Privacy Policy

Last updated: March 19, 2026

At Kromi, your privacy is fundamental to how we build and operate our service. This policy explains what data we collect, how we use it, and the choices you have. We aim to be transparent and straightforward.

1. Information We Collect

We collect the minimum amount of data needed to provide and improve Kromi.

Account information. When you sign up, we collect your name, email address, and authentication credentials. If you subscribe to a paid plan, our payment processor collects billing information on our behalf.

Brand project data. This includes any brand systems you create through Kromi: colors, typography, logos, images you upload, layout configurations, copy, and any other content you add to your projects.

Usage analytics. We collect anonymous, aggregated data about how you interact with the platform, such as pages viewed, features used, and performance metrics. This helps us understand what's working and what needs improvement.

2. How We Use Your Data

We use the information we collect to:

  • Provide, maintain, and operate the Kromi service
  • Authenticate your account and manage your sessions
  • Store and render your brand projects and generated sites
  • Improve the product based on aggregate usage patterns
  • Send essential service communications (security alerts, billing, major updates)
  • Respond to support requests

3. MCP and AI Data Flow

Kromi uses the Model Context Protocol (MCP) to allow AI assistants to read and edit your brand data. When you connect an MCP-compatible client (such as Claude, Cursor, or another LLM-powered tool), your brand data flows through the connection between your chosen AI provider and the Kromi API.

We do not control how your AI provider processes data. The data you share through MCP is transmitted to your chosen LLM provider according to that provider's own privacy policy and data handling practices. We recommend reviewing your AI provider's privacy policy to understand how they handle the data that passes through their systems.

Kromi's MCP server only facilitates the connection and executes the operations requested. We do not store, log, or inspect the content of MCP conversations beyond what is necessary to perform the requested brand data operations.

4. We Do Not Train AI on Your Data

Your brand projects, designs, uploaded assets, and any other content you create on Kromi are never used to train machine learning models. Your creative work belongs to you, and we do not use it to improve AI systems, build datasets, or for any purpose beyond providing you the service.

5. We Do Not Sell Your Data

We do not sell, rent, or trade your personal information or brand data to third parties. We never have, and we never will. Your data is not our product; Kromi subscriptions are.

6. Cookies

We use minimal cookies, limited to what is strictly necessary for the service to function:

  • Authentication session cookie. Keeps you signed in. Expires when you sign out or after a period of inactivity.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in cross-site tracking.

7. Data Retention and Deletion

We retain your data for as long as your account is active and you are using the service.

When you delete your account, we delete everything. Your account information, all brand projects, uploaded assets, and any associated data are permanently removed from our systems. This process is irreversible and typically completes within 30 days, including removal from backups.

You can delete individual projects at any time from your dashboard. You can request full account deletion by contacting us at privacy@kromi.app.

8. Third-Party Services

We rely on a small number of trusted third-party services to operate Kromi:

  • Neon for database hosting. Your project data is stored in Neon's infrastructure with encryption at rest and in transit.
  • Netlify for application hosting and deployment. Static assets and the application itself are served through Netlify's CDN.
  • Your LLM provider (e.g., Anthropic, OpenAI) when using MCP features. Data flows through their systems according to their own privacy policies.

Each of these providers has been selected for its strong privacy and security practices. We do not share more data with these providers than is necessary for them to perform their function.

9. Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS), encryption at rest, and secure authentication practices. While no system is perfectly secure, we take reasonable and appropriate steps to safeguard your information.

10. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will notify you through the application or by email. Continued use of Kromi after changes take effect constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this privacy policy or how we handle your data, contact us at privacy@kromi.app.