Privacy Policy
Last updated: April 30, 2026
1. Who We Are
Kairo Technologies FZCO (“we,” “us,” “our”) is a company registered in the Dubai Multi Commodities Centre (DMCC) free zone, Dubai, United Arab Emirates. We operate The Distribution Market at thedistributionmarket.com (“the Platform”). This Privacy Policy explains what personal data we collect when you use the Platform, how we use it, who we share it with, how long we keep it, and what rights you have. If you have any questions, contact us at hugues@topr.io.
2. Data We Collect
2.1 Information You Provide
- Account data: email address, and — if you sign in via Google OAuth — your Google profile display name and avatar image
- Onboarding preferences: your niche selection (e.g., B2B SaaS, developer tools, consumer apps) and founder stage, collected during the onboarding flow to personalise your experience
- Saved content: insights and founders you bookmark within the Platform
- Payment data: processed entirely by Stripe — we store only your Stripe customer ID; we never see, transmit, or store your full card number, expiry date, or CVV
- Takedown or correction requests: name, email, and the content of any notice you submit via hugues@topr.io
2.2 Information Collected Automatically
- Product analytics: pages viewed, search queries entered, insight cards clicked, and feature interactions — collected via PostHog
- Error telemetry: JavaScript exceptions, stack traces, and performance traces collected via Sentry to help us identify and fix bugs
- Device and request data: IP address, browser type and version, operating system, language preferences, and HTTP request metadata — used for security, abuse prevention, and aggregate analytics
- Bot-protection signals: Cloudflare Turnstile collects device and behavioural signals on sign-up and takedown forms to distinguish real users from automated traffic; this data is processed by Cloudflare and is not stored by us
2.3 Public Information About Founders and Operators
The core product of The Distribution Market is a curated database of insights about founders, operators, and the apps they ship. This information is drawn exclusively from publicly available sources — interviews, podcasts, YouTube videos, articles, newsletters, and social posts — that were freely accessible at the time of ingestion.
- Business information only — we collect only business-related statements (revenue, distribution tactics, product decisions). Personal communications and consumer-context content are disregarded.
- Paraphrase-first — our primary payload is our own paraphrase of what was said. Verbatim quotes are capped at 25 words and used only as supporting evidence.
- Full attribution — every insight carries the original publisher, host or interviewer name, publication date, and a direct link to the source.
- No full transcripts — we never store or expose full audio transcripts. Any intermediate audio-derived text is purged within 7 days of insight publication.
- Opt-out — any founder included in our database may request removal of their profile and all associated insights at any time by emailing hugues@topr.io with “Opt-out request” in the subject line. We process opt-out requests within 10 business days.
3. How We Use Your Data
We use your personal data to:
- Create and maintain your account, authenticate your sessions, and gate access to paid features
- Personalise your feed and search results based on the niche and founder stage you select during onboarding
- Process payments, manage your subscription, and issue receipts through Stripe
- Send transactional emails: account verification links, password reset links, subscription confirmations, billing receipts, and takedown acknowledgement notices — delivered via Resend
- Improve the Platform through aggregated, anonymised usage analytics via PostHog
- Monitor and fix application errors and crashes via Sentry
- Prevent fraud, abuse, and unauthorised access
We do not sell your personal data to any third party. We do not use your data for targeted advertising or share it with advertising networks. We do not send marketing emails without your explicit opt-in.
4. Legal Basis for Processing
We process your personal data on the following legal bases, consistent with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL) and applicable international standards:
- Contract performance: processing necessary to deliver the service you’ve subscribed to (account creation, payment processing, personalisation)
- Legitimate interests: security monitoring, fraud prevention, error tracking, and product analytics that help us improve the Platform, where these interests are not overridden by your rights
- Consent: where we ask for your explicit agreement (e.g., optional marketing communications)
- Legal obligation: retention of purchase records to satisfy financial reporting and legal obligations
- Publicly available data (UAE PDPL Art. 4(2)): for the processing of personal information about founders and operators that has been made publicly available by the data subject — such as statements made in public interviews, podcasts, and articles — we rely on Article 4(2) of UAE Federal Decree-Law No. 45 of 2021.
5. Third-Party Services
We work with a limited number of trusted third-party service providers to operate the Platform (including hosting, payments, email, analytics, and error monitoring). We only share personal data with these providers to the extent necessary to deliver the service. Each provider is contractually required to protect your data in accordance with applicable law, including the GDPR and UAE PDPL where relevant, and may not use your data for their own purposes. We do not sell personal data to any third party and do not share it with advertising networks.
6. Data Retention
- Account data: retained while your account is active and for 30 days after account deletion (to allow recovery), then permanently deleted
- Purchase records: retained for 7 years to meet applicable financial record-keeping obligations, then deleted
- Usage analytics: individual-level event records purged after 90 days; aggregated, anonymised data may be retained indefinitely
- Error logs: retained in Sentry for 90 days, then automatically purged
- Takedown and correction requests: retained for 3 years for legal record-keeping purposes, then deleted
7. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to personal data we hold about you:
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate or incomplete data
- Deletion: request deletion of your personal data (“right to be forgotten”), subject to our legal retention obligations
- Portability: receive your account data in a structured, machine-readable format
- Objection: object to processing based on legitimate interests
- Withdrawal of consent: where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Automated decision-making: the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you.
To exercise any of these rights, email us at hugues@topr.io. We will respond within 30 days. We may ask you to verify your identity before processing a request. We may extend the response period by up to two further months where necessary due to the complexity or number of requests — we will notify you of any extension within the initial 30-day period. If we decline to act on a request, we will explain why and inform you of your right to lodge a complaint with a supervisory authority.
8. Cookies
We use the following cookies and similar technologies:
- Supabase auth session: an HTTP-only, Secure cookie that maintains your authenticated session. This cookie is strictly necessary for the Platform to function and cannot be disabled without preventing login.
- PostHog analytics: a first-party analytics cookie that tracks anonymised usage patterns such as page views and feature interactions. You can opt out via your browser’s cookie controls or by contacting us.
- Vercel Analytics: anonymous page-view data used to measure application performance; no personal identifiers are stored.
We do not use advertising cookies, third-party tracking pixels, or participate in cross-site retargeting networks.
We honor browser-level Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we treat it as an opt-out of any sale or sharing of your personal information where applicable under US state privacy laws.
9. Data Security
We take reasonable technical and organisational measures to protect your personal data. All data in transit is encrypted via TLS (HTTPS). Database access is governed by Supabase row-level security policies, ensuring each user’s data is isolated and inaccessible to other users. Authentication sessions use HTTP-only, Secure cookies that are not accessible to client-side JavaScript. Payment data is handled exclusively by Stripe, a PCI DSS Level 1-compliant provider. In the event of a personal data breach, we will notify affected users and relevant authorities within the timeframes required by applicable law.
10. International Transfers
Some of our third-party service providers may process and store data in the United States and other regions outside the UAE. For outbound transfers from the UAE to these sub-processors, we rely on contractual measures meeting Article 23(1)(a) of UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL).
For users in the European Economic Area: for transfers of your personal data to The Distribution Market in the UAE, we rely on the European Commission’s Standard Contractual Clauses (2021). For UK data subjects, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
If you have questions about the transfer mechanisms applicable to a specific provider, contact us at hugues@topr.io.
11. Children’s Privacy
The Platform is intended for users aged 18 and over. We do not knowingly collect personal data from persons under 18. If we become aware that we have collected personal data from a person under 18, we will delete that data promptly. If you believe we have inadvertently collected data from a minor, please contact us at hugues@topr.io.
12. UAE Data Protection
This Privacy Policy is consistent with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (the “UAE PDPL”). As a company registered in the DMCC free zone, Dubai, we are subject to oversight by the UAE Data Office (the competent supervisory authority under the PDPL).
Under the UAE PDPL, you have rights to: access your personal data (Art. 13); correct inaccurate data (Art. 14); erase your data (Art. 15); restrict processing (Art. 16); receive a portable copy of your data (Art. 17); object to processing (Art. 18); and not be subject to decisions based solely on automated processing (Art. 18).
For data protection complaints under UAE law, you may contact the UAE Data Office at uaedataoffice.gov.ae, or contact us first at hugues@topr.io.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, third-party service providers, or applicable law. For material changes — those that significantly affect how we collect or use your data — we will notify you by email or by a prominent notice on the Platform at least 14 days before the change takes effect. The “last updated” date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically.
14. Contact
For privacy-related questions, data subject requests, or to exercise any of your rights under this policy, contact us at hugues@topr.io. We aim to respond to all privacy enquiries within 30 days.
Kairo Technologies FZCO
Unit RET-R5-134, Detached Retail R5
Plot JLT-PH2-RET-R5, Jumeirah Lakes Towers
Dubai, United Arab Emirates