NewPrimer ranked #1 in financial modelingRead analysis

28 May 2026

Privacy Policy

Primer Privacy Policy

Last updated: 28 May 2026

1. Who We Are

Kernel AI Ltd, trading as Primer ("Primer", "we", "us", or "our"), is a company registered in England and Wales under company number 15117085. Our registered office is 128 City Road, London EC1V 2NX, England.

For the personal data described in this Privacy Policy, Primer is the controller except where we explain that we act as a processor or service provider on behalf of a customer.

You can contact us at:

  • Email: hello@primerapp.com
  • Post: Kernel AI Ltd, 128 City Road, London EC1V 2NX, United Kingdom

2. Scope

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data in connection with Primer's websites, applications, AI features, financial-analysis tools, subscriptions, communications, events, and related services (together, the "Services").

This Privacy Policy applies to:

  • visitors to primerapp.com and related websites;
  • people who create a consumer account or use Primer for personal, non-business purposes;
  • individuals who sign up for a trial, paid plan, newsletter, waitlist, webinar, demo, or event;
  • people who contact us for support or send us enquiries;
  • individuals at business customers, prospects, suppliers, partners, and investors;
  • candidates who apply for roles with us; and
  • any other individual whose personal data we process as a controller.

When a business customer uses Primer and submits content containing personal data, Primer may act as that customer's processor and the customer remains the controller. That processing is governed by our Data Processing Agreement and the customer's instructions, not this Privacy Policy. If your personal data was submitted to Primer by a business customer, you should normally contact that customer to exercise your privacy rights.

For consumer accounts, you contract with Primer directly. In that context, we are generally the controller of personal data you provide to or generate through the Services, including account information, prompts, uploaded files, notes, watchlists, workflows, generated outputs, usage data, and support communications.

The Services are not intended for anyone under 18.

3. Personal Data We Collect

The personal data we collect depends on how you interact with us.

3.1 Account and Identity Data

We may collect your name, email address, password hash, authentication identifiers, profile information, country, language, account settings, plan, subscription status, legal acceptance records, and communications preferences.

If you sign in using a third-party identity provider, such as Google, we receive information made available by that provider, such as your email address, name, profile image, and authentication token metadata.

3.2 Billing and Subscription Data

If you buy a subscription, we and our payment processor may collect billing name, billing email, billing address, tax location, tax identifiers where relevant, payment method metadata, plan, price, tax amount, renewal date, cancellation status, invoices, receipts, chargeback records, and payment status.

We do not store full payment-card numbers. Payment processing is handled by third-party payment processors such as Stripe.

3.3 Service Content

When you use the Services, we process the content you provide, generate, or store. This may include prompts, uploaded files, imported documents, notes, watchlists, company lists, models, spreadsheets, datasets, connected-source content, configurations, workflows, instructions, generated outputs, exports, feedback, and conversation history.

Service Content may include personal data, confidential information, financial information, market-sensitive information, third-party content, or other sensitive material if you choose to submit it. You must not submit personal data or sensitive information unless you have the right and lawful basis to do so and the relevant feature is appropriate for that information.

3.4 Usage, Device, and Technical Data

We may collect IP address, approximate location derived from IP address, device type, browser, operating system, screen size, language, referring URL, pages or routes viewed, features used, session events, login times, credit usage, model/tool usage, errors, latency, diagnostics, audit logs, security logs, and other telemetry needed to operate, secure, debug, and improve the Services.

3.5 AI Processing Data

To provide AI features, we may process your prompts, files, retrieved context, tool results, generated outputs, workflow steps, model selections, evaluation traces, and related metadata. AI Processing Data may be sent to AI model providers, retrieval systems, evaluation tools, observability tools, and infrastructure providers so that the Services can generate, evaluate, secure, troubleshoot, and improve outputs.

Unless we clearly tell you otherwise or you separately consent, we do not use your uploaded files, prompts, or generated outputs to train third-party foundation models. We have agreements with relevant model providers under which customer content is not used to train their models. We may use Service Content, usage data, feedback, and evaluation data to provide, secure, debug, analyse, evaluate, and improve Primer, including through automated or human review where needed for safety, quality, support, abuse prevention, or legal compliance.

3.6 Website, Cookies, and Similar Technologies

We and our providers may use cookies, local storage, pixels, SDKs, and similar technologies to operate the Services, keep you signed in, remember preferences, measure usage, detect fraud, secure the Services, and, where enabled and consented to where required, perform analytics or advertising measurement. See our Cookies Policy for more detail.

3.7 Marketing, Events, and Communications Data

If you join a waitlist, request a demo, subscribe to updates, attend an event, respond to a survey, or contact us, we may collect your name, email, organisation, role, phone number, event attendance, message content, preferences, and related correspondence.

Where we send marketing emails, you can unsubscribe at any time using the link in the email or by contacting us.

3.8 Recruitment Data

If you apply for a role, we may collect your CV, contact details, work history, education, portfolio, cover letter, interview notes, assessment submissions, references, right-to-work information, and other recruitment information.

3.9 Third-Party and Public Sources

We may receive personal data from authentication providers, payment processors, business contacts, referrals, public sources, customer relationship tools, event platforms, professional networks, and third-party data sources used in the Services. Financial data feeds, public filings, transcripts, presentations, news, and similar sources may incidentally contain personal data about individuals acting in a professional capacity, such as company executives.

4. How We Use Personal Data

We use personal data for the following purposes:

  • provide, operate, maintain, and administer the Services;
  • create and authenticate accounts;
  • process subscriptions, payments, invoices, taxes, cancellations, refunds, disputes, and legal acceptance records;
  • generate, retrieve, analyse, summarise, evaluate, and deliver AI outputs;
  • store and synchronise notes, files, workspaces, models, workflows, and settings;
  • provide support, respond to enquiries, and troubleshoot issues;
  • monitor service performance, usage, availability, security, and reliability;
  • detect, prevent, investigate, and respond to fraud, abuse, harmful content, security incidents, policy violations, and unlawful activity;
  • improve, test, evaluate, and develop the Services;
  • send transactional emails, service notices, renewal notices, trial reminders, price-change notices, security alerts, and legal updates;
  • send marketing communications where permitted by law and your preferences;
  • run events, webinars, surveys, waitlists, and customer research;
  • manage recruitment and hiring;
  • comply with legal, regulatory, tax, accounting, sanctions, export-control, consumer-protection, and payment obligations;
  • establish, exercise, or defend legal claims; and
  • support corporate transactions such as a financing, merger, acquisition, restructuring, or sale of assets.

5. Lawful Bases for UK and EEA Users

Where UK GDPR or EU GDPR applies, we rely on the following lawful bases:

  • Contract: to provide the Services, create accounts, process subscriptions, manage billing, deliver AI features, provide support, and administer cancellation or refund requests.
  • Legitimate interests: to secure, debug, monitor, improve, and analyse the Services; prevent fraud and abuse; understand product usage; communicate with users; conduct limited business-to-business outreach; and establish or defend legal claims.
  • Consent: for optional marketing emails where required, non-essential cookies or similar technologies where required, certain events or surveys, and any processing where we specifically ask for consent.
  • Legal obligation: to comply with tax, accounting, sanctions, consumer, privacy, financial-crime, court, regulator, and other legal obligations.
  • Vital interests or public interest: only where necessary in exceptional circumstances, such as responding to an urgent safety issue.

Where we rely on legitimate interests, you may object to the processing. We will assess your objection in accordance with applicable law. Direct marketing based on legitimate interests can always be opted out of.

6. AI, Human Review, and Automated Decisions

Primer is an AI-powered research and financial-analysis workspace. AI systems may process your prompts, files, notes, retrieved context, and other Service Content to generate outputs.

Outputs are intended to support human research and productivity. We do not design the Services to make decisions about people that produce legal or similarly significant effects without human review. You must not use Primer as the sole basis for high-impact decisions about people, including decisions about finance, credit, insurance, employment, housing, education, healthcare, legal rights, public benefits, or access to services.

We may use automated systems and human review to:

  • route prompts and retrieve context;
  • generate and evaluate outputs;
  • detect abuse, security risks, spam, fraud, or policy violations;
  • debug and improve service quality;
  • respond to support requests;
  • comply with law; and
  • protect users, Primer, providers, and third parties.

Human reviewers may access Service Content where necessary for support, troubleshooting, safety, abuse prevention, quality evaluation, legal compliance, or with your permission.

7. Who We Share Personal Data With

We do not sell personal data. We may share personal data with:

  • hosting and infrastructure providers, including Render, Amazon Web Services, and Supabase;
  • AI and machine-learning providers, including Anthropic, OpenAI, Google, xAI, OpenRouter, and similar providers used to deliver AI features;
  • AI evaluation and observability providers, including Braintrust;
  • payment processors and billing tools, including Stripe;
  • analytics and product telemetry providers, including PostHog, and, where enabled, similar analytics tools;
  • error monitoring and logging providers, including Sentry, Render logs, and AWS CloudWatch;
  • email, support, CRM, and communications tools, including Resend, Google Workspace, HubSpot, Pipedrive, Slack, and similar providers;
  • workflow and automation tools, including n8n;
  • professional advisers, insurers, auditors, accountants, lawyers, banks, investors, and transaction counterparties;
  • regulators, courts, law-enforcement agencies, public authorities, tax authorities, payment networks, and competent authorities where required or lawful;
  • third parties involved in an actual or proposed corporate transaction; and
  • other third parties where you direct us to share information, connect an integration, or give consent.

Providers may process personal data in the United Kingdom, European Economic Area, United States, and other countries. We require service providers to protect personal data and use it only for authorised purposes.

8. International Transfers

Our core customer-facing infrastructure is currently hosted in the United Kingdom and European Economic Area. Some providers process personal data in other countries, including the United States.

Where we transfer personal data from the UK, EEA, or Switzerland to a country that has not been recognised as providing adequate protection, we use appropriate safeguards where required, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, the UK International Data Transfer Agreement, or reliance on the UK Extension to the EU-US Data Privacy Framework or EU-US Data Privacy Framework where applicable.

You can contact us for more information about transfer safeguards.

9. Retention

We keep personal data only for as long as needed for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.

Typical retention periods are:

  • account data: for the life of the account and a reasonable period afterwards;
  • Service Content in active consumer accounts: while the account is active, until you delete it, or until the relevant feature retention period expires;
  • deleted account content: deleted or de-identified from active systems within a reasonable period, subject to backups, legal holds, fraud prevention, dispute records, and technical limits;
  • prompt, output, trace, support, security, and debugging logs: for as long as needed for service delivery, security, debugging, abuse prevention, support, legal compliance, or product evaluation;
  • billing, invoice, tax, and accounting records: typically six years from the end of the relevant accounting period, or longer if required by law;
  • legal acceptance and consent records: for as long as needed to demonstrate compliance and resolve disputes;
  • support communications: typically three years from the last communication;
  • marketing records: until you unsubscribe or we no longer need the record;
  • security and access logs: typically up to 12 months unless needed for an investigation, legal claim, or security purpose;
  • recruitment records: typically 12 months from the end of the recruitment process unless a longer period is agreed or required.

Backups and disaster-recovery copies are deleted according to our backup schedules and remain protected until deletion.

10. Security

We use technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, and unauthorised access. These measures may include encryption in transit, access controls, authentication, logging, monitoring, vulnerability management, vendor controls, workforce confidentiality obligations, and security training.

No system is perfectly secure. You are responsible for keeping your account credentials confidential and for using the Services lawfully and safely.

11. Your Rights

Depending on where you live, you may have rights to:

  • access personal data we hold about you;
  • correct inaccurate or incomplete personal data;
  • delete personal data;
  • restrict or object to processing;
  • receive certain personal data in a portable format;
  • withdraw consent where processing is based on consent;
  • object to direct marketing;
  • opt out of sale, sharing, targeted advertising, or certain profiling where applicable;
  • limit use or disclosure of sensitive personal information where applicable;
  • appeal a decision about a privacy request where applicable; and
  • complain to a data protection authority or privacy regulator.

These rights are not absolute and may be subject to legal limits, identity verification, exceptions, and retention obligations.

To exercise rights, contact hello@primerapp.com. We may ask for information to verify your identity and process your request. Authorised agents may make requests where permitted by law and after we verify authorisation.

If you are in the UK, you may complain to the Information Commissioner's Office. If you are in the EEA or Switzerland, you may complain to your local supervisory authority. If you are elsewhere, you may have rights to complain to a local privacy or consumer regulator.

12. United States State Privacy Notices

Some US state privacy laws require additional disclosures. Depending on the law that applies to you, the categories of personal information we collect may include identifiers, commercial information, internet or network activity, geolocation derived from IP address, professional information, inferences, sensitive personal information you choose to provide, and content of communications with us.

We collect these categories for the purposes described in this Privacy Policy, disclose them to the categories of recipients described above, and retain them as described in the Retention section.

We do not sell personal information for money. If we enable advertising or remarketing technologies that constitute "sharing", "targeted advertising", or a "sale" under applicable US state privacy laws, we will provide any required notice and opt-out mechanism.

We do not knowingly sell or share personal information of children under 16. The Services are not intended for anyone under 18.

13. Marketing

We may send service messages that are necessary for your account or subscription, such as security alerts, billing notices, renewal notices, trial reminders, support messages, and legal updates.

We may send marketing communications where permitted by law and your preferences. You can unsubscribe from marketing emails at any time using the unsubscribe link in the email or by contacting hello@primerapp.com. Transactional and service messages may still be sent after you unsubscribe from marketing.

14. Cookies and Similar Technologies

Our Cookies Policy explains how we use cookies and similar technologies. In summary:

  • strictly necessary technologies are used to provide the website, authentication, security, checkout, billing, and preference storage;
  • analytics technologies, such as PostHog, help us understand product usage and improve the Services;
  • advertising or remarketing technologies will only be used where enabled and where any required notice, consent, or opt-out is provided; and
  • you can manage preferences through the cookie controls we make available and through browser settings.

Where law requires consent for non-essential cookies or similar technologies, we will seek consent before using them.

15. Children

The Services are not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact hello@primerapp.com so we can take appropriate steps.

16. Changes

We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify you, such as posting a notice, emailing account holders, or asking for renewed acknowledgement where required by law.

The "Last updated" date shows when this Privacy Policy was most recently revised.

17. Contact

For privacy questions, requests, or complaints, contact:

  • Email: hello@primerapp.com
  • Post: Kernel AI Ltd, 128 City Road, London EC1V 2NX, United Kingdom