Privacy Policy
Last updated: 2026-05-05
1. Introduction
Kouna ("we," "us," "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Kouna platform ("Platform") at kouna.app.
This Privacy Policy applies to all users: Members (founders, professionals, team members) and Accelerators. By using the Platform, you acknowledge that you have read and understood this Privacy Policy.
We comply with the General Data Protection Regulation (GDPR) and Slovak data protection laws.
2. Data Controller
- Data Controller: Matej Kuka
- Business Registration (IČO): 55957366
- Registered Address: M.R.Štefánika 1696/6, 96001 Zvolen, Slovensko
- Data Protection Contact: gdpr@kouna.app
- Supervisory Authority: Úrad na ochranu osobných údajov Slovenskej republiky, Hraničná 12, 820 07 Bratislava 27, Slovakia (www.dataprotection.gov.sk)
3. What Personal Data We Collect
3.1. Account and Authentication Data
- Email address: Required for account creation and communication
- Password: Stored as a hashed value using bcrypt (10 salt rounds); we never store plain-text passwords
- OAuth provider data: If you sign up via Google, we receive your email address and Google user ID
- Age verification: Confirmation that you are at least 16 years old (checkbox during registration). We do not store your date of birth.
3.2. Profile Data (Members)
- Personal Information: First name, last name, contact email (may differ from login email)
- Professional Information: Skills, experience level, bio, LinkedIn URL, location, languages, role preferences, availability status
- Educational Information: School name, school type (high school/university), school status (current student/alumni) — all optional
- Profile Photo: Optional image upload
- Visibility Preference: Whether your profile is publicly discoverable
3.3. Company and Opening Data
- Company Information: Company name, description, stage, industry, location, languages, contact email, logo
- Team Members: Names and role labels of team members (with or without Platform accounts). Unconfirmed team members (name and role only, no account) are publicly visible on company profiles.
- Openings: Job title, role type, requirements, compensation details, languages
3.4. Accelerator Data
- Organization Information: Accelerator name, description, logo, website, contact email, location
- Program Data: Program names, descriptions, requirement criteria, preference criteria, cohort details
- Participant Records: For cohort management, accelerators can add two types of participants: (1) Linked participants — existing Platform members added to cohorts, for whom accelerators can view name, login email, contact email, and profile data; (2) Unlinked participants — individuals without Platform accounts, for whom accelerators manually add name, email, company name, role label, and status. Unlinked participant data is visible only to the accelerator who added it, not to other Platform users or other accelerators.
3.5. Communication Data
- Contact Messages: Message content, sender ID, recipient ID, timestamp (retained for 30 days)
- Feedback and Reports: Feedback submissions (account required), content reports, associated metadata
- Newsletter Subscription: Email address if you opt in to receive updates
3.6. Invitation Data
- Target Email Addresses: When you invite someone to join your company team or when an accelerator invites a participant, we store the target email address to deliver the invitation. This data is retained for 30 days after the invitation is used or expires, then permanently deleted.
3.7. Technical and Usage Data
- Authentication Logs: Login timestamps, failed login attempts, IP addresses, session tokens
- Error Logs: Application errors, stack traces, request metadata (via Sentry)
- Analytics Data: Page views, feature usage, session recordings with masking enabled to redact passwords and sensitive form inputs (via PostHog, EU region)
- Application Clicks: Anonymous counter when founders click accelerator application links
- AI Assistant Data: When you use the Finish Profile AI assistant, we temporarily process uploaded PDFs and extracted text (immediately deleted after processing). Only metadata is stored for 30 days: upload timestamp, text lengths, field counts, success status, Mistral request ID.
4. How We Use Your Personal Data
4.1. To Provide the Platform Services (Contractual Necessity — GDPR Art. 6(1)(b))
- Create and manage your account
- Display your profile, company, or accelerator information to other users
- Enable contact relay between members (email addresses are hidden from browse pages and only shared after you initiate contact)
- Facilitate co-founder and employee matching
- Match startups to relevant accelerator programs based on startup profile data (location, stage, industry, languages, school information, confirmed team member count) and accelerator program criteria
- Enable accelerators to search existing Platform members by email to link them to cohorts (internal administrative function for cohort management)
- Provide accelerator dashboard and cohort management tools
- Process invitations and account linking
- Process uploaded documents via AI to generate profile suggestions when you use the Finish Profile AI assistant feature
4.2. With Your Consent (GDPR Art. 6(1)(a))
- Newsletter: Send you platform updates and news if you opt in during registration
- Profile Visibility: Make your profile discoverable when you toggle visibility to public
- Accelerator Recommendations: Match your startup to relevant accelerator programs
4.3. For Legitimate Interests (GDPR Art. 6(1)(f))
- Security and Fraud Prevention: Monitor login attempts, enforce account lockouts, detect abuse
- Platform Improvement: Analyze usage patterns to improve features and user experience
- Error Monitoring: Identify and fix technical issues via error logs
- Matching Algorithm: Match startups to accelerators and members to opportunities
- Communication: Send essential service emails (verification, password reset, contact notifications)
4.4. To Comply with Legal Obligations (GDPR Art. 6(1)(c))
Respond to lawful requests from authorities, comply with court orders, enforce our Terms of Service.
5. Who We Share Your Data With
We do NOT sell your personal data. We share your data only with:
5.1. Other Platform Users
- Public Profiles: When you set your profile to visible, other members and accelerators can see your profile information (name, skills, bio, location, photo, LinkedIn URL). Your login email and contact email are NOT visible in browse pages or search results.
- Hidden Profiles Listed as Team Members: If you set your profile to hidden but are listed as a team member on a company profile, your name and role will be visible on that company's public profile page. Your full profile remains accessible only via direct link.
- Company Information: Startup profiles and openings are visible to all users for matching purposes. Company contact emails are NOT visible in browse pages.
- Contact Relay: When you send a message via the Platform, the recipient receives your contact email to enable direct communication. Your email remains hidden from other users until you initiate contact.
- Accelerator Cohort Management: When an accelerator adds you to their cohort participant list, they can see your name, login email, contact email, and profile information. This is visible only to that accelerator's administrators, not to other Platform users. If an accelerator invites you to the Platform via a cohort participant invitation link, your account will be automatically linked to that accelerator's cohort upon registration, and the accelerator will immediately be able to view your profile information as described above.
- Accelerator Profiles: Accelerator information is publicly visible to facilitate program discovery.
5.2. Service Providers (Data Processors)
We use trusted third-party service providers to operate the Platform. All processors are bound by Data Processing Agreements and GDPR compliance obligations:
- Railway (Netherlands): Backend API hosting
- Neon (AWS Frankfurt): PostgreSQL database storage
- Vercel (EU): Frontend application hosting
- Cloudflare R2 (EU): Image storage for profile photos and company logos
- Resend (Ireland): Transactional email delivery (verification, notifications)
- Sentry (EU region): Error monitoring and debugging
- PostHog (EU region): Usage analytics and product insights
- Mistral AI (France): AI-powered profile suggestion generation when you use the Finish Profile AI assistant feature
All data processing occurs within the European Economic Area (EEA). No data is transferred outside the EEA.
5.2A. AI Processing Provider
When you use the Finish Profile AI assistant feature:
Third-Party Processor: Mistral AI (France, EU)
Data Processing:
- Your uploaded PDF: Deleted immediately after text extraction
- Extracted text: Sent to Mistral AI, deleted immediately after response
- AI suggestions: Deleted immediately after display to you
- Metadata only: Stored 30 days (timestamps, text lengths, counts — NOT content)
Mistral AI Data Handling: We do not have information on Mistral AI's data retention practices. By using this feature, you acknowledge your document text will be processed by Mistral AI.
This feature is optional. You can complete your profile manually.
Legal Basis: Contractual necessity (GDPR Art. 6(1)(b)).
5.3. Legal Obligations
We may disclose your data if required by law, court order, or to protect the rights and safety of Kouna, our users, or the public.
6. How Long We Keep Your Data
6.1. Active Accounts
We retain your data for as long as your account is active and as necessary to provide the Platform services.
6.2. After Account Deletion
When you delete your account:
- Immediate Deletion: Email, password, authentication credentials, session tokens, newsletter subscription
- Archived for 1 year, then permanently deleted: Profile data, contact message metadata, feedback, reports
- Anonymized Retention: Accelerator participant records show "Deleted User" instead of your name
6.3. Specific Data Categories
- Contact Message Content: 30 days after sending
- Invitation Target Emails: 30 days after invitation is used or expires
- Authentication Logs: 1 year (then aggregated anonymously)
- Unlinked Participant Data (added by accelerators): Permanently deleted when the accelerator deletes the participant record, cohort, program, or accelerator account
- Accelerator Deletion Impact: If an accelerator deletes their account, you are unlinked from their cohorts. If you were added as an unlinked participant (no Platform account), that data is archived for 1 year then permanently deleted. Your Platform account and profile are unaffected.
- Analytics Data: Retained per PostHog's data retention policy (configurable, default 7 years for free tier)
- AI Assistant Metadata: 30 days after processing (text lengths, counts, timestamps only — content never stored)
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
7.1. Right of Access (Art. 15)
Request a copy of all personal data we hold about you. We will provide this in JSON format within 30 days.
7.2. Right to Rectification (Art. 16)
Correct inaccurate or incomplete data via your profile settings or by contacting gdpr@kouna.app.
7.3. Right to Erasure (Art. 17)
Delete your account via Settings → Delete Account. See Section 6 for data retention after deletion. You may also request erasure by contacting gdpr@kouna.app.
7.4. Right to Restriction of Processing (Art. 18)
Request temporary suspension of data processing under specific circumstances (e.g., while we verify data accuracy or assess legitimate grounds). Contact gdpr@kouna.app.
7.5. Right to Data Portability (Art. 20)
Receive your data in structured, machine-readable JSON format including profile, companies, openings, and contact message metadata. Available in your account settings or by request to gdpr@kouna.app.
7.6. Right to Object (Art. 21)
Object to processing based on legitimate interest (e.g., analytics, matching algorithm, security monitoring). We will stop processing unless we demonstrate compelling legitimate grounds. Contact gdpr@kouna.app.
7.7. Right to Withdraw Consent
Withdraw consent at any time for newsletter subscription (unsubscribe link or profile settings), profile visibility (profile settings), analytics tracking (profile settings toggle), accelerator recommendations (delete startup profile), or AI profile assistance (by choosing not to use the feature).
7.8. Right to Lodge a Complaint
File a complaint with the Slovak Data Protection Authority (Úrad na ochranu osobných údajov SR) at www.dataprotection.gov.sk or via email to statny.dozor@pdp.gov.sk.
To exercise your rights, contact: gdpr@kouna.app. We will respond within 30 days.
8. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: TLS encryption for data in transit, encryption of databases at rest via Neon
- Password Security: Passwords hashed using bcrypt with 10 salt rounds; we never store plain-text passwords
- Access Controls: JWT access tokens (15-minute expiry) and refresh tokens (7-day expiry with rotation)
- Account Protection: Account lockout after 5 failed login attempts (15-minute lockout period)
- Secure Infrastructure: EU-based hosting (Railway Netherlands, Neon Frankfurt, Vercel EU, Cloudflare R2 EU, Resend Ireland)
- Input Validation: Protection against SQL injection, XSS, and other common attacks
- Monitoring: Real-time error monitoring via Sentry to detect and respond to security incidents
9. Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms:
- We will notify the Slovak Data Protection Authority within 72 hours of becoming aware of the breach
- If the breach poses a high risk to you, we will notify you via email without undue delay with details of the breach, potential consequences, and recommended protective measures
10. Cookies and Tracking Technologies
10.1. Essential Cookies
We use essential cookies required for Platform operation:
- Authentication: Session tokens to keep you logged in
- Security: CSRF protection tokens
10.2. Analytics Cookies
PostHog (EU region) analytics cookies track:
- Page views and feature usage
- Session recordings (with masking enabled to redact passwords and sensitive form inputs)
- User journey flows
Legal Basis: Legitimate interest (platform improvement). You can opt out by toggling analytics in your profile settings or by enabling "Do Not Track" in your browser.
10.3. Third-Party Cookies
If you sign in via Google OAuth, Google may set its own cookies per their privacy policy. We do not control third-party cookies.
11. International Data Transfers
All personal data is processed and stored within the European Economic Area (EEA):
- Railway: Netherlands
- Neon: AWS Frankfurt, Germany
- Vercel: EU region
- Cloudflare R2: EU region
- Resend: Ireland
- Sentry: EU region
- PostHog: EU region
- Mistral AI: France
No data is transferred outside the EEA. If this changes, we will implement Standard Contractual Clauses (SCCs) or rely on adequacy decisions to ensure GDPR-compliant transfers.
12. Children's Privacy
The Platform is not intended for individuals under 16 years of age. We do not knowingly collect data from children under 16.
During registration, users must confirm they are at least 16 years old via checkbox. We do not collect or store date of birth information. If we discover that a user under 16 has created an account, we will delete the account and associated data immediately.
If you believe a child under 16 has created an account, contact gdpr@kouna.app immediately.
13. Automated Decision-Making and Profiling
13.1. Recommendation Engine
We use automated matching algorithms to:
- Match startups to relevant accelerator programs based on hard requirements and soft preferences
- Suggest relevant members and openings in browse pages
These algorithms do not produce legal effects or have a significant effect on you. They are recommendations only — you control all decisions about whom to contact or which programs to apply to.
13.2. No Profiling for Marketing
We do not use profiling for targeted advertising or automated decision-making that produces legal or similarly significant effects.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
Material changes will be communicated via:
- Email notification to your registered email address
- Prominent notice on the Platform homepage
Changes will take effect 30 days after notification. Continued use of the Platform after this period constitutes acceptance of the updated Privacy Policy.
The effective date at the top of this document shows when the policy was last updated.
15. Contact Us
For questions about this Privacy Policy, to exercise your GDPR rights, or to report privacy concerns:
- Data Protection Contact: gdpr@kouna.app
- Postal Address: M.R.Štefánika 1696/6, 96001 Zvolen, Slovensko
- Response Time: We will respond to your request within 30 days.
Supervisory Authority: If you are not satisfied with our response, you may lodge a complaint with:
- Úrad na ochranu osobných údajov Slovenskej republiky
- Hraničná 12, 820 07 Bratislava 27, Slovakia
- Website: www.dataprotection.gov.sk
- Email: statny.dozor@pdp.gov.sk