Who we are, and how to reach us.
Kustiq is a product of Analytics Lab S.R.L., a Romanian company registered at the Bucharest Trade Register (CUI RO50212590, Reg J2024011530406), with its registered office at Int. Gheorghe Simionescu 19, 014155 Sector 1, Bucharest, Romania. We are the controller of personal data processed through kustiq.com.
Kustiq has not appointed a Data Protection Officer because its processing activities do not require one under GDPR Article 37. All data-protection inquiries route to a single inbox monitored every business day at support@kustiq.com. The faster, ticketed route for rights requests is /support: every request gets a tracking ID and a named owner.
EU-based users may also lodge a complaint directly with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania, or with the supervisory authority in their country of residence.
What data we collect, and why.
We collect the minimum data needed to answer the questions you ask Kustiq and to keep your account secure. There are four categories. Each maps to a single legal basis under GDPR Article 6.
Account data
→ Art 6(1)(b) · Contract
- Email, hashed password, optional name. Sign-in via Google, GitHub, or LinkedIn returns name and email only.
- Sign-in metadata (IP, user-agent) kept short-term for fraud review.
Company data you submit
→ Art 6(1)(b) · Contract
- Domains and emails you provide for profiling.
- Free tier: 1 profile / week (anonymous), 3 / week (signed in).
Generated profiles
→ Art 6(1)(f) · Legitimate interest
- Public B2B information assembled from web sources, then processed by AI classification plus deterministic verification.
- Aggregated to your workspace only. Never sold or syndicated.
Billing data
→ Art 6(1)(b) · Contract
- Invoice address and VAT ID. Card numbers held by Stripe, not by us.
- Last-4 digits and expiry stored for receipt rendering.
Cookies, trackers, and what we don’t run.
Kustiq sets only the cookies strictly required for authentication and session management. We do not load Google Analytics, Meta Pixel, LinkedIn Insight, TikTok Pixel, X Pixel, or any other third-party advertising tag. You can verify this in your browser DevTools and on our Trust & Security page.
- sb-[project]-auth-token · Supabase auth session, persistent until logout.
- sb-[project]-auth-token-code-verifier · PKCE verification during OAuth, session only, cleared after auth.
Marketing pages run a self-hosted analytics pipeline (see § 12) on our own infrastructure.
We do not sell or rent personal data.
Kustiq does not sell personal data, does not rent mailing lists, and does not run a “data co-op” where one customer’s research becomes another customer’s lead. The contents of your workspace are visible only to you and the teammates you invite. Aggregated, anonymised usage statistics may inform product improvement; nothing in those statistics can be tied back to an individual user or account.
Under CCPA / CPRA, this means Kustiq has not “sold” or “shared” personal information of California residents in the previous 12 months. We will continue not to.
Your rights under GDPR and CCPA.
You have a full set of rights over the personal data we hold about you. The fastest way to exercise any of them is to file a ticket at /support: every request gets a tracking ID, an SLA, and a named owner. You can also email support@kustiq.com directly.
- Right of access · GDPR Art 15 · CCPA § 1798.110
  - Receive a copy of all personal data we hold about you, in a machine-readable JSON archive.
- Right to rectification · GDPR Art 16
  - Correct any inaccurate or incomplete personal data. Most fields are self-serve in account settings.
- Right to erasure · GDPR Art 17 · CCPA § 1798.105
  - Delete your account and all associated data. See § 10 for the runbook and SLA.
- Right to portability · GDPR Art 20
  - Export your full workspace as JSON, CSV, or PDF. Self-serve from /dashboard/export.
- Right to object · GDPR Art 21
  - Object to processing based on legitimate interest. We will stop unless we can show compelling overriding grounds.
- Right to restriction · GDPR Art 18
  - Pause processing while a dispute about accuracy or lawfulness is resolved.
- Right to withdraw consent · GDPR Art 7(3)
  - Withdraw consent for any consent-based processing (for example marketing emails). The withdrawal does not affect prior lawful processing.
- Right to lodge a complaint · GDPR Art 77
  - File with the Romanian DPA (ANSPDCP) or your local supervisory authority. We would prefer you tell us first; you do not have to.
- CCPA non-discrimination · CCPA § 1798.125
  - Exercising any privacy right will not change pricing, throttle the service, or affect the quality of results you see.
We respond to verified requests within 30 days (GDPR) or 45 days (CCPA), whichever is shorter. Requests sent through /support typically resolve faster.
How we use AI, and what we don’t do.
When you submit a domain or company email for profiling, Kustiq gathers public B2B information from the web and runs it through a language-model inference call (a single API request to Anthropic, stateless: the model sees the input, returns the answer, and forgets). The output is paired with deterministic verification: SMTP handshake, Browserless rendering, 12-factor rule-based churn engine.
Anthropic contractually disables training on customer data for API traffic from Kustiq’s account. Kustiq itself does not train, fine-tune, or distill any models on your inputs and does not maintain a customer-data corpus. Generated profiles are AI-assisted starting points; they should not be treated as verified fact without human review.
How long we keep things.
Different categories have different lifetimes, all driven by the smallest of: legal obligation, contractual necessity, or reasonable operational need.
- Account record · kept while your account is active, removed within 30 days of deletion.
- Workspace contents · same lifetime as the account. Self-export at any time. Hard-deleted on erasure request.
- Billing records · 7 years (Romanian commercial-law obligation) for issued invoices. Card metadata held by Stripe under their retention.
- Sign-in metadata · kept short-term for fraud review.
- Cached web pages and search results · used transiently to generate profiles; cached copies kept up to 90 days for response-time reasons, then purged.
- Database backups · automatically purged within 7 days of the primary deletion.
- First-party analytics · see § 12.
International transfers.
Kustiq is operated from Romania. API-server processing runs on Hetzner infrastructure in Germany (EU). Database hosting is on Supabase in the United States; the data is encrypted at rest and the transfer is covered by SCCs + DPF. The full sub-processor table at § 11 lists the region per vendor.
For transfers to sub-processors based in the United States, Kustiq relies on either the EU-US Data Privacy Framework, where the vendor is certified, or on the European Commission’s Standard Contractual Clauses (EU) 2021/914 Module 2 (controller to processor). The choice per vendor is shown in the § 11 table.
How we secure your data.
Encryption at rest (AES-256) for database and backup volumes hosted by Supabase. Encryption in transit (TLS) on every external connection and on internal hops, with HSTS on customer-facing endpoints. API keys are stored as SHA-256 hashes, never in plaintext. Webhook payloads are signed with HMAC-SHA256.
Access to production systems is restricted, authenticated by SSH key, and limited to personnel who require it under the principle of least privilege. Step-up auth (AAL2) is required for sensitive account mutations. Six granular permissions enforce team-level access control inside customer organisations. Kustiq is not SOC 2 or ISO 27001 certified and is not in active audit; the Trust & Security page covers the current security posture in detail.
In the event of a personal-data breach affecting your data, we will notify you and any relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
Export everything. Delete everything.
You own everything in your workspace and can take it with you, or remove it completely, at any time. Both routes are self-serve from settings; both are time-bounded.
Export produces a JSON, CSV, XLSX, or PDF archive of every research output and query. Self-serve from /dashboard/export.
How to delete your account.
Three steps, takes under a minute. Production removal proceeds on request; backups roll off on a 30-day schedule.
- Open account settings and click Delete account. The confirm dialog tells you exactly what will be removed.
- Confirm with your password (or passkey). The account is locked immediately and queued for hard-delete.
- If you cannot sign in, write to support@kustiq.com from the email address on file with subject "Account deletion request".
SLA · prod removal on request · backups 30d · Article 17 reachable via /support → Erasure
Backups roll off on a 30-day schedule. After day 30, no copy of your data remains in any Kustiq system. We do not maintain offline archives. Anonymised, aggregated data that cannot be linked back to an individual may be retained for product improvement.
The 12 sub-processors that touch your data.
Sub-processors are vendors Kustiq engages to operate the service. The list below is the complete current set, the role of each, what data they see, where they run, and the legal basis for the transfer when they sit outside the EEA. Full processor terms in the Data Processing Addendum.
| Service | Purpose | Data shared | Region | Legal basis |
|---|---|---|---|---|
| Anthropic (anthropic.com) | LLM inference during profiling. No model training. | single-call query body | US · us-east | SCC + DPF |
| Browserless (browserless.io) | Headless-browser rendering for JS-required public-web fetches. | public URL · page payload | EU/US · multi-region | SCC |
| Cloudflare (cloudflare.com) | Turnstile bot defense on public abuse-prone endpoints. | visitor IP · token | global edge · edge | SCC + DPF |
| Google Workspace (workspace.google.com) | Business email and customer-support communications. | support_thread | US · multi-region | SCC + DPF |
| Hetzner (hetzner.com) | API server hosting and data-processing infrastructure. | workspace · audit log | EU · Germany · own infra | EU-only |
| HubSpot (hubspot.com) | CRM data sync (when integration enabled). | contact · company | US · us-east | SCC + DPF |
| Resend (resend.com) | Transactional email (auth, billing, notifications). | email address · message body | US · multi-region | SCC + DPF |
| Saleshandy (saleshandy.com) | Outbound-email delivery for sales communications. | prospect_email · sequence_meta | US · multi-region | SCC |
| Serper (serper.dev) | Web-search API for public-data gathering. | search query · domain | US · us-east | SCC |
| Stripe (stripe.com) | Card processing, invoicing, customer portal. | email · billing address · VAT | US · multi-region | SCC + DPF |
| Supabase (supabase.com) | Database hosting, authentication, AES-256 at rest. | login · profile_metadata | US · multi-region | SCC + DPF |
| Vercel (vercel.com) | Frontend hosting and edge delivery. | page_view · session_meta | US · edge | SCC + DPF |
First-party analytics, surfaced in full.
All product analytics are collected and stored on our own infrastructure (Hetzner, Germany). No data is sent to Google Analytics, Meta, Mixpanel, Segment, Hotjar, or any third-party analytics provider. The two characteristics worth surfacing directly are below.
What we keep
- IP address and approximate location (country + city via GeoIP).
- Page path and event name; first-party only.
- UTM tags and referring URL.
- SHA-256 visitor identifier (IP + user-agent) for session deduplication.
- Reverse-DNS organisation lookup for aggregate traffic analysis.
What we never collect
- Form contents · no auto-capture on inputs.
- Cross-site identifiers · no Google, Meta, LinkedIn, or X tags.
- Session replay · not enabled.
- Third-party cookies · none set, none accepted.
Analytics processing relies on legitimate interest under GDPR Article 6(1)(f). You may object at any time by emailing support@kustiq.com. Verification details on the Trust & Security page.
Children, California, and other regional notes.
Kustiq is a B2B research tool intended for users 16 years of age or older. We do not knowingly collect personal data from children. If you become aware that a child has provided personal data, contact support@kustiq.com and we will erase it.
California residents have the rights described in § 5, plus the additional CCPA right to opt out of any “sharing” for cross-context behavioral advertising. Because Kustiq does no such sharing (see § 4), there is nothing to opt out of, but we honor Global Privacy Control headers as a courtesy.
Automated decision-making: Kustiq generates company profiles, churn risk assessments, and qualification assessments using automated processing. These outputs are informational tools designed to assist your team’s decision-making, not to produce legal effects or similarly significant effects on any data subject. If you believe automated processing has produced such an effect, contact support@kustiq.com and we will provide meaningful human review.
Changes to this policy.
We update this policy when our practices, our sub-processors, or applicable law change. Substantive changes are announced by email to all account holders at least 30 days before they take effect; the effective date in the header chip is updated at the same time. The full diff for every version lives in § 16.
Cosmetic, structural, or pure-clarification edits are made without notice but always recorded in the version log. See our Terms of Service for the full agreement governing use of Kustiq.
How to contact us.
Three routes, in order of speed.
- For most things · /support. Ticketed, time-stamped, with SLAs.
- For data-protection questions · support@kustiq.com. Use this for breach notifications, complex Article 15 to 22 questions, or anything where the ticket flow is the wrong shape.
- For paper mail · Analytics Lab S.R.L., Int. Gheorghe Simionescu 19, 014155 Sector 1, Bucharest, Romania.
Version history.
The current version is v2.2 (effective ).
Quick answers.
Does Kustiq sell data?
Does Kustiq train AI on my data?
Where is my data stored?
How do I delete my account?
How do I file a GDPR subject access request?
How do California residents opt out under CCPA / CPRA?
Your data, your settings.
Privacy is not a banner. Open account settings to export everything, delete everything, or file a request through the ticketed path.