Kindling

Privacy Policy

Last updated: April 14, 2026

What Kindling Is

Kindling (kindlingmagic.com) is an AI marketing tool that helps startup teams plan and create marketing campaigns. You give us a brief. We generate campaign content using AI. That's it.

This policy explains what data we collect, what we don't, and how we handle what passes through our system.

What We Collect

Account information (stored on our servers):

  • Email address
  • Hashed password (if you sign up with email)
  • Subscription status (free or Pro)
  • Aggregate usage metrics -- campaign count, feature usage counts
  • Campaigns you save to your account, including the brief, brand context, and generated content. These are stored in Firestore, encrypted at rest, scoped to your user account by database security rules, and deletable by you at any time.

Your saved campaigns are visible only to you. Firestore security rules enforce user-level isolation at the database layer -- no other user can read or list your campaigns, and staff access is limited to the few people who operate Kindling, under confidentiality obligations.

If you don't want a campaign saved to your account, just don't hit Save. Campaigns you don't save are never persisted server-side.

What We Store Locally

Campaign history, brand profiles, and user preferences are stored in your browser's local storage (IndexedDB). This data lives on your device, not our servers. You can clear it anytime from your Account page.

What We Share with Third Parties

We share limited data with three services to make Kindling work:

  • Anthropic (Claude API) -- When you generate a campaign, your brief and brand context are sent to Anthropic's API for content generation. Anthropic processes this data under their API terms and does not use it to train models.
  • Google Cloud (Firebase / Firestore) -- Hosts our user accounts and any campaigns you choose to save. Data is encrypted at rest (AES-256) and in transit, and access is enforced at the database layer by per-user security rules.
  • Loops -- Your email address is shared with Loops for transactional emails (account notifications, schedule reminders). Nothing else.
  • Vercel -- Kindling is hosted on Vercel. Standard server logs (IP addresses, request metadata) are processed by Vercel's infrastructure.

No analytics platforms receive your campaign content. We don't sell or share your data with advertisers.

Data Processing -- Not Storage

When you submit a brief, it's sent to our API, forwarded to Anthropic for generation, and the result is returned to your browser. Nothing is persisted on our servers. The brief goes in, content comes out, and the server forgets.

Cookies

We use essential cookies for authentication and session management. If we add analytics in the future, we'll implement a cookie consent banner and update this policy.

Cross-Border Data

Kindling is operated from Australia. Your data is processed by services based in the United States (Anthropic, Vercel, Loops). By using Kindling, you acknowledge that your data may be transferred to and processed in the United States.

Your Rights

You can:

  • Delete your account -- From the Account page or by emailing us. This removes all server-side data permanently.
  • Clear local data -- Use the "Clear all data" button on the Account page to wipe campaign history and brand context from your browser.
  • Request your data -- Email us and we'll provide everything we have (which is just your account info and usage counts).
  • Withdraw consent -- Stop using the service anytime. Delete your account to remove your data.

GDPR (EU/UK Users)

If you're in the EU or UK, you have additional rights under GDPR including the right to access, rectification, erasure, data portability, and the right to object to processing. Our legal basis for processing is contract performance (providing the service you signed up for) and legitimate interest (improving the product).

We maintain Data Processing Agreements with Anthropic, Vercel, and Loops.

Australian Privacy Act

We comply with the Australian Privacy Principles. We only collect data necessary to provide the service, use it only for that purpose, and disclose cross-border processing to US-based services as noted above.

Data Retention

Account data is retained while your account is active. When you delete your account, all server-side data is permanently removed. Browser-stored data persists until you clear it or clear your browser data.

Security

Passwords are hashed. API keys are stored as environment variables, never in source code. All traffic is encrypted via TLS. API routes run in isolated serverless functions with rate limiting and input validation.

Children

Kindling is not intended for anyone under 18. We don't knowingly collect data from minors.

Changes to This Policy

We'll update this page if anything changes. If it's significant, we'll email you.

Contact

Questions about your data? Email hello@kindlingmagic.com