This Privacy Policy explains how Kroonen AI, Inc. ("Kroonen AI," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with our website, Open-Source Software, SaaS Services, Research previews, and Professional Services.
Last updated: June 19, 2026
1. Introduction & Scope
This Privacy Policy applies to personal information processed by Kroonen AI in the course of operating the kroonen.ai website and providing our Services, as described in the Terms of Service. It should be read together with our Acceptable Use Policy and AI Addendum.
Our role under data-protection law depends on the activity:
- Controller. For the kroonen.ai website, contact-form submissions, marketing communications, and the administration of accounts for our SaaS Services (Libre Bot), Kroonen AI acts as the controller (GDPR) / business (CCPA/CPRA) and decides why and how personal information is processed.
- Processor. For Customer Data that a Customer and its Authorized Users submit to, or generate through, the Libre Bot widget at librebot.ai, Kroonen AI acts as a processor (GDPR) / service provider (CCPA/CPRA), processing such data only on the Customer's documented instructions under a Data Processing Addendum (DPA). The Customer is the controller of that Customer Data, and the Customer's own privacy notice governs how end users' information is handled.
This Policy describes our practices as controller. For Customer Data processed as a processor, see Section 18 (Data Processing Addendum).
Our Open-Source Software (Libre WebUI and Libre Claw) is distributed under the Apache-2.0 license and runs in environments you control; Kroonen AI does not collect personal information through your self-hosted deployments. Our Research previews (Genesis 1B) are offered as hosted HuggingFace playgrounds; interactions there are also subject to HuggingFace's own privacy practices.
2. Information We Collect
We collect the following categories of personal information. We do not intentionally collect, and we ask that you do not submit through our forms, any special-category data (GDPR Art. 9) or sensitive personal information (CPRA) — such as health, biometric, precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, or government identifiers. We do not use any personal information for the purpose of inferring sensitive characteristics.
2.1 Contact-form and communications data
- Name, email address, and the free-text message content you choose to provide when you submit a contact form, email [email protected], or otherwise correspond with us.
- Records of your communications, including support requests and inquiries about Professional Services.
2.2 Technical and log data
- IP address, user-agent string, approximate country/region, request timestamps, referring URLs, and pages viewed, collected automatically by our hosting and security provider (Cloudflare).
- Anti-abuse signals generated by Cloudflare Turnstile when you interact with protected forms (a challenge token and related metadata; Turnstile is designed to be privacy-preserving and does not track users across sites).
2.3 SaaS account data
- For Libre Bot accounts: account holder name, business email, organization name, authentication credentials, configuration and usage settings, and billing-related identifiers handled through our payment processor (we do not store full payment-card numbers).
- Usage and diagnostic logs associated with your account for service operation, security, and support.
2.4 Customer Data (processed as processor)
- Content, prompts, queries, and documentation that a Customer or its Authorized Users submit to Libre Bot, together with the Output generated in response. This is processed under the DPA on the Customer's instructions and is described here for transparency.
3. Sources of Information
- Directly from you — when you complete a form, create an account, request Professional Services, or communicate with us.
- Automatically — through server logs and security tooling provided by Cloudflare and Cloudflare Turnstile when you use the website or SaaS Services.
- From our Customers — when a Customer configures Libre Bot and its Authorized Users or end users interact with the widget (processed as processor).
- From service providers — limited information from our payment processor and model providers strictly to operate the Services.
4. How & Why We Use Information
We use personal information for the following purposes, mapped to the categories above:
- To respond to inquiries and provide support — using contact-form and communications data (2.1).
- To operate, maintain, and secure the website and SaaS Services — using technical/log data (2.2) and SaaS account data (2.3), including detecting, preventing, and investigating fraud, abuse, and security incidents.
- To provide and administer SaaS accounts and process payments — using SaaS account data (2.3).
- To deliver Professional Services (e.g., pre-training, fine-tuning, dataset preparation, AI safety / red-team / CBRN evaluation, application and telephony development, and AI agents/orchestration) — using communications and account data as needed to scope, perform, and document engagements under an Order Form / SOW.
- To send service and, where permitted, marketing communications — using contact and account data; you may opt out of marketing at any time.
- To comply with legal obligations and enforce our agreements — using relevant categories as necessary.
- To improve our website and Services — using aggregated or de-identified technical data. We do not use Customer Data, contact-form content, or Output to train, fine-tune, or improve any general-purpose or foundation model. See the AI Addendum.
5. Legal Bases for Processing (GDPR)
Where the GDPR or UK GDPR applies, we rely on the following legal bases (Art. 6):
- Contract (Art. 6(1)(b)) — to provide the SaaS Services and Professional Services you request, administer accounts, and process payments.
- Legitimate interests (Art. 6(1)(f)) — to respond to inquiries, secure and improve our Services, prevent abuse, and conduct limited direct marketing, balanced against your rights and interests.
- Consent (Art. 6(1)(a)) — where required for non-essential cookies/tracking or certain marketing; you may withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)) — to meet tax, accounting, and other legal requirements.
6. Cookies & Tracking; "Do Not Sell or Share"
We aim to keep tracking to a minimum. Our website uses only strictly necessary cookies and security mechanisms (including Cloudflare Turnstile) required to operate the site and protect against abuse. Where we use any non-essential cookies or analytics, we will request consent where required and provide controls to manage your preferences.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA and similar U.S. state laws. We have not done so in the preceding twelve (12) months.
Global Privacy Control (GPC). We honor opt-out preference signals, including the Global Privacy Control, transmitted by your browser. Because we do not sell or share personal information, such a signal results in no change to data sales/sharing; we nonetheless treat it as a valid opt-out request for any applicable processing.
7. Disclosures & Sub-processors
We disclose personal information only to the categories of recipients below, and only as necessary for the purposes described in this Policy. We do not disclose personal information for monetary or other valuable consideration.
- Cloudflare — website and SaaS hosting (Pages/Workers), content delivery, logging, and security (including Turnstile anti-abuse).
- Twilio — telephony processing for Libre Phone / telephony-related Professional Services, where applicable.
- SendGrid — delivery of contact-form and transactional email.
- Payment processor — processing of SaaS subscription payments and billing (handled by our third-party payment provider; we do not store full card numbers).
- Model providers — Anthropic and OpenAI, which process prompts/queries to generate Output within Libre Bot. We select providers that contractually commit not to use API inputs/outputs to train their models, consistent with the AI Addendum.
- Professional and legal advisors, and authorities — where required by law, to enforce our agreements, or to protect rights, safety, and property.
- Corporate transactions — a successor entity in connection with a merger, acquisition, or sale of assets, subject to this Policy.
A current list of sub-processors for the SaaS Services is maintained for Customers and forms part of the DPA. We require sub-processors to provide appropriate safeguards and to process personal information only on our instructions.
8. Automated Decision-Making & AI
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing, including profiling, within the meaning of GDPR Art. 22.
Our SaaS Services and Research previews use AI models to generate Output in response to user input. This generation does not, by itself, constitute a solely automated decision with legal or significant effect on an individual. Output may be inaccurate or incomplete and should not be relied upon as professional advice; further details on AI processing, no-training commitments, and Output are in the AI Addendum.
9. Data Retention
We retain personal information only for as long as needed for the purposes described, using the following guidelines:
- Contact-form and communications data — up to 24 months from your last interaction, unless an ongoing inquiry or legal requirement justifies longer retention.
- Technical and log data — security and server logs are retained for up to 90 days, after which they are deleted or aggregated/de-identified, except where retained longer for security investigations.
- SaaS account data — for the duration of the account plus up to 12 months after termination, except for billing/tax records retained for up to 7 years to meet legal obligations.
- Customer Data (as processor) — retained and deleted in accordance with the DPA and the Customer's instructions; on termination, deleted or returned within the period stated in the DPA.
- Marketing data — until you opt out or after 24 months of inactivity, whichever is earlier.
We may retain de-identified or aggregated data, which is not used to re-identify you, for longer periods.
10. Your Rights
10.1 Rights under the GDPR / UK GDPR
Subject to applicable law, you may have the right to: access your personal information; rectify inaccurate data; erase data ("right to be forgotten"); restrict or object to processing; request data portability; withdraw consent; and lodge a complaint with your supervisory authority. We will respond to verified requests within one (1) month, extendable by up to two further months for complex requests with notice.
10.2 Rights under the CCPA/CPRA and other U.S. state laws
Subject to applicable law, you may have the right to: know/access the categories and specific pieces of personal information we collect; delete personal information; correct inaccurate information; opt out of sale/sharing (note: we do not sell or share); limit use of sensitive personal information (note: we do not collect it for such purposes); and not receive discriminatory treatment for exercising your rights. We will confirm receipt within 10 business days and respond to verifiable requests within 45 days, extendable by an additional 45 days with notice.
10.3 How to exercise your rights and verification
To submit a request, email [email protected] or write to the address in Section 17. To protect your privacy, we will take reasonable steps to verify your identity (for example, by confirming control of the email address on file or matching information we hold) before acting on a request. You may use an authorized agent where permitted by law, subject to proof of authorization. Where you are an end user of a Customer's Libre Bot deployment, please direct your request to that Customer (the controller); we will assist the Customer as required by the DPA.
11. International Transfers
Kroonen AI is based in the United States, and our service providers may process personal information in the United States and other countries. Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), and, where applicable, certification under the EU-U.S. Data Privacy Framework (including the UK Extension and Swiss-U.S. DPF).
12. Security
We implement technical and organizational measures designed to protect personal information, including encryption in transit (TLS), access controls and least-privilege practices, infrastructure-level protections provided by Cloudflare, anti-abuse controls (Turnstile), logging and monitoring, and vendor due diligence. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
In the event of a personal-data breach affecting your information, we will notify affected individuals and competent authorities as required by applicable law and without undue delay, and we will cooperate with Customers under the DPA where we act as processor.
13. Children's Privacy
Our website and Services are intended for business users and are not directed to children. We do not knowingly collect personal information from children under 16 years of age, and we do not knowingly collect personal information from children under 13 in a manner that would require parental consent under the U.S. Children's Online Privacy Protection Act (COPPA). If you believe a child has provided us with personal information, please contact us and we will delete it.
14. Third-Party Links
Our website and Services may contain links to third-party sites and services (for example, HuggingFace playgrounds for Genesis 1B, or model-provider documentation). We are not responsible for the privacy practices of those third parties; we encourage you to review their privacy policies.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We review it at least every 12 months and will revise the "Last updated" date when changes are made. Material changes will be communicated by reasonable means, such as a notice on the website or, for SaaS Customers, by email. Your continued use of the Services after an update constitutes acceptance of the revised Policy where permitted by law.
16. Contact & Data-Protection Requests
For questions about this Policy or to exercise your rights, contact us at:
- Kroonen AI, Inc.
- 8 The Green, Ste B, Dover, DE 19901, United States
- Email: [email protected]
- Phone: +1 (916) 999-5979
17. EU / UK Representative
Where required under GDPR Art. 27 or UK GDPR, individuals in the EEA or UK may contact our designated representative regarding the processing of their personal information.
18. Data Processing Addendum (DPA)
A Data Processing Addendum is available for Libre Bot business Customers and governs our processing of Customer Data as a processor, including security measures, sub-processors, international-transfer mechanisms, and breach notification. To request the DPA, contact [email protected]. The DPA, together with the applicable Order Form / SOW and the Terms of Service, governs that processing and prevails over this Policy with respect to Customer Data.