Privacy Policy

Last updated: 16 May 2026 · Compliant with the EU General Data Protection Regulation (GDPR)

This Privacy Policy explains how Kuruvi ("we", "us", "our") collects, uses, stores, and shares personal data when you use the Kuruvi application, the kuruvi.com website, and related services (collectively, the "Service"). We take your privacy seriously and aim to be as transparent as possible.

Short version: We collect only what we need to run Kuruvi (your account, the messages we sync on your behalf, and basic usage analytics). We never sell your data. We're a data controller for your account information and a data processor for the messages and Shopify data we sync for you. You can export or delete everything at any time.

1. Who we are

The data controller for the personal data we hold about you is Kuruvi. For any questions about this policy or to exercise your rights, contact us at hello@kuruvi.com. If your enquiry concerns data protection specifically, you can reach our data protection lead at privacy@kuruvi.com.

2. What personal data we collect

Information you give us

Account information: your name, email address, password (stored hashed), and business name when you sign up.
Billing information: processed by our payment provider (Stripe). We store the last four digits of your card and your billing address, never the full card number.
Support correspondence: messages you send us, and any information you choose to include.

Information we sync on your behalf

Channel data: when you connect WhatsApp Business, Instagram, or Facebook Messenger, we sync your conversations, contact names, profile photos, and message content so we can show them in your inbox.
Shopify data: when you connect Shopify, we read your customers, orders, products, and order statuses to display them alongside conversations.

Information we collect automatically

Usage data: log data such as IP address, device type, OS version, app version, and timestamps. We use this for security, debugging, and product improvement.
Cookies and similar: the website uses essential cookies for session management and one privacy-preserving analytics cookie. See section 9.

3. Legal basis for processing (Article 6 GDPR)

We rely on the following lawful bases for processing your personal data:

Contract (Art. 6(1)(b)): to provide the Service you've signed up for — syncing your inbox, showing Shopify context, processing payments.
Legitimate interests (Art. 6(1)(f)): to keep the Service secure, prevent abuse, and improve features based on aggregated usage. These interests are balanced against your rights.
Consent (Art. 6(1)(a)): for optional marketing emails and non-essential analytics. You can withdraw consent at any time.
Legal obligation (Art. 6(1)(c)): when we must retain or disclose data to comply with tax, accounting, or law-enforcement requirements.

4. How we use your information

We use personal data to:

Operate the Service — sync messages, display Shopify context, send notifications.
Authenticate you and keep your account secure.
Process subscription payments and send billing receipts.
Respond to support requests and improve our help materials.
Debug crashes, monitor uptime, and detect abuse or fraud.
Send transactional emails (e.g. billing, security alerts). Marketing emails only with your consent.

5. Sharing your data

We never sell your personal data. We share it only with the following categories of recipients, and only as needed:

Sub-processors: infrastructure providers (AWS in the EU region), Stripe (payments), Sentry (error monitoring), Postmark (transactional email). A current list is available on request.
Platform partners: Meta (for WhatsApp, Instagram, and Messenger) and Shopify, when you authorise us to connect to those services on your behalf.
Legal authorities: when we are legally compelled to do so. We push back on overbroad requests and notify you wherever lawfully permitted.

All sub-processors are bound by data-processing agreements that match GDPR standards.

6. International transfers

Kuruvi's primary infrastructure is hosted in the EU (Frankfurt). Some sub-processors may be located outside the EEA. In those cases we rely on Standard Contractual Clauses (SCCs) and, where required, supplementary safeguards, to ensure your data is afforded an equivalent level of protection.

7. Data retention

We retain personal data only as long as necessary for the purposes set out above:

Account data: for as long as your account exists, and up to 90 days after deletion for backups.
Synced messages and Shopify data: while your channel is connected. Disconnecting a channel removes its data within 30 days.
Billing records: retained for 7 years to comply with accounting and tax law.
Logs and analytics: rotated within 90 days.

8. Your rights under GDPR

If you are in the EEA or UK, you have the following rights with respect to your personal data:

Right of access — request a copy of the personal data we hold about you.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention obligations.
Right to restrict processing — limit how we use your data while a query is being resolved.
Right to data portability — receive your data in a structured, machine-readable format.
Right to object — object to processing based on legitimate interests or for direct marketing.
Right to withdraw consent — at any time, where processing is based on consent.
Right not to be subject to automated decisions — Kuruvi does not make legally significant decisions about you using purely automated processing.

To exercise any of these rights, email privacy@kuruvi.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

9. Cookies

Our website uses a minimal set of cookies:

Essential cookies — required for sign-in, session management, and CSRF protection. These do not require consent.
Analytics — we use a privacy-friendly analytics tool that does not set tracking cookies and does not identify individuals. No data is shared with advertising networks.

We do not use third-party advertising cookies.

10. Security

We protect personal data with industry-standard measures: TLS in transit, encryption at rest, principle-of-least-privilege access, audit logs, automated vulnerability scanning, and security reviews of major releases. No system is ever 100% secure — if we ever become aware of a personal-data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours, in line with Article 33 GDPR.

11. Children

Kuruvi is intended for businesses and is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we hold such data, contact us and we will delete it.

12. Changes to this policy

We may update this policy occasionally. When we do, we'll change the "Last updated" date at the top and, for material changes, notify you by email or in-app. Continued use of the Service after notice constitutes acceptance of the updated policy.

13. Contact

General privacy questions: privacy@kuruvi.com
Anything else: hello@kuruvi.com