TLDR
Privacy Policy

Last updated: March 1, 2026

TLDR ("we", "us", "the Service") is operated by KPilot, an individual entrepreneur based in Spain. This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and Spanish data protection law (LOPDGDD).

1. Data Controller

KPilot (Marouan Hammami)
Email: info@kpilotlabs.com
Location: Spain

2. Data We Collect

Account Data

  • Email address — provided at registration, used for authentication and transactional emails (verification codes).
  • Hashed password — stored using bcrypt; we never store or access your plain-text password.

Document Data

  • Uploaded documents — text extracted from PDF, DOCX, or TXT files you upload, or text you paste directly.
  • AI analyses — summaries, concerns, and recommendations generated by AI from your documents.
  • Chat messages — questions you ask and AI responses about your documents.

Technical Data

  • Browser localStorage — stores your authentication token (JWT) and language preference. No cookies are used.

Analytics Data

  • Anonymous usage statistics — we use Umami, a self-hosted, privacy-friendly analytics tool that collects: pages visited, referrer URL, browser type, operating system, device type, and country (derived from your IP address). Umami does not use cookies, does not track you across sites, does not collect personal data, and does not store your IP address. All data is aggregated and anonymous.

3. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR) — processing your documents and providing analysis is necessary to deliver the service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR) — essential browser storage for authentication and preferences, and anonymous analytics to improve the service.

4. Third-Party Processors

  • DeepSeek API (deepseek.com) — your document text is sent to DeepSeek for AI analysis. DeepSeek processes data under its own privacy policy.
  • Resend (resend.com) — used to send transactional emails (verification codes). Your email address is shared with Resend for this purpose.

No data is sold to third parties.

5. Data Retention

  • Account and document data is retained as long as your account is active.
  • When you delete your account, all associated data (documents, analyses, chat messages) is permanently deleted.
  • You can delete individual documents at any time from your dashboard.

6. Your Rights (GDPR Articles 15-22)

You have the right to:

  • Access your data — use the "Export My Data" feature in your dashboard.
  • Rectification — contact us to correct inaccurate data.
  • Erasure — delete your account and all data from the dashboard.
  • Data portability — export your data in JSON format.
  • Object to processing — contact us at info@kpilotlabs.com.
  • Lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

7. Data Security

We use HTTPS encryption for all data in transit, bcrypt password hashing, and JWT-based authentication. Data is stored on secured servers within the EU.

8. International Transfers

Document text is sent to DeepSeek's API for AI processing. DeepSeek may process data outside the EU. By using the Service, you acknowledge this transfer is necessary for the core functionality of the Service.

9. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. Continued use of the Service after changes constitutes acceptance.

10. Contact

For any privacy-related questions or to exercise your rights, contact us at: info@kpilotlabs.com