Kreiso Privacy Policy
Last updated: May 22, 2026
This Privacy Policy explains how Kreiso collects, uses, stores, and protects your personal data when you use our website (kreiso.app), our mobile application, and any related services (collectively, the "Service"). This policy applies to our waitlist, our mobile app, and all features within.
1. Data Controller
Kreiso is operated by:
Nikita Konstantinovskiy
Operating as Kreiso
nikitakonst1@gmail.com
Nikita Konstantinovskiy is the entity responsible for your personal data and acts as the "data controller" under the EU General Data Protection Regulation (GDPR), the "business" under the California Consumer Privacy Act (CCPA), and equivalent terms under other applicable privacy laws.
2. Data We Collect
2.1 Waitlist
When you join our waitlist, we collect:
- Email address
- Phone number (if provided)
If you provide a phone number, you may receive SMS messages from us about Kreiso, including service updates, event invitations, and (where you have opted in) marketing or re-engagement communications. SMS messages are delivered via Twilio (see Section 5). You can opt out of SMS at any time by replying STOP to any message we send, or by contacting us at nikitakonst1@gmail.com. Message and data rates may apply.
2.2 Event Invitation Applications
When you submit an application through the event invitation flow (kreiso.app/apply), we collect:
- Email address or phone number (depending on the contact method you choose)
- Age
- Gender
- Languages you speak
- Life stage (e.g., student, early career, founder)
- City of residence (Berlin or "Somewhere else")
- Time in Berlin (only if you indicated Berlin as your city)
- Outreach attribution (the campaign identifier in the link you clicked, if any)
- The events you select when invited to express interest
We use this information to manually review applications, decide which events to invite you to, and contact you about those invitations. Submitting an application does not guarantee an invitation; we curate invitations at our discretion based on event fit and group composition.
If you provide a phone number as your contact method, you may receive SMS messages from us about your application, including event invitations, reminders, and follow-ups. SMS messages are delivered via Twilio (see Section 5). You can opt out of SMS at any time by replying STOP, or by contacting us at the email above. Message and data rates may apply.
2.3 Account & Profile Data
When you create an account, we collect:
- Name
- Date of birth
- Profile photo
- Country of origin
- Languages spoken
- City of residence
2.4 Onboarding Survey Data
During onboarding, we collect your responses to our compatibility survey, which includes:
- Life stage
- Work field
- Education level
- Time in your city
- Interests (selected from a curated list)
- Humor style preference
- Conversation depth preference
- Social format preference
- Friend priorities
- Connection intent
- Event preferences
- Deal breakers
- Venue preferences (like/dislike swipes on curated venue cards)
2.5 Event Area Data
You set your preferred event area on a map, which provides us with:
- Approximate geographic center point (latitude and longitude)
- Preferred radius (in kilometers)
We do not collect or track your real-time GPS location.
2.6 Behavioral Data
As you use the Service, we collect:
- Event commitments and attendance
- Post-event feedback (ratings, free-text responses)
- Social preferences expressed through feedback (e.g., which group members you would meet again)
- Activity ratings
2.7 Payment Data
If you make payments through the Service, payment processing is handled by Stripe. We do not store your credit card number, bank account details, or other financial account information on our servers. Stripe collects and processes your payment data as an independent data controller under its own privacy policy.
2.8 Spam and Abuse Prevention
We use Google reCAPTCHA to protect the Service from spam, bots, and abuse. reCAPTCHA collects hardware and software information (such as device and application data) and sends it to Google for analysis. Your use of reCAPTCHA is subject to Google's Privacy Policy and Terms of Service.
2.9 Automatically Collected Data
When you use the Service, we automatically collect:
- Device type and operating system
- App version
- Crash reports and error logs
- General usage patterns (screens viewed, features used)
We use cookieless analytics. We do not use tracking cookies, advertising pixels, or cross-site tracking technologies.
3. How We Use Your Data
We use your data for the following purposes:
- Waitlist management: To notify you when the Service launches or when a spot becomes available.
- Event invitation review: To manually review event invitation applications, decide which events to invite you to, and contact you about those invitations. Submitting an application does not guarantee an invitation.
- Account creation and authentication: To create and secure your account.
- Age verification: To verify you meet our minimum age requirement of 16 and to apply additional age restrictions to specific events (e.g., 18+ for alcohol-serving venues).
- Compatibility matching: To compute similarity scores between users, form compatible groups for events, and generate personalized event recommendations. This is the core function of the Service.
- Event coordination: To organize events, form groups, assign venues, and facilitate group communication.
- Improving the Service: To refine our matching algorithm based on aggregated feedback and behavioral patterns. We do not use your data to train third-party AI or machine learning models.
- Communication: To send you event notifications, feedback requests, re-engagement reminders, and essential service updates. Communications may be delivered by email (via Resend) or SMS (via Twilio), depending on the contact information you have provided and the opt-out choices you have made.
- Safety and enforcement: To enforce our Terms of Service and protect users from harmful behavior.
- Payment processing: To process event fees or subscription payments through Stripe.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Waitlist communication | Your consent (Art. 6(1)(a) GDPR) |
| Event invitation application review and outreach | Your consent (Art. 6(1)(a) GDPR), confirmed via the checkbox you tick before submitting the application |
| Account creation and service delivery | Performance of a contract (Art. 6(1)(b) GDPR) |
| Compatibility matching and group formation | Performance of a contract (Art. 6(1)(b) GDPR) |
| Payment processing | Performance of a contract (Art. 6(1)(b) GDPR) |
| Service improvement and analytics | Legitimate interest (Art. 6(1)(f) GDPR) |
| Safety and enforcement | Legitimate interest (Art. 6(1)(f) GDPR) |
| Marketing communications and re-engagement | Your consent (Art. 6(1)(a) GDPR) |
You may withdraw your consent at any time by contacting us or adjusting your notification settings within the app. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
5. Who We Share Your Data With
We do not sell, rent, or trade your personal data to third parties. We share data only with the following service providers ("processors") who process data on our behalf and under our instructions:
| Service Provider | Purpose | Data Location |
|---|---|---|
| Google Firebase (Firebase Auth, Firestore, Cloud Messaging, Crashlytics) | Authentication, real-time data storage, push notifications, error tracking | Global (Google data centers) |
| Google Cloud SQL | Database hosting (PostgreSQL) for matching computation | Global (Google data centers) |
| Firebase Hosting | Hosting the landing page and web assets | Global (Google CDN) |
| Resend | Transactional email delivery (waitlist confirmations, event notifications, feedback requests) | United States |
| Twilio | Transactional and marketing SMS delivery (event invitations, reminders, feedback requests, re-engagement messages) | United States |
| Stripe | Payment processing | United States |
| Google reCAPTCHA | Spam and abuse prevention | Global (Google data centers) |
| Apple App Store / Apple Push Notification Service | App distribution and push notifications (iOS) | Global (Apple data centers) |
| Google Play Store / Firebase Cloud Messaging | App distribution and push notifications (Android) | Global (Google data centers) |
All processors are bound by data processing agreements and process your data only for the purposes described in this policy.
We may also disclose your data if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Kreiso, our users, or the public.
6. International Data Transfers
The Service is provided globally, and your data may be processed and stored on servers located in the United States, the European Union, and other jurisdictions where our service providers operate.
For users in the European Economic Area, the United Kingdom, or Switzerland: where personal data is transferred to a third country, we ensure adequate protection through one of the following mechanisms:
- The EU-U.S. Data Privacy Framework, where applicable
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions of the European Commission or competent authorities
For users in other jurisdictions: by using the Service, you consent to the transfer and processing of your data in any country where Kreiso or its service providers operate.
You may request additional information about applicable transfer safeguards by contacting us at nikitakonst1@gmail.com.
7. Data Retention
We retain your data as follows:
| Data Type | Retention Period |
|---|---|
| Waitlist data (email, phone) | Until you unsubscribe or until 12 months after the last contact, whichever is earlier |
| Event invitation applications (kreiso.app/apply) | Until you ask us to delete it, or until 12 months after the last interaction (whichever is earlier). If you accept an invitation and onboard to the app, the relevant fields may be migrated to your account profile and follow the retention period below. |
| Account and profile data | For the duration of your account, plus 180 days after account deletion |
| Survey and behavioral data | For the duration of your account, plus 180 days after account deletion |
| Payment records | As required by applicable tax and accounting law in the relevant jurisdictions |
| Crash reports and error logs | 180 days |
After the retention period, your data is permanently deleted or irreversibly anonymized.
During the 180-day post-deletion period, your data is deactivated and inaccessible to other users. This period exists to allow you to recover your account if you change your mind, to resolve any outstanding payment disputes (which may take up to 120 days), and to maintain the integrity of group and event records for other users who participated in shared events.
8. Your Rights
8.1 Rights Under GDPR (EEA, UK, Switzerland)
You have the right to:
- Access your personal data and obtain a copy
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Restrict processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time for processing based on consent
- Lodge a complaint with a supervisory authority
8.2 Rights Under U.S. State Privacy Laws
If you are a resident of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or another U.S. state with an applicable privacy law, you have the right to:
- Know what personal data we collect, use, and share
- Delete your personal data
- Opt out of the sale of your personal data. We do not sell your personal data.
- Non-discrimination for exercising your privacy rights
8.3 How to Exercise Your Rights
To exercise any of these rights, contact us at nikitakonst1@gmail.com. We will respond within 30 days for GDPR requests and within 45 days for CCPA requests, as required by law.
We may ask you to verify your identity before processing your request. For CCPA requests, we will use reasonable methods to verify the requester's identity to the degree of certainty appropriate to the type of personal information requested.
9. Age Requirement
You must be at least 16 years old to use the Service. We do not knowingly collect personal data from anyone under 16. If we learn that we have collected data from a person under 16, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at nikitakonst1@gmail.com.
Certain events may have additional age restrictions (e.g., 18+ for events at alcohol-serving venues). These restrictions are displayed on each event listing.
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities without undue delay, as required by applicable law. Notification will include information about the nature of the breach, likely consequences, measures taken or proposed to address the breach, and contact information for further inquiries.
11. Security
We implement technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Firebase Authentication with secure token management
- Access controls limiting data access to essential operations
- Regular security reviews of our infrastructure
No method of transmission or storage is completely secure. If you discover a security vulnerability, please report it to nikitakonst1@gmail.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice within the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the State of Delaware, United States of America, without prejudice to mandatory data protection laws applicable in your jurisdiction.
14. Contact
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:
Nikita Konstantinovskiy
Operating as Kreiso
nikitakonst1@gmail.com
We aim to respond to all privacy-related inquiries within 30 days.