Privacy Policy

Kitfo is a service of Ereko Labs, trading as Kitfo (“we”, “our”, “us”). We are the data controller responsible for personal data collected through the kitfo.co platform and mobile applications.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information. By using Kitfo, you agree to the practices described in this policy.

For data protection enquiries, contact us at privacy@kitfo.co.

Information you provide directly:

• Account registration data (name, email address, username)
• Profile information (bio, avatar, banner, website, credits, social links)
• Documents, scripts, and files you upload or share
• Content you post (Takes, Waves, comments) — including anonymous Takes, which are linked to your account in our systems even though your identity is not displayed to other users
• Payment information (processed by our payment provider — we do not store card numbers)
• Communications with us (support tickets, feedback)
• Confidentiality agreement acceptances — when you view NDA-protected content shared by another user, we collect your full name (as you type it), IP address, and the timestamp of acceptance, regardless of whether you hold a Kitfo account

Information collected automatically:

• Log data (IP address, browser type, pages visited, timestamps)
• Device information (hardware model, operating system, unique identifiers)
• Usage data (features accessed, actions taken within the platform)
• Cookies and similar tracking technologies (see our Cookie Policy)

If you are located in the European Economic Area or United Kingdom, we process your personal data under the following legal bases:

• Contractual necessity (Art. 6(1)(b)): Processing required to operate your account, provide the Service, and fulfil your requests — including authentication, profile display, document sharing, and payment processing.
• Legitimate interests (Art. 6(1)(f)): Processing for fraud prevention, platform security, abuse detection, and aggregate analytics, where our interests are not overridden by your rights.
• Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable law, including responding to lawful government requests and enforcing our Terms.
• Consent (Art. 6(1)(a)): Where you have opted in to marketing communications. You may withdraw consent at any time without affecting prior processing.

We use the information we collect to:

• Provide, operate, and improve our services
• Create and manage your account
• Process payments and manage subscriptions
• Send service-related communications (account updates, security alerts, receipts)
• Send marketing communications (only with your consent; unsubscribe at any time)
• Analyse usage patterns to improve user experience
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

We do not sell, rent, or trade your personal data — or your uploaded content — to any third party, for any purpose. This applies to your profile information, usage data, uploaded videos, cuts, scripts, documents, and any other data you provide to Kitfo. If we ever change this practice, we will provide clear advance notice and obtain your explicit consent before doing so.

We do not use your content to train AI or machine learning models. Your uploaded videos, scripts, self-tapes, documents, and any other content you create or upload on Kitfo is not used to train, fine-tune, or evaluate any artificial intelligence or machine learning system — by us or by any third party we work with. If we ever wish to change this, we will ask for your explicit opt-in consent first. It will never happen silently.

We may share your information with:

• Infrastructure providers: Trusted services that help us run the platform — including cloud hosting, database management, file storage, email delivery, and payment processing — all bound by confidentiality agreements and applicable data protection law.
• Other users: Information on your public profile is visible to any visitor. Content you post publicly (Takes, Waves) is visible according to your privacy settings.
• Document and content recipients: When you share a document, script, video cut, or playlist link, the recipient can view it according to your configured access settings. You are in control of who receives those links.
• Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
• Legal requirements: When required by law, valid legal process, or to protect the rights, property, and safety of Kitfo, our users, or the public. This includes disclosing the identity behind anonymous or pseudonymous posts where legally compelled.

Your video content and uploaded files. Videos, cuts, reels, self-tapes, and other files you upload to Kitfo are stored privately on our infrastructure and are never shared with, or made accessible to, anyone outside the platform unless you explicitly choose to do so — for example, by generating a share link, making your profile public, attaching content to a Stage post, or submitting to a festival. We do not grant any third party access to your content without your action initiating it.

Festival partners. When you choose to submit a film project to a festival listed on Kitfo, you grant that festival's organiser a limited right to view the content you have submitted, solely for the purpose of evaluating your entry. What the organiser may do with your submission within the context of their festival is governed by the festival's own terms, which are set and disclosed by the organiser at the time you submit. Kitfo does not grant festival organisers any rights beyond accessing submitted content within the platform for evaluation purposes. We do not sell, transfer, or license your content to festival partners, and we are not responsible for how organisers handle content outside the Kitfo platform.

Kitfo is operated from the United States. If you access our services from the European Economic Area, United Kingdom, or other regions with data protection laws, your personal data will be transferred to and processed in the United States.

Where such transfers occur, we rely on appropriate safeguards including Standard Contractual Clauses approved by the European Commission, or equivalent transfer mechanisms as required by applicable law. Our infrastructure providers maintain data processing agreements that comply with applicable international transfer requirements.

Your data is stored on secure cloud infrastructure in certified data centres. We implement industry-standard security measures including encryption in transit (TLS) and at rest, access controls, and regular security assessments.

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to maintaining appropriate safeguards.

We retain your personal information for as long as your account is active or as needed to provide the Service. Upon account deletion, we remove your personal data within 30 days, except where retention is required by law (such as financial records required for tax compliance) or for legitimate purposes such as resolving disputes or enforcing our agreements.

NDA acceptance records. Records of confidentiality agreement acceptances — including the signer's name, IP address, and timestamp — are retained for a minimum of 2 years from the date of acceptance, consistent with the term of the underlying agreement. Records related to an active or reasonably anticipated legal dispute may be retained for longer. Content owners can view their records at any time from their NDA log.

Depending on your location, you may have the following rights:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate or incomplete data
• Deletion — request deletion of your personal data, subject to legal retention requirements
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests
• Restriction — request that we limit how we process your data in certain circumstances

To exercise any of these rights, email privacy@kitfo.co. We will respond within 30 days.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties with whom we share it.
• Right to delete — request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to correct — request correction of inaccurate personal information.
• Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising.
• Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond those permitted by the CPRA.
• Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

To exercise your California privacy rights, email privacy@kitfo.co with “California Privacy Request” in the subject line. We will verify your identity before processing your request.

You may also lodge a complaint with the California Privacy Protection Agency (CPPA) at cppa.ca.gov.

If you are located in the European Economic Area or United Kingdom and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, contact the supervisory authority in your member state.

We encourage you to contact us at privacy@kitfo.co first — we will endeavour to resolve any concern promptly.

Kitfo is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will delete it promptly. If you believe a child has provided us with their information, contact us at privacy@kitfo.co.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the platform. Your continued use of Kitfo after changes constitutes acceptance of the updated policy.

Questions or requests regarding this Privacy Policy:

• Email: privacy@kitfo.co