Skip to main content
kreel Home
Sign in Get a key

Kreel Legal

Privacy Policy

Last updated: 2026-04-18

This Privacy Policy describes how Kreel ("we", "us", "Kreel") handles personal information when you use our Service (the Kreel platform, CLI, MCP server, and related offerings available at kreel.ai and app.kreel.ai).

1. Who we are

Kreel is operated by Beyond Peaks, a company incorporated in France. Contact: privacy@kreel.ai.

2. Data we process

Account data

  • Email, name, and authentication identifiers when you sign up.
  • Billing information (handled by Stripe; we do not store card numbers).
  • Workspace and team membership records.

Connected-platform data (on your behalf)

When you connect Shopify, Klaviyo, Meta Ads, or Google Ads accounts, Kreel accesses data from those platforms to provide the Service. This may include:

  • Store products, orders, customers, and order fulfilment status (Shopify).
  • Email campaigns, flows, segments, and performance metrics (Klaviyo).
  • Ad accounts, campaigns, ads, and performance metrics (Meta, Google).

We access this data via OAuth tokens that you authorise. You can revoke access at any time from your connected platform or from your Kreel workspace.

Usage data

  • Request logs, API call counts, and error logs used to operate and improve the Service.
  • Analytics events collected via a privacy-first provider (Plausible). No cookies or cross-site tracking.

3. How we use data

  • To provide the Service and respond to your API requests.
  • To prevent abuse, monitor uptime, and enforce usage limits per your pricing tier.
  • To communicate about your account, billing, and material changes to the Service.
  • To improve the Service using aggregated and de-identified signals.

We do not sell personal data. We do not use connected-platform data to train third-party AI models.

4. Sharing

We share personal data only with sub-processors who help us run the Service, each under a data-processing agreement. Current sub-processors:

  • Supabase (auth, database hosting; EU region).
  • Stripe (billing and payments).
  • Vercel (marketing site hosting; static content only).
  • Plausible (aggregate analytics for kreel.ai).
  • Hetzner (application workload hosting; EU region).

An up-to-date list and applicable DPAs are available on request. See our Data Processing Agreement.

5. Data location and transfers

Primary data is stored in the European Union. Where transfers outside the EU occur (for example to a US-based sub-processor), they are made under appropriate safeguards including Standard Contractual Clauses.

6. Retention

  • Account data is retained while your account is active and for up to 12 months after closure for legal and accounting reasons.
  • Connected-platform data is deleted from Kreel within 30 days of you disconnecting the integration or closing your account.
  • Logs older than 90 days are aggregated or deleted.

7. Your rights

Subject to applicable law (including the GDPR for EU residents), you have the right to access, correct, delete, restrict, or export your personal data, and to object to processing. Submit requests to privacy@kreel.ai. We will respond within 30 days.

8. Security

We encrypt data in transit (TLS 1.2+) and at rest. OAuth tokens are stored encrypted. Access to production systems is limited to a small number of personnel, logged, and reviewed quarterly. For more, see our Security page.

9. Children

Kreel is not intended for individuals under the age of 16 and we do not knowingly collect their data.

10. Changes

We may update this policy. Material changes will be notified by email or in-product at least 30 days before they take effect. The "Last updated" date reflects the most recent change.

11. Contact

For questions about this policy: privacy@kreel.ai.