Skip to main content

Privacy Policy

Last updated: February 28, 2026

1. Introduction

UserDispatch (“we”, “us”, “our”) is operated by Kiruna Labs, Inc., 2261 Market Street, San Francisco, CA 94114, United States. This Privacy Policy explains how we collect, use, and protect information when you use our feedback widget, dashboard, API, and MCP server (collectively, the “Service”). Kiruna Labs is the data controller for all personal data processed through the Service.

2. Information We Collect

We collect the following categories of information:

  • Account information: Name, email address, and profile picture provided via Google OAuth when you sign in to the dashboard.
  • Feedback data: Submissions collected through the widget, including feedback text, ratings, bug reports, file attachments, and browser metadata (user agent, viewport size, page URL).
  • Application logs: If enabled by the app developer, the widget may collect application console logs alongside feedback submissions for debugging purposes.
  • Usage data: Basic analytics about how you interact with the dashboard, including page views and feature usage.
  • Technical data: IP addresses, request timestamps, and server logs necessary for security and rate limiting.

3. How We Use Your Information

  • To provide and maintain the Service, including processing feedback submissions and delivering email notifications.
  • To authenticate your identity and manage your account.
  • To communicate with you about the Service, including responding to support requests.
  • To detect and prevent abuse, fraud, and security incidents.
  • To improve the Service and develop new features.

4. Legal Basis for Processing (EEA)

If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases:

  • Performance of a contract: Processing your account information and feedback data is necessary to provide the Service you signed up for.
  • Legitimate interests: We process usage data and technical data for security, fraud prevention, and service improvement. These interests do not override your fundamental rights.
  • Consent: Where required by law, we obtain your consent before processing (e.g., optional application log collection). You may withdraw consent at any time.

5. Data Storage & Security

Your data is stored in Neon PostgreSQL databases hosted in the United States. File attachments are stored via Vercel Blob Storage. We use encryption in transit (TLS) and implement access controls to protect your data. API keys are generated using cryptographically secure methods. While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

6. International Data Transfers

All data is processed and stored in the United States. If you are located outside the United States, including in the EEA or United Kingdom, your personal data will be transferred to the US.

For transfers from the EEA, we rely on the EU-US Data Privacy Framework as the primary transfer mechanism. Where the Data Privacy Framework does not apply, we use Standard Contractual Clauses approved by the European Commission. You may contact us to obtain a copy of the applicable safeguards.

7. Third-Party Services

We share data with the following third-party service providers, each acting as a data processor on our behalf:

  • Google OAuth: Used for authentication. We receive your name, email, and profile picture.
  • Resend: Used to send email notifications and replies to feedback submitters.
  • Vercel: Hosts the application and provides blob storage for file uploads.
  • Neon: Provides the PostgreSQL database service.

8. Data Retention

We retain data for the following periods:

  • Account data: Retained while your account is active and for 30 days after deletion to allow recovery.
  • Feedback submissions and file attachments: Retained while the associated organization account is active. Permanently deleted when the organization is deleted.
  • Rate-limit data: Held in memory only and automatically discarded after 5 minutes.
  • Server logs: Retained for up to 90 days for security and debugging purposes.

You may request earlier deletion of your data at any time by contacting us.

9. Your Rights

All users have the right to access, correct, or delete their personal data by contacting us at the email below.

EU/EEA and UK Residents

Under the GDPR and UK GDPR, you additionally have the right to:

  • Data portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Restriction of processing: Request that we limit how we use your data in certain circumstances.
  • Right to object: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint: File a complaint with your local data protection supervisory authority.

California Residents

Under the California Consumer Privacy Act (CCPA), you have the right to know what personal information we collect, request its deletion, and opt out of its sale. We do not sell or share your personal information as defined by the CCPA.

Other US State Privacy Laws

Residents of states with applicable privacy laws (e.g., Virginia, Colorado, Connecticut) may exercise similar rights. Contact us at the email below to submit a request.

10. Cookies

We use session cookies for authentication purposes only. We do not use tracking cookies or third-party advertising cookies.

11. Children’s Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at the email below.

12. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised “Last updated” date.

14. Contact

If you have questions about this Privacy Policy or wish to exercise any of your rights, contact us at hello@kiruna.ai or write to us at Kiruna Labs, Inc., 2261 Market Street, San Francisco, CA 94114, United States.

Privacy Policy — UserDispatch