Privacy Policy
Effective Date: [DATE]
This Privacy Policy describes how Treetop Technologies, Inc. ("we," "us," or "our") collects, uses, and protects your personal information when you use Krezl, including its web application, iOS application, API, and AI-powered features (collectively, the "Service").
1. Information We Collect
1.1 Account Information
When you create an account, we collect: email address, name, organization name and handle, and authentication credentials (hashed; we do not store plaintext passwords).
1.2 Workspace Content
You create and store content within the Service, including tasks, projects, spaces, features, comments, attachments, and entity relationships. This content is stored in your organization's dedicated database schema and is not accessible to other organizations.
1.3 AI Interaction Data
When you use AI features (Aria), we process your messages to Aria, context about the entities you are viewing, and Aria's responses. AI interaction data is processed solely to provide the Service and is not used for model training.
1.4 Usage and Technical Data
We automatically collect: IP address, browser type and version, device type and operating system, pages visited and features used, and timestamps of activity.
1.5 Cookies
We use essential cookies only for authentication and session management. See Section 8 for details.
2. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Service | Performance of contract |
| Process AI requests and generate responses | Performance of contract |
| Authenticate your identity and secure your account | Performance of contract / Legitimate interest |
| Send transactional notifications (reminders, task updates) | Performance of contract |
| Monitor and improve Service performance and reliability | Legitimate interest |
| Detect and prevent fraud, abuse, and security incidents | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Respond to your support requests | Performance of contract |
We do NOT use your information to:
- Train AI models on your Workspace Content
- Build advertising profiles
- Sell your data to third parties
- Cross-reference your data with other users' data
3. How We Share Your Information
Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure | US |
| Google Vertex AI | Text embeddings | US |
| Google Gemini | AI processing | US |
| Vercel | Web hosting | Global |
| Apple APNs | Push notifications | US |
We also share information: within your organization (other members may see Workspace Content in shared spaces, subject to permissions); for legal requirements (when required by law, regulation, or governmental request — we will notify you where legally permitted); and in connection with business transfers (mergers, acquisitions, or asset sales — we will notify you before your information becomes subject to a different privacy policy).
4. Data Isolation and Security
Each organization's data is stored in a dedicated database schema (schema-per-tenant), architecturally isolated from other organizations. Enterprise customers may operate on fully dedicated infrastructure.
We implement:
- TLS encryption in transit
- Encryption at rest (Google Cloud managed keys)
- JWT-based authentication
- Cloud Armor WAF at the infrastructure edge
- Rate limiting and abuse prevention
5. Data Retention
Active accounts: We retain your Workspace Content and account information for as long as your account is active.
Deletion: When you delete your account, data is permanently removed from production systems within 30 days and from backups within 90 days through normal backup rotation.
Inactive accounts: Free accounts inactive for more than 12 months may be deleted after notice. Paid accounts are retained as long as the subscription is active.
6. Your Rights
GDPR (EEA, UK, Switzerland)
You have the right to:
- Access your personal data
- Rectify inaccurate personal data
- Erase your personal data ("right to be forgotten")
- Restrict processing of your personal data
- Port your data to another service in a machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with your local data protection authority
We respond to data subject access requests within 30 days.
CCPA/CPRA (California)
California residents have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information (we do not sell your personal information)
Data Export
You may export your Workspace Content at any time through the Service or by contacting us. We provide your data in a standard machine-readable format (JSON).
7. Automated Decision-Making
The Service uses AI to assist with organizing information and retrieving knowledge. AI features are user-directed tools — they do not make autonomous decisions that produce legal or similarly significant effects on you. We do not use automated profiling.
8. Cookies
We use essential cookies only for authentication and session management. We do not use advertising or tracking cookies.
9. International Transfers
Your data is processed and stored in the United States. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected such information, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and, where appropriate, by email. Your continued use of the Service after such changes constitutes your acceptance of the revised policy.
12. Contact
For privacy-related inquiries or to exercise your rights:
Treetop Technologies, Inc.
Email: privacy@krezl.com
For GDPR inquiries, our Data Protection Officer: dpo@krezl.com