This Policy describes how Kuaklabs processes the personal data of users of kuaklabs.com and of the browser extensions Grok AutoKuak, Flow AutoKuak, ChatGPT AutoKuak and TubeKRadar, in accordance with the GDPR (EU 2016/679), the Spanish LOPDGDD (Organic Law 3/2018) and the LSSI-CE (Law 34/2002). Full controller identification details in the Legal Notice. Contact: hello@kuaklabs.com.
1. Data we process
- Account data: email, name and, where applicable, public profile picture obtained when you sign in with Google.
- Subscription data: plan, status, next renewal date and internal identifiers used to sync with the payment gateway.
- Anonymous identifiers: if you use the extension without an account, we assign a pseudonymous identifier to apply Free Plan limits.
- Usage data: daily aggregate counters per tool (prompts in Grok/Flow/ChatGPT and TubeKRadar scans) that reset at 00:00 UTC and are used exclusively to enforce plan quotas.
- Technical data: IP address, user-agent and access logs kept in server logs.
Kuaklabs does not process: passwords (authentication is exclusively via Google OAuth), the content of your prompts or texts captured by the extension (they travel directly between your browser and the chosen service —Grok, Flow, ChatGPT, YouTube— without passing through Kuaklabs servers), full card or bank account data (Stripe processes them in its PCI-DSS environment) or special category data under GDPR Art. 9.
Sites where the extensions operate
- Source (reading prompts delimited with
[INI]and[FIN]markers): chatgpt.com, claude.ai, gemini.google.com, grok.com, x.com, labs.google. Only the text you have delimited is read. - Destination (sending prompts and downloading results): grok.com / x.com (Grok AutoKuak), labs.google on Flow/Veo routes (Flow AutoKuak) and chatgpt.com (ChatGPT AutoKuak).
- YouTube (TubeKRadar): www.youtube.com / youtube.com. Processes only public data visible on the page.
2. Legal bases and purposes
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and maintain the account, authenticate, apply plan quotas and unlock Pro features | Art. 6(1)(b) — contract performance |
| Process payments and subscriptions | Art. 6(1)(b) — contract performance; Art. 6(1)(c) — tax and accounting obligations |
| Operational communications (sign-up, receipts, reminders, change notices) | Art. 6(1)(b) — contract performance |
| Fraud and abuse prevention | Art. 6(1)(f) — legitimate interest |
| Compliance with legal obligations (invoicing, requests from authorities) | Art. 6(1)(c) — legal obligation |
Kuaklabs does not perform automated decisions with legal effects (GDPR Art. 22), does not build advertising profiles and does not use third-party analytics or advertising tools.
3. Recipients and international transfers
- Google — identity provider (OAuth).
- Stripe — payment gateway.
- Third-party AI and video services — xAI (Grok), Google LLC (Flow/Veo), OpenAI (ChatGPT) and, as sources, Anthropic (claude.ai) and Google (gemini.google.com). Content travels directly from your browser to those services; their use is governed by each provider’s policies.
- Cloud and web hosting providers (EU) — host the backend/database and the kuaklabs.com website respectively.
- Transactional email provider — sends operational communications.
Transfers outside the European Economic Area rely on the mechanisms of Chapter V GDPR (EU-US Data Privacy Framework and/or Standard Contractual Clauses).
4. Retention
- Account and subscription data: while the account is active.
- After deletion: up to 6 months for support and accounting reconciliation; afterwards, erasure or anonymisation.
- Technical logs: 30 to 90 days.
- Invoicing and payment records: the applicable legal periods (Spanish Commercial Code Art. 30 and General Tax Law Art. 66).
5. Your rights
You may at any time exercise the rights of access, rectification, erasure, restriction, portability and objection (GDPR Arts. 15-22) and withdraw consent when processing is based on it, by writing to hello@kuaklabs.com. We will respond within a maximum of 30 calendar days. You may also lodge a complaint with the Spanish Data Protection Agency (AEPD) — www.aepd.es.
6. Minors and security
The Service is not directed at children under 14 years (Art. 7 LOPDGDD); if Kuaklabs becomes aware that an account has been created in the name of a minor under 14, it will proceed to delete it. We apply reasonable technical and organisational measures (TLS encryption, access control, cryptographic verification of webhooks). A breach likely to result in a high risk will be notified to the AEPD within 72 hours (GDPR Art. 33) and to the affected User without undue delay (Art. 34).