PRIVACY POLICY

Version 1.1 · Last updated: June 2, 2026

1. INTRODUCTION AND IDENTITY OF THE CONTROLLER

This Privacy Policy (the “Policy”) is an integral part of the Krellot.ai Terms and Conditions (the “Terms”) and applies to the website https://krellot.ai, its subdomains (including influencer.krellot.ai), the SaaS platform, the APIs, integrations, communications, and any other service offered by Krellot (collectively, the “Service”). The controller responsible for the processing of personal data is:

Krellot LLC

Address: 500 Paterson Plank Rd, Union City, NJ 07086, United States of America.

Legal email: [email protected]

This Policy is designed to comply with applicable data protection laws, including, without limitation: the EU General Data Protection Regulation (GDPR, Regulation EU 2016/679), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the New Jersey Data Privacy Act (effective January 2025), Brazil’s Lei Geral de Proteção de Dados (LGPD), the Children’s Online Privacy Protection Act (COPPA), and other applicable legislation.

Please read this Policy in full. By using the Service, you acknowledge that you have read and understood it. Where a processing activity requires consent under applicable law, such consent will be obtained separately, specifically, and through an affirmative action; mere use of the Service does not constitute consent for those activities. If you do not agree with this Policy, you must refrain from using the Service.

2. SCOPE

This Policy applies to all User interaction with the Service, including: browsing the site, account registration, use of AI content-generation features, subscription to paid plans, participation in the Associates Program, communications with support and marketing, and any other form of interaction with Krellot or its subdomains. This Policy does NOT apply to third-party sites or services linked from the Service, which have their own privacy policies.

3. INFORMATION WE COLLECT

We collect the following categories of information:

3.1 Information you provide to us directly

Account information: name, email address, password (stored in hashed form), username, profile photo, language, time zone, country.

Payment and billing information: cardholder name, billing address, last 4 digits of the card, card type, expiration date, transaction identifiers. Krellot does NOT store full card numbers; full data is processed and stored directly by Stripe, Inc. and/or authorized processors.

Company or agency information: trade name, website, industry, number of employees, tax data (where applicable), information about managed brands.

Tax identity information (Associates): W-9 forms (U.S. tax residents) or W-8BEN/W-8BEN-E (non-U.S. residents), Tax ID, EIN/SSN, tax address, and residency certifications. This information is collected only from Associates Program participants, for the sole purpose of complying with tax and payment obligations, and receives enhanced treatment as sensitive data (see Section 3.4).

Communications with Krellot: emails, support tickets, in-app chat messages, surveys, contact forms, comments, reviews, testimonials, and participation in webinars or events.

Uploaded or entered content: prompts, briefs, brand voice, content samples, files, images, audio, video, text, product descriptions, competitor information, and any other material you upload, write, or transmit to the Platform.

3.2 Information generated by your use of the Service

User Content: all inputs, prompts, briefs, instructions, configurations, brand voice, samples, edits, and material you enter into the Platform.

AI-Generated Content: all outputs, scripts, hooks, copy, descriptions, hashtags, ideas, suggestions, and materials produced by the Platform from your inputs.

Interactions with content: edits to outputs, ratings, thumbs up/down, rewrites, regenerations, clipboard copies, exports, downloads, deletions, and saves.

Product usage data: features used, credits consumed, brands created, invited seats, platforms selected (TikTok, Reels, Shorts, LinkedIn, podcast), languages used, frameworks applied (Hook-Story-Offer, AIDA, PAS, others), time on platform, frequency, and usage patterns.

Feedback and reviews: survey responses, reviews, comments, and improvement suggestions.

3.3 Information collected automatically

Device technical data: IP address, browser type and version, operating system, unique device identifiers, device model, browser language, time zone settings.

Usage and navigation data: pages visited, time on each page, clicks, scroll depth, referrer URL, navigation sequence, sessions, and errors encountered.

Approximate location data: location inferred from the IP address (city, region, country). We do not collect precise GPS unless you expressly authorize it.

Cookies, pixels, and similar technologies: see the Cookie Policy at https://krellot.ai/privacy#cookies. Includes functional, analytics, marketing, and fraud-prevention cookies (Sentry, Google Analytics, Meta Pixel, and others). Non-essential cookies are activated only with your consent where required by law.

Telemetry and error data: technical logs, error traces, performance metrics, data from Sentry and similar tools.

3.4 Information received from third parties

Social login (where applicable): if you choose to register or sign in with Google, Apple, or another provider, we receive an identifier, name, email, and profile photo according to the permissions granted.

Payment processors: transaction confirmations, charge statuses, failed attempts, chargebacks, and disputes.

Associates Program: referral codes used, attributed conversions, and commissions generated.

Fraud prevention and identity verification providers: risk signals and KYC verifications where applicable.

Marketing and advertising platforms: campaign attribution and anonymized advertising identifiers.

3.5 Sensitive data — input limitation

Except for the Associates’ tax information described in Section 3.1 (which Krellot processes with enhanced safeguards to comply with legal obligations), the Platform is NOT designed to receive or process sensitive personal data. The User agrees NOT to enter into the Platform: (i) Protected Health Information (PHI) subject to HIPAA; (ii) financial data subject to the Gramm-Leach-Bliley Act (GLBA); (iii) biometric data; (iv) data of minors without the corresponding legal authorizations; (v) Social Security numbers, passport numbers, or other sensitive government identifiers; (vi) any special category of data under Article 9 of the GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a person, health data, sex life, or sexual orientation).

If the User enters sensitive data in breach of this prohibition, they do so at their own responsibility. Krellot may delete or block such content and assumes no liability for consequences arising from the User’s unauthorized input. This clause does not exempt Krellot from the obligations that, as controller, apply to it by law with respect to the personal data it actually processes.

4. HOW WE USE YOUR INFORMATION

Krellot uses the collected information for the purposes described below.

4.1 Operation of the Service

Create, maintain, and manage your account and session.
Process and store the User Content you enter.
Run the AI models, generate the AI-Generated Content, and deliver it to you.
Process payments, billing, renewals, refunds where applicable, and Associates Program commissions.
Provide technical support and customer service.
Manage invitations, seats, brands, and multi-user configuration on Pro and Agency plans.
Maintain the integrity, security, and availability of the Platform.

4.2 Service improvement and development (with universal opt-out right)

Krellot seeks to continuously improve the Service. We clearly distinguish between the operation of the Service (Section 4.1), which is necessary to provide the Service you contract, and the improvement activities described in this Section 4.2, which you have the right to object to or opt out of.

Subject to your opt-out right, Krellot may use the information within the Platform to:

Refine and optimize internal prompts, generation pipelines, proprietary models, RAG systems, embeddings, classifiers, and scorers of the Service.
Develop, test, and launch new features, frameworks, formats, templates, integrations, and improvements.
Evaluate the quality, accuracy, originality, and performance of the AI-Generated Content.
Conduct internal research, statistical analysis, A/B testing, and benchmarking related to the Service.
Detect, prevent, and respond to fraud, abuse, prohibited content, vulnerabilities, and security threats (this use is necessary for operation and security and is not subject to opt-out).
Personalize the experience and suggest the most relevant frameworks, tones, hooks, and configurations.

Legal basis and right to object. For Users in the EU/EEA and the United Kingdom, the improvement processing described in this Section 4.2 is carried out on the basis of legitimate interest (Art. 6(1)(f) GDPR), supported by a documented Legitimate Interest Assessment (LIA), except where the law requires consent, in which case it will be obtained separately. Any User — regardless of plan — has the right to object to this processing at any time, free of charge and without the need for justification, in accordance with Section 9.

Universal opt-out. To exclude your identifiable Content from the improvement activities in this Section 4.2, write to [email protected] or use the controls available in your account settings. The opt-out is free and available on all plans. Pro or Agency customers may also enter into a specific Data Processing Agreement (DPA). The opt-out does not apply to: (i) uses necessary to operate the Service (Section 4.1); (ii) security and fraud prevention; or (iii) compliance with legal obligations (Section 4.6).

Aggregated, anonymized, and de-identified data. Krellot may generate aggregated, statistical, anonymized, and/or de-identified data that does not, by reasonable means, allow any individual User to be identified. Krellot commits to (i) maintaining and using anonymization/de-identification processes in accordance with applicable standards; (ii) not attempting to re-identify individuals; and (iii) contractually requiring any third-party recipient to refrain from re-identification. Such data may be used for legitimate business purposes, including research, product improvement, publications, and sector benchmarks. If in any case the data does not meet the legal standard of anonymization and remains personal data, the protections of this Policy will apply to it.

4.3 Sub-processors and third-party artificial intelligence

To operate the AI features, Krellot transmits content to third-party AI model providers (including, without limitation, OpenAI, Anthropic, Google, Meta, Mistral, and others) under data processing agreements that prohibit those providers from using the content to train their general-purpose models, unless the User expressly consents separately. Krellot publishes and maintains an up-to-date list of sub-processors at https://krellot.ai/privacy#sub-processors.

Important distinction. Krellot does NOT sell identifiable User Content to third parties and does NOT share identifiable User Content with other users. The use described in Section 4.2 is for internal purposes of operating and improving the Service and for generating aggregated/anonymized data.

4.4 Communications with the User

Send transactional emails (confirmations, password recovery, invoices, receipts, security notifications, renewal reminders, cancellations).
Respond to inquiries, support requests, and tickets.
Notify material changes to the Service, the Terms, or this Policy.

4.5 Marketing and promotions (subject to consent where required by law)

Send newsletters, product announcements, offers, case studies, webinars, and marketing communications.
Run targeted advertising campaigns on third-party platforms (Meta, Google, LinkedIn, TikTok Ads) using audiences derived from your use of the Service or customer lists. Some of these practices may constitute a “sale” or “sharing” under U.S. state laws; you may exercise the opt-out in accordance with Sections 9 and 16, including the Global Privacy Control (GPC) signal.
Measure campaign effectiveness, conversion attribution, and channel performance.
Invite you to referral programs, beta tests, surveys, and ambassador programs.

You may unsubscribe from marketing communications at any time via the “unsubscribe” link or by writing to [email protected]. Transactional and security communications are not optional while the Account is active.

4.6 Legal compliance

Comply with applicable legal, regulatory, and tax obligations.
Respond to lawful requests from authorities, subpoenas, court orders, and government requests.
Exercise, defend, and protect legal rights in judicial, arbitral, or administrative proceedings.
Comply with IRS tax reporting (Form 1099-NEC and equivalents) and applicable international tax authorities.

5. LEGAL BASIS FOR PROCESSING (GDPR / UK GDPR)

For Users in the European Economic Area and the United Kingdom, Krellot processes personal data on the following legal bases under Article 6 of the GDPR:

Performance of a contract (Art. 6(1)(b)): processing necessary to provide the Service, operate the Account, process payments, and deliver the features.

Legitimate interest (Art. 6(1)(f)): Service improvement (Section 4.2), security, fraud prevention, direct marketing to existing customers, usage analysis, and defense of legal rights. Each legitimate interest has been assessed through an LIA against the User’s rights, and the User may object in accordance with Art. 21.

Consent (Art. 6(1)(a)): marketing communications to non-customers, non-essential cookies, and other processing where the law requires it. Consent is specific, informed, and may be withdrawn at any time, without affecting the lawfulness of prior processing.

Compliance with a legal obligation (Art. 6(1)(c)): tax, accounting, regulatory, and authority-cooperation obligations.

Vital or public interest (Art. 6(1)(d) and 6(1)(e)): where exceptionally applicable.

6. WHO WE SHARE YOUR INFORMATION WITH

Krellot shares information in the following limited circumstances and subject to contractual safeguards.

6.1 Service providers and sub-processors

We share information with providers that perform services on our behalf, under confidentiality and data processing agreements:

Hosting and infrastructure: Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure, or equivalents.
AI model providers: OpenAI, Anthropic, Google, Meta, Mistral, and others (see Section 4.3).
Payment processing: Stripe, Inc. (in accordance with PCI-DSS).
Transactional and marketing email: SendGrid, Postmark, Resend, Customer.io, HubSpot, Mailchimp, or equivalents.
Product analytics: Mixpanel, Amplitude, PostHog, Heap, or equivalents.
Web analytics and advertising: Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, X Pixel.
Error monitoring and observability: Sentry, Datadog, New Relic, or equivalents.
Customer support: Intercom, Zendesk, Front, HubSpot Service Hub, or equivalents.
Attribution and fraud prevention: Stripe Radar, Sift, Fingerprint, or others.
Associates Program: referral tracking, payments to Associates, and tax forms.

An up-to-date list of sub-processors is maintained in this section and is also available on request at [email protected]. Krellot will provide notice of new sub-processors at least fifteen (15) days in advance, giving customers the opportunity to object where their contract so provides.

6.2 Legal compliance and authorities

Krellot may disclose information when necessary to: (i) comply with laws, regulations, court orders, subpoenas, and valid government requests; (ii) enforce the Terms and other policies; (iii) protect the rights, property, or safety of Krellot, the Users, and the public; (iv) investigate and prevent fraud or security issues.

6.3 Business transfers

In the event of a merger, acquisition, reorganization, asset sale, financing, bankruptcy, or similar proceeding, the data may be transferred to the acquiring or successor entity, subject to privacy obligations substantially equivalent to those in this Policy. Krellot will notify Users of material transfers.

6.4 With your consent or at your instruction

Krellot may share information with third parties where the User has expressly consented or instructed (e.g., integration with third-party tools, publishing content on social media, authorizing a team member, exports).

6.5 Aggregated and anonymized data

Krellot may share or transfer aggregated, statistical, anonymized, and/or de-identified data that does not allow individual Users to be identified, in accordance with the safeguards and no-re-identification commitment in Section 4.2.

6.6 No sale of Personal Data

Krellot does NOT sell identifiable User Personal Data to third parties within the meaning of the CCPA/CPRA. Some digital advertising practices may be considered a “sale” or “sharing” under broad definitions of state laws; in such cases, Users in California and other applicable states may exercise the opt-out right in accordance with Sections 9 and 16.

7. INTERNATIONAL DATA TRANSFERS

Krellot operates from the United States. Your personal data may be transferred, stored, and processed in the United States and in other countries where Krellot or its sub-processors operate, which may have data protection laws different from those of your country of residence.

For transfers from the EU/EEA or the United Kingdom to countries without an adequacy decision, Krellot relies primarily on recognized transfer mechanisms, including: (i) the European Commission’s Standard Contractual Clauses (SCCs) (Decision 2021/914) and the UK International Data Transfer Agreement (IDTA) or its Addendum, as applicable; (ii) transfer impact assessments (TIAs) where required following Schrems II; and (iii) supplementary technical and organizational measures (encryption, segregation, access controls). Consent or the Article 49 GDPR derogations are used only on an exceptional and residual basis, not as the primary mechanism.

For Users in Brazil, international transfers are carried out in accordance with the LGPD and applicable ANPD safeguards.

8. DATA RETENTION

Krellot retains information for as long as necessary to fulfill the purposes described in this Policy and in accordance with applicable law:

Account data and User Content: for the duration of the account and up to thirty (30) days after termination, unless a longer mandatory legal retention applies.

Billing and transaction data: for the period required by tax and accounting law (minimum seven (7) years in the U.S. for Form 1099 and associated tax information).

Support communications: up to three (3) years from the last interaction, unless needed for legal defense.

Technical and security logs: up to two (2) years, or longer when necessary for incident investigation or legal defense.

Aggregated and anonymized data: indefinitely, in accordance with Section 4.2 (this data is not identifiable personal data).

Cookies: according to the periods defined in the Cookie Policy.

Data related to disputes, claims, arbitration, or litigation: until final resolution plus the applicable statute of limitations.

After the retention periods, personal data is irreversibly deleted or anonymized.

9. YOUR DATA PROTECTION RIGHTS

Depending on your jurisdiction of residence, you may have the following rights. Krellot will facilitate their exercise in accordance with applicable law.

9.1 Rights under GDPR (EU/EEA) and UK GDPR

Access (Art. 15).
Rectification (Art. 16).
Erasure / right to be forgotten (Art. 17).
Restriction of processing (Art. 18).
Data portability (Art. 20).
Objection to processing, including direct marketing and the improvement activities in Section 4.2 (Art. 21).
Not to be subject to automated decisions with legal effects (Art. 22).
Withdraw consent at any time (without retroactive effect).
Lodge a complaint with the competent supervisory authority.

9.2 Rights under CCPA/CPRA (California)

Know what personal data is collected, used, disclosed, and shared.
Access and obtain a copy of your personal data.
Delete your personal data.
Correct inaccurate data.
Limit the use and disclosure of sensitive personal information.
Opt out of the sale or “sharing” for cross-context behavioral advertising.
Non-discrimination for exercising these rights.
Designate an authorized agent to exercise rights on your behalf.

9.3 Rights under the New Jersey Data Privacy Act

Access, correction, deletion, and portability.
Opt out of sale, targeted advertising, and profiling.
Appeal decisions on requests.

9.4 Rights under LGPD (Brazil)

Confirmation, access, correction, anonymization, portability, deletion, information on sharing, withdrawal of consent, and objection (Art. 18 LGPD).

9.5 How to exercise your rights

Send a request to [email protected] indicating: (i) full name and registered email; (ii) the type of right you are exercising; (iii) jurisdiction of residence; (iv) reasonable proof of identity. Krellot will respond within the applicable legal time frames: generally up to forty-five (45) days under CCPA/CPRA and U.S. state laws; one (1) month (extendable to three (3) months depending on complexity) under GDPR; and fifteen (15) days under LGPD.

Krellot may deny requests that are manifestly unfounded, excessive, or repetitive, or that endanger the rights of third parties, in accordance with the law. In the event of denial, the User will receive a justification and, where applicable, information about the right to appeal or to lodge a complaint with the supervisory authority.

10. PROTECTION OF CHILDREN AND MINORS

The Service is intended only for individuals over eighteen (18) years of age and is not directed at minors. Krellot does not allow minors under 18 to register and does not knowingly collect their data. In particular, Krellot does not knowingly collect data from children under 13 (COPPA, U.S.) or from minors protected by specific ages under other applicable legislation (e.g., 16 years in some EU countries under GDPR; 14 years in Brazil under LGPD). If Krellot becomes aware that it has collected information from a minor without the corresponding legal authorizations, it will delete such information promptly. Parents or guardians who detect that a minor has provided data may contact [email protected] to request its deletion.

11. AUTOMATED DECISIONS AND PROFILING

Krellot may use automated processing, including profiling, for purposes such as: (i) fraud and abuse prevention; (ii) experience personalization; (iii) feature recommendation; (iv) prohibited-content detection; (v) support prioritization; (vi) Service optimization. These processes do not produce decisions with legal or similarly significant effects within the meaning of Article 22 of the GDPR. Where an automated decision could have relevant effects on the User, Krellot will offer human intervention, the possibility of contestation, and review, in accordance with applicable law.

12. SECURITY MEASURES

Krellot implements reasonable technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or accidental or unlawful disclosure, including: (i) encryption in transit (TLS) and at rest where technically appropriate; (ii) role-based access controls (RBAC); (iii) strengthened authentication; (iv) environment segregation; (v) incident monitoring and detection; (vi) periodic review of security practices; (vii) confidentiality agreements with employees and sub-processors; (viii) vulnerability management.

No system is completely secure. Krellot does not guarantee the absolute security of information. The User is responsible for maintaining the security of their credentials, devices, and network.

In the event of a security breach affecting personal data, Krellot will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours in accordance with the GDPR, and will notify affected Users without undue delay where the breach involves a high risk to their rights, in accordance with applicable breach-notification legislation.

13. COOKIES AND TRACKING TECHNOLOGIES

The site and the Service use cookies, pixels, beacons, scripts, limited fingerprinting, advertising identifiers, and similar technologies for authentication, session maintenance, fraud prevention, analytics, personalization, marketing, and operation of the Service. For details on cookie types, purposes, third parties involved, and control options, see this section, which constitutes the Service's Cookie Policy. Where required by law (ePrivacy Directive, GDPR, LGPD), we obtain prior consent for non-essential cookies through a cookie banner and we honor the Global Privacy Control (GPC) signal.

14. THIRD-PARTY LINKS AND SERVICES

The Service may contain links, integrations, or references to third-party sites or services (social networks, marketing tools, AI providers, publishing platforms, etc.). Krellot does not control and is not responsible for the privacy practices of such third parties. We recommend reviewing each third party’s privacy policy before providing them with information.

15. CHANGES TO THIS POLICY

Krellot may modify this Policy from time to time to reflect changes in the Service, legal requirements, or best practices. Material modifications will be notified through: (i) a prominent notice on the website; (ii) an in-Service notification; and/or (iii) an email to the registered address, at least fifteen (15) calendar days before they take effect, unless urgent circumstances (security, fraud, legal requirement) require a shorter period. The date of the last update appears at the beginning of this Policy. Where a change expands the purposes of processing in a way that requires consent, such consent will be obtained separately before applying it.

16. JURISDICTION-SPECIFIC NOTICES

16.1 California — Notice at Collection (CCPA/CPRA)

Categories of personal information collected in the last twelve (12) months (per Cal. Civ. Code § 1798.140): identifiers; account and commercial information; Internet and electronic activity information; approximate geolocation; inferences; User Content; professional or employment information (Associates or Agency accounts). Categories of sensitive personal information: access credentials (hashed password), financial information (processed by Stripe), and, for Associates, tax identifiers (SSN/EIN/Tax ID). Purposes of use: Section 4. Categories of third parties with whom it is shared: Section 6. Retention period: Section 8.

California residents may exercise their CCPA/CPRA rights in accordance with Section 9, by sending a request to [email protected] or to the privacy phone number available on request. Krellot does not discriminate against Users who exercise their rights. Californians may exercise “Do Not Sell or Share My Personal Information” by submitting a request or using the Global Privacy Control (GPC) signal.

16.2 European Union, United Kingdom, and EEA (GDPR)

For Users in the EU/EEA/United Kingdom, the controller is Krellot LLC, with its registered office in the U.S. (Section 1). Users may contact Krellot at [email protected] for any privacy-related matter and have the right to lodge a complaint with the supervisory authority in their country of residence (list at https://edpb.europa.eu/about-edpb/about-edpb/members_en).

16.3 Brazil (LGPD)

For Users in Brazil, the controller (controlador) of the processing is Krellot LLC. The Data Protection Officer (DPO/Encarregado) may be contacted at [email protected]. Brazilian Users may exercise their rights in accordance with Article 18 of the LGPD and lodge complaints with the Autoridade Nacional de Proteção de Dados (ANPD).

16.4 Other U.S. states

Users residing in states with applicable privacy laws (including Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana MCDPA, Iowa, Indiana, Tennessee, Delaware, Florida, New Hampshire, Maryland, Minnesota, Kentucky, Rhode Island, and others in effect) have rights substantially similar to those described in this Policy. Krellot honors such rights in accordance with each state’s legislation.

17. CONTACT AND PRIVACY OFFICER

For questions, rights requests, complaints, or any matter related to this Privacy Policy, contact:

Krellot LLC

Attn: Privacy Officer / Privacy Department

500 Paterson Plank Rd, Union City, NJ 07086, United States of America

Legal email: [email protected]

Website: https://krellot.ai

Krellot will respond to requests within the time frames established by applicable law. If you are not satisfied with the response, you may lodge a complaint with the supervisory authority in your jurisdiction.