Privacy Policy
Effective 7 July 2026 · Kratt Labs OÜ
Kratt is built on a simple idea: a genuinely useful AI assistant should not cost you your privacy. This policy explains, in plain language, what data we handle, where it lives, who processes it and why, and the rights you have under the EU General Data Protection Regulation (GDPR).
1. Who we are
Kratt Labs OÜ, a private limited company registered in Estonia, is the data controller for the Kratt services (chat.krattlabs.eu and the Kratt apps, Kratt Code, and this website). For any privacy matter, contact us at krattlabs@proton.me.
2. What we process, and why
Account data
Username, a hash of your password (bcrypt, we never store the password itself), optional contact email, plan tier, language and interface preferences. Basis: performance of our contract with you (Art. 6(1)(b)).
Content you create
Your conversations with the assistant, files you attach, saved memories and custom instructions, calendar events, budget entries, lists, reminders, and Kratt Code sessions you sync. This content exists so the service can work for you; we do not read it, mine it, or build profiles from it. Basis: contract (Art. 6(1)(b)).
Email (if you use Kratt's email features)
Messages sent and received through your Kratt address are stored so the assistant can show and act on them for you. Basis: contract (Art. 6(1)(b)).
Usage accounting
Message counts and per-request compute cost, kept to enforce plan limits and prevent abuse. Your usage page shows percentages only. Basis: contract and legitimate interest (Art. 6(1)(b), (f)).
Technical data
Short-lived server logs including IP addresses (security and abuse prevention), session tokens, and, only if you install the Android app and allow notifications, a push token for your device. Basis: legitimate interest in securing the service (Art. 6(1)(f)).
We run no analytics, no trackers, and no advertising, on this website or in the apps.
3. AI processing: an honest explanation
Your account and your stored data live on our own servers in the European Union and are never used to train AI models. To generate a reply, however, the messages in your current conversation (including files you attach to it) are transmitted to the AI infrastructure partners listed below, which operate the underlying language models. This happens transiently, to produce the response, under contractual terms that prohibit using your content to train models. Transfers outside the EU are covered by EU Standard Contractual Clauses and, where certified, the EU-U.S. Data Privacy Framework.
When you use web search, your query is proxied through our own EU-hosted search engine (SearXNG); the search engines it queries see the search terms but never your identity or account. Tool lookups (weather, places, currency, Wikipedia) send only the minimal query needed, a city name, a search term, never your account data.
4. Processors and sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Contabo GmbH | Server hosting (all storage) | Germany · servers in France (EU) |
| Hostinger | Email mailboxes (Kratt email) | EU |
| OpenRouter, Inc. | AI gateway (reply generation) | USA* |
| DeepInfra, Inc. | AI compute for text replies | USA* |
| DigitalOcean, LLC | AI compute for image/audio/video understanding | USA* |
| Google (Firebase Cloud Messaging) | Push notifications, Android app only | USA* |
| MET Norway, GeoNames, ExchangeRate-API, Coinbase, Wikipedia | Tool data lookups (query content only) | Various |
* Content is transmitted only as described in section 3, protected by Standard Contractual Clauses and/or the EU-U.S. Data Privacy Framework.
5. How long we keep things
| Data | Kept until |
|---|---|
| Account & content (chats, calendar, budget, lists…) | You delete it, or you delete your account |
| Uploaded attachments | Auto-deleted within 60 minutes of upload |
| Login sessions | Expire after 90 days (sooner if you sign out) |
| Encrypted backups | Rolling 14 days |
| Remnants after account deletion | Fully purged from backups and quarantine within 30 days |
| Security logs (IP addresses) | Short system rotation |
6. Your rights, and how to use them right now
Under the GDPR you can access, correct, export, restrict, object to, and erase your data. With Kratt you don't need to write us a letter:
- Export everything, Account → Export my data downloads your complete data in open formats (JSON + SQLite), covering chat, calendar, budget, lists, reminders, email and usage.
- Delete everything, Account → Delete my account erases your account and all content across every Kratt app immediately; residual copies leave backups within 30 days.
- Correct things, your profile, email and preferences are editable in Account.
For anything else, email krattlabs@proton.me, we respond within 30 days. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.
7. Cookies
We set exactly one cookie: a strictly necessary session cookie that keeps you signed in. Preferences like theme and language are stored in your browser's local storage. There are no tracking, analytics or advertising cookies, which is why you won't find a cookie banner here.
8. Security
TLS on every connection with HSTS, hardened and sandboxed servers with key-only administrative access, passwords hashed with bcrypt, rate-limited authentication, encrypted nightly backups stored in the EU, and least-privilege service isolation. If a breach ever puts your data at risk, we will notify the supervisory authority within 72 hours and affected users without undue delay, as the GDPR requires.
9. Children
Kratt is not directed at children under 13, and we do not knowingly process their data.
10. Changes to this policy
If we change this policy in any meaningful way, we will update the date at the top and, for material changes, tell you in the app before they take effect.