Privacy Policy

Last updated: June 2026

1. Who We Are

This Privacy Policy applies to Krit{ai} (also referenced in third-party app stores and developer platforms as "Krit-AI"), a web application available at krit-ai.com. Krit{ai} is operated by Lanark Gray Limited (company number 17017431, registered office: Belmont Suite, Paragon Business Park, Chorley New Road, Bolton, Lancashire, United Kingdom, BL6 6HG). We provide a revenue intelligence platform for ecommerce brands. This policy explains how we collect, use, store, and protect your data.

Contact: info@krit-ai.com

2. Data We Collect

We collect the following categories of data:

Account data: Your name, email address, and authentication credentials when you sign up.

Organisation data: Your business name, timezone, currency, and Pulse configuration preferences.

Connected platform data: When you connect third-party platforms, we access data through their official APIs:

Shopify: Order data (totals, dates, referral sources, financial status). We do not access customer personal information.
Instagram: Account insights (reach, engagement, profile views, media performance, follower count).
Facebook: Page insights (impressions, engagement, fan count).
TikTok: Video performance data (views, likes, comments, shares, follower count).
Klaviyo: List sizes, subscriber counts, campaign performance metrics, attributed revenue.
Google Ads: Account-level reporting metrics only (cost/spend, impressions, clicks, conversions, conversion value/ROAS, currency, account name). Read-only. We do not create, modify, or manage campaigns, and we do not access individual end-customer personal data.
Meta Ads: Ad account performance metrics (spend, impressions, reach, ROAS). Read-only.

Usage data: How you interact with the Service, including Pulse generation history and delivery logs.

3. How We Use Your Data

We use your data to:

Generate your daily Pulse briefs using AI analysis
Deliver Pulses to your configured email addresses
Calculate rolling averages and performance trends
Improve the accuracy and relevance of the Service
Communicate with you about your account and the Service

4. AI Processing

Your connected platform data is processed by AI models (Claude by Anthropic) to generate Pulse briefs. The data sent to the AI model includes aggregated metrics (revenue figures, reach numbers, engagement counts) but does not include personal information about your customers. AI-generated outputs are stored in your account for your reference.

5. Data Storage and Security

Your data is stored on servers provided by Supabase (PostgreSQL) and Vercel, located in EU data centres. All OAuth access tokens are encrypted using AES-256-CBC encryption before storage. API keys are stored encrypted and are never exposed in client-side code. All connections use HTTPS/TLS encryption in transit.

6. Data Sharing

We do not sell your data. We share data only with:

Anthropic: Aggregated metrics sent for AI processing (no personal customer data)
Resend: Email addresses for Pulse delivery
Supabase/Vercel: Infrastructure providers for hosting and database

We may disclose data if required by law or to protect our legal rights.

7. Google User Data and Limited Use

When you connect Google Ads, Krit{ai} accesses your Google Ads account through the Google Ads API using the read-only adwords scope. We retrieve only account-level performance metrics (spend, impressions, clicks, conversions, conversion value/ROAS, currency, and the account name), once per day. We never create, modify, pause, or manage campaigns, and we never access end-customer personal data.

We use this data solely to generate the "Paid Ads" section of your daily Pulse brief and to calculate rolling performance trends for your own organisation. Google user data is not used for advertising purposes, is not sold or transferred to third parties, and is not used to develop, improve, or train generalised or standalone AI/ML models. The only processing involves sending aggregated, non-personal performance metrics to our AI provider (Anthropic) to compose your brief.

Krit{ai}'s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

You can disconnect Google Ads at any time from the Integrations page in Krit{ai}, or revoke access via your Google Account permissions at myaccount.google.com/permissions. On disconnection we delete the stored encrypted refresh token, ending all future access.

8. Data Retention

We retain your data for as long as your account is active. Pulse logs and daily snapshots are retained for 12 months for trend analysis. Upon account deletion, all data is permanently deleted within 30 days.

9. Your Rights

Under GDPR and UK data protection law, you have the right to:

Access: Request a copy of all data we hold about you
Rectification: Correct inaccurate data
Erasure: Request deletion of your data
Portability: Receive your data in a machine-readable format
Objection: Object to processing of your data
Restriction: Request limited processing of your data

To exercise any of these rights, contact us at info@krit-ai.com. We will respond within 30 days.

10. Cookies

We use essential cookies for authentication and session management only. We do not use tracking cookies or advertising cookies.

11. Third-Party Platform Permissions

When you connect a platform, you grant us specific permissions through their OAuth system. You can revoke these permissions at any time through the platform's settings (e.g. Facebook Settings, Shopify App settings) or by disconnecting the integration in Krit{ai}.

12. Children

The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect data from children.

13. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email. The "Last updated" date at the top reflects the most recent revision.

14. Contact

For privacy-related questions or to exercise your data rights, contact us at info@krit-ai.com.