Privacy Policy
Last updated: March 5, 2026
This Privacy Policy has been prepared in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable data protection laws. It explains how we collect, use, store, and protect your personal information when you use the Krust platform.
1. Data Controller
Company: Krust, UAB
Registration code: 307542063
Address: Perkūnkiemio g. 19, LT-12120 Vilnius, Lithuania
Email: info@trykrust.com
Yummy, MB is the data controller responsible for processing your personal data in connection with the Krust platform and services.
2. Personal Data We Collect
We collect and process the following categories of personal data:
| Category | Data |
|---|---|
| Account Data | Email address, name, profile information, authentication provider (Google, Apple, or email) |
| Billing Data | Subscription plan, billing history, payment method details (processed and stored by Stripe) |
| Usage Data | Login timestamps, IP address, device type, browser type, operating system, pages visited, features used, credit consumption history |
| Uploaded Content | Reference photos (containing facial images), product images, brand assets, scripts, and text prompts |
| Generated Content | AI-generated videos, images, and associated metadata (model used, generation parameters, timestamps) |
| Communication Data | Feedback submissions, support requests, and correspondence |
3. Special Categories of Data
Biometric-Adjacent Data: Reference photos you upload contain facial images that are processed by third-party AI models for face swap functionality. While we do not extract or store biometric identifiers (such as faceprints or facial geometry), the reference photos themselves contain visual representations of individuals.
By uploading reference photos, you confirm that you have obtained explicit consent from the depicted individuals for use in AI-generated video content. You are responsible for maintaining records of such consent.
4. Processing Purposes & Legal Basis
We process your personal data for the following purposes under the legal bases specified in GDPR Article 6:
| Purpose | Legal Basis |
|---|---|
| Account creation & authentication | Contract performance (Art. 6(1)(b)) |
| AI content generation (videos & images) | Contract performance (Art. 6(1)(b)) |
| Subscription billing & credit management | Contract performance (Art. 6(1)(b)) |
| Service notifications & updates | Legitimate interest (Art. 6(1)(f)) |
| Service improvement & analytics | Legitimate interest (Art. 6(1)(f)) |
| Content moderation & safety | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance & fraud prevention | Legal obligation (Art. 6(1)(c)) |
5. Data Recipients & Third-Party Processors
Your personal data may be shared with the following categories of recipients:
- Cloud Infrastructure – Supabase and Vercel for application hosting, database storage, and file storage. Data is stored on servers within the European Union and United States.
- AI Service Providers – Third-party AI model providers (for video generation, image generation, and face swap processing). Your uploaded content and prompts are sent to these providers to generate content.
- Payment Processor – Stripe for subscription billing and payment processing. Stripe processes and stores payment card details directly; we do not store your full card information.
- Authentication Providers – Google and Apple for social login authentication (if you choose to sign in via these providers).
- Analytics Services – For understanding service usage and improving the platform. Data is anonymized where possible.
- Law Enforcement – When required by applicable law, court order, or governmental regulation.
6. International Data Transfers
Your data is primarily stored on servers within the European Union (Supabase EU region). However, some of our service providers may process data in the United States or other countries outside the EU/EEA.
For transfers outside the EU/EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including:
- European Commission adequacy decisions (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all third-party processors
7. Data Retention Periods
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 1 year after deletion request |
| Uploaded content (references, products) | Duration of account (deleted upon account deletion) |
| Generated content (videos, images) | Duration of account (deleted upon account deletion) |
| Billing & transaction records | 5 years (legal obligation for accounting records) |
| Login & access logs | 6 months |
| Analytics data | 24 months (anonymized) |
| Feedback & support requests | 2 years |
8. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15) – Obtain a copy of your personal data and information about how it is processed
- Right to Rectification (Art. 16) – Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17) – Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing (Art. 18) – Request limitation of how your data is processed
- Right to Data Portability (Art. 20) – Receive your data in a structured, commonly used, machine-readable format
- Right to Object (Art. 21) – Object to processing based on legitimate interest or for direct marketing purposes
- Right to Withdraw Consent – Withdraw consent at any time for processing based on consent, without affecting the lawfulness of processing carried out before withdrawal
- Right Not to Be Subject to Automated Decision-Making (Art. 22) – Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
To exercise any of these rights, contact us at: info@trykrust.com. We will respond to your request within 30 days.
9. Right to Lodge a Complaint
If you believe your personal data is being processed in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
Lithuanian Supervisory Authority:
State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)
Address: L. Sapiegos g. 17, 10312 Vilnius, Lithuania
Website: vdai.lrv.lt
Email: ada@ada.lt
10. Is Providing Data Mandatory?
Providing personal data is voluntary but necessary to use the Service. Without providing the required data (email address for account creation), you cannot create an account or access the platform. Specific data requirements:
- Account creation: Email address is required (via email signup, Google, or Apple)
- Subscription: Payment information is required to activate a paid plan (processed by Stripe)
- Content generation: Uploading reference photos and product images is optional but required for certain features (face swap, product placement)
11. Automated Decision-Making
We do not use your personal data for automated decision-making or profiling that would have legal or similarly significant effects on you as an individual. Our AI services process your uploaded content (reference photos, product images, text prompts) to generate advertising content, but these do not constitute automated decisions about you.
Content moderation systems may automatically flag or reject uploaded content that violates our policies. You may contest such decisions by contacting our support team.
12. Cookies & Tracking
We use cookies and similar technologies to operate the Service, remember your preferences, and analyze usage patterns. For detailed information about the cookies we use and how to manage your preferences, please visit our Cookie Settings page.
Categories of cookies we use:
- Essential cookies – Required for the Service to function (authentication, session management)
- Analytics cookies – Help us understand how the Service is used (with your consent)
- Functional cookies – Remember your preferences and settings
13. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Data encryption in transit (TLS/SSL) and at rest
- Secure password hashing and authentication
- Role-based access control and least-privilege principles
- Regular security reviews and updates
- Secure cloud infrastructure with industry-standard certifications
- Incident response procedures for data breaches
In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with GDPR Articles 33 and 34.
14. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at info@trykrust.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email or through a notice within the Service at least 10 days before the changes take effect.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
16. Contact Us
For any questions about this Privacy Policy, your personal data, or to exercise your rights, please contact us:
Email: info@trykrust.com
Company: Krust, UAB
Address: Perkūnkiemio g. 19, LT-12120 Vilnius, Lithuania