Privacy Policy

Krova is the controller of the personal data described in this policy, unless stated otherwise. For privacy questions, requests or complaints, please contact us at [email protected].

2.1 Account data

• Email address, name and (if you sign in with Google) the profile photo URL associated with that Google account.
• Authentication identifiers from our authentication system (session tokens, magic-link tokens, OAuth account references).
• Your role within a space (owner, admin, member, viewer) and any permissions granted to you.

2.2 Authentication and session data

• IP address and user-agent string of the device used to sign in, recorded against each session for security purposes.
• Magic-link request timestamps, sign-in attempts and session expiry information.

2.3 Billing data

• Credit balance, top-up and subscription history, ledger entries and invoice metadata.
• Identifiers issued by our payment provider for your customer record, subscriptions, checkouts and orders. We do not store full payment card details on our systems; those are held by the payment provider under its own privacy notice.

2.4 Operational and product data

• Metadata about the resources you create — spaces, Cubes, snapshots, backups, custom domains, port mappings, API keys, SSH public keys.
• Lifecycle and audit logs capturing the actions you take in the dashboard, server actions and API.
• Job logs and real-time events used to stream status updates back to your browser.

2.5 Email delivery telemetry

We record delivery events for transactional and marketing emails (e.g. delivered, bounced, complained, failed) returned to us by our email provider. These records are stored against your user identifier for a limited period and pruned periodically.

2.6 Website and product analytics

We use Google Tag Manager to load Google Analytics and may use similar analytics, performance and product-telemetry tools to understand how visitors and customers interact with our website and dashboard. These tools may collect information such as your IP address, device, browser, operating system, referrer, pages viewed, links clicked, session duration, interaction events, general (city / country) location inferred from IP, and a pseudonymous identifier stored in cookies or local storage. See our Cookie Policy for details about the specific cookies set.

2.7 Customer Content inside your Cubes

Anything you install on, upload to or generate within a Cube is Customer Content. We do not routinely inspect Customer Content. We may access host-level metadata about a Cube (resource usage, boot state, network attributes) and, where necessary, the Customer Content itself to operate the Service, troubleshoot incidents, enforce our Terms of Service or Acceptable Use Policy, investigate suspected abuse, fraud or security threats, or comply with applicable law or a legal request.

We use personal data to:

• create and operate your account, authenticate you and provide the features of the Service;
• measure and bill resource usage, process payments, apply surcharges, grant or claw back subscription credit, and pursue unpaid amounts;
• send transactional emails (sign-in links, billing alerts, security notices, abuse notifications, service announcements);
• send service updates and, where permitted, marketing communications you can opt out of at any time;
• secure the Service against abuse, fraud, intrusion and outages, including by analysing access logs, rate-limiting behaviour, building profiles of suspicious activity and sharing information with law-enforcement bodies where appropriate;
• comply with our legal obligations and enforce our Terms of Service and Acceptable Use Policy;
• measure and improve the performance, security and design of the Service, including by analysing usage trends and building aggregated or de-identified statistics that we may use freely for any purpose;
• establish, exercise or defend legal claims.

If you are in the European Economic Area or the United Kingdom, our legal bases for processing your personal data are:

• Contract: to create your account, provide the Service and process payments under our Terms.
• Legitimate interests: to secure the Service, prevent and investigate abuse and fraud, recover unpaid amounts, measure and improve our product, and run our business efficiently. We balance these interests against your rights and freedoms.
• Legal obligation: to keep records required by tax, accounting, sanctions or other applicable laws and to respond to lawful requests from authorities.
• Consent: where required, for example for certain marketing communications or non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

We do not sell your personal data for monetary consideration, and we do not share personal data with third parties for cross-context behavioural advertising. We share personal data only with the following categories of recipients and only as needed to provide, secure, market or improve the Service or as required by law:

• Infrastructure providers — bare-metal server and storage providers that host our infrastructure. Customer Content sits on infrastructure operated by these providers.
• Payment provider — Polar, for payment processing of top-ups and subscriptions. The payment provider receives billing identifiers and processes card data under its own privacy notice.
• Cloudflare — DNS, edge networking, bot mitigation and Cloudflare for SaaS for customer custom-domain routing and TLS.
• Email provider — EmailIt, for delivery of transactional and marketing email and storage of delivery telemetry. The provider receives your email address and the content of messages we send you.
• Real-time messaging — Pusher or our self-hosted Soketi for real-time delivery of UI update events to your browser.
• Analytics and product telemetry — Google (Tag Manager, Analytics) and any similar analytics or product- telemetry providers we use from time to time. These providers may set cookies in your browser; see our Cookie Policy.
• Google— if you choose Google as your sign-in method, Google receives an authentication request and returns your profile information to us under Google's privacy policy.
• Professional advisers and authorities— lawyers, accountants, auditors and law-enforcement or regulatory bodies where we determine, in our discretion, that disclosure is appropriate, including in response to lawful requests or to protect our or others' rights, property or safety.
• Corporate transactions — counterparties, advisers and successors in connection with a merger, acquisition, financing, reorganisation or sale of all or part of our business or assets. The recipient may continue to use your personal data as described in this policy or under a replacement policy we make available.

Our subprocessors operate globally and your personal data may be transferred to and processed in countries outside your country of residence, including outside the EEA, the United Kingdom and Switzerland. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other mechanisms permitted by applicable law or published by the relevant subprocessor.

We keep personal data only for as long as we reasonably need it for the purposes described in this policy, and longer where required or permitted by applicable law (for example, tax, accounting, anti-fraud, audit, dispute-handling and the establishment, exercise or defence of legal claims). Indicative retention periods are:

• Account data: for the lifetime of your account and a reasonable period afterwards for billing, dispute and legal-compliance purposes.
• Session and authentication data: for the duration of the session, plus a security-forensics window.
• Billing records and invoices: for the period required by applicable tax and accounting law (typically up to 10 years).
• Audit and lifecycle logs: for as long as necessary for security, compliance and dispute-handling purposes.
• Email delivery telemetry, job logs and similar operational telemetry: for a limited period and pruned periodically.
• Customer Content (Cubes, snapshots, backups): until you delete it or your account is closed or terminated; residual copies may persist in backups and operational systems for a reasonable rotation period before permanent removal.

We may retain personal data for longer where necessary to investigate or defend against suspected fraud, abuse, security incidents, chargebacks or legal claims, or as required by law.

If your application processes personal data of your own end users inside a Cube, you act as the controller (or equivalent) of that data and Krova acts as your processor (or equivalent) for that processing only. You must have a lawful basis for that processing, inform your end users as required by law and implement appropriate technical and organisational measures inside your Cube. We process such data only on your documented instructions, as described in our Terms and any data-processing addendum we make available where one is required.

Depending on where you live, you may have the right, subject to applicable conditions and exemptions, to:

• access the personal data we hold about you;
• correct inaccurate or incomplete personal data;
• request deletion of your personal data;
• restrict or object to certain processing, including direct marketing;
• receive a portable copy of personal data you provided to us; and
• lodge a complaint with your local data-protection authority.

You can exercise many of these rights directly from your profile (for example by editing your details, exporting your data or deleting your account). For anything else, write to us at [email protected]. We will respond within the timeframe required by applicable law. We may need to verify your identity, ask for additional information or, where permitted by law, decline or charge a reasonable fee for manifestly unfounded or excessive requests.

We may send you marketing communications about Krova — for example product updates, tips and offers. Where applicable law requires prior consent (including in the European Economic Area and the United Kingdom), we will only send marketing communications after you have given that consent. Elsewhere, we rely on the soft-opt-in or the legitimate interest of marketing our own similar products and services to existing customers.

You can opt out of marketing communications at any time by:

• toggling the marketing-email setting in your profile in the dashboard; or
• clicking the unsubscribe link in any marketing email we send.

Opting out of marketing does not stop transactional or service-related emails (sign-in links, billing notifications, security alerts, abuse notices and service announcements) that are necessary to operate the Service.

We use industry-standard administrative, technical and physical safeguards designed to protect personal data against unauthorised access, alteration, disclosure and destruction, including encryption of sensitive secrets, transport-layer encryption, audit logging, access controls and isolation between customer environments. No system is perfectly secure, however, and we do not guarantee the security of any personal data or Customer Content. You are responsible for the security of any software and data you put inside your Cubes and on any devices you use to access the Service.

The Service is not intended for, and we do not knowingly collect personal data from, anyone under 18 (or the age of majority in your jurisdiction, if higher). If you believe a child has provided us with personal data, please contact us so we can take appropriate action, including deleting the account.

We use a limited set of cookies and similar technologies to operate the Service and to measure how it is used. For details, see our Cookie Policy.

We may update this policy from time to time. When we make changes, we will update the “Last updated” date above. Where we make material changes, we will use reasonable efforts to give additional notice — for example, by email or an in-product banner — but no specific notice period is guaranteed. Your continued use of the Service after the updated policy takes effect constitutes acceptance of it.

For any privacy question or to exercise your rights, contact us at [email protected].

Krova · krova.cloud