Privacy Policy

This Privacy Policy describes how Okto Labs LLP ("we," "our," or "us"), a limited liability partnership registered in England and Wales (Company Number OC458551, registered office at Stoney Works, 8 Stoney Lane, London, United Kingdom SE19 3BD), collects, uses, stores, and protects your personal information when you use Krafto, our visual editor for React codebases (the "Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

## 1. Information We Collect

### 1.1 Personal Information You Provide

When you sign up for or use Krafto, we may collect the following:

Account information:

• · Email address
• · Name (if provided)
• · Account credentials
• · Profile information

Payment information:

• · Payment method details (processed by third-party payment processors)
• · Billing address
• · Transaction history

Communications:

• · Support inquiries and correspondence
• · Feedback and survey responses

### 1.2 Automatically Collected Information

Usage data:

• · Editor interactions and feature usage
• · AI agent prompt counts and aggregate statistics
• · Error logs and diagnostic information

Technical data:

• · IP address
• · Browser type and version
• · Device information
• · Operating system
• · Time zone and locale settings
• · Krafto CLI and agent version

Cookies and tracking technologies:

• · Session cookies for authentication
• · Analytics cookies to understand usage patterns
• · Preference cookies to remember your settings

### 1.3 Codebase Data

Krafto runs as a self-hosted Docker container on infrastructure you control. Your source files, repositories, and commit history remain on your machine. We do not receive a copy of your codebase as part of normal operation.

What stays on your machine:

• · Source files and project structure
• · Patches written by the CLI and the agent
• · Git history and commit metadata

What we may receive:

• · The text of AI agent prompts you submit, together with the minimum source context the agent needs to fulfil them (see §11)
• · Anonymous telemetry (feature usage, error reports), if you have not opted out

## 2. How We Use Your Information

We use collected information for the following purposes:

### 2.1 Service Provision

• · Provide, operate, and maintain the Service
• · Authenticate users and manage accounts
• · Process AI agent requests and return outputs
• · Process billing and subscription management

### 2.2 Service Improvement

• · Analyze usage patterns and trends
• · Identify and fix bugs and errors
• · Develop new features and functionality
• · Optimize performance and user experience

### 2.3 Communication

• · Send service-related notifications
• · Respond to support requests
• · Send updates about new features (with your consent)
• · Deliver marketing communications (with your consent)

### 2.4 Security and Compliance

• · Detect and prevent fraud and abuse
• · Monitor for security threats
• · Enforce our Terms of Service
• · Comply with legal obligations

### 2.5 Analytics and Research

• · Understand how users interact with the Service
• · Conduct research and analysis
• · Generate aggregated, anonymized statistics

## 3. Data Storage and Security

### 3.1 Storage Infrastructure

Account, billing, and telemetry data is stored using industry-standard cloud infrastructure with secure, redundant storage and encryption. Your source code is not stored on our servers.

### 3.2 Security Measures

Encryption:

• · TLS/SSL encryption for all data in transit
• · AES-256 encryption for data at rest
• · Encrypted database connections

Access controls:

• · Role-based access control (RBAC)
• · Multi-factor authentication for administrative access
• · Regular access audits

Monitoring:

• · Security monitoring and alerting
• · Automated threat detection
• · Regular security assessments

Data backup:

• · Regular automated backups of account and billing data
• · Geographically distributed backup storage
• · Disaster recovery procedures

### 3.3 Security Limitations

While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

## 4. Data Sharing and Disclosure

### 4.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

### 4.2 Service Providers

We share data with trusted third-party service providers that help us operate the Service:

Payment processing:

• · Stripe handles payment information directly and is PCI-DSS compliant

AI model providers:

• · When you use the AI agent with cloud models, prompts and source context are sent to third-party providers (e.g., Anthropic, OpenAI) for processing — see §11

Analytics and infrastructure:

• · Hosting, error tracking, and analytics services that help us run the Service

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

### 4.3 Legal Requirements

We may disclose your information if required by law or in response to:

• · Court orders or legal processes
• · Government or regulatory requests
• · Protection of our rights, property, or safety
• · Investigation of fraud, security, or technical issues
• · Enforcement of our Terms of Service

### 4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and provide options regarding your data.

### 4.5 Aggregated Data

We may share aggregated, anonymized data that does not identify you personally for research, marketing, or other purposes.

## 5. Your Privacy Rights

### 5.1 UK GDPR Rights

If you are in the UK or EEA, you have the following rights:

• · Right to Access: request a copy of the personal data we hold about you.
• · Right to Rectification: request correction of inaccurate or incomplete data.
• · Right to Erasure: request deletion of your personal data in certain circumstances.
• · Right to Restrict Processing: request that we limit how we use your data.
• · Right to Data Portability: receive your data in a structured, commonly used format.
• · Right to Object: object to processing of your data for certain purposes.
• · Right to Withdraw Consent: withdraw consent for processing where we rely on consent.
• · Right to Lodge a Complaint: file a complaint with the UK Information Commissioner's Office (ICO).

### 5.2 California Privacy Rights

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• · Right to Know: request information about data collection and sharing.
• · Right to Delete: request deletion of personal information.
• · Right to Opt-Out: opt out of the sale of personal information (note: we do not sell personal information).
• · Right to Non-Discrimination: exercise privacy rights without discrimination.

### 5.3 Exercising Your Rights

To exercise any of these rights, contact us at privacy@krafto.dev. We will respond to your request within 30 days. You may need to verify your identity before we can process your request.

## 6. Data Retention

### 6.1 Active Accounts

We retain your data for as long as your account is active or as needed to provide the Service.

### 6.2 Closed Accounts

After you close your account, we retain your data for 90 days to allow for account recovery. After 90 days, we permanently delete your account and associated data, except as required for:

• · Legal compliance and record-keeping
• · Fraud prevention and security
• · Backup retention periods (typically 30 additional days)

### 6.3 Agent Prompt Data

AI agent prompts and the source context attached to them are retained for up to 30 days for abuse prevention, then deleted unless required for legal compliance.

### 6.4 Legal and Compliance Data

We may retain certain information longer if required by law, for regulatory compliance, or to resolve disputes and enforce our agreements.

## 7. Cookies and Tracking Technologies

### 7.1 Types of Cookies

• · Essential cookies: required for the Service to function (authentication, security).
• · Analytics cookies: help us understand how users interact with the Service.
• · Preference cookies: remember your settings and preferences.

### 7.2 Cookie Management

You can control cookies through your browser settings. Note that disabling certain cookies may affect Service functionality.

### 7.3 Third-Party Tracking

We may use third-party analytics services (e.g., Plausible, Google Analytics) that use cookies to collect usage data. These services have their own privacy policies.

## 8. Third-Party Services and Links

### 8.1 AI Model Providers

Krafto's AI agent can be configured to use third-party model providers such as Anthropic and OpenAI. When you use these models, your prompts and the source context attached to them are sent to those providers under their respective privacy policies and data-processing terms.

### 8.2 Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to review their privacy policies.

### 8.3 Third-Party Integrations

If you connect Krafto to third-party services (version control hosts, CI providers, model providers, etc.), those third parties may collect data about you. Their data practices are governed by their own privacy policies.

## 9. International Data Transfers

### 9.1 Data Location

Your data may be processed and stored in the United Kingdom, European Economic Area, United States, or other countries where our service providers operate.

### 9.2 Transfer Safeguards

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• · Standard Contractual Clauses (SCCs)
• · Adequacy decisions
• · Other legally approved transfer mechanisms

## 10. Children's Privacy

Krafto is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13.

If you become aware that a child under 13 has provided us with personal information, please contact us at privacy@krafto.dev, and we will take steps to delete such information.

## 11. AI and Automated Processing

### 11.1 The AI Agent

Krafto includes an AI agent that can edit your codebase in response to natural-language prompts. When you invoke the agent:

• · Your prompt text is sent to the configured AI model provider.
• · The minimum source context needed to fulfil the prompt (e.g., the selected element and nearby code) is sent alongside.
• · We do not send your full repository, files you did not select, or your git history.
• · AI-generated outputs are returned for your review and are applied to disk only after you confirm.

### 11.2 Third-Party AI Services

We may use third-party AI model providers (e.g., Anthropic, OpenAI) that have their own privacy policies and data practices. You may configure Krafto to use a self-hosted model instead, in which case no prompt data leaves your infrastructure.

### 11.3 No Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

## 12. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature. Currently, there is no industry standard for how to respond to DNT signals. We do not currently respond to DNT signals.

## 13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of changes:

• · Material changes will be communicated via email or prominent notice within the Service
• · Continued use of the Service after changes constitutes acceptance
• · The "Last Updated" date at the top indicates when the policy was last revised

We encourage you to review this Privacy Policy periodically.

## 14. Contact Information

### 14.1 Data Controller

The data controller responsible for your personal information is:

• Okto Labs LLP
• Stoney Works, 8 Stoney Lane
• London, United Kingdom SE19 3BD
• Company Number: OC458551

### 14.2 Privacy Inquiries

• · Privacy: privacy@krafto.dev
• · Support: hello@krafto.dev

### 14.3 Data Protection Officer

For significant data protection matters, you may contact our Data Protection Officer at dpo@krafto.dev.

### 14.4 Supervisory Authority

If you are in the UK or EEA and have concerns about our data practices, you have the right to lodge a complaint with your local supervisory authority:

• UK Information Commissioner's Office (ICO)
• Website: ico.org.uk
• Telephone: 0303 123 1113

## 15. Additional Information

### 15.1 Data Accuracy

We rely on you to provide accurate information. Please keep your account information up to date.

### 15.2 Security Incidents

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by law.

### 15.3 Account Security

You are responsible for maintaining the security of your account credentials. Please use a strong password and do not share your credentials with others.

By using Krafto, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

If you do not agree with this Privacy Policy, please do not use the Service.