Privacy Policy

Version 2 · Last updated: 2026-04-11

What changed in this version

  • Disclosed OpenAI as the AI provider that processes your proposal text for AI generation (brief intake, send-ready check, inline rewrites, follow-ups).
  • Disclosed Railway (database hosting) and Upstash (rate limiting) as sub-processors.
  • Split LemonSqueezy from the Stripe line item and added AppSumo as a billing sub-processor.
  • Added a new International Data Transfers section explaining that US-based sub-processors rely on the Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
  • Expanded the Your Rights section with the Right to Restriction (Art. 18) and the Right to Object (Art. 21).
  • Added a per-purpose legal basis table and per-category retention periods.
  • Acknowledged that an EU representative (GDPR Art. 27) will be appointed before active marketing in the EEA.
  • Clarified that Google Analytics and Google Ads scripts load only after you click Accept in the cookie consent modal.

Kulvo ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect information when you use our platform and services.

Data controller: Kulvo is an independent product operated from the Republic of Korea. For any privacy matter, including access, deletion, portability, complaint routing, or formal controller identity details, email us at support@kulvo.io. We will respond within 30 days. We are not required to appoint a Data Protection Officer under GDPR Art. 37 at our current scale.

EU representative (Art. 27): Kulvo is established outside the EEA. An EU representative has not yet been appointed. If you are an EEA resident, please contact support@kulvo.io directly to exercise your rights — we will respond within the same 30-day window. We intend to appoint a representative before initiating paid acquisition campaigns targeted at the EEA.

1. Information We Collect

Information you provide directly

  • Account information: Name, email address, company name, website URL, and profile details when you create an account
  • Proposal content: Free-text briefs, generated proposal sections, pricing, and any attachments. Proposal text is sent to OpenAI for AI generation (see Section 3)
  • Signature data: Electronic signatures, signer names, email, IP address, and a timestamp — retained as an e-signature audit trail (see retention schedule in Section 5)
  • Client information: Names, email addresses, and company details of your clients that you provide when sending proposals. We process this data on your behalf as a processor under GDPR Art. 28 (see Section 12)
  • Payment information: Subscription billing details are collected and processed by our payment partners. We do not store full card numbers. Your clients' payments are handled directly via your own payment provider — Kulvo does not touch client payment data

Information collected automatically

  • IP addresses: Recorded when a proposal is viewed, signed, or generated in the Playground, for fraud prevention and audit purposes
  • Device and browser data: User agent, screen resolution, and similar technical metadata passed with each request
  • Usage data: Pages visited, features used, and interaction patterns, processed by Vercel Web Analytics (always on, cookieless) and — only after you accept — Google Analytics 4

2. How We Use Your Information & Legal Basis

Under GDPR Art. 6, every processing purpose must have a lawful basis. Here is how each purpose maps to a basis:

Purpose | Legal basis (Art. 6)
Delivering the Service (account, proposals, AI generation, signatures, delivery emails) | Contract — Art. 6(1)(b)
Transactional emails (magic link, view notifications, signature alerts) | Contract — Art. 6(1)(b)
Vercel Web Analytics (aggregate, cookieless) | Legitimate interests — Art. 6(1)(f) (product improvement)
Google Analytics 4 + Google Ads conversion measurement | Consent — Art. 6(1)(a) (opt-in via cookie modal)
Sentry error monitoring | Legitimate interests — Art. 6(1)(f) (service reliability)
Rate limiting + fraud prevention (Upstash, IP logging) | Legitimate interests — Art. 6(1)(f) (security)
E-signature audit trails | Legal obligation — Art. 6(1)(c) (eIDAS, national e-signature laws)
Billing records (subscription, tax compliance) | Legal obligation — Art. 6(1)(c) (Korean tax law, EU VAT where applicable)

Is providing data required? Yes — creating an account and providing a valid email is a contractual requirement. Without it we cannot deliver the Service. You can always decline optional analytics cookies without affecting account access.

3. Third-Party Services (Sub-processors)

We use the following third-party services to operate Kulvo. Each is bound by its own Data Processing Agreement. Any transfer of personal data outside the EEA is covered by the mechanisms described in Section 7a.

  • Vercel (United States) — Cloud hosting, Web Analytics, and Speed Insights. Vercel delivers every HTTP request and stores no cookies for its analytics products. See vercel.com/legal/privacy-policy and vercel.com/legal/dpa.
  • Railway (United States) — Managed PostgreSQL database hosting. Stores accounts, proposals, signatures, contacts, and audit events. See railway.com/legal/privacy.
  • OpenAI (United States) — AI model provider (gpt-4.1-mini). Your brief text, proposal content, and client names are sent to OpenAI's API for AI generation, quality checks, and follow-ups. OpenAI does not train on API data by default. See openai.com/policies/privacy-policy and openai.com/policies/data-processing-addendum. If you prefer not to have your content processed by AI, email support@kulvo.io — we will explore a non-AI manual workflow on request.
  • Upstash (multi-region) — Redis-backed rate limiting, one-time password storage, and AI quota tracking. Processes IP addresses and user IDs. See upstash.com/trust/privacy.
  • Stripe (Ireland / United States) — Card processing for Kulvo subscriptions. See stripe.com/privacy.
  • LemonSqueezy (United States) — Alternative billing provider + Merchant of Record for EU sales tax. See lemonsqueezy.com/privacy.
  • AppSumo (United States) — Lifetime deal redemption. Receives your email on redemption. See appsumo.com/privacy.
  • Resend (United States) — Transactional email delivery. See resend.com/legal/privacy-policy.
  • Google Analytics 4 & Google Ads (United States) — Loaded only after you click Accept in the cookie consent modal. Sets first-party cookies (_ga, _ga_*, _gcl_au) to measure traffic and advertising conversions. If you decline, no Google scripts are executed. See policies.google.com/privacy.
  • Google (Sign-in) (United States / Ireland) — Optional OAuth sign-in. Your Google email and display name are shared with Kulvo to create your account.
  • Sentry (United States / European Union) — Application error monitoring. Captures unhandled exceptions with stack traces, URL paths, and browser info. We do not intentionally attach personal identifiers to error reports. See sentry.io/privacy.

We do not sell your personal data to third parties. We do not share your proposal content with advertisers, data brokers, or any service not listed above.

4. Cookies

Kulvo uses two categories of cookies:

Essential (always on)

  • Session cookies: Keep you signed in and maintain your session
  • Security cookies: Prevent cross-site request forgery and other security threats
  • Consent storage: A single localStorage entry that remembers your cookie choices so we don't re-prompt you on every visit

Analytics (loaded only with your consent)

  • Google Analytics 4: _ga, _ga_* — measures traffic, sessions, and feature usage
  • Google Ads conversion: _gcl_au, _gcl_aw — attributes signups to advertising campaigns

When you first visit Kulvo, a cookie consent modal asks for your permission before loading any analytics or advertising cookies. Click Decline and none of the optional cookies are set. Click Accept and the analytics scripts are loaded after the page becomes interactive. Every Accept or Decline event is recorded as an append-only entry in our consent log for audit purposes (GDPR Art. 7(1)).

We do not use retargeting, behavioral profiling, or cross-site advertising cookies.

5. Data Retention

We retain different categories of data for different periods:

Category | Retention
Account + profile data | Until account deletion, then 30 days
Proposal content (drafts, sent, signed) | Retained for the life of your account. When you delete your account, proposals and their signature records are deleted with it. If you need long-term retention for legal audit, keep your account active or export before deletion (see Section 6)
E-signature audit records | Retained alongside the parent proposal — see above. You as the controller of your clients' signature data are responsible for preserving audit trails under eIDAS and any local e-signature law if you need them beyond your account lifetime
Billing records | 7 years (Korean tax law)
Proposal view IP logs | 12 months, enforced by daily retention cron
Section engagement heatmaps | 12 months, enforced by daily retention cron
Playground generations | 24 hours (unless claimed by a user account)
Webhook payloads (Stripe / LemonSqueezy / AppSumo) | 90 days after processing, then deleted
Sentry error reports | 90 days (Sentry default)
Google Analytics data | 14 months (GA4 default)
Cookie consent logs | 3 years (EDPB recommendation)

When you delete your account, we remove your personal data within 30 days, except where a longer retention period is required by law (signature audit trails, billing records).

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access (Art. 15): Request a copy of the personal data we hold about you
  • Rectification (Art. 16): Request correction of inaccurate data
  • Erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements
  • Restriction (Art. 18): Request that we pause processing while a dispute is resolved
  • Portability (Art. 20): Request a portable copy of your data in a machine-readable format
  • Object (Art. 21): Object to processing based on legitimate interests, including product analytics and direct marketing
  • Withdraw consent (Art. 7(3)): Change your cookie choices at any time using the "Manage cookies" link in our footer. Withdrawal is as easy as giving consent
  • Lodge a complaint (Art. 77): Contact your local supervisory authority (e.g., your national DPA — list at edpb.europa.eu)

To exercise any of these rights, contact us at support@kulvo.io. We respond within 30 days.

7. GDPR Compliance (EEA Users)

If you are located in the European Economic Area, our legal bases for processing your personal data are listed in the table in Section 2. You have the full set of data-subject rights listed in Section 6, and you have the right to lodge a complaint with your local data protection authority if you believe our processing violates GDPR.

7a. International Data Transfers

Most of the sub-processors listed in Section 3 (Vercel, Railway, OpenAI, Stripe, LemonSqueezy, AppSumo, Resend, Google, Sentry) process personal data in the United States. Transfers of EEA personal data to these processors rely on:

  • Standard Contractual Clauses (European Commission Decision 2021/914, Modules 2 and 3) as incorporated in each vendor's Data Processing Addendum
  • EU-US Data Privacy Framework certification where the vendor participates (currently Google, Vercel, and several others)
  • Supplementary technical measures including TLS 1.2+ in transit, encryption at rest where the vendor supports it, and strict IAM controls

You can request a copy of the SCCs for any specific sub-processor by emailing support@kulvo.io.

8. CCPA Compliance (California Users)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of its sale. We do not sell personal information. To exercise your CCPA rights, contact us at support@kulvo.io.

9. Data Security

We implement industry-standard security measures to protect your data, including TLS encryption in transit, encryption at rest via our cloud providers, session-based authentication, rate limiting on authentication endpoints, and regular security reviews. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we bump the version number and the cookie consent modal reappears on your next visit, drawing your attention to the updated terms. The "Last updated" date at the top of this page and the version number indicate the current state.

11. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us at support@kulvo.io.

12. When Kulvo Acts as a Processor

When you use Kulvo to send proposals to your clients, your clients' personal data (name, email, and when they view or sign: IP address, device info) is processed by Kulvo on your behalf under GDPR Art. 28. In that context you are the data controller and Kulvo is the processor.

Our standard Data Processing Addendum is available on request at support@kulvo.io and incorporates the EU Standard Contractual Clauses where required. The sub-processors you are implicitly authorizing us to use are the ones listed in Section 3.

13. Manage Your Cookie Preferences

You can change your cookie consent at any time. Withdrawing consent is as easy as giving it (GDPR Art. 7(3)).
