Privacy Policy
Last updated: March 27, 2026
1. Data Controller
The data controller for personal data processed through Knowledge Raven ("Service") is:
BirdFlai UG (haftungsbeschränkt)
Tarpenbekstraße 13, 22848 Norderstedt, Germany
Represented by: Jan Christiansen, Pascal Meger
Privacy contact: pascal@birdflai.com
2. Data We Collect
We collect the following categories of personal data:
- Account information: name, email address, workspace membership
- Documents and metadata: files you upload or connect via connectors (e.g., Google Drive), including file names, sizes, and modification dates
- Payment information: billing address, plan details, and invoice history (credit card data is handled exclusively by Stripe — see Section 7)
- Connector credentials: OAuth tokens for connected services (e.g., Google Drive), stored encrypted
- Usage data: search queries, feature usage, and MCP tool interactions
- Technical data: IP address, browser type, device information, and server logs
3. Legal Basis for Processing (Art. 6 GDPR)
We process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): processing your account data, documents, and connector credentials to provide the Service
- Legitimate interest (Art. 6(1)(f)): improving the Service, ensuring security, preventing abuse, and generating aggregated usage analytics
- Consent (Art. 6(1)(a)): placing analytics cookies and processing data via Google Analytics 4 (only after your explicit consent)
- Legal obligation (Art. 6(1)(c)): retaining billing and tax records as required by German law
4. How We Use Your Data
Your data is used to provide and improve the Service: indexing documents for search, generating embeddings, authenticating users, processing payments, and generating aggregated usage analytics.
We do not use your documents to train AI models. Your content is processed solely to provide the Service (indexing, embedding, and search retrieval). Embedding and reranking APIs receive document content for processing but do not retain it.
5. Sub-Processors and Third-Party Services
We use the following sub-processors to operate the Service. Each processes data according to their own privacy policies and our data processing agreements.
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase | Database, Authentication, File Storage | EU (Frankfurt) |
| Weaviate | Vector Database | EU |
| Google / Gemini | Embedding API (document indexing) | US (EU SCCs) |
| Cohere | Reranking API (search quality) | US / Canada (EU SCCs) |
| Stripe | Payment Processing | US (EU SCCs, PCI DSS Level 1) |
| Railway | Backend Hosting | US (EU SCCs) |
| Vercel | Frontend Hosting | Global CDN (EU SCCs) |
| Google Analytics 4 | Website Analytics (consent-based only) | US (consent-based) |
6. International Data Transfers
Some of our sub-processors are based outside the European Economic Area (EEA), primarily in the United States. For these transfers, we rely on EU Standard Contractual Clauses (SCCs) as the legal mechanism to ensure an adequate level of data protection. This applies to: Google / Gemini, Cohere, Stripe, Railway, Vercel, and Google Analytics 4.
Supabase and Weaviate process data within the EU.
7. Payment Data
All payment processing is handled by Stripe, Inc., a PCI DSS Level 1 certified payment processor. Knowledge Raven never receives, stores, or has access to your credit card numbers or full payment card details. We store only: your selected plan, billing cycle, and invoice history.
8. Data Storage and Security
Documents are stored in Supabase Storage with encryption at rest. Vector embeddings are stored in Weaviate with multi-tenant isolation (each workspace has its own isolated tenant). Connector OAuth tokens are stored encrypted. All data is transmitted over TLS. Access to production systems is restricted and logged.
9. Data Retention
We retain your data according to the following schedule:
- Account data: for the duration of your account, plus 30 days after deletion
- Documents and embeddings: deleted within 30 days of account or knowledge base deletion
- Payment and billing records: 10 years after the end of the contractual relationship (required by German tax law, AO §147)
- Server logs: 90 days
- Analytics data: 14 months (Google Analytics 4 default retention)
10. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
- Right of access (Art. 15): request a copy of the personal data we hold about you
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your personal data
- Right to restriction (Art. 18): request that we restrict the processing of your data
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time (e.g., for analytics cookies) without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at pascal@birdflai.com. We will respond within 30 days. You also have the right to lodge a complaint with your competent data protection authority. The supervisory authority responsible for BirdFlai UG is: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, Germany, https://www.datenschutzzentrum.de.
11. Cookies and Analytics
We use Google Analytics 4 (GA4) to understand how visitors interact with our marketing website. GA4 collects anonymized data including page views, navigation paths, session duration, and general geographic region. IP addresses are anonymized by default.
When you consent to analytics cookies, the following cookies may be set: _ga (expires after 2 years, used to distinguish users) and _ga_<ID> (expires after 2 years, used to maintain session state). These cookies are only set after you give explicit consent via the cookie consent banner.
No analytics scripts are loaded and no tracking cookies are placed until you actively consent. You can change your cookie preferences at any time by clicking the "Cookie Settings" link in the website footer. For more information about how Google processes data, see Google's Privacy Policy.
12. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at pascal@birdflai.com and we will delete the data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email to the address associated with your account. The "Last updated" date at the top of this page will be revised accordingly.