Last updated: May 17, 2026

Privacy Policy

This Privacy Policy describes how KOL-Craft (“we”, “us”, “our”) collects, uses, and protects information about you when you use our service at kol-craft.com and our Chrome extension.

1. Information We Collect

Account information: When you register, we collect your email address and hashed password (we never store passwords in plain text).

Usage data: We record which features you use — brand analyses run, KOL URLs analyzed, outreach records generated — to enforce plan quotas and improve the product.

Payment information: Payments are processed by Paddle, our Merchant of Record. We never see or store your card number. Paddle shares subscription status and customer ID with us.

Chrome extension data: When you use our extension on a YouTube or TikTok page, the extension extracts publicly visible channel information (name, subscriber count, public bio, recent video titles). This data is sent to our API for AI analysis. We do not collect your browsing history, cookies, private messages, or login credentials from third-party platforms.

Error and performance data: We use Sentry to capture application errors. Error reports may include anonymized stack traces and browser metadata, but not the content of your generated drafts.

2. How We Use Your Information

  • Provide and operate the KOL-Craft service
  • Enforce plan quotas (generation limits per subscription tier)
  • Process payments via Paddle and manage subscriptions
  • Send transactional emails (account confirmation, subscription receipts)
  • Detect and prevent abuse or unauthorized access
  • Improve AI output quality using aggregated, anonymized usage patterns

We do not sell your personal data to third parties. We do not use your data for advertising profiling.

3. Third-Party Services

We share data with the following processors to operate the service:

Service | Purpose | Data shared
Paddle | Payment processing & subscriptions | Email, billing address
Anthropic (Claude) | AI draft generation | Brand URL content, creator profile data
Neon (Postgres) | Database hosting | All application data
Fly.io | API server hosting | Server-side processing only
Cloudflare | CDN, edge workers, DNS | IP address, request metadata
Sentry | Error monitoring | Anonymized error traces

4. Data Retention

We retain your data for as long as your account is active. Specific retention windows:

  • Draft records: 12 months
  • AI call logs: 12 months
  • Public generation logs (free tool): 30 days
  • KOL analysis cache: 7 days (auto-expired)
  • Subscription records: permanently (financial compliance)

When you delete your account, we delete all personal data within 30 days, except financial records required by law.

5. Cookies

We use a single authentication cookie (kc_token) to keep you signed in. It is:

  • HttpOnly — not accessible by JavaScript
  • Secure — only sent over HTTPS in production
  • Expires in 7 days

We do not use advertising or analytics cookies. Cloudflare may set a __cf_bm cookie for bot protection.

6. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your account and data
  • Export your data (draft history)
  • Withdraw consent at any time

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

7. Security

We protect your data using:

  • Argon2 password hashing (no plain-text passwords stored)
  • HTTPS/TLS for all data in transit
  • JWT tokens for session management
  • Minimal permission model — employees cannot access user-generated content

No system is perfectly secure. If you discover a vulnerability, please disclose it responsibly to [email protected].

8. Children

KOL-Craft is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.

9. Changes to This Policy

We may update this policy. When we do, we will update the “Last updated” date and, for material changes, notify users by email or in-app notice. Continued use after notification constitutes acceptance.

10. Contact

For privacy questions or data requests:

Email: [email protected]