
Privacy Policy

This Privacy Policy explains how KR Labs GmbH processes personal data when you use the Verbatim RAG service.

Last updated: 2026-05-29
Legal inquiries: contact@krlabs.eu

Effective Date: 2026-05-29 | Version: 1.3

This Privacy Policy explains how KR Labs GmbH ("KR Labs", "we", "us") processes personal data when you use the Verbatim RAG service (the "Service"). We comply with the EU General Data Protection Regulation (GDPR) and Austrian data protection law.

1. Controller and Contact

Controller: KR Labs GmbH, FN 643586a, Handelsgericht Wien. Address: Schüttelstraße 23-25A/3/16, 1020 Wien, Austria. Contact: info@krlabs.eu. Imprint: Imprint.

2. Categories of Data

  • Account data (email, user ID, sign-in timestamps).
  • Query data (questions you submit, responses, citations, and timestamps).
  • Technical data (IP address, device/browser information) for security and logs.
  • Billing data (if billing is enabled): Stripe customer ID, subscription status, invoices.
  • Preference data (training opt-out choice, account settings).
  • Feedback data (ratings, suggestions you voluntarily provide).

Important: Queries may contain personal data that you choose to include. We recommend not including sensitive personal data about yourself or others.

3. Data Requirement

Providing your email address is necessary to create an account and use the Service. Without it, we cannot provide you access. Query data and feedback are provided voluntarily by you during use of the Service.

4. Purposes and Legal Bases

  • Provide the Service (GDPR Art. 6(1)(b) contract).
  • Service improvement and quality analysis (Art. 6(1)(f) legitimate interests).
  • AI model training using de-identified query data (Art. 6(1)(f) legitimate interests, with opt-out available).
  • Processing feedback you voluntarily provide (Art. 6(1)(f) legitimate interests).
  • Authentication, security, abuse prevention (Art. 6(1)(f)).
  • Usage tracking and quotas (Art. 6(1)(b)/(f)).
  • Compliance with legal obligations (Art. 6(1)(c)).
  • Payments and billing (Art. 6(1)(b) and Art. 6(1)(c), if billing is enabled).
  • With consent (Art. 6(1)(a)) where required (e.g., optional analytics/cookies).

5. Processors and Transfers

We use the following processors that act under our instructions:

  • Supabase: authentication and database (EU region).
  • Fly.io: application hosting (EU region).
  • Baseten: AI processing and inference infrastructure (may involve processing outside the EU/EEA).
  • Stripe: payment processing (if billing is enabled).
  • Zilliz (Milvus Cloud): vector database for search (USA/EU).
  • Google Ireland Limited (Google Analytics 4): aggregate website usage measurement. Set only after analytics consent is granted. See the Cookie Policy for details.

Some processors are located outside the EU/EEA (for example Baseten and Zilliz). Where transfers occur, we rely on appropriate safeguards such as Standard Contractual Clauses or applicable adequacy decisions. You can request details at info@krlabs.eu.

6. Retention

We retain personal data only as long as necessary for the purposes described:

  • Account data: until account deletion + 30 days.
  • Query text and responses: 90 days, then automatically deleted. De-identified data derived from queries may be retained longer for service improvement.
  • Usage metadata (counts, timestamps): 12 months.
  • Security/access logs: 12 months.
  • Billing records (if applicable): 7 years (Austrian statutory retention).
  • Legal acceptance records: 7 years after account deletion.

7. Training Data and Opt-Out

By default, we may use your queries in de-identified or aggregated form to improve our AI models and service quality. This processing is based on our legitimate interest in improving our products.

Your choices:

  • You can opt out of training data usage at any time in your account settings.
  • If you opt out, your queries will not be used for training purposes.
  • All queries are deleted after 90 days regardless of your opt-out choice.
  • Data that has already been de-identified (and cannot be linked to you) may persist.

Feedback: If you provide voluntary feedback (such as ratings or suggestions), we may use this to improve the service. Feedback is not subject to the training opt-out.

8. Your Rights

  • Access, rectification, erasure, restriction (Art. 15–18 GDPR).
  • Data portability (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time (Art. 7(3)).
  • Opt out of training data usage (via account settings or email).
  • Lodge a complaint with the Austrian Data Protection Authority.

To exercise your rights, email info@krlabs.eu with the subject line "Data Subject Request". We respond within 30 days. You can also manage your training data preference directly in your account settings.

Austrian Data Protection Authority (DSB): Barichgasse 40-42, 1030 Wien, Austria. Website: www.dsb.gv.at.

9. Security

We use appropriate technical and organizational measures, including access controls, encryption in transit, and least-privilege principles for data access.

10. Cookies and Analytics

We use strictly necessary cookies and local storage for authentication and session management, and optional Google Analytics 4 cookies only after you grant consent via the cookie banner. Google Consent Mode v2 is configured so no analytics identifiers are stored before consent. You can withdraw consent at any time by deleting the krlabs-consent cookie. See the Cookie Policy for the full list of cookies and the legal basis.

11. Automated Decision-Making

Our AI-powered responses assist with research and information retrieval but do not constitute automated decision-making with legal or similarly significant effects. We may use automated content moderation to enforce acceptable use policies.

12. Children

The Service is not intended for children under 16 in the EU. We do not knowingly process such data without appropriate consent.

13. International Users

We process data in accordance with GDPR. If you are outside the EU/EEA, by using the Service you acknowledge that your data will be transferred to and processed in the EU. We apply the same privacy protections to all users regardless of location.

14. Changes

We may update this Policy. Material changes will be communicated, and continued use after the effective date constitutes acknowledgment.

15. Contact

KR Labs GmbH, Schüttelstraße 23-25A/3/16, 1020 Wien, Austria — info@krlabs.eu
