Privacy Policy (EU/EEA, UK, Switzerland Version)

Effective date: 01 March 2026

For the global version of this policy please refer to the following link.

This Privacy Policy explains how Kahuna Labs UG (“we”, “us”, “our”) collects, uses, stores, and shares personal data when you use our website, applications, and services (collectively, the “Services”).

We are committed to protecting your privacy and handling personal data in accordance with applicable data protection laws, including the EU GDPR, UK GDPR, and applicable national laws.

1. Who we are (Data Controller)

Controller: Kahuna Labs UG (haftungsbeschränkt)

Registered address: Pauline Str. 23/25 7076 Heilbronn (DE)

Email: privacy@kahuna-labs.de

If you are in the EEA, UK, or Switzerland, this policy applies to your use of our Services.


2. Scope of this policy

This Privacy Policy applies to personal data we process when you use our Services directly as an end user.

It does not apply to data we process solely on behalf of business customers under a separate data processing agreement (if applicable).


3. Personal data we collect

We collect the following categories of personal data:

A. Data you provide directly

  • Account information (e.g., name, email address, password, username, account settings)
  • User content (e.g., prompts you submit to the LLM, files/uploads, and generated outputs/results associated with your account)
  • Communications (e.g., messages you send to support, feedback, survey responses)

B. Payment and transaction data (processed via Stripe)

When you pay for paid features/subscriptions, payment processing is handled by Stripe (or another payment provider we may designate). We do not store full payment card numbers, billing name/address, VAT/tax details, or invoice details on our systems. Stripe processes payment method data (such as card details) and provides us with transaction metadata (for example, status, last 4 digits, expiry, billing information, and identifiers needed for invoicing, reconciliation, fraud prevention, and support).

C. Data collected automatically

  • Log and device data (e.g., IP address, browser type, device type, operating system, timestamps, request logs)
  • Usage data (e.g., features used, actions taken, session duration, error events, performance diagnostics)
  • Cookies and similar technologies (see Section 9)

4. How we use personal data

We use personal data for the following purposes:

  1. To provide the Services
    • Create and manage your account
    • Process your prompts and return LLM-generated results
    • Store prompts/results so they remain available to you later (e.g., history, retrieval, continuity)
  2. To operate, secure, and maintain the Services
    • Monitor performance, troubleshoot issues, prevent abuse/fraud, and maintain security
    • Enforce our terms and policies
  3. To process payments and manage subscriptions
    • Handle billing, invoicing, payment verification, refunds, accounting, and tax compliance
    • Coordinate with Stripe and related payment service providers
  4. To communicate with you
    • Service notices, account updates, support replies, and important changes
    • Marketing communications (only where permitted by law and subject to your choices)
  5. To improve and develop our Services
    • Analyze usage trends and feedback
    • Improve product quality, reliability, and features
    • Potentially use prompts/outputs and related content to improve our services and models, where permitted by law and subject to your settings, opt-out choices, or consent where required
  6. To comply with legal obligations
    • Financial recordkeeping, legal requests, dispute handling, and regulatory compliance

5. Legal bases for processing (EU/EEA/UK/Switzerland)

Depending on the purpose, we rely on one or more of the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR): e.g., creating your account, delivering LLM outputs, providing paid features
  • Legitimate interests (Art. 6(1)(f) GDPR): e.g., service security, fraud prevention, internal analytics, product improvement, support, and operational reliability (balanced against your rights and interests)
  • Legal obligation (Art. 6(1)(c) GDPR): e.g., accounting, tax, legal compliance, responding to valid legal requests
  • Consent (Art. 6(1)(a) GDPR), where required: e.g., non-essential cookies, certain marketing activities, or specific product-improvement/training uses where consent is required by applicable law

If we rely on consent, you may withdraw it at any time (without affecting processing before withdrawal).


6. AI-specific processing (prompts and outputs)

Our Services allow you to submit prompts and receive LLM-generated results.

  • Prompts and outputs may contain personal data, depending on what you submit.
  • We store prompts/outputs primarily to provide the Service to you (for example, history, retrieval, and continuity).
  • We may also process prompts/outputs to improve and develop our Services, including quality, safety, and model performance, where permitted by law and subject to your controls/settings.
  • Please avoid submitting sensitive personal data unless necessary for your use case.

If we offer a setting to opt out of content use for improvement/training, details will be available in your account settings or product documentation.


7. How we share personal data

We may share personal data with:

A. Service providers / processors

We use vendors that help us operate the Services, such as:

  • cloud hosting/infrastructure providers
  • analytics and monitoring providers
  • customer support tools
  • email/communication tools
  • security/fraud prevention services
  • payment processors (Stripe)
  • LLM/model providers and related AI infrastructure providers (where applicable)

These providers process personal data on our behalf under contractual safeguards and only as needed to provide services to us.

B. Professional advisors and business transfers

We may disclose personal data to legal, accounting, or audit advisors, or in connection with a merger, acquisition, financing, restructuring, or sale of assets (subject to confidentiality and applicable law).

C. Legal and safety disclosures

We may disclose personal data where necessary to:

  • comply with law or valid legal process
  • protect rights, property, or safety
  • investigate fraud, abuse, or policy violations

D. Affiliates

We may share personal data with affiliated entities under common control, where relevant to providing and operating the Services, and subject to this policy.


8. International data transfers

Your personal data may be processed outside your country, including outside the EEA/UK/Switzerland.

When we transfer personal data internationally, we use appropriate safeguards as required by applicable law, such as:

  • adequacy decisions (where available), and/or
  • Standard Contractual Clauses (SCCs) (and UK addendum/Swiss measures where applicable)

You may contact us to request more information about the safeguards we use.


9. Cookies and similar technologies

We use cookies and similar technologies to:

  • keep you signed in
  • maintain preferences
  • secure the Services
  • understand usage and improve performance
  • measure effectiveness of features and communications

Where required by law, we request your consent before using non-essential cookies. You can manage cookie preferences through our cookie banner/settings (where available) and your browser controls.


10. Data retention

We retain personal data only for as long as necessary for the purposes described in this policy, including providing the Services, complying with legal obligations, resolving disputes, and enforcing agreements.

Retention periods may vary by data type:

  • Account data: retained while your account is active and for a limited period afterward as necessary
  • Prompts/outputs (content): retained to provide your history/retrieval features until you delete them, close your account, or according to your settings, subject to legal/security retention needs
  • Payment/transaction and invoicing records: retained as required for accounting, tax, and regulatory compliance
  • Logs and security records: retained for operational and security purposes for an appropriate limited period

We may retain data longer where required by law or where necessary to establish, exercise, or defend legal claims.


11. Your rights (EEA/UK/Switzerland)

Subject to applicable law, you may have the right to:

  • access your personal data
  • correct inaccurate personal data
  • delete personal data
  • restrict processing
  • object to processing (including certain processing based on legitimate interests)
  • data portability
  • withdraw consent (where processing is based on consent)
  • lodge a complaint with your local supervisory authority

To exercise your rights, contact us at privacy@kahuna-labs.de.

We may need to verify your identity before responding. We will respond within the time required by applicable law.


12. Children

Our Services are not intended for children under 13, and we do not knowingly collect personal data from children below that age.

If you believe a child has provided personal data to us, please contact us and we will investigate and take appropriate action.


13. Security

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure.

However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.


14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and update the Effective date above. Where required by law, we will provide additional notice.


15. Contact us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Kahuna Labs UG

Pauline Str. 23/25 7076 Heilbronn (DE)

privacy@kahuna-labs.de

If you are in the EEA/UK/Switzerland, you also have the right to contact your local data protection authority.