Privacy Policy

Kugelblitz FlexCo (“Kugelblitz”, “we”, “us”) operates the platform at kugelblitz.ai. We help experts deliver their knowledge at scale through AI-assisted Companions.

Kugelblitz FlexCo
Kegelgasse 24/25, 1030 Vienna, Austria
Email: samuel@kugelblitz.ai
Phone: +43 676 9430077
Commercial Court Vienna, FN 653502 h

We collect the following categories of personal data:

Account data. When you sign up via email, Google, or LinkedIn, we collect your name, email address, and profile information provided by the authentication provider (such as profile picture).

Profile data. Information you provide to set up your profile, including your display name, username, companion image, and bio.

Content and memories. Text content you create or upload to train your AI companion, including memories, content transcripts, and related metadata.

Conversation data. Messages and transcripts from voice sparring sessions between you and creator AI companions, including text transcripts of spoken interactions.

Voice data. Audio from your microphone during live sparring sessions is streamed in real time for speech-to-text processing. We do not store raw audio recordings of your voice.

WhatsApp messaging data. If you interact with an owner’s AI companion via WhatsApp, we collect your phone number (in international E.164 format), message text, images you send, and message timestamps. Messages are received through the Meta WhatsApp Business Platform API. Your phone number is stored to identify you across conversation sessions. You opt in by initiating a conversation with the companion’s WhatsApp number.

Usage data. Functional data such as login timestamps required to operate the service.

Analytics data. With your consent, we collect usage data through PostHog (EU-hosted), including pages visited, session duration, browser and device information, and approximate location (city-level). If you accept cookies, we may also record session replays to improve the user experience. If you decline cookies, we still collect anonymized analytics using a privacy-preserving server-side hash. Your IP address is processed transiently for geolocation and is not stored.

We process your data for the following purposes:

• Creating and managing your account (legal basis: contract performance)
• Enabling interactive voice sparring sessions with creator AI companions (contract performance)
• Creating and maintaining vector embeddings of your content for semantic search and AI context retrieval (contract performance)
• Converting your spoken words to text during voice sessions (contract performance)
• Processing WhatsApp messages to generate AI companion responses on behalf of the owner (contract performance)
• Improving our platform and debugging issues (legitimate interest)
• Analyzing website usage to improve our platform (consent for cookie-based tracking, Art. 6(1)(a) GDPR; legitimate interest for cookieless tracking, Art. 6(1)(f) GDPR)

To operate the Platform, we share data with the following third-party processors:

OpenAI (San Francisco, USA) — receives your content, conversation messages, and memories to generate AI companion responses. Also generates vector embeddings of your content for semantic search.

AssemblyAI (San Francisco, USA) — receives real-time audio streams from your microphone during voice sparring sessions for speech-to-text conversion.

ElevenLabs (New York, USA) — receives conversation text to generate voice responses for your AI companion during voice sparring sessions. No audio from your microphone is shared with ElevenLabs.

Meta (WhatsApp Business Platform) (Menlo Park, USA) — provides the messaging infrastructure for WhatsApp conversations with AI companions. Messages are encrypted in transit using the Signal protocol between end users and WhatsApp servers. At the Business API endpoint, messages are received in plaintext for processing by our system. Meta acts as a processor for message delivery and does not use message content for advertising. See WhatsApp’s privacy policy.

LiveKit — provides real-time voice communication infrastructure for sparring sessions.

Supabase — hosts our database, authentication system, and file storage.

Hetzner (Germany) — hosts our application servers within the European Union.

PostHog (EU cloud, Frankfurt, Germany) — collects website usage data (pages visited, session duration, browser and device information) to help us improve our platform. If you accept cookies, PostHog may also record session replays and set analytics cookies. If you decline, tracking uses a privacy-preserving server-side hash with no cookies. All data is processed and stored within the European Union. See PostHog’s privacy policy.

For services based in the USA, data transfers are covered by the EU-U.S. Data Privacy Framework or Standard Contractual Clauses as applicable.

Your data is stored in a PostgreSQL database hosted by Supabase. All user data is protected by row-level security policies that ensure you can only access your own data. Vector embeddings are partitioned per user for data isolation.

File uploads are stored in secure cloud storage with access controls. All connections are encrypted in transit via TLS.

We retain your personal data for as long as your account is active. When you delete specific content (such as memories), the associated data and vector embeddings are automatically removed from our systems.

WhatsApp conversation data — including messages, images, and phone numbers — is retained for as long as the associated user account is active. When a user requests deletion, all WhatsApp conversation data is removed along with other account data.

Third-party services may retain processing logs according to their own retention policies. We select processors that minimize data retention where possible.

As a data subject under the GDPR, you have the following rights:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate data via your profile settings or by contacting us
• Erasure — request deletion of your account and all associated data
• Data portability — receive your data in a structured, machine-readable format
• Restriction — request that we limit processing of your data
• Objection — object to processing based on legitimate interest
• Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at samuel@kugelblitz.ai. We will respond within 30 days. This includes the right to request deletion of all data collected through WhatsApp conversations, including your phone number, message history, and stored images.

You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehorde, dsb.gv.at).

We use essential cookies required for authentication and session management. When you visit our site, a cookie consent banner asks whether you accept analytics cookies.

If you accept: PostHog sets analytics cookies to track your sessions, enable session replays, and provide personalized analytics. These cookies persist across visits.

If you decline: No analytics cookies are set. We still collect anonymized usage data using a privacy-preserving server-side hash that does not store any data on your device.

You can change your preference at any time by clearing your browser’s local storage for this site, which will show the consent banner again.

Kugelblitz is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised “last updated” date.

For any privacy-related questions or requests, contact us at:

Kugelblitz FlexCo
Kegelgasse 24/25, 1030 Vienna, Austria
Email: samuel@kugelblitz.ai