Privacy

This Privacy Policy contains all the information that we, Kugelblitz FlexCo, FN 653502h ("Kugelblitz" or "we"), are required to provide under Austrian and European data protection laws – in particular the General Data Protection Regulation ("GDPR") – when processing personal data in connection with the operation of the Platform.

Please note: The definitions set forth in the Platform Terms of Use, available at kugelblitz.ai/terms, also apply to this Privacy Policy.

1. Contact information of the controller and contact person

Controller and contact person for data protection matters:

Kugelblitz FlexCo, FN 653502h
Address: Kegelgasse 24/25, 1030 Vienna
Contact person: Samuel Koch
E-Mail: samuel.koch@kugelblitz.ai
Telephone: +43 676 9430077

You can reach us at the address listed above, as well as by email or phone.

2. Purposes and legal basis of data processing

We process your personal data in connection with the operation of the Platform for the following purposes:

• Account registration and Account administration (point 2.1);
• Administration of Companion Subscription (point 2.2);
• Verification of compliance with the Terms of Use (point 2.3);
• Product analysis – page views and events (point 2.4);
• To assert legal claims and defend against legal disputes (point 2.5).

We generally collect the personal data necessary to fulfil the purposes mentioned above directly from you. The provision of personal data for the processing purpose described in point 2.1 is necessary for the conclusion and performance of the contractual relationship between you and Kugelblitz. Without this data, we generally cannot conclude or fulfil a contract with you.

We do not process your data based on a decision that relies solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

2.1. Account registration and Account administration

You can create an Account by completing the registration process on the Platform. For this purpose, we process the following (categories of) personal data in particular: your first and last name, email address, password and profile picture. Once the registration process has been completed, the Account must be verified via a confirmation link sent by email. In this context we process the time the confirmation link was accessed and the verification time.

You may also create an Account using a social-login mechanism provided by Google or LinkedIn. If you choose this option, the respective provider will transmit your first and last name and email address to us on the basis of your consent pursuant to Article 6 (1) (a) of the GDPR. We process this personal data for the Account registration and Account administration.

When you log in on the Platform, we process the most recent log in time in each case and your login data. Besides, we process personal data for account administration purposes, for example to enable password reset. For this purpose, we process the time of the password reset, your login data and new password.

The processing is carried out on the legal basis of Article 6 (1) (b) of the GDPR (performance of a contract or pre-contractual measures).

In the context of Account registration and Account administration, data may be transferred to the following recipients or categories of recipients: Supabase, Inc. (USA; data hosted in the EU – Frankfurt, Germany); Hetzner Online GmbH (Germany); Amazon Web Services EMEA SARL (Luxembourg; for sending the confirmation email).

2.2. Administration of Companion Subscription

When you purchase a Companion Subscription from the Owner, we process the following (categories of) personal data in particular for the management of the Companion Subscription: first and last name, email address, payment/credit-card details, and subscription data (subscription status, billing interval, trial and renewal dates, and the payment-provider customer identifier).

The processing is carried out on the legal basis of Article 6 (1) (b) of the GDPR (performance of a contract or pre-contractual measures to which you are party).

In the context of administering the Companion Subscription, data may be transferred to the following recipients or categories of recipients: Stripe, Inc. (USA; the Owner is the merchant of record via Stripe Connect); Supabase, Inc. (USA; data hosted in the EU – Frankfurt, Germany); Hetzner Online GmbH (Germany). We provide information regarding any potential data transfers to third countries in point 3.

2.3. Verification of compliance with the Terms of Use

To ensure compliance with the Terms of Use, we may review Member Content on a case-by-case basis. In doing so, the following personal data may be processed: any input, message, text, voice input, file, image, profile data, Memory, feedback or other content submitted by a Member or Guest to or through the Platform or a Companion.

The processing is carried out on the legal basis of Article 6 (1) (f) of the GDPR (to safeguard our legitimate interests). Our legitimate interest lies in ensuring compliance with our Terms of Use, applicable laws and third-party rights and mitigating legal, security, reputational and operational risks for us, the Platform, Owners or other Users or third parties.

In the context of verifying compliance with the Terms of Use, data may be transferred to the following recipients or categories of recipients: OpenAI, L.L.C. (USA; automated content-moderation check); Supabase, Inc. (USA; data hosted in the EU – Frankfurt, Germany); Hetzner Online GmbH (Germany). We provide information regarding any potential data transfers to third countries in point 3.

2.4. Product analysis – page views and events

Subject to your consent, we process personal data relating to your use of the Platform for product analysis purposes. This includes, in particular, information on page views and events, such as the pages you view and your navigation path within the Platform, the features and buttons you use and links you click, key product events (e.g. sign-up, log-in, starting or ending a call or chat, starting a checkout or trial), and the date, time and duration of your visits. For identified users we also process your user ID and email address. We process this data in order to better understand how Users interact with the Platform, to analyze and improve the functionality, performance and usability of the Platform, to identify usage trends, to further develop our products and services and to provide general abstract information to Owners on how their Companions perform.

The processing is carried out on the legal basis of Article 6 (1) (a) of the GDPR (your consent). In this context, please note your right to withdraw your consent (see point 5.6).

In the context of product analysis, data may be transferred to the following recipients or categories of recipients: PostHog, Inc. (USA; EU Cloud, Frankfurt). We provide information regarding any potential data transfers to third countries in point 3.

2.5. Legal claims and legal disputes

In order to assert legal claims and to defend ourselves in legal disputes (both in and out of court), we process your personal data on the legal basis of Article 6 (1) (f) of the GDPR (to safeguard our legitimate interests). Our legitimate interest lies in the effective assertion, exercise and defence of legal claims, as well as in safeguarding our legal positions.

In the context of asserting legal claims and defending against legal disputes, data may be transferred to the following categories of recipients: legal and tax advisors, courts, public authorities.

3. Transfer of your personal data

In order to fulfil the processing purposes set out above, it is necessary, amongst other things, for us to transfer your personal data to specific recipients. We provide information about the relevant recipients or categories of recipients in point 2.

In connection with the transfer of your personal data to the recipients listed above, personal data may (occasionally) also be transferred to third countries (i.e. countries outside the EU/EEA). In all cases, we ensure that European data protection standards are upheld. Personal data is only transferred to countries for which the European Commission has determined that they have an adequate level of data protection (Article 45 GDPR), or we implement measures in accordance with Article 46 GDPR to ensure that recipients have an adequate level of data protection (e.g. by entering into standard contractual clauses). Data may be transferred to third countries in the case of the following recipients:

• Stripe, Inc. (USA); Legal basis: EU-US Data Privacy Framework, Article 45 of the GDPR.
• OpenAI, L.L.C. (USA); Legal basis: Standard contractual clauses pursuant to Article 46 (2) (c) of the GDPR.
• PostHog, Inc. (USA; EU Cloud, Frankfurt); Legal basis: Standard contractual clauses pursuant to Article 46 (2) (c) of the GDPR.

We are happy to provide further information on data transfers to third countries upon your request.

The service providers we engage, who qualify as data processors, process your personal data solely on our behalf and in accordance with our instructions in order to fulfil the processing purposes set out above. Where personal data is transferred to third countries in connection with the use of data processors, the above provisions apply accordingly.

4. Data retention

We retain data that we process in connection with Account registration and Account administration (see point 2.1), as well as data that we process for the administration of the Companion Subscription (see point 2.2), for up to two months following the termination of the contractual relationship.

We retain data that we process for the verification of compliance with the Terms of Use (see point 2.3) for the duration of the review of the specific matter and, in any event, no longer than 12 months after its conclusion, unless a longer period is required to establish, exercise or defend legal claims. We retain data that we process for product-analysis purposes (page views and events; see point 2.4) for a period of 14 months from collection.

We retain data that is necessary for the assertion of legal claims or for defence in legal disputes (see point 2.5) for as long as is required in ongoing (extra)judicial and administrative disputes or proceedings.

5. Rights of data subjects

Data subjects have certain rights under the GDPR. With regard to the data processing described herein, you are entitled to the specific rights defined in more detail below. If you wish to exercise any of these rights, you may contact us at any time using the contact information provided in point 1.

5.1. Right of access

Upon request, we will provide you within the legally prescribed timeframe with information regarding the data we process about you. In addition to the data itself, this information includes, amongst other things, the purpose of processing, the recipients of the data and the retention period. Your right of access is restricted by law under certain circumstances. If this is the case, we will provide you with the reasons for this.

5.2. Right to rectification

You have the right to request that we rectify or complement any incorrect or incomplete data we have collected. We may ask you to provide proof of your identity before we can comply with this request. Until your data has been rectified or complemented, you may also request that we restrict its processing.

5.3. Right to erasure, right to restriction

You have the right to request that we delete your data if and to the extent that (i) the data is no longer necessary for the purposes for which it was collected, (ii) the data was collected unlawfully, or (iii) the processing is based on your consent and you have withdrawn your consent.

The right to erasure is restricted if the data is subject to a statutory retention obligation or if processing the data is necessary for establishing, exercising or defending legal claims. However, in such cases, you have the right to restrict the processing of your data to the extent required by law or necessary for the enforcement of legal claims.

5.4. Right to data portability

You have the right, where technically feasible, to have all personal data that you have provided to us transferred to a third party specified by you.

5.5. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of our own legitimate interests or those of a third party. In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

5.6. Right to withdraw consent

You may withdraw your consent to the processing of your personal data at any time, either in whole or in part, with effect for the future. In such cases, we will delete your data immediately, unless this is not permitted by law, in which case we will restrict its processing for any use beyond the legal requirements. You may contact us at any time using the contact details provided in point 1 to do so. Until the withdrawal, processing of your data is lawful.

5.7. Right to lodge a complaint

If you believe that the processing of your data breaches data protection law or that your data protection rights have otherwise been infringed, you may contact us at any time using the contact details provided in point 1 or lodge a complaint with the relevant supervisory authority.

In Austria this is the Data Protection Authority:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
Telephone: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at

6. Cookies and similar technologies

We use cookies and comparable technologies (such as browser local storage) when you use the Platform. A cookie is a small text file that a website stores on your device in order to recognise your browser.

We use cookies and local storage that are technically required to operate the Platform – in particular to authenticate you, to keep you signed in, and to remember your cookie preferences. These are necessary to provide the service you request and are processed on the legal basis of Article 6 (1) (b) and (f) of the GDPR. They cannot be switched off.

For the product-analysis purposes described in point 2.4, we use our analytics provider PostHog. When you first visit the Platform, a consent banner asks whether you accept analytics cookies:

• If you accept, PostHog stores cookies that allow us to recognise your device across visits and to analyse how you use the Platform.
• If you decline, no analytics cookies are stored on your device; in that case we process analytics data only in a cookieless manner, using a privacy-preserving identifier that is generated server-side and is not stored on your device.

We set analytics cookies only with your consent pursuant to Article 6 (1) (a) of the GDPR. We also respect the Global Privacy Control (GPC) signal sent by your browser and will not set analytics cookies where it is enabled.

You can withdraw your consent at any time with effect for the future (see point 5.6). Clearing your browser's stored site data for kugelblitz.ai will cause the consent banner to be shown again so that you can change your choice.

7. Changes

We reserve the right to amend or update this Privacy Policy as necessary to reflect legal or technical changes, or changes to our business operations. All updates are available via the link provided. The date of the update can be found at the top of this Privacy Policy.

This Privacy Policy contains all the information that we, Kugelblitz FlexCo, FN 653502h ("Kugelblitz" or "we"), are required to provide under Austrian and European data protection laws – in particular the General Data Protection Regulation ("GDPR") – when processing personal data in connection with the conclusion and fulfilment of the Terms of Services between you and Kugelblitz.

Please note: The definitions set forth in the Terms of Services, available at kugelblitz.ai/terms, also apply to this Privacy Policy.

1. Contact information of the controller and contact person

Controller and contact person for data protection matters:

Kugelblitz FlexCo, FN 653502h
Address: Kegelgasse 24/25, 1030 Vienna
Contact person: Samuel Koch
E-Mail: samuel.koch@kugelblitz.ai
Telephone: +43 676 9430077

You can reach us at the address listed above, as well as by email or phone.

2. Purposes and legal basis of data processing

We process your personal data in connection with the conclusion and fulfilment of the Terms of Services for the following purposes:

• To conclude the Terms of Services and, in connection therewith, to fulfil pre-contractual and contractual obligations (point 2.1);
• For payment processing (point 2.2);
• For the configuration and update of the Companion (point 2.3);
• To create a Platform profile page and for profile administration (point 2.4);
• For communication and customer service purposes (point 2.5);
• To assert legal claims and defend against legal disputes (point 2.6).

We generally collect the personal data necessary to fulfil the purposes mentioned above directly from you. In addition, we occasionally collect personal data from publicly accessible sources or public registers (e.g., the commercial register, company websites). The provision of personal data for the processing purposes described in points 2.1 - 2.4 is necessary for the conclusion and performance of the contractual relationship. Without this data, we generally cannot conclude or fulfil a contract with you.

We do not process your data based on a decision that relies solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

2.1. Conclusion and fulfilment of the Terms of Services

In the context of concluding and fulfilling the Terms of Services, we process the following (categories of) personal data in particular: first and last name or company name and, if applicable, commercial register number, address, credit card or payment details, VAT identification number, first and last name of a contact person, contact details such as email address and phone number, as well as communication data in connection with the conclusion and fulfilment of the contract.

The processing is carried out on the legal basis of Article 6 (1) (b) of the GDPR (performance of a contract or pre-contractual measures).

In the context of the conclusion and fulfilment of the contract, data is transferred to the following recipients or categories of recipients: Stripe, Inc. (USA); Supabase, Inc. (USA; data hosted in the EU – Frankfurt, Germany); Hetzner Online GmbH (Germany); Amazon Web Services EMEA SARL (Luxembourg); Tax consultancy; Public authorities, courts and legal representation. We provide information regarding any potential data transfers to third countries in point 3.

2.2. Payment processing

In the context of payment processing, we process the following (categories of) personal data in particular: first and last name or company name, email address, billing address, credit card or payment details, and VAT identification number.

The processing is carried out on the legal basis of Article 6 (1) (b) of the GDPR (performance of a contract).

For payment processing, we use the services of Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA ("payment service provider"), which we have carefully selected. This involves the transfer of the aforementioned personal data to the payment service provider. Furthermore, as part of the payment processing, data is transferred to our tax consultancy. We provide information regarding any potential data transfers to third countries in point 3.

2.3. Configuration and update of the Companion

In the context of configuring and updating a Companion, we process the following (categories of) personal data provided to us by the Owner in particular: first and last name or company name of the Owner, records, transcripts, documents, FAQs, voice samples and other source material provided by the Owner for the configuration and any update of the Companion.

The processing is carried out on the legal basis of Article 6 (1) (b) of the GDPR (performance of a contract or pre-contractual measures).

In the context of configuring the Companion, data is transferred to the following recipients or categories of recipients: Stripe, Inc. (USA); Supabase, Inc. (USA; data hosted in the EU – Frankfurt, Germany); Hetzner Online GmbH (Germany); Amazon Web Services EMEA SARL (Luxembourg); AssemblyAI, Inc. (USA; data processed via EU endpoint); OpenAI, L.L.C. (USA); ElevenLabs, Inc. (USA); Arize AI, Inc. (USA; data processed via EU endpoint); PostHog, Inc. (USA; EU Cloud, Frankfurt); LiveKit, Inc. (USA). We provide information regarding any potential data transfers to third countries in point 3.

2.4. Platform profile page and profile administration

When the Owner makes a Companion available to third parties via the Platform, we process the following personal data in order to provide a publicly available profile page of the Owner and administrate this profile: first and last name, email address, handle (username), avatar picture, and biography of the Owner.

The processing is carried out on the legal basis of Article 6 (1) (b) of the GDPR (performance of a contract or pre-contractual measures).

In the context of providing and administering the profile page, data is transferred to the following recipients or categories of recipients: Supabase, Inc. (USA; data hosted in the EU – Frankfurt, Germany); Hetzner Online GmbH (Germany); Amazon Web Services EMEA SARL (Luxembourg). As the profile page is publicly accessible, the data displayed on it (first and last name, handle, avatar picture and biography) can be viewed by any visitor. We provide information regarding any potential data transfers to third countries in point 3.

2.5. Customer communication and customer service

In the context of our contractual relationship, it may be necessary for you to contact us or for us to contact you. This involves, in particular, the processing of the contact person's first and last name, email address, and telephone number, as well as all other personal data that you provide to us in the course of our communication.

The processing is carried out on the legal basis of Article 6 (1) (b) of the GDPR (performance of a contract or pre-contractual measures).

In the context of customer communication and customer service, data is transferred to Amazon Web Services EMEA SARL (Luxembourg) and Google Workspace (Google Ireland Ltd., Dublin, Ireland) for the provision of communication services. We provide information regarding any potential data transfers to third countries in point 3.

2.6. Legal claims and legal disputes

In order to assert legal claims and to defend ourselves in legal disputes (both in and out of court), we process your personal data on the legal basis of Article 6 (1) (f) of the GDPR (to safeguard our legitimate interests). Our legitimate interest lies in the effective assertion, exercise and defence of legal claims, as well as in safeguarding our legal positions.

In the context of asserting legal claims and defending against legal disputes, data may be transferred to the following categories of recipients: legal and tax advisors, courts, public authorities.

3. Transfer of your personal data

In order to fulfil the processing purposes set out above, it is necessary, amongst other things, for us to transfer your personal data to specific recipients. We provide information about the relevant recipients or categories of recipients in point 2.

In connection with the transfer of your personal data to the recipients listed above, personal data may (occasionally) also be transferred to third countries (i.e. countries outside the EU/EEA).

In all cases, we ensure that European data protection standards are upheld. Personal data is only transferred to countries for which the European Commission has determined that they have an adequate level of data protection (Article 45 GDPR), or we implement measures in accordance with Article 46 GDPR to ensure that recipients have an adequate level of data protection (e.g. by entering into standard contractual clauses). Data may be transferred to third countries in the case of the following recipients:

• Stripe, Inc. (USA); Legal basis: EU-US Data Privacy Framework, Article 45 of the GDPR.
• Supabase, Inc. (USA, data hosted in the EU/Frankfurt); Legal basis: Standard contractual clauses pursuant to Article 46 (2) (c) of the GDPR.
• Google Ireland Ltd. (Ireland, parent company: Google LLC, USA); Legal basis: EU-US Data Privacy Framework, Article 45 of the GDPR.
• AssemblyAI, Inc. (USA; data processed via EU endpoint); Legal basis: Standard contractual clauses pursuant to Article 46 (2) (c) of the GDPR.
• OpenAI, L.L.C. (USA); Legal basis: Standard contractual clauses pursuant to Article 46 (2) (c) of the GDPR.
• ElevenLabs, Inc. (USA); Legal basis: Standard contractual clauses pursuant to Article 46 (2) (c) of the GDPR.
• Arize AI, Inc. (USA; data processed via EU endpoint); Legal basis: Standard contractual clauses pursuant to Article 46 (2) (c) of the GDPR.
• PostHog, Inc. (USA; EU Cloud, Frankfurt); Legal basis: Standard contractual clauses pursuant to Article 46 (2) (c) of the GDPR.
• LiveKit, Inc. (USA); Legal basis: Standard contractual clauses pursuant to Article 46 (2) (c) of the GDPR.

We are happy to provide further information on data transfers to third countries upon your request. The service providers we engage, who qualify as data processors, process your personal data solely on our behalf and in accordance with our instructions in order to fulfil the processing purposes set out above. Where personal data is transferred to third countries in connection with the use of data processors, the above provisions apply accordingly.

4. Data retention

We retain data that we process in connection with the conclusion and fulfilment of contracts (see points 2.1, 2.2 and 2.5) for a period of three years following the termination of the contractual relationship. In addition, we are subject to various corporate and/or tax law retention requirements; data subject to such obligations (e.g. invoices, accounting data) is retained for seven years following the end of the calendar or fiscal year to which it relates.

We retain data that we process for the configuration and updates of Companions, as well as data that we process in connection with the Owner's platform profile page and for profile administration (see points 2.3 and 2.4), for up to two months following the termination of the contractual relationship.

We retain data that is necessary for the assertion of legal claims or for defence in legal disputes (see point 2.6) for as long as is required in ongoing (extra)judicial and administrative disputes or proceedings.

5. Rights of data subjects

Data subjects have certain rights under the GDPR. With regard to the data processing described herein, you are entitled to the specific rights defined in more detail below. If you wish to exercise any of these rights, you may contact us at any time using the contact information provided in point 1.

5.1. Right of access

Upon request, we will provide you within the legally prescribed timeframe with information regarding the data we process about you. In addition to the data itself, this information includes, amongst other things, the purpose of processing, the recipients of the data and the retention period. Your right of access is restricted by law under certain circumstances. If this is the case, we will provide you with the reasons for this.

5.2. Right to rectification

You have the right to request that we rectify or complement any incorrect or incomplete data we have collected. We may ask you to provide proof of your identity before we can comply with this request. Until your data has been rectified or complemented, you may also request that we restrict its processing.

5.3. Right to erasure, right to restriction

You have the right to request that we delete your data if and to the extent that (i) the data is no longer necessary for the purposes for which it was collected, (ii) the data was collected unlawfully, or (iii) the processing is based on your consent and you have withdrawn your consent.

The right to erasure is restricted if the data is subject to a statutory retention obligation or if processing the data is necessary for establishing, exercising or defending legal claims. However, in such cases, you have the right to restrict the processing of your data to the extent required by law or necessary for the enforcement of legal claims.

5.4. Right to data portability

You have the right, where technically feasible, to have all personal data that you have provided to us transferred to a third party specified by you.

5.5. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of our own legitimate interests or those of a third party. In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

5.6. Right to withdraw consent

You may withdraw your consent to the processing of your personal data at any time, either in whole or in part, with effect for the future. In such cases, we will delete your data immediately, unless this is not permitted by law, in which case we will restrict its processing for any use beyond the legal requirements. You may contact us at any time using the contact details provided in point 1 to do so. Until the withdrawal, processing of your data is lawful.

5.7. Right to lodge a complaint

If you believe that the processing of your data breaches data protection law or that your data protection rights have otherwise been infringed, you may contact us at any time using the contact details provided in point 1 or lodge a complaint with the relevant supervisory authority.

In Austria this is the Data Protection Authority:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
Telephone: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at

6. Changes

We reserve the right to amend or update this Privacy Policy as necessary to reflect legal or technical changes, or changes to our business operations. The date of the update can be found at the top of this Privacy Policy.