NewPrimer ranked #1 in financial modelingRead analysis

Legal

Privacy Policy

Version 2026-06-02 · Effective 2 June 2026

Last updated: 2 June 2026

1. Who We Are

Kernel AI Ltd, trading as Primer ("Primer", "we", "us", or "our"), is a company registered in England and Wales under company number 15117085. Our registered office is 128 City Road, London EC1V 2NX, United Kingdom.

For the personal data described in this Privacy Policy, Primer is the controller except where we explain that we act as a processor or service provider on behalf of a customer.

You can contact us at:

  • Email: hello@primerapp.com
  • Post: Kernel AI Ltd, 128 City Road, London EC1V 2NX, United Kingdom

2. Scope

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data in connection with Primer's websites, applications, AI features, financial-analysis tools, subscriptions, communications, cookies and similar technologies, events, and related services (together, the "Services").

This Privacy Policy applies to:

  • visitors to primerapp.com and related websites;
  • people who create an account or use Primer;
  • individuals who sign up for a trial, paid plan, newsletter, waitlist, webinar, demo, or event;
  • people who contact us for support or send us enquiries;
  • individuals at business customers, prospects, suppliers, partners, and investors;
  • candidates who apply for roles with us; and
  • any other individual whose personal data we process as a controller.

When a business customer uses Primer and submits content containing personal data, Primer may act as that customer's processor and the customer remains the controller. That processing is governed by our Data Processing Agreement or other written agreement with the customer, not this Privacy Policy. If your personal data was submitted to Primer by a business customer, you should normally contact that customer to exercise your privacy rights.

The Services are not intended for anyone under 18.

3. Personal Data We Collect

The personal data we collect depends on how you interact with us.

3.1 Account and Identity Data

We may collect your name, email address, password hash, authentication identifiers, profile information, country, language, account settings, plan, subscription status, legal acceptance records, and communications preferences.

If you sign in using a third-party identity provider, such as Google or LinkedIn, we receive information made available by that provider, such as your email address, name, profile image, and authentication token metadata.

3.2 Billing and Subscription Data

If you buy a subscription, we and our payment processor may collect billing name, billing email, billing address, tax location, tax identifiers where relevant, payment method metadata, plan, price, tax amount, renewal date, cancellation status, invoices, receipts, chargeback records, and payment status.

We do not store full payment-card numbers. Payment processing is handled by third-party payment processors such as Stripe.

3.3 Service Content

When you use the Services, we process the content you provide, generate, or store. This may include prompts, uploaded files, imported documents, notes, watchlists, company lists, models, spreadsheets, datasets, connected-source content, configurations, workflows, instructions, generated outputs, exports, feedback, and conversation history.

Service Content may include personal data, confidential information, financial information, market-sensitive information, third-party content, or other sensitive material if you choose to submit it. You must not submit personal data or sensitive information unless you have the right and lawful basis to do so and the relevant feature is appropriate for that information.

3.4 Usage, Device, and Technical Data

We may collect IP address, approximate location derived from IP address, device type, browser, operating system, screen size, language, referring URL, pages or routes viewed, features used, session events, login times, credit usage, model and tool usage, errors, latency, diagnostics, audit logs, security logs, and other telemetry needed to operate, secure, debug, and improve the Services.

3.5 AI Processing Data

To provide AI features, we may process prompts, files, retrieved context, tool results, generated outputs, workflow steps, model selections, evaluation traces, and related metadata. AI Processing Data may be sent to AI model providers, retrieval systems, evaluation tools, observability tools, and infrastructure providers so that the Services can generate, evaluate, secure, troubleshoot, and improve outputs.

Unless we clearly tell you otherwise or you separately consent, we do not use your uploaded files, prompts, or generated outputs to train third-party foundation models. We have agreements with relevant model providers under which customer content is not used to train their models. We may use Service Content, usage data, feedback, and evaluation data to provide, secure, debug, analyse, evaluate, and improve Primer, including through automated or human review where needed for safety, quality, support, abuse prevention, or legal compliance.

3.6 Cookies and Similar Technologies

We and our providers may use cookies, local storage, session storage, pixels, SDKs, tags, device identifiers, scripts, and similar technologies to operate the Services, keep you signed in, remember preferences, detect fraud, secure the Services, measure usage, and improve the product.

Examples may include authentication cookies, session cookies, local storage for product state, security cookies, Stripe checkout or billing technologies, error monitoring, operational logs, and analytics tools.

The logged-in application currently uses first-party product analytics in a cookieless, in-memory configuration. It does not set analytics cookies or store persistent analytics identifiers on your device. Our implementation uses explicit product events rather than automatic page capture, disables session recording, and avoids advertising-network tracking in the logged-in application.

We do not currently intend to use advertising or remarketing cookies in the logged-in application. If we use advertising, remarketing, conversion tracking, or cross-context behavioural advertising on the marketing website or elsewhere, those technologies may be used to measure campaigns, attribute sign-ups, build audiences, or show ads on third-party platforms, and we will seek consent where required.

In the UK, EEA, and other jurisdictions with similar rules, we generally need consent before storing or accessing non-essential information on your device, including many advertising technologies and any analytics that set cookies or persistent identifiers. Strictly necessary technologies do not require consent.

The logged-in app does not currently set non-essential cookies or similar technologies that require consent. For that reason we do not present an in-app cookie consent banner. If we later introduce non-essential cookies or similar technologies that require consent, we will provide a consent mechanism that lets you accept, reject, and manage optional technologies as required by law.

You can also manage cookies and similar technologies through browser settings. Blocking cookies or deleting local storage may sign you out, reset preferences, disable features, or prevent parts of the Services from working.

3.7 Marketing, Events, and Communications Data

If you join a waitlist, request a demo, subscribe to updates, attend an event, respond to a survey, or contact us, we may collect your name, email, organisation, role, phone number, event attendance, message content, preferences, and related correspondence.

Where we send marketing emails, you can unsubscribe at any time using the link in the email or by contacting us.

3.8 Recruitment Data

If you apply for a role, we may collect your CV, contact details, work history, education, portfolio, cover letter, interview notes, assessment submissions, references, right-to-work information, and other recruitment information.

3.9 Third-Party and Public Sources

We may receive personal data from authentication providers, payment processors, business contacts, referrals, public sources, customer relationship tools, event platforms, professional networks, and third-party data sources used in the Services. Financial data feeds, public filings, transcripts, presentations, news, and similar sources may incidentally contain personal data about individuals acting in a professional capacity, such as company executives.

4. How We Use Personal Data

We use personal data to:

  • create, secure, and manage accounts;
  • provide, operate, personalise, and improve the Services;
  • process subscriptions, payments, invoices, taxes, cancellations, refunds, disputes, and legal acceptance records;
  • provide AI features, retrieval, analysis, outputs, reports, workflows, and related product functionality;
  • debug, monitor, test, evaluate, and secure the Services;
  • prevent fraud, abuse, misuse, unauthorised access, and security incidents;
  • provide support and respond to enquiries;
  • send transactional emails, service notices, renewal notices, trial reminders, price-change notices, security alerts, and legal updates;
  • send marketing communications where permitted;
  • conduct product analytics and business reporting;
  • comply with legal, regulatory, tax, accounting, sanctions, export-control, consumer-protection, and payment obligations;
  • establish, exercise, or defend legal claims; and
  • carry out recruitment, business operations, corporate transactions, and investor or partner communications.

5. Legal Bases

Where UK GDPR, EU GDPR, or similar laws apply, we rely on one or more of the following legal bases:

  • Contract: to provide the Services, manage accounts, process payments, and perform our Terms or other agreements.
  • Legitimate interests: to secure, debug, monitor, improve, and analyse the Services; prevent fraud and abuse; understand product usage; communicate with users; conduct limited business-to-business outreach; and establish or defend legal claims.
  • Consent: for optional marketing emails where required, non-essential cookies or similar technologies where required, certain events or surveys, and any processing where we specifically ask for consent.
  • Legal obligation: to comply with tax, accounting, sanctions, consumer, privacy, financial-crime, court, regulator, and other legal obligations.
  • Vital interests or public interest: where rarely necessary and recognised by applicable law.

6. AI Features, Human Review, and High-Impact Decisions

Outputs are intended to support human research and productivity. We do not design the Services to make decisions about people that produce legal or similarly significant effects without human review.

Human reviewers may access Service Content where necessary for support, troubleshooting, safety, abuse prevention, quality evaluation, legal compliance, or with your permission. We use access controls and internal policies to limit review to appropriate purposes.

7. How We Share Personal Data

We may share personal data with:

  • hosting, infrastructure, database, storage, security, and networking providers;
  • AI model, retrieval, evaluation, observability, and tooling providers;
  • payment processors, tax providers, billing systems, banks, and card networks;
  • authentication, email, customer-support, analytics, error-monitoring, and communications providers;
  • professional advisers, auditors, insurers, banks, investors, and corporate transaction counterparties;
  • business customers where we process data on their behalf or provide account administration;
  • regulators, courts, law enforcement, government authorities, or third parties where required or permitted by law; and
  • other parties with your direction or consent.

We do not sell personal data in the ordinary meaning of that term. If a law defines "sale" or "sharing" broadly enough to include certain advertising or analytics disclosures, we will provide required notices and choices where applicable.

8. International Transfers

We may process and store personal data in the United Kingdom, European Economic Area, United States, and other countries where we or our providers operate. Where required, we use safeguards such as adequacy decisions, standard contractual clauses, data processing agreements, and provider security commitments.

9. Retention

We keep personal data only for as long as needed for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.

Typical retention considerations include:

  • account data: for the life of the account and a reasonable period after closure;
  • billing, tax, and transaction records: for the period required by tax, accounting, and payment laws;
  • legal acceptance and consent records: for as long as needed to demonstrate compliance and resolve disputes;
  • Service Content: while your account or workspace needs it, unless deleted earlier or retained for legal, security, or backup reasons;
  • deleted account content: deleted or de-identified from active systems within a reasonable period, subject to backups, legal holds, fraud prevention, dispute records, and technical limits;
  • prompt, output, trace, support, security, and debugging logs: for as long as needed for service delivery, security, debugging, abuse prevention, support, legal compliance, or product evaluation;
  • marketing records: until you unsubscribe or we no longer need them; and
  • recruitment records: for the recruitment process and any legally permitted follow-up period.

10. Security

We use technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. No service can be completely secure, and you are responsible for using strong credentials, keeping account access secure, and telling us promptly about suspected compromise.

11. Your Rights

Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or port your personal data, withdraw consent, opt out of certain processing, or complain to a regulator.

These rights are not absolute and may be subject to legal limits, identity verification, exceptions, and retention obligations. To exercise rights, contact hello@primerapp.com.

If you are in the UK, you may contact the Information Commissioner's Office. If you are in the EEA, you may contact your local data protection authority.

12. Marketing Choices

You can unsubscribe from marketing emails using the link in the email or by contacting us. We may still send transactional or service messages that are necessary for your account, subscription, security, billing, support, or legal notices.

13. Children

The Services are not intended for anyone under 18. We do not knowingly collect personal data from children.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify users, such as posting the updated Privacy Policy, sending an email, or showing an in-product notice.

The "Last updated" date shows when this Privacy Policy was most recently revised.

15. Contact

For questions about privacy, cookies, similar technologies, or data protection, contact hello@primerapp.com.