Trust & Security

Last updated:

  • 0 tracking scripts on any page
  • First-party analytics only
  • Your data is never sold
  • Your data never trains AI
  • All sub-processors listed
  • GDPR and CCPA compliant

Most B2B tools ask you to trust their privacy policy. We’d rather you didn’t have to. Kustiq is built so that the security claims on this page are verifiable, not just stated. Every architecture decision, from zero third-party scripts to first-party analytics, exists so you can confirm it yourself.

Most SaaS products load 15 to 30 third-party scripts. Kustiq loads zero.

We built our own analytics

Kustiq does not use Google Analytics, Facebook Pixel, Mixpanel, Segment, Hotjar, or any third-party tracking service. Every usage metric is collected through our own first-party analytics infrastructure. The only cookies we set are strictly necessary for authentication and session management. No advertising cookies, no tracking pixels, no behavioral fingerprinting. Open your browser DevTools on any Kustiq page to verify.

Your data is never sold

Kustiq generates revenue from subscriptions and credits. We do not sell, rent, license, or share your data with third parties. Your account data, profiling results, outreach pipeline output, and usage patterns are yours. No data brokers, no advertising networks, no “anonymized” data sharing. No third party, including competitors, can purchase your data from us.

Your data never trains AI models

Kustiq uses Anthropic’s API for company profiling. Anthropic’s commercial API terms contractually prohibit using inputs or outputs for model training. Your company data, profiling results, and outreach intelligence are processed, returned, and not retained by the AI provider. We do not use your data to fine-tune, train, or improve any AI model. See Section 3 of our Data Processing Agreement for the full contractual language.

Infrastructure you can verify

Your data is stored in PostgreSQL databases hosted by Supabase (US East) and on Kustiq’s own dedicated server infrastructure (Hetzner, Germany). All connections use TLS encryption in transit. Databases use AES-256 encryption at rest. Stripe handles payment processing under its own PCI-DSS compliance. We do not store credit card numbers.

Database backups are performed daily with point-in-time recovery capability provided by Supabase. VPS infrastructure uses automated daily snapshots.

Security by default

We store only the fingerprint (SHA-256 hash) of your API key, never the key itself. Webhook payloads are cryptographically signed (HMAC-SHA256) so your integrations can verify every message came from Kustiq. HubSpot OAuth tokens are encrypted at rest and never exposed to third parties. Your team’s access is governed by role-based permissions with 6 granular controls (e.g., who can export data, who can manage billing).
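How a receiving integration can check an HMAC-SHA256 webhook signature, and how a SHA-256 key fingerprint is compared, shown as an added example that is not Kustiq's own code. It assumes the signature arrives as a hex string computed over the raw request body with a shared secret; the function names, secret and payload are hypothetical.

```python
import hashlib
import hmac
import json
import re

HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")


def api_key_fingerprint(api_key: str) -> str:
    """SHA-256 fingerprint of an API key: the only value a server needs to store."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def api_key_matches(presented_key: str, stored_fingerprint: str) -> bool:
    """Hash the presented key and compare fingerprints in constant time."""
    return hmac.compare_digest(api_key_fingerprint(presented_key), stored_fingerprint)


def verify_webhook(raw_body: bytes, signature_hex: str, secret: bytes) -> bool:
    """Check an HMAC-SHA256 signature over the exact bytes that were received."""
    # Reject anything that is not a 64-character hex digest before decoding it.
    if not isinstance(signature_hex, str) or not HEX_SHA256.fullmatch(signature_hex):
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, bytes.fromhex(signature_hex))


# Constructed sample values (assumptions, not real Kustiq data).
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"example","id":"demo-123"}'
GOOD_SIG = hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()
# Parsing and re-serialising the JSON changes the bytes, so the signature fails.
REENCODED = json.dumps(json.loads(BODY)).encode("utf-8")

if __name__ == "__main__":
    print("valid body:     ", verify_webhook(BODY, GOOD_SIG, SECRET))
    print("re-encoded body:", verify_webhook(REENCODED, GOOD_SIG, SECRET))
    print("truncated sig:  ", verify_webhook(BODY, GOOD_SIG[:32], SECRET))
```

Verify against the raw bytes of the request before any JSON parsing, since a re-serialised body no longer matches the signature.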

Security controls summary
Control | Status
Encryption in transit | TLS on all connections
Encryption at rest | AES-256 (Supabase managed)
API key storage | SHA-256 hashed, never plaintext
Webhook signing | HMAC-SHA256
Role-based access control | 6 granular permissions
Access logging | All production access logged
Breach notification SLA | 72 hours (GDPR Art. 33)

Minimal sub-processors

  • Supabase: Database hosting and authentication (United States)
  • Stripe: Payment processing (United States)
  • Vercel: Frontend hosting and edge delivery (United States)
  • Anthropic: AI language model inference during profiling (United States)
  • Serper: Web search API for public data gathering (United States)
  • Hetzner: API server hosting and data processing infrastructure (Germany)
  • Resend: Transactional email delivery (United States)
  • HubSpot: CRM data synchronization (when integration enabled) (United States)
  • Saleshandy: Outbound email delivery for sales communications (United States)
  • Google Workspace: Business email and customer support communications (United States)

No third-party data providers, no third-party analytics services, no ad networks. Your data touches ten services, all with a clear purpose and under standard data processing agreements. Anthropic processes profiling requests via API and does not retain inputs or outputs beyond the processing window.

Your data rights

You have full control over your data. Under GDPR and CCPA, you can:

  • Access all personal data we hold about you
  • Correct inaccurate data
  • Delete your account and all associated data
  • Export your profile data in CSV or JSON format (data portability)
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (e.g., marketing communications)
  • Restrict processing in certain circumstances

To exercise any of these rights, email support@kustiq.com. We respond within 30 days. See our Privacy Policy for full details.

Data lifecycle

  • While active: your account data and generated profiles are retained for as long as your account is active.
  • After cancellation: you have 30 days to export your data through the dashboard export feature.
  • Deletion: personal data is removed within 30 days of account deletion. Database backups containing your data are purged automatically within 7 days of primary deletion.
  • Intermediate data: web pages retrieved during profiling are used transiently. Cached copies may be retained up to 90 days for performance, then purged.
  • Aggregated data: anonymized, aggregated data that cannot identify you or your organization may be retained for product improvement.

Compliance

Kustiq is operated by Analytics Lab S.R.L. (CUI: RO50212590), registered in Romania.

GDPR: we process data under contractual necessity and legitimate interest, with full data subject rights (access, correction, deletion, portability, objection). International transfers are protected by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs).

CCPA/CPRA: for California residents, Kustiq acts as a Service Provider under CCPA. We do not sell personal information and have not done so in the preceding 12 months. Full CCPA rights are described in our Privacy Policy.

Automated decision-making: Kustiq generates AI-powered company profiles, churn risk assessments, and qualification assessments. These outputs are informational tools designed to assist your team’s decision-making, not to produce legal effects or similarly significant effects on any data subject. You retain full control over any decisions made based on these outputs.

Our security controls are documented in our DPA (Section 5: Technical Measures) and available for customer audit upon request (DPA Section 8).

Breach notification

In the event of a data breach affecting your personal data, we will notify you and any relevant supervisory authority within 72 hours of becoming aware, in accordance with GDPR Article 33. The notification will include:

  • The nature of the breach
  • Categories and approximate number of affected records
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

To date, Kustiq has had zero data breaches. For full breach notification procedures, see DPA Section 7.

Responsible disclosure

If you discover a security vulnerability in Kustiq, please report it to support@kustiq.com with the subject line “Security Report.” We will acknowledge your report within 72 hours and work with you to understand and resolve the issue. We will not take legal action against good-faith security research conducted in accordance with this policy.

Verify it yourself

Open your browser's DevTools on any Kustiq page. You will find zero requests to Google, Facebook, Mixpanel, Segment, or any third-party analytics service. We built our own.

You will also notice that there is no cookie consent banner. Kustiq doesn’t set advertising or analytics cookies, so no consent popup is required.

Open the Network tab, then filter for google.com and facebook.com. You will see 0 results.
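The DevTools check described above can be repeated offline on a HAR file exported from the Network tab. This is an added example, not Kustiq tooling; the hostnames, cookie names and both sample captures are constructed, and `kustiq.com` is assumed to be the first-party domain.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def is_first_party(host: str, site: str) -> bool:
    """True for the site itself or a subdomain; suffix lookalikes do not match."""
    host = host.lower().rstrip(".")
    return host == site or host.endswith("." + site)


def audit_har(har: dict, site: str) -> dict:
    """Summarise third-party request hosts and every cookie set in a HAR capture."""
    third_party = Counter()
    cookies = set()
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        if url.scheme not in NETWORK_SCHEMES:  # skip data:, blob:, about:
            continue
        host = url.hostname or ""
        if not is_first_party(host, site):
            third_party[host] += 1
        for cookie in entry.get("response", {}).get("cookies", []):
            cookies.add((host, cookie["name"]))
    return {"third_party": dict(third_party), "cookies": sorted(cookies)}


def make_entry(url, cookies=()):
    """Build a minimal HAR 1.2 entry for the constructed samples below."""
    return {"request": {"url": url},
            "response": {"cookies": [{"name": n, "value": "x"} for n in cookies]}}


# Constructed captures: hostnames and cookie names are made up for the demo.
CLEAN_HAR = {"log": {"entries": [
    make_entry("https://www.kustiq.com/", cookies=["session"]),
    make_entry("https://www.kustiq.com/assets/app.js"),
    make_entry("data:image/png;base64,AAAA"),
]}}
LEAKY_HAR = {"log": {"entries": [
    make_entry("https://www.kustiq.com/"),
    make_entry("https://tracker.example/collect?id=1", cookies=["_uid"]),
    make_entry("https://kustiq.com.tracker.example/pixel.gif"),
]}}

if __name__ == "__main__":
    print(json.dumps(audit_har(CLEAN_HAR, "kustiq.com"), indent=2))
    print(json.dumps(audit_har(LEAKY_HAR, "kustiq.com"), indent=2))
```

For a real capture, load the exported file with `json.load` and pass the result to `audit_har`; an empty `third_party` map is the outcome the page describes, and the cookie list shows which cookies were set and by which host.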

Questions about how we protect your data?

We respond to every message, typically within one business day. Reach out at support@kustiq.com or visit our support page.

Version history

  • v2.1 (): Added sub-processors (Saleshandy, Google Workspace).
  • v2.0 (): Added AI model training opt-out, data rights, data lifecycle, responsible disclosure, security controls table, encryption at rest, backup/recovery, access logging, CCPA section, automated decision-making, breach notification details, sub-processor locations.
  • v1.0 (): Initial publication.