equivalent).

| Subprocessor | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account data, business data, technical data | EU (Frankfurt / Ireland region) |
| Vercel | Application hosting, edge network | IP address, request metadata | Global (edge network) |
| Anthropic | AI chat responses (Claude models) | Chat messages you send to AI, contextual prompts derived from your business data | United States |
| Stripe | Payment processing | Email, customer ID, payment metadata (card details handled by Stripe directly, never by us) | United States and EU |
| Sentry | Error tracking | IP address, error events, user_id reference | United States |

International transfers

Some subprocessors (Anthropic, Stripe, Sentry) are based outside the European Economic Area. Transfers to these processors rely on Standard Contractual Clauses (SCCs) approved by the European Commission, which provide an adequate level of protection for your data.


6. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Article 15): request a copy of the personal data we hold about you.
  • Right to rectification (Article 16): ask us to correct inaccurate data. You can edit most of this yourself in your Krell account.
  • Right to erasure / "right to be forgotten" (Article 17): delete your account and we will remove your data within 30 days (subject to the legal retention exceptions in Section 4).
  • Right to data portability (Article 20): export your data in a machine-readable format. We provide CSV or JSON export from your account settings.
  • Right to restriction of processing (Article 18): ask us to pause processing of your data in certain circumstances.
  • Right to object (Article 21): object to processing based on legitimate interest.
  • Right to withdraw consent (Article 7(3)): withdraw any consent you've given us.
  • Right to lodge a complaint: file a complaint with the Latvian Data State Inspectorate (Datu valsts inspekcija, www.dvi.gov.lv) or your local EU data protection authority.

To exercise any of these rights, email support@krell.app. We respond within 30 days as required by GDPR.


7. Security

We protect your data with industry-standard safeguards including:

  • HTTPS encryption for all data in transit.
  • Encrypted storage at rest (handled by Supabase).
  • Row-level security policies in the database that scope every query to the authenticated user, preventing one user from accessing another user's data.
  • Server-side input validation, rate limiting, and abuse protections.
  • Error monitoring to detect and respond to security incidents.
  • Regular security reviews of code and infrastructure.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a high risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Articles 33 and 34.


8. Cookies and similar technologies

Krell uses only the cookies necessary for the Service to function. We do not use marketing or behavioral tracking cookies.

| Cookie | Purpose | Duration |
|---|---|---|
| Supabase authentication tokens | Keep you logged in | Session and refresh, up to 7 days |
| CSRF protection token | Prevent cross-site request forgery | Session |

Because we use only strictly necessary cookies (Article 5(3) of the ePrivacy Directive), no cookie consent banner is required. If we add analytics or marketing cookies in the future, we will display a consent banner at that time.

Sentry (our error tracking subprocessor) collects your IP address when an error occurs in the application. This is technical processing under legitimate interest, not cookie-based tracking, and is necessary for us to fix bugs.


9. Children's data

Krell is intended for business users aged 18 or older. We do not knowingly collect data from anyone under 16. If you believe we have collected data from a minor, email support@krell.app and we will delete it.


10. AI processing

Krell uses Claude models from Anthropic to power the AI coordinator. When you interact with the AI:

  • Your messages, plus relevant context derived from your business data (clients, tasks, revenue, etc.), are sent to Anthropic's API to generate a response.
  • Anthropic processes this data to produce the response and may retain it for a limited period for abuse monitoring per their data usage policy.
  • Anthropic does not train its models on data sent through the API by default. Krell does not opt into any training program.
  • Your data is not shared with other Krell users or any other party as a result of AI processing.

11. Changes to this policy

We may update this Privacy Policy as the Service evolves. When we make material changes, we will notify you by email and update the "Last updated" date at the top. Continued use of Krell after an update constitutes acceptance of the revised policy.


12. Contact

For any privacy-related question or to exercise your rights:

Email: support@krell.app

We respond to all GDPR requests within 30 days.