Privacy Policy

Effective 7 July 2026 · Kratt Labs OÜ

Kratt is built on a simple idea: a genuinely useful AI assistant should not cost you your privacy. This policy explains, in plain language, what data we handle, where it lives, who processes it and why, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. Who we are 2. What we process 3. AI processing 4. Processors 5. Retention 6. Your rights 7. Cookies 8. Security 9. Children 10. Changes

1. Who we are

Kratt Labs OÜ, a private limited company registered in Estonia, is the data controller for the Kratt services (chat.krattlabs.eu and the Kratt apps, Kratt Code, and this website). For any privacy matter, contact us at krattlabs@proton.me.

2. What we process, and why

Account data

Username, a hash of your password (bcrypt, we never store the password itself), optional contact email, plan tier, language and interface preferences. Basis: performance of our contract with you (Art. 6(1)(b)).

Content you create

Your conversations with the assistant, files you attach, saved memories and custom instructions, calendar events, budget entries, lists, reminders, and Kratt Code sessions you sync. This content exists so the service can work for you; we do not read it, mine it, or build profiles from it. Basis: contract (Art. 6(1)(b)).

Email (if you use Kratt's email features)

Messages sent and received through your Kratt address are stored so the assistant can show and act on them for you. Basis: contract (Art. 6(1)(b)).

Usage accounting

Message counts and per-request compute cost, kept to enforce plan limits and prevent abuse. Your usage page shows percentages only. Basis: contract and legitimate interest (Art. 6(1)(b), (f)).

Technical data

Short-lived server logs including IP addresses (security and abuse prevention), session tokens, and, only if you install the Android app and allow notifications, a push token for your device. Basis: legitimate interest in securing the service (Art. 6(1)(f)).

We run no analytics, no trackers, and no advertising, on this website or in the apps.

3. AI processing: an honest explanation

Your account and your stored data live on our own servers in the European Union and are never used to train AI models. To generate a reply, however, the messages in your current conversation (including files you attach to it) are transmitted to the AI infrastructure partners listed below, which operate the underlying language models. This happens transiently, to produce the response, under contractual terms that prohibit using your content to train models. Transfers outside the EU are covered by EU Standard Contractual Clauses and, where certified, the EU-U.S. Data Privacy Framework.

When you use web search, your query is proxied through our own EU-hosted search engine (SearXNG); the search engines it queries see the search terms but never your identity or account. Tool lookups (weather, places, currency, Wikipedia) send only the minimal query needed, a city name, a search term, never your account data.

4. Processors and sub-processors

ProviderPurposeLocation
Contabo GmbHServer hosting (all storage)Germany · servers in France (EU)
HostingerEmail mailboxes (Kratt email)EU
OpenRouter, Inc.AI gateway (reply generation)USA*
DeepInfra, Inc.AI compute for text repliesUSA*
DigitalOcean, LLCAI compute for image/audio/video understandingUSA*
Google (Firebase Cloud Messaging)Push notifications, Android app onlyUSA*
MET Norway, GeoNames, ExchangeRate-API, Coinbase, WikipediaTool data lookups (query content only)Various

* Content is transmitted only as described in section 3, protected by Standard Contractual Clauses and/or the EU-U.S. Data Privacy Framework.

5. How long we keep things

DataKept until
Account & content (chats, calendar, budget, lists…)You delete it, or you delete your account
Uploaded attachmentsAuto-deleted within 60 minutes of upload
Login sessionsExpire after 90 days (sooner if you sign out)
Encrypted backupsRolling 14 days
Remnants after account deletionFully purged from backups and quarantine within 30 days
Security logs (IP addresses)Short system rotation

6. Your rights, and how to use them right now

Under the GDPR you can access, correct, export, restrict, object to, and erase your data. With Kratt you don't need to write us a letter:

For anything else, email krattlabs@proton.me, we respond within 30 days. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.

7. Cookies

We set exactly one cookie: a strictly necessary session cookie that keeps you signed in. Preferences like theme and language are stored in your browser's local storage. There are no tracking, analytics or advertising cookies, which is why you won't find a cookie banner here.

8. Security

TLS on every connection with HSTS, hardened and sandboxed servers with key-only administrative access, passwords hashed with bcrypt, rate-limited authentication, encrypted nightly backups stored in the EU, and least-privilege service isolation. If a breach ever puts your data at risk, we will notify the supervisory authority within 72 hours and affected users without undue delay, as the GDPR requires.

9. Children

Kratt is not directed at children under 13, and we do not knowingly process their data.

10. Changes to this policy

If we change this policy in any meaningful way, we will update the date at the top and, for material changes, tell you in the app before they take effect.