Privacy Policy
This privacy policy explains what personal data we process when you use kral.ai (the "Service"), why we process it, and the rights you have. The controller responsible for this processing is Martin Král (the "Provider"); full contact and company details are on our imprint. We process only the data necessary to run the Service and we do not sell personal data.
1. Controller
Martin Král, a sole trader established in CZ, business ID (IČO) 21106312. kral.ai is a brand under which Martin Král operates; there is no separate company behind it. Postal address and registration details: see the imprint. For any privacy matter you can reach us at [email protected].
2. Data we process
Account data. The email address you provide, a hashed password, and your display name. If you sign in through a third-party login provider (Google, Microsoft, GitHub, Apple), that provider transmits to us the identifier it returns and the basic profile fields you consent to share; this is a source of personal data about you.
Usage and log data. To operate and secure the Service we log request metadata such as IP address, user agent, requested URL, timestamp, response code, and token/credit consumption per request. These logs are used for billing, security, abuse detection, and capacity planning.
Content data. Conversations, prompts, uploaded files, and other content you submit are stored to provide chat history and related features. To produce a response, this content is transmitted to the AI provider you select (see section 4). We may also access and process this content to operate, secure, support, and debug the Service, to prevent abuse, and to comply with legal obligations.
Billing data. For paid use we store invoicing data (name, billing address, VAT ID where applicable) and a transaction record. Card and payment-instrument details are handled by our payment processor; we never store full payment-instrument data.
3. Legal bases
We process the data above to perform our contract with you (Art. 6(1)(b) GDPR), to meet legal obligations such as bookkeeping and tax retention (Art. 6(1)(c) GDPR), based on our legitimate interest in a secure and abuse-free Service (Art. 6(1)(f) GDPR), and, for non-essential analytics and marketing tools, on your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time.
4. AI model providers
The Service is a gateway that forwards your prompts and attached content to the third-party AI provider you select for a given request. Depending on your choice, content is transmitted to one or more of: OpenAI, Anthropic, Google, xAI, Groq, DeepSeek, Moonshot AI, and comparable model or tool providers (for example web-search and document-processing tools). These providers process the submitted content to generate a response under their own terms and privacy policies. Several of them are located outside the EU/EEA (see section 11). We do not use your content to train our own models, and we select providers on the basis that customer content is not used to train their models by default; the applicable provider terms remain authoritative.
5. Other processors
We share data with processors only as necessary to run the Service:
- Payment processing — our payment provider (Mollie B.V., Netherlands) and any additional provider you choose at checkout, to take payment and issue refunds.
- Email delivery — to send transactional email (confirmations, invoices, security notices).
- Hosting and infrastructure — to host the application, database, and chat backend.
All processors act under data processing agreements and only for the purposes above.
6. Website analytics and marketing tools
On our public website we use the tools below. Except for strictly necessary tools, these load only after you consent through the cookie banner, and you can change or withdraw your choice at any time via the cookie settings. Consent is split into "Analytics" and "Marketing" categories.
Strictly necessary (no consent required).
- Cloudflare Turnstile (Cloudflare, Inc.) — protects forms and sign-in against bots and abuse. It runs on our legitimate interest in security and does not set advertising cookies.
Analytics (requires your consent).
- Google Analytics 4 / Google Tag Manager (Google Ireland Ltd. / Google LLC) — aggregated visitor statistics and traffic analysis.
- Microsoft Clarity (Microsoft Corporation) — usage analytics including heatmaps and aggregated session statistics, to understand how pages are used.
Marketing (requires your consent).
- Google Ads (Google) — conversion measurement and remarketing for our advertising.
- Microsoft Advertising / Bing UET (Microsoft) — conversion measurement for ads on Microsoft/Bing.
- Meta Pixel (Meta Platforms Ireland Ltd.) — conversion measurement and audience building for ads on Facebook/Instagram.
- LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company) — conversion measurement and audience building for ads on LinkedIn.
- X (Twitter) Pixel (X Corp.) — conversion measurement and audience building for ads on X (Twitter).
These tools may set cookies and transmit usage data, including identifiers and IP address, to the respective provider. Several providers are located in the USA (see section 11). If you decline the relevant category, the tool is not loaded.
7. Cookies and consent
We use cookies and similar technologies. Strictly necessary cookies are set without consent because the Service cannot function without them; analytics and marketing cookies are set only after you opt in via the cookie banner, and you can withdraw consent at any time through the cookie settings.
| Provider / cookie | Category | Purpose |
|---|---|---|
| Essential first-party cookies (session, authentication, CSRF protection, language and region preference, cookie-consent storage) | Strictly necessary | Keep you signed in, secure forms against CSRF, remember your language/region and your cookie choices |
| Cloudflare Turnstile | Strictly necessary | Protect forms and sign-in against bots and abuse |
| Google Analytics 4 / Google Tag Manager | Analytics (consent) | Aggregated visitor statistics and traffic analysis |
| Microsoft Clarity | Analytics (consent) | Heatmaps and aggregated session statistics |
| Google Ads | Marketing (consent) | Conversion measurement and remarketing |
| Microsoft Advertising (Bing UET) | Marketing (consent) | Conversion measurement for ads on Microsoft / Bing |
| Meta Pixel | Marketing (consent) | Conversion measurement and audience building for ads on Facebook / Instagram |
| LinkedIn Insight Tag | Marketing (consent) | Conversion measurement and audience building for ads on LinkedIn |
| X (Twitter) Pixel | Marketing (consent) | Conversion measurement and audience building for ads on X (Twitter) |
The exact names and retention periods of third-party cookies are set by the respective provider and described in their cookie and privacy documentation. The providers above, and the countries their data may be transferred to, are detailed in sections 6 and 11.
8. Email communications
We send transactional emails (for example sign-up confirmation, invoices, security and account notices) because they are necessary to provide the Service and fulfil our contract with you. We send marketing emails only where you have consented or where otherwise permitted by law; you can opt out at any time via your account notification settings or the unsubscribe link in any marketing email. Opting out of marketing does not stop transactional emails.
9. Security
We use appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), hashed passwords, access controls, and restricted administrative access. No system is completely secure, but we maintain measures appropriate to the risk and review them periodically.
10. Data breaches and automated decisions
If a personal-data breach is likely to result in a risk to your rights, we will notify the competent supervisory authority and, where required, affected users, in line with Art. 33 and 34 GDPR.
We use automated checks to detect abuse, fraud, and security threats, which may flag or temporarily restrict an account. We do not make decisions producing legal or similarly significant effects about you on a solely automated basis without the possibility of human review; you may request human review of any such measure by contacting us.
11. International transfers
Some of the providers above are located outside the EU/EEA, in particular in the United States (e.g. OpenAI, Anthropic, xAI, Groq, Google, Microsoft, Meta, LinkedIn, X, Cloudflare) and in China (e.g. DeepSeek, Moonshot AI). Where we transfer personal data to such countries, we rely on appropriate safeguards under Art. 46 GDPR, in particular the European Commission's Standard Contractual Clauses, or on an adequacy decision where one exists. When you select a model hosted by a provider in a third country, your prompt content is transmitted to that country to produce the response. You can avoid a given third country by not selecting that provider's models.
12. Retention
Account and content data is kept while your account is active. After deletion, content is removed from the live system within a reasonable period and ages out of backups within the standard backup window. Invoicing and accounting records are kept for the period required by Czech accounting and tax law. Server logs are kept only for a limited period for security and billing purposes.
13. Your rights
Under the GDPR you have the right to access, rectification, erasure, restriction, data portability, and to object to certain processing, as well as the right to withdraw consent at any time with effect for the future. To exercise any of these rights, contact us at [email protected].
You also have the right to lodge a complaint with a supervisory authority. The competent authority for the Provider is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, www.uoou.cz.
14. Children
The Service is not directed to children under 18, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us and we will delete it.
15. Changes
We may update this policy as the Service evolves. Material changes will be announced through the Service before they take effect. The version date is shown below.
Effective date: 1 June 2026