Privacy Policy

1. Who We Are

Kurtel ("we", "us", "our") is a multi-agent AI development platform. This Privacy Policy explains what data we collect, why we collect it, and how we use it. We comply with the EU General Data Protection Regulation (GDPR) and applicable French data protection laws.

2. Data We Collect

We collect the following categories of data:

• Account data: email, name, GitHub username, profile picture.
• Billing data: payment details handled by Stripe (we never see your full card number), invoices, VAT info.
• Repository access: OAuth tokens for GitHub and any connectors you enable (Supabase, Stripe, Resend, etc.).
• Usage data: agent hours consumed, prompts submitted, PRs generated, errors, logs.
• Technical data: IP address, browser, device, language — collected via cookies and analytics.

3. Your Code

Your code stays in your GitHub repositories. Our agents read it temporarily to plan and write changes, and write back via pull requests. We do not store your full codebase on our servers beyond what is required to run an active task. We do not train any AI model on your code, and we do not share it with third parties.

4. How We Use Your Data

• To provide and operate the Kurtel service.
• To process payments and send invoices (legal basis: contract).
• To send transactional emails (PR notifications, account alerts).
• To improve the product through aggregated, anonymized usage analytics (legal basis: legitimate interest).
• To comply with legal obligations (tax, accounting, fraud prevention).
• To send marketing emails — only with your consent, which you can withdraw at any time.

5. Sub-Processors & Third Parties

We rely on a small set of trusted providers to operate the service:

• Anthropic, OpenAI, OpenRouter — AI model providers (used for agent reasoning).
• Vercel — hosting & deployment.
• Supabase — database & authentication.
• Stripe — payments.
• Resend — transactional emails.
• Posthog — product analytics.
• E2B — sandboxed code execution environments.
• GitHub — code hosting (your code lives here).

Some of these providers may process data outside the EU. When that happens, we rely on Standard Contractual Clauses or equivalent safeguards.

6. Cookies

We use essential cookies to keep you logged in and analytics cookies (Posthog) to understand how the product is used. Non-essential cookies require your consent, which you can manage from the cookie banner at any time.

7. Data Retention

We retain your account data as long as you have an active subscription. After cancellation, we delete personal data within 90 days, except where retention is required by law (e.g., invoices kept 10 years for accounting purposes). Operational logs are retained for 30 days.

8. Your Rights (GDPR)

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your data ("right to be forgotten").
• Restrict or object to certain processing.
• Port your data to another provider.
• Withdraw consent at any time.
• Lodge a complaint with the CNIL (the French data protection authority) or your local supervisory authority.

To exercise any of these rights, contact us at privacy@kurtel.com.

9. Security

We apply industry-standard security measures: encrypted data in transit (TLS) and at rest, scoped OAuth tokens, isolated container execution per task, secrets kept server-side, and strict access controls on internal systems. No system is perfectly secure, but we work hard to keep yours safe.

10. Children

Kurtel is not intended for users under 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us and we will delete the data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or via the dashboard. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For any privacy-related question, contact our data team at privacy@kurtel.com.