ClusterFast Legal

Privacy Policy

Last updated: 18 June 2026

1. Controller

The data controller for ClusterFast is TOV "KRYSTAL IF", company code 33450951, registered address: Ukraine, 01054, Kyiv, Yaroslaviv Val Street, building 17A, office 100A.

Privacy contact: privacy@clusterfast.app

This Privacy Policy explains how ClusterFast processes personal data and customer data when you create an account, use projects, run AI workflows, request packages, or connect integrations.

2. Data We Process

Account data: email, name, authentication identifiers, session data, Google account identifier if you sign in with Google, administrator 2FA status where applicable.

Workspace data: projects, briefs, ICP hypotheses, segments, personas, research questions, campaign plans, manual performance notes, generated outputs, and related metadata.

Billing data: package requests, token wallet balances, token ledger entries, OpenAI usage records, quoted prices, manual activation notes, and payment records where applicable.

Integration data: Meta account identifiers, selected ad accounts, pages, Instagram actor identifiers, connection status, and access tokens if you connect Meta.

Technical data: logs, request metadata, security events, IP-derived rate limiting data, cookies needed for authentication, and service diagnostics.

3. Why We Process Data

To create and secure your account, authenticate sessions, provide the workspace, run AI generation workflows, save project results, process billing requests, prevent abuse, troubleshoot issues, and comply with legal obligations.

Where required, processing is based on contract performance, legitimate interests, legal obligations, or your consent. Optional integrations and optional privacy controls are processed according to your actions in the product.

4. Learning Core And Anonymized Patterns

ClusterFast is designed to improve recommendations by converting project inputs and observed outcomes into structured tags, pseudonymized signals, and aggregated patterns.

Shared learning patterns are intended not to contain names, emails, raw briefs, free-form customer text, credentials, or directly identifying personal data. The system uses tag validation, source weighting, retention windows, and deletion workflows to reduce re-identification risk.

Use of anonymized tag aggregation is part of the ClusterFast service described in the Terms of Service. User-linked source records and market signals are treated as customer-linked data while they remain connected to an account or project. Aggregated patterns that are no longer reasonably linkable to a person or customer may be retained to keep the service useful and consistent.

5. AI Providers And Subprocessors

ClusterFast may send prompts, context, and generated content to AI providers such as OpenAI-compatible APIs to perform requested AI tasks. Usage metadata is stored to calculate actual cost and CF Token consumption.

ClusterFast may also use infrastructure, authentication, analytics, and integration providers needed to operate the service, including hosting providers, Google authentication, and Meta APIs when connected by the user.

See the Subprocessor Register at /subprocessors for provider purpose, data categories, location, and safeguards.

6. Retention

Account, billing, and security records are retained as long as needed to provide the service, meet legal obligations, resolve disputes, and maintain auditability.

Learning raw records and source records follow configurable retention windows. Defaults: LEARNING_RAW_RETENTION_DAYS=90 and LEARNING_SOURCE_RETENTION_DAYS=180 unless changed in deployment configuration.

Backups and logs may persist for a limited period after deletion requests due to technical and security requirements.

7. Your Rights

Depending on applicable law, including GDPR where it applies, you may request access, correction, deletion, restriction, portability, objection to certain processing, and withdrawal of consent where processing is based on consent.

These rights apply to personal data and customer-linked records. They do not apply to data that has been irreversibly anonymized so that it no longer identifies or is reasonably linkable to a person, account, or customer. Aggregated anonymous tag patterns may therefore remain after account-level requests.

You can download a full account export from your workspace or contact privacy@clusterfast.app for DSAR support.

You also have the right to complain to a competent data protection authority if you believe your data protection rights have been violated.

8. Security

ClusterFast uses access controls, secure cookies, production-only secret handling, encryption for selected secrets, rate limiting, 2FA for administrators, database isolation, and pseudonymization/anonymization controls for learning data.

No system is perfectly secure. You should avoid uploading secrets, credentials, sensitive personal data, or data you are not authorized to process.

9. International Transfers

Service providers may process data in countries outside your country of residence. Where required, ClusterFast relies on appropriate contractual, technical, and organizational safeguards.

10. Changes

We may update this Privacy Policy as the service evolves. Material updates may be shown in the product or require renewed acceptance where appropriate.

11. Cookies

ClusterFast currently uses strictly necessary cookies only for authentication and security, including the clusterfast_session HttpOnly session cookie.

We do not load non-essential analytics or marketing cookies in the product today. If optional tracking is added later, it will require opt-in consent before activation.

Google Fonts may be loaded by the frontend for typography; this can cause browser requests to Google servers. See the Subprocessor Register for details.