Privacy Policy

Last Updated: April 2, 2026 | Version 3.0

KRTR.ai, operated by KRTR, Inc., a Delaware corporation, ("Company," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services (the "Service").

This policy is designed to comply with the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the EU General Data Protection Regulation (GDPR), and other applicable privacy laws. KRTR, Inc. acts as the data controller for personal data processed through the Service.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Name, email address, password, profile photo, phone number, company name, and job title.
  • Project Data: Pitch decks, business plans, financial data, market research, team information, and other startup-related documents and information you upload or enter.
  • LinkedIn Profile Data: If you connect your LinkedIn account, we access your profile information, work history, education, and skills as permitted by LinkedIn's terms. We do not access your connections or network graph.
  • Communications: Information you provide when contacting support, providing feedback, or communicating with us.
  • Payment Information: If applicable, payment details are processed by our third-party payment processor (Stripe) and are not stored on our servers.

1.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, actions taken, time spent on the Service, and interaction patterns.
  • Device Information: Browser type, operating system, device type, screen resolution, and language preferences.
  • Log Data: IP address, access times, referring URLs, and error logs.
  • Cookies & Similar Technologies: We use cookies and similar tracking technologies to maintain sessions, remember preferences, and analyze usage patterns. See Section 10 for details.

1.3 Information from Third Parties

  • OAuth Providers: When you sign in with Google or LinkedIn, we receive basic profile information as authorized by you.
  • Publicly Available Information: We may collect publicly available business information to enhance our AI analysis capabilities.
  • Team Member Profiles: We may search publicly available LinkedIn profiles of team members identified in your uploaded materials to provide team analysis features. This data is obtained from publicly available sources and is processed solely for the purpose of generating your report. No private LinkedIn data is accessed for non-users of the Service.

2. How We Use Your Information

2.1 Providing the Service

  • Creating and managing your account.
  • Processing and analyzing your uploaded documents and project data.
  • Generating AI-powered assessments, reports, and recommendations.
  • Enabling chat and collaboration features.
  • Providing customer support.

2.2 AI Model Training & Improvement

  • Using anonymized and aggregated project data to train, improve, and develop our AI models.
  • All personally identifiable information is removed or de-identified before data is used for training. Anonymization includes removal of names, email addresses, company names, financial figures, team member identities, and any other information that could reasonably identify the source project or its principals.
  • We do not use individually identifiable project data for AI training. Only anonymized, aggregated data is used, and such data cannot be reverse-engineered to identify any individual user or project.
  • Individual projects cannot be identified or reconstructed from training data.
  • You may opt out of AI training by contacting privacy@krtr.ai. Opting out does not affect your access to the Service. Data already anonymized and incorporated into training datasets cannot be removed, as it is no longer identifiable.

2.3 Analytics & Improvement

  • Understanding how the Service is used to improve features and user experience.
  • Monitoring and analyzing trends, usage, and activities.
  • Detecting, preventing, and addressing technical issues and security threats.

2.4 Communication

  • Sending service-related notifications (account verification, security alerts, product updates).
  • Responding to your requests and support inquiries.
  • Sending marketing communications (only with your separate opt-in consent).

3. Lawful Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following lawful bases under GDPR Article 6:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service — creating and managing your account, processing uploaded documents, generating analyses and reports, and handling support requests.
  • Legitimate Interests (Art. 6(1)(f)): Analytics and usage monitoring to improve the Service; security and fraud prevention; processing publicly available team member profiles to provide team analysis features. We have conducted legitimate interest assessments and concluded our interests are not overridden by your rights in these contexts.
  • Consent (Art. 6(1)(a)): AI model training using your project data (you may withdraw consent at any time by contacting privacy@krtr.ai); marketing and promotional communications; non-essential cookies (analytics and preference cookies).
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, including responding to lawful government requests and data breach notification obligations.

Where we rely on consent as the lawful basis, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. How We Share Your Information

We do not sell your personal information. We may share your information only in the following circumstances:

4.1 Service Providers

We share information with trusted third-party service providers who assist us in operating the Service, including:

  • Google Cloud / Firebase: Cloud infrastructure, authentication, database, and storage services.
  • Google Vertex AI (Gemini): AI model API for generating analyses and recommendations.
  • LinkedIn: OAuth authentication and profile data retrieval.
  • Stripe: Payment processing (when applicable).

We maintain data processing agreements with our cloud infrastructure and AI model providers that require them to protect your data in accordance with applicable law, including GDPR Standard Contractual Clauses where required. These providers are contractually obligated to protect your information and may only use it to provide services to us.

4.2 With Your Consent

We may share your information with third parties when you have given explicit consent, such as when you opt in to future features like VC introductions, expert matching, or founder connections. Each sharing scenario will require separate, affirmative consent.

4.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of KRTR.ai, our users, or the public.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your information.

5. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS/SSL) and at rest.
  • Access controls and authentication mechanisms.
  • Project data is stored in isolated, per-project environments within our cloud infrastructure.
  • Access to user data is restricted to authorized team members on a need-to-know basis.
  • Regular security assessments and monitoring.
  • Secure cloud infrastructure provided by Google Cloud.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account data (name, email, profile): Retained for the duration of your account; deleted within 30 days of account deletion.
  • Project data and uploaded documents: Retained for the duration of your account; deleted within 30 days of account deletion or earlier if you delete individual projects.
  • Usage and analytics data: Retained for up to 24 months in identifiable form, then aggregated or deleted.
  • Log data and security records: Retained for up to 12 months for security and fraud prevention purposes.
  • Payment records: Retained for 7 years as required by financial regulations.
  • Anonymized training data: Retained indefinitely as it cannot be traced back to any individual.
  • Backup copies are purged on a rolling 90-day schedule.
  • Data required to be retained by law is kept for the legally mandated period.

7. Your Privacy Rights

7.1 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA and CPRA:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, business purposes, and categories of third parties with whom we have shared it.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information. To opt out of any sharing for cross-context behavioral advertising, contact privacy@krtr.ai.
  • Right to Limit Sensitive Personal Information: Request that we limit use of sensitive personal information to purposes necessary to perform the Service.
  • Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.

To exercise California rights, contact us at privacy@krtr.ai. We will verify your identity before processing any request and aim to respond within 45 days as required by law.

7.2 Rights for EEA and UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the GDPR:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you and information about how we process it.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data where there is no compelling reason for us to continue processing it.
  • Right to Restrict Processing (Art. 18): Request that we limit how we use your personal data in certain circumstances, such as while a dispute about accuracy is resolved.
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Rights Related to Automated Decision-Making (Art. 22): See Section 8 below for specific details regarding AI-generated assessments.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any GDPR right, contact privacy@krtr.ai or our EU Representative (see Section 16). We will respond within 30 days, extendable by a further two months for complex requests (we will notify you if an extension is needed).

You also have the right to lodge a complaint with your local data protection supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (AP) at autoriteitpersoonsgegevens.nl. You may also contact the supervisory authority in your country of residence or place of work.

8. AI-Generated Assessments & Automated Processing

The Service uses AI to generate scores, assessments, valuations, and other analytical outputs about your startup. We are transparent about how this works:

  • Nature of processing: Our AI models analyze your uploaded materials and generate assessments across multiple dimensions (team, market, product, financials, etc.). These are produced automatically without human review of each individual output.
  • Purpose: These outputs are analytical tools to help founders understand how their startup may be perceived by investors. They are not investment decisions, endorsements, or binding evaluations.
  • Significance: While our assessments are informational and not binding, we acknowledge that they may influence decisions you make about your fundraising strategy.
  • Human review: If you are an EEA/UK user and wish to request human review of any AI-generated assessment that you believe significantly affects you, you may contact privacy@krtr.ai. We will arrange for a team member to review the underlying data and the output.
  • No solely automated consequential decisions: We do not make solely automated decisions that produce legal effects or similarly significant effects about you without the ability to request human intervention.

9. Children's Privacy

The Service is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a person under 18, we will promptly delete that information and terminate the associated account. If you believe a minor has provided us with personal information, please contact us at privacy@krtr.ai.

10. Cookies & Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential Cookies (Session): Required for authentication, security, and basic functionality. These are Firebase session cookies that expire when you close your browser or after your session timeout. These cannot be disabled without affecting Service functionality. No consent is required for essential cookies.
  • Analytics Cookies (Persistent): Help us understand how the Service is used, including page views, feature usage, and interaction patterns. These cookies persist for up to 12 months. We obtain your consent before setting analytics cookies.
  • Preference Cookies (Persistent): Remember your settings and preferences, such as language and display options. These cookies persist for up to 12 months. We obtain your consent before setting preference cookies.

We do not use cookies for cross-site tracking or targeted advertising. On your first visit, you will be presented with a cookie consent banner allowing you to accept all cookies or essential cookies only. You can change your cookie preferences at any time through your account settings or by clearing your browser cookies.

EEA and UK users: our use of non-essential cookies is subject to your prior consent in accordance with the EU ePrivacy Directive and applicable national law.

10.1 Product Analytics & Behavioral Telemetry

To understand how our platform is used and to improve the post-signup experience, we capture usage events (pageviews, feature interactions, time on page, pipeline outcomes) once you are signed in. We do not capture anonymous landing-page visitors through this layer. Events carry identifiers, durations, and dimensions — they do not include the substantive content of your pitch decks, project documents, investor notes, or firm-internal comments.

  • Internal analytics store (Firebase / Google Cloud Firestore): All authenticated usage events are written to our internal Firestore store under the legitimate-interest legal basis (GDPR Art. 6(1)(f)). This is our source-of-truth event store; we use it for product improvement, abuse detection, and operational health. No third party receives this data. You may request access, correction, or deletion under Section 7.
  • Third-party analytics processor (PostHog EU): If you accept analytics cookies via our cookie banner, we additionally send the same events to PostHog, an EU-based analytics processor (server location: Frankfurt, Germany). Processing in the EU avoids onward transfers for EEA/UK users. PostHog is configured with autocapture off (we never harvest element text from KRTR pages), IP address capture off, and session replay off. You can review PostHog's sub-processors and security posture at posthog.com.
  • Anonymous landing-page metrics (Vercel Analytics): We use Vercel's built-in, privacy-preserving Web Analytics for anonymous pageviews on our public marketing pages. It does not set tracking cookies and does not collect personal identifiers.

How to opt out of PostHog: Open the cookie banner via the link in our footer (or clear your browser cookies for this site to re-trigger it) and select "Essential only." New events will go to our internal Firestore store only. You may also request full deletion of your PostHog person record and historical events under Section 7 by emailing privacy@krtr.ai.

Backfill on opt-in: If you initially declined analytics cookies and later opt in, we will perform a one-time replay of your historical Firestore events into PostHog so your dashboards are immediately useful. Future toggles do not trigger additional replays.

11. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers and primary service providers are located. The United States has not received an adequacy decision from the European Commission.

When we transfer personal data from the EEA or UK to the United States, we rely on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): We have entered into the European Commission's Standard Contractual Clauses with our key data processors, including Google Cloud / Firebase and Google Vertex AI, which are incorporated into their Data Processing Agreements.
  • Processor Commitments: Our service providers maintain their own compliance programs for international transfers under applicable data protection law.

You may request a copy of the relevant transfer safeguards by contacting privacy@krtr.ai.

12. Third-Party Links & Services

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email notification at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. We currently honor Global Privacy Control (GPC) signals as required by California law. For other DNT mechanisms, there is no industry standard for how to respond, so we do not currently alter our data practices in response to non-GPC DNT signals.

15. Data Breach Notification

In the event of a personal data breach, we will act as follows:

  • EEA/UK users (GDPR): We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to your rights and freedoms, unless the breach is unlikely to result in such risk. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
  • California residents: We will provide notice in accordance with California's data breach notification requirements (Cal. Civ. Code § 1798.82) as expeditiously as possible and without unreasonable delay.
  • All users: Breach notifications will describe the nature of the breach, the types of information involved, the likely consequences, and the steps we are taking to address it and mitigate its effects.

16. EU Representative (Art. 27 GDPR)

In accordance with Article 27 of the GDPR, KRTR, Inc. has designated an EU Representative for data protection matters. EEA residents and supervisory authorities may contact our EU Representative directly:

The EU Representative acts as a point of contact for supervisory authorities and data subjects in the EEA on matters relating to the processing of personal data.

17. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

For EEA/UK matters, you may also contact our EU Representative listed in Section 16.
