Privacy policy
How KillTheCut handles account, booking, and marketplace data under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). This page is written for our DACH-first pilot, names the data controller, the legal bases for processing, your rights as a data subject, and how to reach us about them.
1. Data controller / Verantwortlicher (Art. 4 No. 7 GDPR)
KillTheCut, Inc. ("KillTheCut", "we", "us")
Email: privacy@killthecut.com
Full registered address and registry information is published on our Imprint page. KillTheCut has not appointed a Data Protection Officer per Art. 37 GDPR; for any privacy concern please email the address above.
2. Categories of data we process
KillTheCut stores the data needed to run a direct premium media marketplace.
- Account data: name, business email, company name, role, password hash, and sign-in session metadata.
- Buyer data: brand profiles, campaign briefs, AI-generated plans, booking activity, invoices, billing email, messages, creative submissions, and issue handling.
- Publisher data: outlet details, listings, legal and payout details, team users, blacklist entries, and fulfillment records.
- Marketplace ops data: reviews, proof-of-delivery, disputes, intervention history, and audit-style operational events.
- Technical data: truncated client IP and request metadata used for rate-limiting and abuse prevention.
- Optional device data: consent choice and per-device preferences when storage is allowed by you.
3. Purposes and legal basis (Art. 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Creating and managing accounts; running the marketplace's core booking, fulfillment, payout, and invoicing workflows. | Art. 6(1)(b) GDPR – performance of contract. |
| Preventing abuse, securing accounts, rate-limiting, fraud detection. | Art. 6(1)(f) GDPR – legitimate interests in operating a secure marketplace. |
| Sending transactional emails (booking confirmed, plan approved, fulfillment updates). | Art. 6(1)(b) GDPR – performance of contract. |
| Meeting accounting, tax, and commercial-law retention requirements. | Art. 6(1)(c) GDPR – legal obligation (HGB §257, AO §147). |
| Optional device-level preference storage. | Art. 6(1)(a) GDPR – your consent (revocable any time). |
4. AI-assisted processing
KillTheCut uses third-party large language models (currently Anthropic Claude) to extract structured fields from buyer-pasted brand books and briefs and to generate media plans. The text you paste, your brand profile, the brief content, and a filtered list of inventory candidates are sent to the model to produce the output. We do not allow the model provider to train on this data and operate under the provider's commercial-API terms. Plans, refinements, and extracted fields are stored in our database. The legal basis is Art. 6(1)(b) GDPR (performance of contract) – the AI is the product.
5. Recipients and processors (Art. 28 GDPR)
Data is shared only where the marketplace workflow or operational reality requires it.
- Buyers and publishers can see each other's booking-related details when needed to fulfill a deal.
- Marketplace operators can access disputes, payment status, and delivery records to support the transaction.
- Sub-processors used to run the service (each under a Data Processing Agreement):
- Render (Render Services, Inc., USA) – application hosting and database.
- Anthropic (Anthropic PBC, USA) – AI model inference for brand profile extraction, brief extraction, plan generation, and refinement.
- SMTP provider – transactional email delivery (provider to be finalised before public launch; transactional only).
Where sub-processors are based outside the EEA, transfers are made under the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR) and any supplementary measures required after the Schrems II ruling.
6. Retention periods
- Account data: kept for the lifetime of the account. Deactivated 30 days after a deletion request; deleted thereafter unless retention is required for the items below.
- Booking and invoice data: retained for 10 years after the end of the calendar year of the transaction (HGB §257, AO §147).
- Brand profiles, briefs, plans: retained for the lifetime of the account; deleted with the account unless they back an active or unsettled booking.
- Audit and security logs: retained for up to 12 months for abuse prevention and forensics, then aggregated or deleted.
7. Your rights as a data subject (Art. 15-22 GDPR)
You have the right to:
- request access to the personal data we hold about you (Art. 15);
- have inaccurate data corrected (Art. 16);
- have your data erased where one of the grounds in Art. 17 applies;
- have processing restricted in the circumstances of Art. 18;
- receive your data in a structured, commonly used and machine-readable format and have it transmitted to another controller where Art. 20 applies;
- object at any time to processing based on legitimate interests (Art. 21);
- withdraw any consent you have given without affecting the lawfulness of prior processing (Art. 7(3)).
To exercise any of these rights, email privacy@killthecut.com. We will respond within one month per Art. 12(3) GDPR.
8. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), in particular the one in your habitual residence, place of work, or place of the alleged infringement. For Germany this is typically the data protection authority of the federal state in which the data subject resides.
9. Contact
For privacy and data-rights questions, email privacy@killthecut.com. For postal correspondence, see the Imprint.
Last updated 2026-05-04. This page is a working draft for the DACH pilot and should be reviewed by company-specific legal counsel prior to public launch. The Imprint is a placeholder until the operating entity is finalised.