Privacy Policy

Last updated: 21.05.2026

Your privacy is important to Kreuzberg (“Kreuzberg,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, store, and protect your personal information, and describes your rights under the General Data Protection Regulation (GDPR) and applicable German law.

Kreuzberg is the data controller for the personal data described in this policy.

What information we collect

We collect only the personal information necessary to provide and improve our services. Depending on how you interact with us, we may collect:

Account information: email address and (where applicable) billing details, for account creation, authentication, and direct contact.

Usage and analytics data: IP address, device and browser type, operating system, pages visited, actions taken in the product, and session timestamps. These data are collected only if you give consent for analytics cookies.

Cookies and similar technologies: cookie identifiers and tracking signals used to provide site functionality and, with your consent, analytics and performance measurement.

Communications: content you send to us when you contact support or otherwise correspond with us (e.g., email content).

We do not collect special categories of personal data (e.g., gender, health, religion) through our standard early-access flows.

How we use your information and legal basis for processing

We use your personal data for the following purposes and legal bases:

To provide services and operate the site: processing necessary for contract performance (Article 6(1)(b) GDPR). Example: sending you onboarding, transactional, and billing-related emails.

With your consent, for analytics and product improvement: processing based on your consent (Article 6(1)(a) GDPR). Analytics cookies are only activated if you opt in via the cookie banner or preferences.

With your consent, for marketing communications: we may send promotional emails if you have opted in. You can withdraw consent at any time (see “Your rights” below).

For legitimate business interests: where appropriate, we may process limited data to ensure security, detect and prevent fraud, debug and improve service performance (Article 6(1)(f) GDPR). We balance these interests against your privacy rights.

Cookies and cookie consent

When you first visit our site, you will see a cookie banner with options to Accept All or Customize. Our banner distinguishes between:

Essential cookies: required for core site functionality (enabled by default).

Analytics cookies: used to measure and improve site and product usage.

Analytics and other non-essential cookies are set after you accept them, either by “Accept All” or by enabling them in the Customize preferences. You can change or withdraw your consent at any time via your browser settings.

Third-party services and processors

We do not sell, rent, or trade your personal information. We may utilize trusted third-party services for analytics, performance monitoring, and email communications. These third parties are obligated to protect your data and are prohibited from using it for any other purposes. These include (but are not limited to):

Google Ads: for marketing performance analytics

Google Analytics: for product and website analytics (activated only after you consent to analytics cookies).

Resend: for sending marketing and newsletter emails (if you opt in).

Mixpanel: product analytics destination reached via server-side Segment routing. Mixpanel receives forwarded events such as feature usage, page views, and session metadata (device type, browser, operating system), keyed to an opaque internal identifier — never your email, name, or IP address. No Mixpanel script is loaded in your browser. Mixpanel is activated only after you consent to analytics cookies; if you withdraw consent, Segment stops routing events to Mixpanel. For more information, see Mixpanel's Privacy Policy.

Segment: as a customer data platform that collects and routes behavioral and usage data (such as events, page views, and user interactions) to our analytics and marketing tools. Segment enables us to consolidate data flows between services in a privacy-consistent manner. Segment is activated only after you consent to analytics cookies. For more information, see Segment's Privacy Policy.

Stripe Payments Europe Ltd. (Stripe): payment processor and Merchant of Record for paid plans. When you subscribe, Stripe collects and processes your name, billing address, payment card details, country of residence, and transaction history. Kreuzberg receives a Stripe customer reference, subscription status, and tax/invoice metadata, but never your full card number or CVV. Stripe acts as an independent controller for fraud detection and tax compliance, and as our processor for billing operations. Required for service delivery under Article 6(1)(b) GDPR. Ireland (with onward transfers to the United States under Standard Contractual Clauses). For more information, see Stripe's Privacy Policy.

Google Firebase Authentication (Google Ireland Ltd.): identity provider for account sign-in. Firebase processes your email address, hashed password (where applicable), authentication tokens, and sign-in event metadata (IP address, user agent, timestamp) to authenticate sessions and detect suspicious activity. Required for service delivery under Article 6(1)(b) GDPR; abuse-prevention processing relies on Article 6(1)(f) GDPR. Ireland (with onward transfers to the United States under Standard Contractual Clauses). For more information, see Firebase Privacy and Security.

Grafana Labs (Grafana Cloud): error and security event logging. We send technical log records — authentication errors, API errors, unhandled exceptions, and session identifiers — to Grafana Cloud Loki via the Grafana Faro browser library. These records include a Kreuzberg user identifier (an opaque ULID) and short-lived session metadata, but no message contents, document contents, or behavioural product analytics. Processing is based on Article 6(1)(f) GDPR (legitimate interest in operating a secure and reliable service); see Recital 49. This logging runs independently of your cookie preferences because it is necessary for security, fraud prevention, and debugging. You can object to this processing at privacy@kreuzberg.dev.

For more information on how Google collects and processes data, please visit Google's Privacy & Terms.

Open-Source Repository

Our open-source Kreuzberg code is published under the MIT License. Visiting or using our public code repositories does not require an account and is generally governed by the repository platform’s terms (e.g., GitHub) and the applicable open-source license. This Privacy Policy applies to our website and hosted services, and to any personal data you provide to us here (such as when signing up with your email or contacting us).

Data retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, to comply with legal obligations, or to resolve disputes. Typical retention periods:

• Account sign-up email and basic account records: until you request deletion or close your account. Billing records and tax-relevant data are retained for the period required by applicable tax and accounting law (typically 10 years in Germany under §147 AO).
• Analytics data: aggregated for product improvement; raw analytics data retained for up to 24 months unless you request otherwise.
• Communications and support correspondence: retained for up to 24 months for record-keeping and quality purposes.

If you wish to know the exact retention period for a specific set of data, please contact us.

Your rights under the GDPR

You have the following rights:

• Access: request a copy of personal data we hold about you.
• Correction: ask us to correct inaccurate personal data.
• Deletion: request erasure of your personal data (“right to be forgotten”).
• Restriction: request restriction of processing in certain circumstances.
• Portability: receive your personal data in a commonly used, machine-readable format.
• Object: object to processing based on legitimate interests or direct marketing.
• Withdraw consent: withdraw any consent you have given at any time.

To exercise your rights, contact us at privacy@kreuzberg.dev.

Data security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, or disclosure. While we strive to protect your data, no system is completely secure. If you believe your account has been compromised, please contact us immediately.

Data breaches

If a data breach occurs that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach and will notify affected users as soon as possible in the case of a high risk breach. Internally, we maintain a breach response plan to ensure timely assessment and action.

Youth Protection

Kreuzberg is not intended for use by children under 16, nor do we knowingly collect personal data from children under 16. If you believe we have collected such data, please contact us, and we will take steps to delete it.

International data transfers

Where personal data is transferred outside the European Economic Area (EEA), there are appropriate safeguards (such as Standard Contractual Clauses) to ensure protection for your personal data in accordance with EU law.

Changes to This Privacy Policy

Kreuzberg reserves the right to update or modify this Privacy Policy at any time. Any changes will be posted prominently on this page, and we encourage you to review our Privacy Policy regularly for updates.

Contact Information

For questions or concerns about our Privacy Policy or your personal data, please contact us at privacy@kreuzberg.dev