Privacy Policy

Last updated: 22 June 2026 ยท Compliant with the EU General Data Protection Regulation (GDPR)

This Privacy Policy explains how Kuruvi ("we", "us", "our") collects, uses, stores, and shares personal data when you use the Kuruvi application, the kuruvi.com website, and related services (collectively, the "Service"). We take your privacy seriously and aim to be as transparent as possible.

Short version: We collect only what we need to run Kuruvi (your account, the messages we sync on your behalf, and basic usage analytics). We never sell your data. We're a data controller for your account information and a data processor for the messages and Shopify data we sync for you. You can export or delete everything at any time.

1. Who we are

The data controller for the personal data we hold about you is Kuruvi. For any questions about this policy or to exercise your rights, contact us at hello@kuruvi.com. If your enquiry concerns data protection specifically, you can reach our data protection lead at privacy@kuruvi.com.

2. What personal data we collect

Information you give us

Information we sync on your behalf

Information we collect automatically

3. Legal basis for processing (Article 6 GDPR)

We rely on the following lawful bases for processing your personal data:

4. How we use your information

We use personal data to:

Marketing emails: we only send marketing emails if you opt in during signup or via account settings. You can unsubscribe anytime via the link in every email, or by emailing privacy@kuruvi.com. Unsubscribing from marketing does not stop transactional messages tied to your account.

5. Sharing your data

We never sell your personal data. We share it only with the following categories of recipients, and only as needed.

Sub-processors

The third parties below process data on our behalf under data-processing agreements (DPAs) that match GDPR standards.

Sub-processor Purpose Location DPA
Firebase / Google Cloud Infrastructure (Firestore, Auth, Storage, Cloud Functions, FCM push, App Check) US (us-central1) Yes
Stripe Subscription payments & billing US / EU Yes
OpenAI AI features (Ask Kuruvi, AI replies, summaries โ€” see section 6) US Yes
Anthropic AI features (Claude fallback for customer-support tasks) US Yes
SendGrid (Twilio) Transactional email delivery & inbound mail parse US Yes
Meta APIs WhatsApp Business, Instagram DMs, Facebook Messenger sync US Yes
Google APIs Gmail OAuth, YouTube posting US Yes
Shopify Order & customer sync from your connected store US / CA Yes
eBay Order & listing sync from your connected eBay shop US Yes
Telegram Bot API Telegram bot message routing Netherlands / various Yes

Note: when you connect a self-hosted WooCommerce store, the WooCommerce site itself runs on infrastructure you control (your WordPress host) โ€” not on a Kuruvi-managed sub-processor. Webhook delivery between your store and Kuruvi goes through Google Cloud Functions in us-central1.

6. AI processing

When you use AI features (suggested replies, conversation summaries, Ask Kuruvi help), we send the relevant conversation content or question to OpenAI as a sub-processor under OpenAI's API terms. OpenAI does not train models on this data. We do not send AI providers your full inbox, only the specific content needed for the requested AI task. You can disable AI features in Settings โ†’ AI.

For customer-support AI tasks (suggested replies, conversation summaries, order-status drafts), the request may fall back to Anthropic (Claude) if OpenAI is unavailable. Ask Kuruvi help requests use OpenAI only. Both providers contractually commit not to train on API data.

Before sending content to any AI provider, Kuruvi sanitises common sensitive patterns (card numbers, Shopify/Stripe API tokens, Google API keys, Bearer tokens). Customer names are reduced to first name; order data is reduced to a small set of fields (order number, status, item titles, tracking number).

7. International transfers

Kuruvi's primary application infrastructure runs on Firebase and Google Cloud. Some sub-processors and platform partners may process data outside the EEA. In those cases we rely on Standard Contractual Clauses (SCCs) and, where required, supplementary safeguards, to ensure your data is afforded an equivalent level of protection.

Data residency: primary data is stored in Google Cloud's us-central1 region. EU customer data may be moved to europe-west1 in future as our EU customer base grows. We'll notify affected users before any such migration and update this section.

8. Data retention

We retain personal data only as long as necessary for the purposes set out above:

9. Your rights under GDPR

If you are in the EEA or UK, you have the following rights with respect to your personal data:

To exercise any of these rights, email privacy@kuruvi.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

10. Cookies

Our website uses a minimal set of cookies:

We do not use third-party advertising cookies.

11. Security

We protect personal data with industry-standard measures: TLS in transit, encryption at rest, principle-of-least-privilege access, audit logs, automated vulnerability scanning, and security reviews of major releases. No system is ever 100% secure โ€” if we ever become aware of a personal-data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours, in line with Article 33 GDPR.

Data-loss prevention & unauthorized-access controls:

For our full incident-response process and how to report a vulnerability, see our Security page.

12. California residents (CCPA/CPRA)

If you live in California, you have specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

To exercise any California right, email privacy@kuruvi.com with "California rights request" in the subject. We verify the request by confirming control of the account email and respond within 45 days (extendable by 45 if reasonably necessary, with notice). Authorised agents may submit requests on your behalf with written permission.

13. Children

Kuruvi is intended for businesses and is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we hold such data, contact us and we will delete it.

14. Changes to this policy

We may update this policy occasionally. When we do, we'll change the "Last updated" date at the top and, for material changes, notify you by email or in-app. Continued use of the Service after notice constitutes acceptance of the updated policy.

15. Contact

General privacy questions: privacy@kuruvi.com
Anything else: hello@kuruvi.com

16. Shopify Protected Customer Data

This section sets out, specifically, how Kuruvi handles Protected Customer Data accessed through the Shopify API, in line with Shopify's Protected Customer Data requirements.

16.1 What Shopify data we access

When a merchant connects their Shopify store, Kuruvi accesses only the following customer and order data, and only to provide the Service:

We do not request or store full payment card numbers โ€” payment data stays with Shopify and its payment processors.

16.2 How we use it

We do not use Shopify Protected Customer Data for advertising, profiling unrelated to the merchant's own customer service, or resale.

16.3 Data retention and deletion

16.4 Data security

16.5 Third-party sharing

Shopify Protected Customer Data is stored only with Google Firebase / Google Cloud (our infrastructure sub-processor, under a DPA). It is never sold to third parties. The only other processing is the limited, sanitised order context optionally sent to AI providers as described in section 6 (customer names reduced to first name; order data reduced to a small field set).

16.6 Merchant and customer rights

16.7 GDPR & CCPA

Shopify Protected Customer Data is covered by the same GDPR rights and lawful bases set out in sections 3 and 9, and the CCPA/CPRA rights in section 12. Kuruvi acts as a data processor for this data on behalf of the merchant (the data controller).