Privacy Policy
Last updated: 22 June 2026 ยท Compliant with the EU General Data Protection Regulation (GDPR)
This Privacy Policy explains how Kuruvi ("we", "us", "our") collects, uses, stores, and shares personal data when you use the Kuruvi application, the kuruvi.com website, and related services (collectively, the "Service"). We take your privacy seriously and aim to be as transparent as possible.
1. Who we are
The data controller for the personal data we hold about you is Kuruvi. For any questions about this policy or to exercise your rights, contact us at hello@kuruvi.com. If your enquiry concerns data protection specifically, you can reach our data protection lead at privacy@kuruvi.com.
2. What personal data we collect
Information you give us
- Account information: your name, email address, password (stored hashed), and business name when you sign up.
- Billing information: processed by our payment provider (Stripe). We store the last four digits of your card and your billing address, never the full card number.
- Support correspondence: messages you send us, and any information you choose to include.
Information we sync on your behalf
- Channel data: when you connect WhatsApp Business, Instagram, or Facebook Messenger, we sync your conversations, contact names, profile photos, and message content so we can show them in your inbox.
- Shopify data: when you connect Shopify, we read your customers (name, email, phone), order history, and order statuses, plus products, to display them alongside conversations. See section 16 for the full Shopify Protected Customer Data disclosure.
Information we collect automatically
- Usage data: log data such as IP address, device type, OS version, app version, and timestamps. We use this for security, debugging, and product improvement.
- Cookies and similar: the website uses essential cookies for session management and one privacy-preserving analytics cookie. See section 10.
3. Legal basis for processing (Article 6 GDPR)
We rely on the following lawful bases for processing your personal data:
- Contract (Art. 6(1)(b)): to provide the Service you've signed up for โ syncing your inbox, showing Shopify context, processing payments.
- Legitimate interests (Art. 6(1)(f)): to keep the Service secure, prevent abuse, and improve features based on aggregated usage. These interests are balanced against your rights.
- Consent (Art. 6(1)(a)): for optional marketing emails and non-essential analytics. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): when we must retain or disclose data to comply with tax, accounting, or law-enforcement requirements.
4. How we use your information
We use personal data to:
- Operate the Service โ sync messages, display Shopify context, send notifications.
- Authenticate you and keep your account secure.
- Process subscription payments and send billing receipts.
- Respond to support requests and improve our help materials.
- Debug crashes, monitor uptime, and detect abuse or fraud.
- Send transactional emails (e.g. billing, security alerts).
Marketing emails: we only send marketing emails if you opt in during signup or via account settings. You can unsubscribe anytime via the link in every email, or by emailing privacy@kuruvi.com. Unsubscribing from marketing does not stop transactional messages tied to your account.
5. Sharing your data
We never sell your personal data. We share it only with the following categories of recipients, and only as needed.
Sub-processors
The third parties below process data on our behalf under data-processing agreements (DPAs) that match GDPR standards.
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Firebase / Google Cloud | Infrastructure (Firestore, Auth, Storage, Cloud Functions, FCM push, App Check) | US (us-central1) | Yes |
| Stripe | Subscription payments & billing | US / EU | Yes |
| OpenAI | AI features (Ask Kuruvi, AI replies, summaries โ see section 6) | US | Yes |
| Anthropic | AI features (Claude fallback for customer-support tasks) | US | Yes |
| SendGrid (Twilio) | Transactional email delivery & inbound mail parse | US | Yes |
| Meta APIs | WhatsApp Business, Instagram DMs, Facebook Messenger sync | US | Yes |
| Google APIs | Gmail OAuth, YouTube posting | US | Yes |
| Shopify | Order & customer sync from your connected store | US / CA | Yes |
| eBay | Order & listing sync from your connected eBay shop | US | Yes |
| Telegram Bot API | Telegram bot message routing | Netherlands / various | Yes |
Note: when you connect a self-hosted WooCommerce store, the WooCommerce site itself runs on infrastructure you control (your WordPress host) โ not on a Kuruvi-managed sub-processor. Webhook delivery between your store and Kuruvi goes through Google Cloud Functions in us-central1.
- Legal authorities: when we are legally compelled to do so. We push back on overbroad requests and notify you wherever lawfully permitted.
6. AI processing
When you use AI features (suggested replies, conversation summaries, Ask Kuruvi help), we send the relevant conversation content or question to OpenAI as a sub-processor under OpenAI's API terms. OpenAI does not train models on this data. We do not send AI providers your full inbox, only the specific content needed for the requested AI task. You can disable AI features in Settings โ AI.
For customer-support AI tasks (suggested replies, conversation summaries, order-status drafts), the request may fall back to Anthropic (Claude) if OpenAI is unavailable. Ask Kuruvi help requests use OpenAI only. Both providers contractually commit not to train on API data.
Before sending content to any AI provider, Kuruvi sanitises common sensitive patterns (card numbers, Shopify/Stripe API tokens, Google API keys, Bearer tokens). Customer names are reduced to first name; order data is reduced to a small set of fields (order number, status, item titles, tracking number).
7. International transfers
Kuruvi's primary application infrastructure runs on Firebase and Google Cloud. Some sub-processors and platform partners may process data outside the EEA. In those cases we rely on Standard Contractual Clauses (SCCs) and, where required, supplementary safeguards, to ensure your data is afforded an equivalent level of protection.
Data residency: primary data is stored in Google Cloud's us-central1 region. EU customer data may be moved to europe-west1 in future as our EU customer base grows. We'll notify affected users before any such migration and update this section.
8. Data retention
We retain personal data only as long as necessary for the purposes set out above:
- Account data: for as long as your account exists, and up to 90 days after deletion for backups.
- Synced messages and Shopify data: while your channel is connected. Disconnecting a channel removes its data within 30 days.
- Billing records: retained for 7 years to comply with accounting and tax law.
- Logs and analytics: rotated within 90 days.
- AI request logs: the question and the chunk IDs used to answer it are retained for up to 90 days for safety review and quality improvement. Sanitised before logging.
9. Your rights under GDPR
If you are in the EEA or UK, you have the following rights with respect to your personal data:
- Right of access โ request a copy of the personal data we hold about you.
- Right to rectification โ correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") โ ask us to delete your data, subject to legal retention obligations.
- Right to restrict processing โ limit how we use your data while a query is being resolved.
- Right to data portability โ receive your data in a structured, machine-readable format.
- Right to object โ object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent โ at any time, where processing is based on consent.
- Right not to be subject to automated decisions โ Kuruvi does not make legally significant decisions about you using purely automated processing.
To exercise any of these rights, email privacy@kuruvi.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
10. Cookies
Our website uses a minimal set of cookies:
- Essential cookies โ required for sign-in, session management, and CSRF protection. These do not require consent.
- Analytics โ we use a privacy-friendly analytics tool that does not set tracking cookies and does not identify individuals. No data is shared with advertising networks.
We do not use third-party advertising cookies.
11. Security
We protect personal data with industry-standard measures: TLS in transit, encryption at rest, principle-of-least-privilege access, audit logs, automated vulnerability scanning, and security reviews of major releases. No system is ever 100% secure โ if we ever become aware of a personal-data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours, in line with Article 33 GDPR.
Data-loss prevention & unauthorized-access controls:
- Firebase Security Rules enforce per-merchant data isolation and prevent unauthorized access โ users can only reach their own (or their team's) data.
- All API calls are authenticated, and privileged operations run through Cloud Functions that verify the caller's identity (with Firebase App Check on top).
- Rate limiting is enabled on sensitive and costly endpoints to prevent abuse.
- Suspicious-activity monitoring โ we monitor logs and usage for anomalous activity and alert on it.
For our full incident-response process and how to report a vulnerability, see our Security page.
12. California residents (CCPA/CPRA)
If you live in California, you have specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to know โ request the categories and specific pieces of personal information we have collected about you in the past 12 months, along with how we use and share it.
- Right to delete โ request deletion of personal information we have collected from you, subject to legal-retention exceptions.
- Right to correct โ request that we correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" โ Kuruvi does not sell or share personal information as those terms are defined under the CCPA/CPRA. We have nothing to opt you out of, but the right exists if our practices ever change.
- Right to limit use of sensitive personal information โ you can ask us to restrict the use of sensitive categories (e.g. precise geolocation, account credentials) to what's strictly necessary to provide the Service.
- Right to non-discrimination โ we won't deny you the Service, charge you more, or give you a worse experience for exercising any of these rights.
To exercise any California right, email privacy@kuruvi.com with "California rights request" in the subject. We verify the request by confirming control of the account email and respond within 45 days (extendable by 45 if reasonably necessary, with notice). Authorised agents may submit requests on your behalf with written permission.
13. Children
Kuruvi is intended for businesses and is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we hold such data, contact us and we will delete it.
14. Changes to this policy
We may update this policy occasionally. When we do, we'll change the "Last updated" date at the top and, for material changes, notify you by email or in-app. Continued use of the Service after notice constitutes acceptance of the updated policy.
15. Contact
General privacy questions: privacy@kuruvi.com
Anything else: hello@kuruvi.com
16. Shopify Protected Customer Data
This section sets out, specifically, how Kuruvi handles Protected Customer Data accessed through the Shopify API, in line with Shopify's Protected Customer Data requirements.
16.1 What Shopify data we access
When a merchant connects their Shopify store, Kuruvi accesses only the following customer and order data, and only to provide the Service:
- Customer name
- Customer email address
- Customer phone number
- Order history (order number, line items, totals)
- Order status (financial and fulfilment status, tracking)
We do not request or store full payment card numbers โ payment data stays with Shopify and its payment processors.
16.2 How we use it
- Display beside customer messages โ so a seller sees the relevant order context next to a conversation.
- Match customers across platforms โ to link a Shopify customer to the same person's WhatsApp/Instagram/Messenger/email thread.
- Help sellers respond to inquiries โ order details power replies, summaries, and support context.
We do not use Shopify Protected Customer Data for advertising, profiling unrelated to the merchant's own customer service, or resale.
16.3 Data retention and deletion
- Shopify data is retained only while the app is installed and the store remains connected.
- On uninstall or disconnection, the associated Shopify customer and order data is deleted within 30 days.
- Kuruvi implements Shopify's mandatory compliance webhooks โ
customers/data_request,customers/redact, andshop/redactโ so customer-data requests and erasure are honoured automatically.
16.4 Data security
- Encrypted at rest using AES-256 (Google Cloud / Firestore default encryption), with sensitive credentials additionally protected via Google Cloud KMS.
- Encrypted in transit using TLS.
- Access controls โ least-privilege access, Firebase App Check, per-merchant data isolation, and audit logging.
16.5 Third-party sharing
Shopify Protected Customer Data is stored only with Google Firebase / Google Cloud (our infrastructure sub-processor, under a DPA). It is never sold to third parties. The only other processing is the limited, sanitised order context optionally sent to AI providers as described in section 6 (customer names reduced to first name; order data reduced to a small field set).
16.6 Merchant and customer rights
- Request deletion of their data at any time.
- Export their data.
- Contact us at hello@kuruvi.com for any Shopify data request.
16.7 GDPR & CCPA
Shopify Protected Customer Data is covered by the same GDPR rights and lawful bases set out in sections 3 and 9, and the CCPA/CPRA rights in section 12. Kuruvi acts as a data processor for this data on behalf of the merchant (the data controller).