Privacy Policy

Last updated:

Privacy at a glance

  • Zero third-party trackers or cookies
  • Your data is never sold or shared for marketing
  • Your data is never used to train AI models
  • Only 10 sub-processors, all listed transparently
  • Full data export and deletion on request
  • GDPR and CCPA compliant

This policy explains how Kustiq collects, uses, and protects your data. It covers account data, AI-generated profiles, analytics, and your rights under GDPR and CCPA. Our Terms of Service and Data Processing Agreement also apply.

1. Who we are

Kustiq is operated by Analytics Lab S.R.L. (“we”, “us”, “our”), a company registered in Romania (CUI: RO50212590, Reg: J2024011530406), with its registered office at Int. Gheorghe Simionescu 19, 014155 Sector 1, Bucharest, Romania. Our website is kustiq.com. For any privacy-related questions, contact us at support@kustiq.com.

As of this policy’s effective date, we have not appointed a Data Protection Officer because our processing activities do not require one under GDPR Article 37. All data protection inquiries should be directed to support@kustiq.com.

2. Data we collect

  • Account data: email address and display name. If you sign in via Google, GitHub, or LinkedIn, we receive your name and email from the provider. We do not access your contacts, posts, or other account data from these providers.
  • Company data you submit: email addresses or domains you provide for profiling.
  • Generated profiles: AI-generated company intelligence created from publicly available web data.
  • Usage data: pages visited, features used, credit consumption, and performance metrics. All usage tracking is first-party only.
  • Payment data: billing is processed by Stripe. We do not store credit card numbers. Stripe’s privacy policy applies to payment data.

3. Cookies and tracking

Kustiq does not use third-party cookies or tracking scripts. There is no Google Analytics, no Facebook Pixel, and no similar third-party tracking on this site. All analytics run on our own first-party infrastructure (see Section 12). The only cookies we set are strictly necessary for authentication and session management:

  • sb-[project]-auth-token — Supabase auth session, persistent until logout.
  • sb-[project]-auth-token-code-verifier — PKCE verification during OAuth, session only, cleared after auth.

No third-party cookies are set. You can verify this in your browser DevTools.

4. How we use your data

  • To provide and maintain the Kustiq service.
  • To process your profiling requests and deliver results.
  • To manage your account, subscription, and credit balance.
  • To improve our product based on aggregated, anonymized usage patterns.
  • To communicate with you about your account or service updates.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

We apply data minimization principles: we collect only the data necessary to deliver the service, share only the minimum required with each sub-processor, and do not retain data longer than needed for the stated purposes.

5. Lawful basis for processing

In plain terms: we only process your data when we have a legal reason to. For most of what we do, the reason is that you signed up and asked us to. For analytics, we have a business reason. For marketing emails, we ask first.

We process your data under the following legal bases as defined by GDPR Article 6:

  • Account data and billing: contractual necessity (Art. 6(1)(b)). We need your email and payment information to provide the service you signed up for.
  • Company data you submit for profiling: contractual necessity (Art. 6(1)(b)). Processing the domains and emails you provide is the core service we deliver.
  • Usage analytics: legitimate interest (Art. 6(1)(f)). We collect anonymized usage data to improve our product. You may object to this processing at any time by contacting us.
  • Marketing communications: consent (Art. 6(1)(a)). We only send marketing emails if you have opted in. You may withdraw consent at any time.
  • Public data about third parties: during profiling, our engine may process publicly available information about individuals associated with profiled companies (e.g., employee names, job titles found on company websites). This processing is based on legitimate interest (Art. 6(1)(f)). Such data is sourced exclusively from publicly accessible web pages. Individuals whose data is processed may exercise their rights by contacting support@kustiq.com.

6. AI processing

In plain terms: when you profile a company, we gather public web data and run it through AI models. The output is a starting point, not a verified fact. Your data is never used to train AI models.

When you submit a company email or domain for profiling, our engine collects publicly available information from the web and processes it using a combination of structured data pipelines and AI language models. The resulting profile is an AI-generated assessment and should not be treated as verified fact. We make reasonable efforts to ensure accuracy, but we do not guarantee the completeness or correctness of any generated profile.

Your data is not used to train AI models. Data submitted to the Service is processed via Anthropic’s API, which contractually prohibits the use of API inputs and outputs for model training. We do not use your data to fine-tune, train, or improve any AI model. Learn more on our Trust & Security page.

7. Data storage and security

Your data is stored in PostgreSQL databases hosted by Supabase (US East region) and on our own infrastructure. We use encryption in transit (TLS) for all connections and encryption at rest (AES-256) for databases hosted by Supabase. Access to production systems is restricted and authenticated.

In plain terms: if your data is compromised, we will tell you and the relevant authorities within 72 hours. No silent breaches.

In the event of a data breach affecting your personal data, we will notify you and any relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33 and other applicable laws. Breach notifications will include:

  • The nature of the breach.
  • Categories and approximate number of affected records.
  • Likely consequences.
  • Measures taken to address the breach.

8. International data transfers

In plain terms: your data is stored in the US and Germany. We use industry-standard legal frameworks (approved by the EU) to protect it during transfer.

Your data is stored and processed in the United States and Germany. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, this constitutes an international data transfer. These transfers are protected by the following safeguards:

  • EU-US Data Privacy Framework (DPF): Supabase, Stripe, Vercel, Anthropic, Resend, and HubSpot are certified under the EU-US DPF.
  • Standard Contractual Clauses (SCCs): where DPF certification is not available (Serper), we rely on EU-Commission-approved SCCs.
  • No transfer required: Hetzner infrastructure is located in Germany (EU).

You may request a copy of the applicable transfer safeguards by contacting support@kustiq.com.

9. Data retention

In plain terms: your data stays as long as your account is active. Delete your account, and we remove your personal data within 30 days.

We retain your account data and generated profiles for as long as your account is active. If you delete your account, we will remove your personal data within 30 days. Anonymized, aggregated data may be retained indefinitely for product improvement.

Intermediate processing data: web pages retrieved during profiling and search results from the Serper API are used transiently to generate profiles. Cached copies may be retained for up to 90 days to improve response times. After this period, cached data is purged.

Database backups that may contain your data are automatically purged within 7 days of the primary deletion.

10. Your rights

In plain terms: you can access, correct, export, or delete your data at any time. Just email us.

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated data.
  • Export your profile data in a structured, machine-readable format (data portability).
  • Object to processing based on legitimate interest at any time.
  • Request restriction of processing in certain circumstances (e.g., while we verify the accuracy of your data).
  • Withdraw consent for processing activities based on consent (e.g., marketing communications).
  • Lodge a complaint with a supervisory authority if you believe your rights have been violated.

To exercise any of these rights, email us at support@kustiq.com. We will respond within 30 days.

Our lead supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania. You may also lodge a complaint with the supervisory authority in your country of residence.

11. Third-party services

We use the following third-party services:

  • Supabase: database hosting and authentication.
  • Stripe: payment processing.
  • Vercel: frontend hosting and edge delivery.
  • Anthropic: AI language model inference during profiling.
  • Serper: web search API for public data gathering.
  • Hetzner: API server hosting and data processing infrastructure.
  • Resend: transactional email delivery.
  • HubSpot: CRM data synchronization (when integration enabled).
  • Saleshandy: outbound email delivery for sales communications.
  • Google Workspace: business email and customer support communications.

Each service has its own privacy policy. We only share the minimum data necessary for each service to function.

For details on how we process data on your behalf as a data processor, see our Data Processing Agreement. For more on how we protect your data, including how to verify our claims in your browser DevTools, see our Trust & Security page.

12. First-party analytics

All product analytics are collected and stored entirely on our own servers (Hetzner, Germany). No analytics data is sent to Google Analytics, Facebook, Mixpanel, Segment, Hotjar, or any third-party analytics provider.

For logged-in users: usage events are tied to your organization (not your individual identity) for aggregate reporting. We record your IP address, approximate location (country and city via GeoIP lookup), browser, operating system, and pages visited.

For anonymous visitors: we collect IP addresses, approximate location (country and city via GeoIP lookup), browser, operating system, referring URL, and pages visited. We also perform reverse DNS lookups on IP addresses to identify the visitor’s organization for aggregate traffic analysis. A hashed visitor identifier (SHA-256 of IP address and user agent) is used for session deduplication. Raw IP addresses are stored in our analytics database.

Analytics data is processed under our legitimate interest in understanding how the service is used and improving it (GDPR Article 6(1)(f)). You may object to this processing by contacting support@kustiq.com.

For more details, including how to verify this in your browser DevTools, see our Trust & Security page.

13. California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

  • Right to know: you may request details about the categories and specific pieces of personal information we have collected about you.
  • Right to delete: you may request deletion of your personal information, subject to certain exceptions.
  • Right to correct: you may request correction of inaccurate personal information we hold about you.
  • Right to opt out of sale: we do not sell your personal information to third parties. We have not sold personal information in the preceding 12 months.
  • Non-discrimination: we will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, email us at support@kustiq.com. We will respond within 45 days.

14. Children’s privacy

Kustiq is a B2B service designed for business professionals. We do not knowingly collect personal information from anyone under the age of 16 (or the applicable minimum age in their jurisdiction). If we learn that we have collected personal data from a child, we will delete it promptly. If you believe a child has provided us with personal data, contact support@kustiq.com.

15. Automated decision-making

Kustiq generates AI-powered company profiles, churn risk assessments, and qualification assessments using automated processing. These outputs are informational tools designed to assist your team’s decision-making, not to produce legal effects or similarly significant effects on any data subject. You retain full control over any decisions made based on these outputs. If you believe automated processing has produced a decision with legal or similarly significant effects on you, contact support@kustiq.com and we will provide meaningful human review.

16. Do Not Track

Kustiq does not use third-party trackers, so there is no tracking behavior to disable. We honor Do Not Track browser signals, but since we use no third-party analytics, there is nothing additional to turn off.

17. Changes to this policy

We may update this privacy policy from time to time. For material changes that affect how we process your data, we will notify you by email at least 30 days before the changes take effect. Non-material changes (e.g., formatting, clarifications) may be posted without advance notice. If you do not agree with a material change, you may delete your account before the change takes effect. See our Terms of Service for the full agreement governing use of Kustiq.

Questions about your privacy?

We respond to every message, typically within one business day. Reach out at support@kustiq.com or visit our support page.

Version history

  • v2.1 (): Added sub-processors (Saleshandy, Google Workspace). Updated first-party analytics disclosure for accuracy.
  • v2.0 (): Added children’s privacy, automated decision-making, Do Not Track, AI model training opt-out, DPO status, supervisory authority, cookie details, intermediate data retention, data minimization, Art. 14 public data, right to restrict, CPRA right to correct, encryption at rest, breach notification details, 30-day email notice for changes.
  • v1.0 (): Initial publication.