Privacy Policy
Last updated: 2026-06-05
This Privacy Policy describes how Kreel ("we", "us", "Kreel") handles personal information when you use our Service (the Kreel platform, CLI, MCP server, and related offerings available at kreel.ai and app.kreel.ai).
1. Who we are
Kreel is operated by Beyond Peaks Ltd, a company incorporated in Malta. Contact: privacy@kreel.ai.
2. Data we process
Account data
- Email, name, and authentication identifiers when you sign up.
- Billing information (handled by Stripe; we do not store card numbers).
- Workspace and team membership records.
Connected-platform data (on your behalf)
When you connect Shopify, Klaviyo, Meta Ads, or Google Ads accounts, Kreel accesses data from those platforms to provide the Service. This may include:
- Store products, orders, customers, and order fulfilment status (Shopify).
- Email campaigns, flows, segments, and performance metrics (Klaviyo).
- Ad accounts, campaigns, ads, and performance metrics (Meta, Google).
We access this data via OAuth tokens that you authorise. You can revoke access at any time from your connected platform or from your Kreel workspace.
Usage data
- Request logs, API call counts, and error logs used to operate and improve the Service.
- Product usage analytics collected via PostHog to operate and improve the Service.
3. How we use data
- To provide the Service and respond to your API requests.
- To prevent abuse, monitor uptime, and enforce usage limits per your pricing tier.
- To communicate about your account, billing, and material changes to the Service.
- To improve the Service using aggregated and de-identified signals.
We do not sell personal data. We do not use connected-platform data to train third-party AI models.
4. Sharing
We share personal data only with sub-processors who help us run the Service, each under a data-processing agreement. Current sub-processors:
- Supabase (authentication and database hosting; EU region).
- Hetzner (application hosting; EU region).
- Anthropic (US; generates descriptive tags from ad creative images to power the creative analysis feature).
- PostHog (product usage analytics).
- SendGrid (transactional email).
- Stripe (billing and payments).
- Vercel (marketing and documentation site hosting; static content).
An up-to-date list and applicable DPAs are available on request. See our Data Processing Agreement.
5. Data location and transfers
Primary data is stored in the European Union. Where transfers outside the EU occur (for example to a US-based sub-processor), they are made under appropriate safeguards including Standard Contractual Clauses.
6. Retention
- Account data is retained while your account is active and for up to 12 months after closure for legal and accounting reasons.
- Connected-platform data is deleted immediately when you explicitly delete a workspace. Disconnected workspace data is purged by the retention process according to the configured schedule.
- Logs older than 90 days are aggregated or deleted.
7. Your rights
Subject to applicable law (including the GDPR for EU residents), you have the right to access, correct, delete, restrict, or export your personal data, and to object to processing. Submit requests to privacy@kreel.ai. We will respond within 30 days.
8. Security
We encrypt data in transit (TLS 1.2+) and at rest. OAuth tokens are stored encrypted. Access to production systems is limited to a small number of personnel, logged, and reviewed quarterly. For more, see our Security page.
9. Children
Kreel is not intended for individuals under the age of 16 and we do not knowingly collect their data.
10. Changes
We may update this policy. We will notify you of material changes by email or in-product at least 30 days before they take effect. The "Last updated" date reflects the most recent change.
11. Contact
For questions about this policy: privacy@kreel.ai.