Privacy Policy
Last updated: April 26, 2026
1. Who We Are
Kairo Ventures (“we,” “us,” “our”) is a company registered in a free zone in Dubai, United Arab Emirates. We operate TactMax at founder-signal.com (“the Platform”). This Privacy Policy explains what personal data we collect when you use the Platform, how we use it, who we share it with, how long we keep it, and what rights you have. If you have any questions, contact us at hugues@topr.io.
2. Data We Collect
2.1 Information You Provide
- Account data: email address, and — if you sign in via Google OAuth — your Google profile display name and avatar image
- Onboarding preferences: your niche selection (e.g., B2B SaaS, developer tools, consumer apps) and founder stage, collected during the onboarding flow to personalise your experience
- Saved content: insights and founders you bookmark within the Platform
- Payment data: processed entirely by Stripe — we store only your Stripe customer ID; we never see, transmit, or store your full card number, expiry date, or CVV
- Takedown or correction requests: name, email, and the content of any notice you submit via hugues@topr.io
2.2 Information Collected Automatically
- Product analytics: pages viewed, search queries entered, insight cards clicked, and feature interactions — collected via PostHog
- Error telemetry: JavaScript exceptions, stack traces, and performance traces collected via Sentry to help us identify and fix bugs
- Device and request data: IP address, browser type and version, operating system, language preferences, and HTTP request metadata — used for security, abuse prevention, and aggregate analytics
- Bot-protection signals: Cloudflare Turnstile collects device and behavioural signals on sign-up and takedown forms to distinguish real users from automated traffic; this data is processed by Cloudflare and is not stored by us
3. How We Use Your Data
We use your personal data to:
- Create and maintain your account, authenticate your sessions, and gate access to paid features
- Personalise your feed and search results based on the niche and founder stage you select during onboarding
- Process payments, manage your subscription, and issue receipts through Stripe
- Send transactional emails: account verification links, password reset links, subscription confirmations, billing receipts, and takedown acknowledgement notices — delivered via Resend
- Improve the Platform through aggregated, anonymised usage analytics via PostHog
- Monitor and fix application errors and crashes via Sentry
- Prevent fraud, abuse, and unauthorised access
We do not sell your personal data to any third party. We do not use your data for targeted advertising or share it with advertising networks. We do not send marketing emails without your explicit opt-in.
4. Legal Basis for Processing
We process your personal data on the following legal bases, consistent with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL) and applicable international standards:
- Contract performance: processing necessary to deliver the service you’ve subscribed to (account creation, payment processing, personalisation)
- Legitimate interests: security monitoring, fraud prevention, error tracking, and product analytics that help us improve the Platform, where these interests are not overridden by your rights
- Consent: where we ask for your explicit agreement (e.g., optional marketing communications)
- Legal obligation: retention of purchase records to satisfy financial reporting and legal obligations
5. Third-Party Services
We rely on the following named third-party services to operate the Platform. Each provider is subject to its own privacy policy and data processing agreement. We do not share personal data with any party not listed here.
- Supabase — database hosting and authentication; your account data, preferences, and bookmarks are stored in Supabase’s managed Postgres infrastructure, protected by row-level security
- Vercel — application hosting and global edge delivery; processes HTTP request logs and anonymised page performance data via Vercel Analytics
- Stripe — payment processing and subscription management; subject to Stripe’s own privacy policy; we store only your Stripe customer ID, not your card details
- Resend — transactional email delivery for account and billing notifications
- Sentry — error monitoring and crash reporting; error events are retained for 90 days
- PostHog — product analytics; we configure PostHog to anonymise where possible and do not send personally identifiable information beyond what is technically required for session attribution
- Cloudflare Turnstile — bot-protection on sign-up and takedown forms; challenge signals are processed by Cloudflare and are not retained by us
6. Data Retention
- Account data: retained while your account is active and for 30 days after account deletion (to allow recovery), then permanently deleted
- Purchase records: retained for 7 years to meet applicable financial record-keeping obligations, then deleted
- Usage analytics: individual-level event records purged after 90 days; aggregated, anonymised data may be retained indefinitely
- Error logs: retained in Sentry for 90 days, then automatically purged
- Takedown and correction requests: retained for 3 years for legal record-keeping purposes, then deleted
7. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to personal data we hold about you:
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate or incomplete data
- Deletion: request deletion of your personal data (“right to be forgotten”), subject to our legal retention obligations
- Portability: receive your account data in a structured, machine-readable format
- Objection: object to processing based on legitimate interests
To exercise any of these rights, email us at hugues@topr.io. We will respond within 30 days. We may ask you to verify your identity before processing a request.
8. Cookies
We use the following cookies and similar technologies:
- Supabase auth session: an HTTP-only, Secure cookie that maintains your authenticated session. This cookie is strictly necessary for the Platform to function and cannot be disabled without preventing login.
- PostHog analytics: a first-party analytics cookie that tracks anonymised usage patterns such as page views and feature interactions. You can opt out via your browser’s cookie controls or by contacting us.
- Vercel Analytics: anonymous page-view data used to measure application performance; no personal identifiers are stored.
We do not use advertising cookies or third-party tracking pixels, and we do not participate in cross-site retargeting networks.
9. Data Security
We take reasonable technical and organisational measures to protect your personal data. All data in transit is encrypted via TLS (HTTPS). Database access is governed by Supabase row-level security policies, ensuring each user’s data is isolated and inaccessible to other users. Authentication sessions use HTTP-only, Secure cookies that are not accessible to client-side JavaScript. Payment data is handled exclusively by Stripe, a PCI DSS Level 1-compliant provider. In the event of a personal data breach, we will notify affected users and relevant authorities within the timeframes required by applicable law.
10. International Transfers
Our infrastructure providers may process and store data in regions outside the UAE, including the European Union and the United States. Where personal data is transferred internationally, we rely on appropriate contractual safeguards, including the EU Standard Contractual Clauses (SCCs) where applicable, to ensure that your data receives an equivalent level of protection to that required under the UAE PDPL. If you would like more information about the transfer mechanisms applicable to a specific provider, contact us at hugues@topr.io.
11. Children’s Privacy
The Platform is intended for users aged 18 and over and is not directed to children under the age of 18. We do not knowingly collect personal data from minors. In compliance with the Children’s Online Privacy Protection Act (COPPA) and equivalent laws, if we become aware that we have collected personal data from a person under 18, we will delete that data promptly. If you believe we have inadvertently collected data from a minor, please contact us at hugues@topr.io.
12. UAE Data Protection
This Privacy Policy is governed by and consistent with the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (the “UAE PDPL”). As a company registered in Dubai, UAE, we are subject to the jurisdiction and oversight of the relevant UAE data protection authority. For any data protection complaints or concerns relating to UAE law, you may contact us at hugues@topr.io or refer your concern to the appropriate UAE regulatory authority.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, third-party service providers, or applicable law. For material changes — those that significantly affect how we collect or use your data — we will notify you by email or by a prominent notice on the Platform at least 14 days before the change takes effect. The “last updated” date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically.
14. Contact
For privacy-related questions, data subject requests, or to exercise any of your rights under this policy, contact us at hugues@topr.io. We aim to respond to all privacy enquiries within 30 days.