Privacy Policy
Effective Date: February 19, 2026 · Last Updated: February 19, 2026
This Privacy Policy describes how Kewbed ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our resource allocation planning platform ("Service"). We are committed to protecting your privacy and complying with applicable data protection laws, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union's General Data Protection Regulation (GDPR), and US state privacy laws including the California Consumer Privacy Act (CCPA/CPRA).
1. Information We Collect
1.1 Account Information
- Email address — required for account creation and authentication
- Name — if provided during account setup or via Google OAuth profile
- Password — hashed and stored securely (we never store plaintext passwords)
- Google OAuth tokens — if you connect your Google account for Drive file access (stored encrypted, used only for file retrieval)
1.2 Organization Data (Customer Data)
- Resource names, department structures, trade classifications
- Project names, assignments, allocation percentages, dates
- Billing rates and organizational settings
Important: Customer Data belongs to you. We process it solely to provide the Service. See our Terms of Service for data ownership details.
1.3 Technical and Usage Data
- Error reports — collected via Sentry for debugging and service reliability. Includes error stack traces, browser type, and page URL. No marketing analytics or behavioral tracking is performed.
- Server logs — standard web server access logs maintained by our infrastructure providers (Vercel, Supabase). These include IP addresses, request timestamps, and HTTP status codes.
1.4 What We Do NOT Collect
- We do not use marketing cookies, advertising trackers, or analytics tools that track user behavior.
- We do not collect financial information directly (future payment processing will be handled by Stripe).
- We do not collect biometric data, geolocation, or device identifiers for tracking purposes.
2. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide the Service | Account info, Customer Data | Contract performance |
| Authenticate your identity | Email, password, OAuth tokens | Contract performance |
| Fix bugs and maintain reliability | Error reports (Sentry) | Legitimate interest |
| Respond to support requests | Email, account info | Contract performance |
| Send service notifications | Contract performance | |
| Comply with legal obligations | As required | Legal obligation |
3. Cookies and Tracking
The Service uses only essential cookies required for authentication and session management (set by Supabase Auth). We do not use:
- Marketing or advertising cookies
- Analytics cookies (Google Analytics, Mixpanel, etc.)
- Third-party tracking pixels or beacons
- Cross-site tracking of any kind
Because we use only strictly necessary cookies, no cookie consent banner is required under GDPR or ePrivacy Directive.
4. Data Storage and Security
4.1 Where Your Data Is Stored
Customer Data and account information are stored on Supabase, which uses Amazon Web Services (AWS) infrastructure. Data may be stored in the following regions depending on Supabase project configuration:
- AWS regions in the United States or Canada
4.2 Security Measures
- Encryption in transit: All connections use TLS 1.2 or higher (HTTPS)
- Encryption at rest: Data is encrypted at rest using AES-256 via AWS
- Row Level Security: Multi-tenant data isolation at the database level ensures organizations cannot access each other's data
- Access control: Role-based access control (Admin, Manager, Finance, Viewer) enforced both in the UI and at the database level
- Authentication: Passwords are hashed using bcrypt. JWT tokens are used for session management with automatic expiry.
5. Third-Party Service Providers
We use the following third-party processors to operate the Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, real-time sync | All Customer Data, account info | AWS (US) |
| Vercel | Web hosting and CDN | Server logs (IP, request data) | Global CDN |
| Sentry | Error tracking | Error reports, browser info | US |
| OAuth login, Drive file access | Email, name (via OAuth); file access tokens | US | |
| Resend | Transactional email (password reset) | Email address | US |
| Cloudflare | DNS and DDoS protection | Server logs (IP, request data) | Global |
Each provider maintains their own privacy and security practices. We select providers that maintain appropriate security certifications (SOC 2 Type II for Supabase and Vercel).
6. Data Retention
- Active accounts: Customer Data is retained for the duration of your subscription.
- After termination: Customer Data is available for export for 30 days after account termination, then permanently deleted within 60 days.
- Error logs (Sentry): Retained for 90 days, then automatically purged.
- Server logs: Retained per infrastructure provider policies (typically 30 days).
- Backup data: May persist in encrypted backups for up to 30 days after deletion from the live system.
7. Your Privacy Rights
7.1 Rights Under PIPEDA (Canada)
Under Canada's Personal Information Protection and Electronic Documents Act, you have the right to:
- Access your personal information held by us
- Correct inaccurate personal information
- Withdraw consent for non-essential processing
- File a complaint with the Office of the Privacy Commissioner of Canada
7.2 Rights Under GDPR (European Union)
If you are located in the European Economic Area (EEA), you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — request that we limit processing of your data
- Data portability — receive your data in a structured, machine-readable format (CSV/Excel export)
- Object — object to processing based on legitimate interest
- Lodge a complaint with your local Data Protection Authority
For GDPR purposes, Kewbed is the data controller for account information and the data processor for Customer Data uploaded by your organization.
7.3 Rights Under US State Privacy Laws (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Opt out of the sale or sharing of personal information
- Non-discrimination for exercising your privacy rights
We do not sell or share your personal information as defined under CCPA/CPRA. We do not use personal information for targeted advertising.
8. International Data Transfers
Your data may be transferred to and processed in the United States through our infrastructure providers. For transfers from the EEA, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Our providers' compliance with applicable data protection frameworks
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice within the Service at least 15 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the policy was last revised.
11. Contact Us
For privacy inquiries, data access requests, or to exercise any of your rights described above, contact us at:
- Email: support@kewbed.com
- Subject line: "Privacy Request - [Your Request]"
We will respond to all privacy requests within 30 days (or within the timeframe required by applicable law).