Kalova

Privacy Policy

Last updated: April 25, 2026

This Privacy Policy describes how Kalova (“we”, “us”) collects, uses, and shares information when you use the Kalova service.

1. Information We Collect

Account Information

When you sign up, we collect your email, password (hashed), and the workspace details you provide (company name, workspace slug).

Customer Content

We store the documents, conversations, and metadata you upload or generate. This content is private to your workspace and is protected by row-level access controls.

Usage Information

We log basic usage metrics — pages visited, API calls, error rates — to operate and improve the Service. We do not sell or share this data with advertisers.

2. How We Use Information

  • To provide and maintain the Service.
  • To authenticate users and enforce workspace isolation.
  • To process payments through our billing partner.
  • To send you transactional and support emails.
  • To detect, investigate, and prevent abuse.

3. Subprocessors

We rely on the following third-party services to operate Kalova:

  • Supabase — managed Postgres, authentication, file storage.
  • OpenAI — large language models for answering questions and generating embeddings. Customer Content is sent to OpenAI to generate answers but is not used to train OpenAI's models per their API terms.
  • Railway — application hosting.
  • Stripe — payment processing (when you upgrade to a paid plan).
  • Meta (WhatsApp) — message delivery for tenants who connect WhatsApp Business.

4. Data Retention

We retain Customer Content for as long as your workspace is active and for 30 days after deletion to allow recovery. Authentication records are retained for the life of your account. Aggregated usage metrics may be retained indefinitely.

5. Your Rights

Depending on your jurisdiction, you may have rights to:

  • Access the personal data we hold about you.
  • Correct or delete that data.
  • Export your data in a portable format.
  • Object to certain processing.

To exercise these rights, email privacy@kalova.io. We will respond within 30 days.

6. Security

We use industry-standard measures to protect your data, including encryption in transit (TLS), encryption at rest for credentials and access tokens, and tenant isolation via row-level security in our database. No system is perfectly secure; if we discover a breach affecting your data, we will notify you as required by law.

7. International Transfers

Kalova is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US.

8. Children

The Service is not directed to anyone under 16. We do not knowingly collect personal data from minors.

9. Changes to This Policy

We may update this Policy from time to time. If a change is material, we will notify you by email or in-app notice.

10. Contact

Privacy questions go to privacy@kalova.io.

This is a baseline template. Before relying on it for real customers, have it reviewed by counsel familiar with the privacy laws in your relevant jurisdictions (GDPR, CCPA, etc.).