GeoPulse

Privacy Policy

Last updated: May 17, 2026

This Privacy Policy explains how Kairos Lab ("we", "us") collects, uses and protects your personal data when you use GeoPulse (the "Service"). It is aligned with the EU General Data Protection Regulation (GDPR) and applicable EU data protection laws.

1. Data controller

The data controller is Kairos Lab. You can reach us at hello@kairos-lab.io for any privacy-related request.

2. Data we collect

2.1 Account data

  • Email address (used for authentication and product communications)
  • Hashed password (if email/password auth is used)
  • Optional: name or workspace name you choose to provide

2.2 Service data

  • Brands, queries and competitors you configure
  • LLM responses, mention metrics and historical visibility metrics
  • Alert preferences and exported reports

2.3 Billing data

  • Handled by Stripe. We never store your card number on our servers. We receive a customer ID, the subscription state and the last 4 digits of your card for display only.

2.4 Technical data

  • IP address, browser, OS, referrer (server logs, kept 30 days)
  • Error events via Sentry (no request bodies, no PII payloads)
  • Aggregated, anonymous product analytics

3. Why we use your data (legal basis)

  • Contract: to provide the Service you subscribed to.
  • Legitimate interest: to keep the Service secure, to prevent fraud, and to improve product reliability.
  • Legal obligation: to keep accounting records and respond to lawful requests.
  • Consent: only for non-essential cookies and marketing emails (you may withdraw consent at any time).

4. Hosting & sub-processors

Your data is hosted in the European Union. We rely on a limited set of sub-processors, each bound by a DPA:

  • Supabase (database, auth) — EU region (Frankfurt)
  • Vercel (frontend hosting) — EU edge
  • Stripe (payments)
  • Resend (transactional email)
  • Sentry (error monitoring)
  • OpenAI, Anthropic, Perplexity (LLM API calls for your tracked queries)

A current list and the relevant DPAs are available on request at hello@kairos-lab.io.

5. Retention

  • Account data: while your account is active, then 30 days after deletion.
  • Service data (queries, runs, reports): while your account is active. You can delete brands at any time.
  • Server logs: 30 days.
  • Billing records: 10 years (legal accounting obligation).

6. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Request erasure ("right to be forgotten")
  • Restrict or object to processing
  • Receive your data in a portable format
  • Lodge a complaint with your local Data Protection Authority

To exercise any of these rights, email hello@kairos-lab.io. We respond within 30 days.

7. Cookies

We use strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies. Optional analytics cookies (if any) are loaded only after explicit consent.

8. Security

Data in transit is encrypted with TLS 1.2+. Data at rest is encrypted by our hosting providers. Access to production systems is restricted, with 2FA enforced.

9. International transfers

Some LLM providers (OpenAI, Anthropic) are located in the United States. Transfers happen under Standard Contractual Clauses (SCCs). We send only the query text you configure — never your customer data unless you put it in a query yourself.

10. Changes to this policy

We may update this policy. We will notify you of material changes by email and via an in-app banner at least 14 days before they take effect.

11. Contact

Questions or requests: hello@kairos-lab.io.