Privacy Policy

Controller

Controller within the meaning of Art. 4(7) GDPR and the Austrian DSG:

Kullisa Labs Alexander Leypold Schmittstrasse 15/10 8720 Knittelfeld Austria Email: info@kullisalabs.com

General Information

  1. The protection of your personal data is of paramount importance to us. We process your data exclusively on the basis of statutory provisions (GDPR, Austrian DSG, TKG 2021).
  2. This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data on:
    • kullisalabs.com (public landing page)
    • The Kullisa Labs Creator Program
    • Creator landing pages (wildcard subdomains)
    • Customer modules

Data Processing — Creators

What data is collected?

When registering for and using the Creator Program, we collect:

Data CategorySourcePurposeLegal Basis
Email addressGoogle / Microsoft OAuthAccount creation, login, communicationArt. 6(1)(b) GDPR
Display nameGoogle / Microsoft OAuthDisplay in Creator PortalArt. 6(1)(b) GDPR
Profile picture URLGoogle / Microsoft OAuthAvatar in Creator PortalArt. 6(1)(b) GDPR
Product name / WildcardCreator inputSubdomain, landing pageArt. 6(1)(b) GDPR
Stripe Connect account IDStripe APIPayment processingArt. 6(1)(b) GDPR
API keys (encrypted)Creator inputGateway AI proxyArt. 6(1)(b) GDPR
VAT ID (optional)Creator inputInvoicingArt. 6(1)(c) GDPR
Transaction dataStripe webhookBilling, audit logArt. 6(1)(b)+(c) GDPR

Where is the data stored?

All Creator data is stored in a dedicated database, technically and logically separated from the databases in which end customer data is processed. Only essential platform services have write access to Creator data.

Retention period

  • Account data: Until the Creator account is deleted
  • Transaction data: 7 years pursuant to §132 BAO / §212 UGB (anonymised)
  • API keys: AES-256-encrypted, deleted upon account deletion
  • Webhook event IDs: Permanent for idempotency verification

Data Processing — Subscription End Customers

What data is collected?

Data CategorySourcePurposeLegal Basis
Email addressGoogle OAuthAccount creation, loginArt. 6(1)(b) GDPR
NameGoogle OAuthDisplay in customer portalArt. 6(1)(b) GDPR
Profile picture URLGoogle OAuthAvatarArt. 6(1)(b) GDPR
Subscription planStripe webhookAccess controlArt. 6(1)(b) GDPR
Stripe customer IDStripe APIPayment processingArt. 6(1)(b) GDPR
Subscription historyStripe webhookContract evidenceArt. 6(1)(b) GDPR

Controllership

The Creator is the Controller for this data (Art. 4(7) GDPR). Kullisa Labs acts as a Processor (Art. 28 GDPR) and only processes this data on the documented instructions of the Creator.

Data Processing — Credit End Customers

What data is collected?

Data CategorySourcePurposeLegal Basis
Email addressGoogle OAuthAccount creation, loginArt. 6(1)(b) GDPR
NameGoogle OAuthDisplay in customer portalArt. 6(1)(b) GDPR
Profile picture URLGoogle OAuthAvatarArt. 6(1)(b) GDPR
Wallet balanceCredit purchase, gatewayBalance managementArt. 6(1)(b) GDPR
Transaction ledgerGateway meteringUsage recordsArt. 6(1)(b) GDPR

Controllership

Creator is Controller, Kullisa is Processor.

Data Processing — Landing Page Visitors

  1. When visiting our public landing pages, we automatically collect the following server log data: anonymised IP address, date and time, browser type/version, operating system, referrer URL, requested URL.
  2. Purpose: Ensuring technical operation, error analysis, abuse detection. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
  3. Retention period: Server logs are automatically deleted after 30 days.
  4. kullisalabs.com is hosted by Microsoft Azure.
  5. Cookies: The landing page does NOT use tracking cookies.

Disclosure to Third Parties

RecipientDataPurposeSafeguard
Stripe Inc. (USA)Email, name, payment amountsPayment processingDPF-certified
Microsoft Azure (EU)Anonymised IPHostingData centres: EU
Google Ireland Ltd.Email addressOAuthEU-based
Microsoft Ireland Ltd.Email addressOAuthEU-based

No further disclosure to third parties takes place unless legally obliged or with explicit consent.

Security (Art. 32 GDPR)

  1. We implement the following TOMs:
    • AES-256 encryption of Creator API keys
    • Strict database separation with documented access rights
    • HTTPS/TLS for all data transmission
    • JWT-based authentication with cryptographic signature
    • Automated test suite including security tests
  2. We do NOT store credit card numbers, CVC codes, bank details, PINs, or other payment authentication data. All payment processing is carried out by Stripe (PCI-DSS Level-1 certified).

Your Rights

  1. You have the following rights under the GDPR:
    • Right of access (Art. 15 GDPR)
    • Right to rectification (Art. 16 GDPR)
    • Right to erasure — ‘Right to be forgotten’ (Art. 17 GDPR)
    • Right to restriction of processing (Art. 18 GDPR)
    • Right to data portability (Art. 20 GDPR)
    • Right to object (Art. 21 GDPR)
    • Right to withdraw consent (Art. 7(3) GDPR)
  2. To exercise your rights, contact: info@kullisalabs.com. We will process your request within one month (Art. 12(3) GDPR).
  3. Right to lodge a complaint (Art. 77 GDPR):
    Austrian Data Protection Authority Barichgasse 40–42 1030 Vienna, Austria Phone: +43 1 52 152-0 Email: dsb@dsb.gv.at Web: https://www.dsb.gv.at/
  4. No automated individual decision-making including profiling (Art. 22 GDPR) takes place.

Deletion of Data (Art. 17 GDPR)

  1. Creator Self-Deletion: The Creator may delete their account via profile settings. Deletion is immediate and irreversible, including all associated records across all databases. Transaction records are retained in anonymised form for 7 years.
  2. End Customer Deletion: End customers may request deletion. Deletion is carried out by the Creator (as Controller) or upon instruction. Any remaining credit balance is forfeited.

Amendments to This Privacy Policy

We reserve the right to amend this Privacy Policy as necessary. The current version is always available at kullisalabs.com. Material changes will be communicated to registered users by email.