Privacy Policy
Last updated: 22 March 2026
ClanConsulting Ltd. (“we”, “us”, “our”) operates KineticBrand (branding.kineticbrain.ai) and KineticPrompt (kineticprompt.lovable.app), collectively referred to as “the Services”. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Services.
We are the data controller for the personal data processed through our Services. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Bulgarian Personal Data Protection Act (ZZLD), and the ePrivacy Directive 2002/58/EC as implemented in Bulgarian law.
1. Data Controller
ClanConsulting Ltd.
Sofia, Bulgaria, European Union
Email: clan.consult.dk@gmail.com
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address
- Password (stored as a salted hash — we never store plain-text passwords)
- Account creation date
- Subscription tier and billing status
2.2 Usage Data
When you use our Services, we automatically collect:
- Pages visited and features used
- Timestamps of interactions
- Browser type, operating system, and device type
- IP address (used for security and analytics; not stored long-term)
2.3 Content Data
When you use our tools, we process the content you create:
- Business ideas and descriptions submitted to the Validator
- Brand strategy data (positioning, naming, messaging, etc.)
- Prompts created and saved in KineticPrompt
- Chat conversations with the Brain assistant
- Research results generated by our AI pipeline
2.4 Payment Data
If you subscribe to a paid plan, our payment processor (Stripe) collects your card details. We do NOT store your full card details on our servers. Stripe processes and stores this data as an independent data controller. We only receive a tokenised reference and the last four digits of your card.
2.5 Third-Party Authentication Data
If you sign in via Google OAuth, we receive your Google email address, display name, and profile picture URL. We do not access your Google contacts, files, calendar, or any other Google data.
3. Legal Basis for Processing (GDPR Article 6)
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Performance of contract | Art. 6(1)(b) |
| Providing core Services | Performance of contract | Art. 6(1)(b) |
| Processing payments | Performance of contract | Art. 6(1)(b) |
| Transactional emails | Performance of contract | Art. 6(1)(b) |
| Analytics and improvement | Legitimate interest | Art. 6(1)(f) |
| Security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Non-essential cookies | Consent | Art. 6(1)(a) |
4. How We Use Your Data
We use your personal data to provide, maintain, and improve our Services; authenticate your identity; process AI-powered analysis using third-party AI providers; process payments through Stripe; send account-related notifications; respond to support requests; detect and prevent abuse; and comply with legal obligations.
We do NOT sell your personal data, use your content to train AI models, share your business ideas with other users, or display advertising.
5. Third-Party Processors and International Data Transfers
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, auth, storage | US | EU SCCs |
| Anthropic PBC (Claude) | AI analysis and generation | US | EU SCCs |
| Perplexity AI Inc. | Market research | US | EU SCCs |
| Stripe Inc. | Payment processing | US | EU SCCs + DPF |
| Vercel Inc. | Hosting (KineticBrand) | US | EU SCCs |
| Google LLC | OAuth, Gmail API | US | EU SCCs + DPF |
When you submit content to our Services, it is sent to third-party AI providers for processing. They do not use your data to train their models when accessed via API. We maintain Data Processing Agreements with all processors including the EU Standard Contractual Clauses.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Content data | Until deletion by user or account deletion |
| Usage/analytics data | 26 months |
| Payment records | 5 years (Bulgarian Accountancy Act) |
| Support correspondence | 2 years from resolution |
| Server logs | 90 days |
7. Your Rights Under GDPR
As a data subject in the European Union, you have the following rights:
- Right of access (Art. 15) — request a copy of your personal data
- Right to rectification (Art. 16) — request correction of inaccurate data
- Right to erasure (Art. 17) — request deletion of your data
- Right to restriction (Art. 18) — request limits on how we use your data
- Right to data portability (Art. 20) — receive your data in machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — withdraw consent at any time
- Right regarding automated decisions (Art. 22) — our AI tools are advisory only and do not make automated decisions with legal effects on you
Send requests to clan.consult.dk@gmail.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria — cpdp.bg. If you are in another EU member state, you may also contact your local supervisory authority.
8. Cookies
We use cookies and similar technologies. For full details, see our Cookie Policy. We do NOT use advertising cookies or cross-site tracking.
9. Children's Privacy
Our Services are not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us.
10. Security
We implement encryption in transit (TLS 1.2+) and at rest (AES-256), salted password hashing (bcrypt), Row-Level Security on our database, and access controls. If we become aware of a data breach posing high risk, we will notify you and the CPDP within 72 hours (GDPR Art. 33).
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by email or in-product notice. Continued use after a change constitutes acceptance.
12. Contact Us
ClanConsulting Ltd.
Sofia, Bulgaria, European Union
Email: clan.consult.dk@gmail.com
For GDPR requests, include “GDPR Request” in your subject line.