Privacy Policy
1. Who we are
This Privacy Policy explains how POCKET CORP LIMITED ("Pocket Corp", "we", "us", or "our"), a company incorporated in England and Wales with company number 17216769 and registered office at Suite A, 82 James Carter Road, Mildenhall, IP28 7DE, United Kingdom, collects, uses, and protects your personal data when you use Kyroo (the "Service"), our B2B advertising attribution platform available at getkyroo.com and app.getkyroo.com.
Pocket Corp Limited operates Kyroo as a trading name. Throughout this policy, references to "Kyroo" refer to the Service operated by Pocket Corp Limited.
For any privacy-related queries, contact us at support@getkyroo.com.
2. Scope of this policy
This policy applies to:
Visitors to getkyroo.com
Users of the Kyroo application at app.getkyroo.com
Recipients of our marketing or transactional communications
Individuals whose personal data is processed by Kyroo on behalf of our customers (data controllers)
Where Kyroo processes personal data on behalf of a business customer, that customer is the data controller and we act as a data processor. We offer a Data Processing Agreement (DPA) based on the Common Paper mutual DPA template. A sample DPA is available at getkyroo.com/dpa, and counter-signed copies are generated on request — contact support@getkyroo.com.
3. Information we collect
3.1 Information you provide directly
Account information: name, email address, password (hashed), company name, role.
Billing information: billing email, billing address, payment card details (handled by our payment processor Stripe — we do not store full card numbers).
Communications: any information you send us via email, support requests, or in-product chat.
Optional profile information: profile photo, organisation logo, team member details.
3.2 Information collected when you connect integrations
When you authorise Kyroo to connect to third-party services, we collect data from those services as authorised by you. Specifically:
LinkedIn Ads: OAuth access and refresh tokens, ad account identifiers, campaign metadata, advertising performance metrics, and company-level engagement data (impression counts by company).
HubSpot CRM: Private app token or OAuth tokens, company records (name, domain, industry, country), deal records (name, value, stage, close date), and associated metadata authorised by the connected scopes.
Slack: Webhook URL and channel metadata for notification delivery.
We only access integration data within the scopes you authorise. We do not request write access to your CRM, ad accounts, or any data beyond what is needed to deliver the Service.
3.3 Information collected automatically
Usage data: pages visited, features used, session duration, click events within the Service.
Device and connection data: IP address (used for security and abuse prevention), browser type, operating system, referring URL.
Cookies and similar technologies: see Section 9 below.
4. How we use your information
We use personal data for the following purposes, relying on the following lawful bases under UK GDPR:
Purpose: Lawful basis
Providing the Service to you: Contractual necessity
Processing payments and managing subscriptions: Contractual necessity
Sending transactional emails (password resets, receipts, account notifications): Contractual necessity
Providing customer support: Legitimate interests / Contractual necessity
Sending marketing communications (only where you have opted in or where permitted by soft opt-in rules): Consent / Legitimate interests
Improving the Service, debugging, and security monitoring: Legitimate interests
Complying with legal obligations: Legal obligation
Preventing fraud, abuse, and security incidents: Legitimate interests
We do not sell your personal data. We do not use your personal data to train AI models.
5. Who we share your information with
We share personal data with the following categories of recipients, only as necessary to deliver the Service:
5.1 Sub-processors
We maintain a current list of sub-processors at getkyroo.com/subprocessors. Sub-processors that may process personal data include:
Supabase Inc. — database hosting, authentication, and file storage. Customer data is hosted in AWS Frankfurt (eu-central-1), Germany.
Vercel Inc. — application hosting and edge runtime.
Stripe Payments Europe Ltd — payment processing.
Resend Inc. — transactional and marketing email delivery (covered by the EU-US Data Privacy Framework).
Upstash Inc. — caching and rate limiting.
HubSpot Ireland Limited — CRM integration data exchange (only when connected by customer).
LinkedIn Ireland Unlimited Company — advertising data exchange (only when connected by customer).
Slack Technologies LLC — notification delivery (only when connected by customer).
We enter into Data Processing Agreements or equivalent contractual safeguards with each sub-processor, and we will provide reasonable notice of any changes to our sub-processor list per our DPA.
5.2 Other recipients
Professional advisors (lawyers, accountants, auditors) bound by confidentiality.
Regulators and law enforcement where required by law.
Potential acquirers in connection with a merger, acquisition, or asset sale, subject to confidentiality protections.
6. International data transfers
We primarily store customer data in the European Economic Area (EEA), specifically AWS Frankfurt (eu-central-1), Germany.
Some of our sub-processors are located outside the UK and EEA, including in the United States. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards including:
The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses (SCCs)
The EU Standard Contractual Clauses
The EU-US Data Privacy Framework (where the recipient is certified)
7. How long we keep your information
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, or reporting requirements. Specifically:
Account data: retained for the duration of your account plus 30 days after cancellation, after which the account is deleted or anonymised.
Billing records: retained for 7 years to comply with UK tax and accounting law.
Integration data (LinkedIn impressions, HubSpot company and deal records): retained for the duration of your account; deleted within 30 days of account cancellation.
Marketing communications data: retained until you withdraw consent or unsubscribe.
Security logs: retained for up to 12 months for security and abuse prevention.
8. Your rights
Under UK GDPR, you have the following rights:
Right of access: request a copy of the personal data we hold about you.
Right to rectification: request correction of inaccurate or incomplete personal data.
Right to erasure: request deletion of your personal data (subject to legal exceptions).
Right to restrict processing: request that we limit how we use your personal data.
Right to data portability: request a copy of your data in a machine-readable format.
Right to object: object to processing based on legitimate interests or direct marketing.
Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
Right to lodge a complaint: you may complain to your local data protection authority. In the UK, this is the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, contact us at support@getkyroo.com. We will respond within one month, or notify you if we need additional time.
9. Cookies and tracking technologies
We use cookies and similar technologies for the following purposes:
Strictly necessary cookies: required to operate the Service (authentication, security, session management).
Functional cookies: remember your preferences (e.g. UI settings).
Analytics cookies: help us understand how the Service is used so we can improve it.
You can manage cookie preferences through your browser settings. Strictly necessary cookies cannot be disabled as they are required for the Service to function.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including:
Encryption in transit (TLS 1.2 or higher)
Encryption at rest (AES-256 via Supabase)
Row-level security in our database to enforce tenant isolation
Read-only OAuth scopes for third-party integrations
Continuous security monitoring via Aikido Security
Regular dependency and code scanning
Access controls and authentication safeguards
Further detail is available at getkyroo.com/data-and-security.
No system is completely secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.
11. Children's data
The Service is intended for use by businesses and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at support@getkyroo.com and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will notify you via email or in-product notice at least 30 days before the change takes effect.
13. Contact us
Pocket Corp Limited
Suite A, 82 James Carter Road
Mildenhall, IP28 7DE
United Kingdom
Email: support@getkyroo.com
Company number: 17216769
For data protection matters, please mark your email "Privacy enquiry" so we can prioritise it appropriately.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ico.org.uk).