Member Terms of Service

Effective Date: May 2026

1. Acceptance of Terms

By creating an account on Kouna (the "Platform"), whether through registration or invitation acceptance, you agree to these Terms of Service ("Terms"), the Privacy Policy, and all applicable laws. If you do not agree, do not use the Platform.

These Terms constitute a legally binding agreement between you and the Platform operator (the "Operator"). The Operator is currently operating as a živnosť (sole trader license) registered in Slovakia and will transition to a limited liability company (s.r.o.) upon its registration as an s.r.o.

2. Definitions

• Platform: Kouna web application accessible at kouna.app and associated domains.
• Member: Any individual with a registered account (founder, professional, or team member).
• Founder: A Member who creates company profiles or personal openings.
• Content: All data submitted by Members including profiles, company information, openings, messages, and images.
• Personal Data: Information relating to an identified or identifiable natural person as defined by GDPR.

3. Eligibility

• Age Requirement: You must be at least 16 years old to create an account. During registration, you will be required to confirm you meet this age requirement. Accounts created by individuals under 16 will be terminated.
• Accuracy: You must provide accurate information during registration and keep it current.
• Account Security: You are responsible for maintaining the confidentiality of your password and all activity under your account.

4. Account Registration and Authentication

You may register using:

• Email and password (requires email verification)
• Google OAuth

If you attempt to register using an authentication provider that differs from the one used for an existing account with the same email address, your registration will be rejected. You must use your original authentication method.

After 5 consecutive failed login attempts, your account will be locked for 15 minutes. This is a security measure to protect your account from unauthorized access.

5. Data Controller Information

• Data Controller: Matej Kuka
• Business Registration (IČO): 55957366
• Registered Address: M.R.Štefánika 1696/6, 96001 Zvolen, Slovensko
• Data Protection Contact: gdpr@kouna.app
• Supervisory Authority: Úrad na ochranu osobných údajov Slovenskej republiky, Hraničná 12, 820 07 Bratislava

6. Data Processing and Legal Basis

6.1 Categories of Personal Data Processed

• Account Data: Email address, password hash (bcrypt, 10 rounds), authentication provider ID, age requirement confirmation.
• Profile Data: First name, last name, contact email, skills, experience, bio, profile photo, school information, LinkedIn URL, location, languages, availability status, visibility preferences.
• Company Data: Company name, description, stage, industry, location, logo, contact email, team member details.
• Opening Data: Job title, role type, requirements, compensation details, languages.
• Communication Data: Message content, sender ID, recipient ID, timestamp (retained for 30 days).
• Invitation Data: Target email addresses for pending invitations (retained for 30 days after use or expiry).
• Technical Data: Login timestamps, failed login attempts, session tokens, IP addresses (logged for security), error logs.
• AI Assistant Data: When you use the Finish Profile AI assistant, we temporarily process uploaded PDFs and extracted text (immediately deleted after processing). Only metadata is stored for 30 days: upload timestamp, text lengths, field counts, success status, Mistral request ID.

6.2 Legal Bases for Processing

• Contractual Necessity (GDPR Art. 6(1)(b)): Processing of account, profile, company, and opening data necessary to provide the matching service you requested. Processing of uploaded documents via AI assistant when you use that feature.
• Consent (GDPR Art. 6(1)(a)): Newsletter subscription (opt-in checkbox during registration or invitation acceptance), profile visibility toggle, accelerator program recommendation engine.
• Legitimate Interest (GDPR Art. 6(1)(f)): Security monitoring (failed login tracking, account lockout), fraud prevention, error monitoring via Sentry, usage analytics via PostHog (EU region), accelerator matching algorithm.

6.3 Withdrawal of Consent

You may withdraw consent at any time by:

• Unsubscribing from the newsletter via the link in emails or in your profile settings.
• Toggling profile visibility to hidden in your profile settings.
• Deleting your account.

Withdrawal does not affect the lawfulness of processing before withdrawal.

6.4 AI Profile Assistant ("Finish Profile AI")

What It Does: Optionally generates profile suggestions from your uploaded PDF documents.

Data Processing:

• Third-Party Processor: Mistral AI (France, EU)
• Your PDF: Deleted immediately after text extraction
• Extracted text: Sent to Mistral AI, deleted immediately after response
• AI suggestions: Deleted immediately after display to you
• Metadata only: Stored 30 days (timestamps, text lengths, counts — NOT content)

Rate Limit: 5 uploads per 30 minutes.

Your Responsibility: Only upload YOUR OWN documents. Review AI suggestions carefully before saving.

Disclaimer: AI suggestions may be inaccurate. We are not liable for AI errors or Mistral AI's data handling. AI output provided "as is" without warranties.

Legal Basis: Contractual necessity (GDPR Art. 6(1)(b)).

7. Third-Party Data Processors

The Operator uses the following processors under signed Data Processing Agreements (DPAs):

• Railway (Netherlands): Backend API hosting.
• Neon (AWS Frankfurt): PostgreSQL database.
• Vercel (EU): Frontend hosting.
• Cloudflare R2 (EU): Image storage.
• Resend (Ireland): Transactional emails (verification, password reset, contact relay, notifications).
• Sentry (EU region): Error monitoring and logging.
• PostHog (EU region): Usage analytics and session replay.
• Mistral AI (France): AI-powered profile suggestion generation when you use the Finish Profile AI assistant feature.

All processors are configured to store and process data within the European Economic Area. Standard Contractual Clauses are in place where required for non-EEA processors.

8. Profile Visibility and Discoverability

• Public Visibility: When you set your profile to visible, your profile information (name, skills, bio, location, photo, LinkedIn URL) becomes discoverable by all Platform users, including Founders and Accelerators. Your login email and contact email are NOT displayed on browse pages or search results.
• Hidden Visibility: When set to hidden, your profile is excluded from browse pages and search results but remains accessible via direct link or if you are listed as a company team member.
• Email Protection: Your contact email is only shared with another user after you send them a message via the contact relay system, or after they send you a message and you respond. This allows you to control who can contact you directly.
• Accelerator Access: Accelerators with paid subscriptions can browse all visible member profiles and startups to identify talent and deal flow. However, your email addresses remain hidden unless you initiate contact or are added to an accelerator's cohort participant list. This access is based on legitimate interest in facilitating the startup ecosystem.
• Control: You can change your visibility setting at any time in your profile settings.

9. Newsletter and Communications

• Subscription: During registration or invitation acceptance, you will be presented with an opt-in checkbox to subscribe to the Kouna newsletter. This checkbox is unchecked by default. You are not required to subscribe to use the Platform.
• Transactional Emails: You will receive essential service emails (email verification, password reset, contact relay notifications) regardless of newsletter subscription. These are necessary for platform operation.
• Unsubscribe: You may unsubscribe from the newsletter at any time by: (a) clicking the unsubscribe link in any newsletter email, or (b) disabling newsletter subscription in your profile settings.

10. Contact Relay System

The Platform provides an email relay system allowing Members to contact each other without exposing personal email addresses until consent is given.

• How It Works: When you send a message through the Platform, the recipient receives your contact email address so they can reply directly if they choose. Your email remains hidden from other users until you initiate contact.
• Message Storage: Message content, sender ID, recipient ID, and timestamp are stored for 30 days to facilitate dispute resolution and are then permanently deleted.
• Rate Limiting: Contact activity is tracked to enforce rate limits and prevent spam. The Operator reserves the right to suspend accounts that abuse the contact system.
• Prohibited Content: You may not send spam, harassment, discriminatory content, or illegal material through the contact system. Violations may result in immediate account termination.

11. Company Profiles and Team Members

• Company Ownership: The Member who creates a company profile is the owner and has full control over that profile, including adding/removing team members and deleting the company.
• Team Member Invitations: Company owners may invite team members via invitation link. Invitations are valid for a limited time and may only be used once. The invited person's email address is stored for 30 days after the invitation is used or expires, then permanently deleted. The invited person must create an account to be linked to the company.
• Unconfirmed Members: Team members listed without confirmed accounts (name and role only) are visible on the company profile but are not included in accelerator recommendation matching.
• Company Deletion: Deleting a company permanently removes the company profile and all associated openings. This action cannot be undone.

12. Accelerator Program Recommendations

When you create a startup profile, the Platform's recommendation engine matches your startup to relevant accelerator programs based on:

• Hard Requirements: Location, target audience, school affiliation (if applicable), startup stage, industry, languages.
• Soft Preferences: Additional matching criteria set by accelerators (not visible to you).

Recommendations are automatically refreshed when you edit your startup details. Clicking the "Apply" button for a recommended program increments an anonymous counter (no personal tracking) and redirects you to the accelerator's external application page.

You may opt out of receiving recommendations by deleting your startup profile.

13. Prohibited Uses

You agree not to:

• Violate any laws or regulations
• Create false or misleading profiles
• Impersonate any person or entity
• Post inappropriate, offensive, or illegal content
• Harass, abuse, or threaten other users
• Send spam or unsolicited commercial messages
• Scrape, harvest, or systematically download data
• Use automated tools (bots, scripts) without permission
• Upload viruses, malware, or malicious code
• Circumvent security features or access controls
• Interfere with the Platform's operation
• Use the Platform to recruit for competing services
• Upload documents containing other people's personal data to the Finish Profile AI assistant without their consent
• Attempt to manipulate, reverse engineer, or abuse the AI processing pipeline
• Exceed rate limits by creating multiple accounts or using automated tools with the AI assistant
• Upload malicious, encrypted, or corrupted files to the AI assistant feature

14. Data Retention and Deletion

14.1 Active Account Data

All profile, company, and opening data is retained while your account is active.

14.2 Account Deletion

When you delete your account via Settings → Delete Account:

• Immediate Hard Deletion: users table row (email, password hash, authentication credentials), all refresh tokens (session termination), newsletter subscription.
• Profile Anonymization: profiles.user_id set to null, profile marked as archived, excluded from all browse queries.
• Retained for 1 Year, Then Purged: Archived profile data, contact messages (sender/recipient metadata), feedback submissions, reports.
• Retained Indefinitely (Anonymized): Accelerator participant records (if you were linked as a participant) will show "Deleted User" instead of your name.
• Cascade Deletion: All companies you own and their openings are permanently deleted. Personal openings are permanently deleted.

This action cannot be undone.

14.3 Specific Retention Periods

• Contact Message Content: 30 days after sending, then permanently deleted (metadata retained per 14.2).
• Invitation Records: Target email addresses retained for 30 days after invitation is used or expires, then permanently deleted.
• Authentication Logs: 1 year, then aggregated anonymously and individual records deleted.
• AI Assistant Metadata: 30 days after processing (text lengths, counts, timestamps only — content never stored).

15. Data Security

The Operator implements technical and organizational measures to protect your Personal Data:

• Passwords hashed using bcrypt with 10 salt rounds.
• JWT access tokens (15-minute expiry) and refresh tokens (7-day expiry with rotation).
• Account lockout after 5 failed login attempts (15-minute lockout period).
• TLS encryption for all data in transit.
• Database encryption at rest via Neon.
• Input validation and sanitization to prevent injection attacks.
• Regular security monitoring via Sentry error logs.

16. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

• The Operator will notify the Úrad na ochranu osobných údajov SR within 72 hours of becoming aware of the breach.
• If the breach poses a high risk, you will be notified via email without undue delay with details of the breach and recommended actions.

17. Content Ownership and License

• Your Content: You retain ownership of all Content you submit. You grant the Operator a non-exclusive, worldwide, royalty-free license to host, display, and process your Content solely to provide the Platform services.
• Prohibited Content: You may not post content that is illegal, defamatory, discriminatory, infringing, fraudulent, or violates third-party rights.
• Content Removal: The Operator reserves the right to remove Content that violates these Terms or applicable law, without prior notice.

18. Reporting Violations

You may report inappropriate content, spam, or suspected violations via the "Report" button on any profile, company, or opening. Reports are reviewed manually. Submitting false reports may result in account suspension.

Serious violations (illegal activity, threats, harassment) should be reported immediately to gdpr@kouna.app.

19. Termination and Suspension

• Voluntary Termination: You may delete your account at any time via Settings → Delete Account (see Section 14 for data handling).
• Suspension for Violations: The Operator may suspend or terminate your account immediately for violations of these Terms, including but not limited to: spam, harassment, fraudulent activity, abuse of the contact relay system, posting prohibited content, or misrepresenting your identity.
• Effect of Termination: Upon termination, your access to the Platform is revoked immediately. Data retention follows Section 14 policies.

20. Disclaimers and Limitation of Liability

20.1 Service Provided "As Is"

The Platform is provided on an "as is" and "as available" basis without warranties of any kind, express or implied. The Operator does not guarantee uninterrupted, error-free, or secure operation.

20.2 No Verification of Users

The Operator does not verify the identity, credentials, or claims of Members. You are solely responsible for evaluating potential co-founders, employees, or business opportunities found through the Platform. Conduct your own due diligence.

20.3 Third-Party Links

The Platform may contain links to accelerator application pages and external websites. The Operator is not responsible for the content or practices of third-party sites.

20.4 Limitation of Liability

To the maximum extent permitted by Slovak law, the Operator shall not be liable for any indirect, incidental, consequential, or punitive damages arising from your use of the Platform, including but not limited to: loss of profits, loss of business opportunities, data loss, or reliance on information obtained through the Platform. The Operator's total liability for any claim shall not exceed €100.

20.5 AI-Generated Content

AI-generated profile suggestions from the Finish Profile AI assistant are provided "as is" without warranties of any kind. The Operator does not guarantee:

• Accuracy or completeness of AI suggestions
• Suitability of AI-generated content for your profile
• That AI suggestions will be free from errors, bias, or inappropriate content
• That the AI assistant feature will always be available or function without interruption

You acknowledge that AI technology has limitations and may produce unexpected or incorrect results. You are solely responsible for all content you save to your profile, including any content derived from AI suggestions.

21. Indemnification

You agree to indemnify and hold harmless the Operator from any claims, damages, losses, or expenses (including legal fees) arising from: (a) your violation of these Terms, (b) your Content, (c) your use of the Platform, or (d) your violation of any third-party rights.

22. Modifications to Terms

The Operator reserves the right to modify these Terms at any time. Material changes will be communicated via email or prominent notice on the Platform at least 30 days before taking effect.

Continued use of the Platform after changes become effective constitutes acceptance of the modified Terms. If you do not agree, you must delete your account.

23. Governing Law and Jurisdiction

These Terms are governed by the laws of the Slovak Republic. Any disputes arising from these Terms or your use of the Platform shall be subject to the exclusive jurisdiction of the courts of Bratislava, Slovakia.

If you are a consumer, you retain the right to bring claims in the courts of your habitual residence within the EU.

24. Severability

If any provision of these Terms is found to be unenforceable or invalid, the remaining provisions shall remain in full force and effect.

25. Entire Agreement

These Terms, together with the Privacy Policy, constitute the entire agreement between you and the Operator regarding the Platform and supersede all prior agreements.

26. Contact Information

For questions about these Terms or to exercise your GDPR rights:

• Email: gdpr@kouna.app
• Postal Address: M.R.Štefánika 1696/6, 96001 Zvolen, Slovensko
• Data Protection Contact: gdpr@kouna.app