Privacy Policy

1. Introduction

Welcome to Kelvo. We take your privacy seriously. This Privacy Policy explains how QuattroTech OÜ ("we", "us", "our") collects, uses, stores, and protects personal data when you use Kelvo (the "Service"), accessible at kelvo.app.

As a company registered in Estonia and operating within the European Union, we are fully subject to the General Data Protection Regulation (GDPR) (EU) 2016/679. This policy is written to meet those requirements and to give you clear, plain-language information about your data.

By using Kelvo, you acknowledge that you have read and understood this policy. If you do not agree, please stop using the Service.

2. Who We Are

The data controller for all personal data processed through Kelvo is:

As data controller, we determine the purposes and means of processing your personal data. Where we engage third-party services, those parties act as data processors on our behalf under signed data processing agreements.

3. Data We Collect

3.1 Account data

When you create an account, we collect your email address and password (stored as a secure hash). You may optionally provide your full name, business name, business address, and a logo. This data is necessary to provide the Service.

3.2 Business data

To deliver core invoicing functionality, we store data you enter: client names and contact details, invoice line items and amounts, expense records and receipt images, and payment records. This data belongs to you and is processed solely to power the Service on your behalf.

3.3 Usage data

We collect standard server logs including IP addresses, browser type, pages visited, and timestamps. This data is used to maintain service reliability, detect abuse, and improve performance. Logs are retained for 30 days.

3.4 Email communications

If you use the Magic Email Inbox feature, inbound emails sent to your Kelvo address are processed to extract actionable data (payments, expenses). Email content is parsed and discarded; only the extracted data is stored. You can disable this feature at any time.

3.5 Payment data

If you subscribe to Kelvo Pro, payment is processed by our billing provider. We do not store full card numbers or payment credentials. We receive only a billing confirmation, subscription status, and the last four digits of your card for display purposes.

4. How We Use Your Data

We use your personal data to:

• Create and maintain your Kelvo account
• Deliver the invoicing, expense tracking, and accounting features you use
• Send invoices and reminders to your clients on your behalf
• Process payments for Kelvo Pro subscriptions
• Send transactional emails (invoice confirmations, payment notifications, weekly digest)
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations under EU and Estonian law
• Improve the Service based on aggregated, anonymised usage patterns

We do not sell your data. We do not use your data for advertising. We do not profile you for purposes unrelated to delivering the Service.

5. Legal Basis for Processing (GDPR)

Under GDPR Article 6, we rely on the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing your account data, business data, and billing data is necessary to fulfill our contract with you — providing the Kelvo Service.
• Legitimate interests (Art. 6(1)(f)): We process usage logs and security data to protect the integrity of the Service and our users. Our legitimate interest does not override your rights.
• Legal obligation (Art. 6(1)(c)): We may process data where required by EU or Estonian law (e.g. tax record-keeping, law enforcement requests with valid legal basis).
• Consent (Art. 6(1)(a)): Where we send optional marketing communications or use non-essential cookies, we rely on your explicit consent, which you may withdraw at any time.

6. Data Sharing & Third Parties

We share your data only with the sub-processors necessary to operate the Service, each bound by a Data Processing Agreement (DPA):

• Supabase Inc. — database and authentication infrastructure. Data stored in EU-region servers. Privacy policy.
• Resend Inc. — transactional email delivery (invoices, reminders, notifications). Privacy policy.
• Vercel Inc. — application hosting and edge infrastructure. Privacy policy.

We do not share your data with advertisers, data brokers, or any other third parties beyond those listed above. We will notify you if this list changes materially.

We may disclose your data if required by a valid legal order from a competent authority. Where permitted by law, we will notify you before complying.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account:

• Your profile, clients, invoices, and expenses are deleted within 30 days
• Backups are purged within 90 days
• Billing records may be retained for up to 7 years to comply with Estonian accounting law (Raamatupidamise seadus)
• Server logs are deleted after 30 days regardless of account status

You can export all your data at any time from Settings → Export before deleting your account.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of them, email us at privacy@kelvo.app. We will respond within 30 days.

• Right of access (Art. 15): Request a copy of all personal data we hold about you.
• Right to rectification (Art. 16): Correct inaccurate or incomplete data. Most data can be edited directly in Settings.
• Right to erasure (Art. 17): Request deletion of your account and all associated data, subject to legal retention requirements above.
• Right to restriction (Art. 18): Ask us to restrict processing while a dispute is resolved.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (CSV export available in-app).
• Right to object (Art. 21): Object to processing based on legitimate interests. We will stop unless we have compelling grounds.
• Right to withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting prior processing.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee or with the supervisory authority in your EU member state of residence.

9. Cookies

Kelvo uses a minimal set of cookies, strictly necessary for the Service to function:

• Session cookie: Stores your authentication token to keep you logged in. Expires when you log out or after 7 days of inactivity. Essential — cannot be disabled without breaking the Service.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that track you across sites. If we add non-essential cookies in the future, we will request your consent first.

10. International Data Transfers

Our primary infrastructure (Supabase) stores data within the European Economic Area. Some sub-processors (Resend, Vercel) may process data in the United States. Where this occurs, transfers are governed by:

• Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
• The EU-U.S. Data Privacy Framework where applicable

We maintain signed DPAs with all sub-processors covering these transfer mechanisms. Copies are available on request.

11. Security

We implement appropriate technical and organisational measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Row-level security policies ensuring users can only access their own data
• Hashed passwords (bcrypt) — we never store plaintext credentials
• Rate limiting on all API endpoints to prevent abuse
• Regular security reviews of our codebase and infrastructure

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours and affected users without undue delay, as required by GDPR Article 33–34.

12. Children's Privacy

Kelvo is a business tool intended for adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has created an account, please contact us at privacy@kelvo.app and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 14 days before the changes take effect and update the "Last updated" date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact Us

For any questions, data requests, or concerns about this Privacy Policy or our data practices, contact us at:

We aim to respond to all privacy-related inquiries within 5 business days, and will fulfil verified data subject requests within 30 days as required by GDPR.