1. Information We Collect
We collect information to provide, improve, and secure the Service. The types of information we collect include:
Account Information
When you create an account, we collect your name, email address, and a password. Organization administrators may also provide company name, phone number, and business details.
Job and Business Data
Data you enter into the Service, including job details, customer records, invoices, schedules, production notes, mockup files, and any other content created within the platform.
Payment Information
Payment processing is handled by Stripe. We do not directly store credit card numbers or full bank account details. Stripe collects and processes payment information in accordance with its own privacy policy.
Usage Analytics
We collect anonymized usage data such as feature usage patterns, page views, session duration, and error logs to improve the Service. This data is not linked to individual users.
2. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Process transactions and send related billing information.
- Send service-related notifications (e.g., job status updates, invoice reminders, system alerts).
- Improve and optimize the Service based on usage patterns.
- Respond to customer support inquiries and provide technical assistance.
- Detect, prevent, and address fraud, abuse, and security issues.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information to third parties. We do not use your data for advertising purposes.
3. Data Storage and Security
Your data is stored on secure infrastructure provided by industry-leading cloud providers:
- Database: Neon PostgreSQL with encryption at rest and in transit.
- Application Hosting: Vercel, with automatic TLS/SSL encryption for all connections.
- File Storage: Vercel Blob storage with encrypted access.
- Passwords: Hashed using bcrypt; we never store plaintext passwords.
We implement industry-standard security measures, including encrypted communications (TLS 1.2+), secure authentication tokens, rate limiting, and account lockout protections. While we take reasonable measures to protect your data, no system is completely secure, and we cannot guarantee absolute security.
4. Third-Party Services
The Service integrates with the following third-party providers. Each has its own privacy practices:
- Stripe — Payment processing for subscriptions and invoice payments. Stripe Privacy Policy
- Twilio — SMS notifications for job updates and alerts. Twilio Privacy Policy
- Google — Gmail integration for email inbox features, Google Drive integration for file management, and optional OAuth authentication. Google Privacy Policy
- Anthropic — AI-powered features including purchase order processing and intelligent suggestions. Anthropic Privacy Policy
5. AI Data Usage
Important Notice Regarding AI Features
When you use AI-powered features within Kontraktr (such as AI purchase order processing, smart suggestions, or AI-assisted scheduling), relevant data may be sent to our AI provider (Anthropic) for processing.
- Your data is NOT used for AI model training. Data sent to AI services is processed solely to fulfill the specific feature request.
- Data is transmitted securely and is not retained by the AI provider beyond the duration needed to generate a response.
- You can use the Service without AI features if you prefer not to have your data processed by AI systems.
6. Data Retention
- Active Accounts: Your data is retained for as long as your account is active and in good standing.
- Cancelled Accounts: Upon cancellation, your data is retained for thirty (30) days to allow for data export. After the 30-day period, all data is permanently and irreversibly deleted from our systems.
- Backups: Encrypted database backups may retain deleted data for up to an additional 30 days as part of our disaster recovery procedures. Backups are automatically purged according to our retention schedule.
- Legal Obligations: We may retain certain data as required by applicable law (e.g., financial records for tax compliance).
7. User Rights
You have the following rights regarding your data:
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may request that we correct inaccurate or incomplete personal data.
- Deletion: You may request that we delete your personal data, subject to legal retention requirements.
- Export: You may export your data at any time through the Service or by contacting us.
- Opt-Out of Marketing: You may opt out of marketing communications at any time. Service-related notifications (e.g., billing alerts) cannot be opted out of while your account is active.
To exercise any of these rights, contact us at privacy@kontraktr.io. We will respond to requests within 30 days.
8. CCPA/GDPR Compliance
California Consumer Privacy Act (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect about you and how it is used.
- Request deletion of your personal information.
- Opt out of the “sale” of personal information. Note: we do not sell personal information.
- Not be discriminated against for exercising your privacy rights.
General Data Protection Regulation (GDPR)
If you are located in the European Economic Area (EEA), you have additional rights, including:
- Lawful Basis: We process your data based on contractual necessity (to provide the Service), legitimate interest (to improve and secure the Service), and your consent where applicable.
- Data Portability: You may request your data in a structured, machine-readable format.
- Right to Restrict Processing: You may request that we limit how we use your data.
- Right to Object: You may object to our processing of your data in certain circumstances.
9. Cookies
Kontraktr uses cookies for essential Service functionality:
- Session Cookies: Managed by NextAuth for authentication. These are essential for logging in and maintaining your session.
- Preference Cookies: Used to store your theme preferences (light or dark mode) and other UI settings.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track you across other websites. We do not participate in cross-site tracking or ad networks.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will promptly delete such information from our systems.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@kontraktr.io.
11. Changes to Policy
We reserve the right to update this Privacy Policy at any time. If we make material changes, we will provide at least thirty (30) days' notice via email or through a prominent notice within the Service.
Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy.