Privacy Policy

Last updated: 2026-04-20 · Version 1.0

This policy describes how Kilwa ("we", "us") collects, uses, and protects personal data of users of our website, mobile apps, Telegram bot, and API (the "Service").

1. Data we collect

  • Account data: email, password hash, tier, timezone, country — used to sign you up, bill you, and gate tier features.
  • Payment data: Stripe customer ID and last 4 of card (we never store full card numbers).
  • Usage data: pages visited, signal interactions, Telegram deliveries — for product improvement and support.
  • Device data: IP address, user-agent, timezone — for fraud prevention and localisation.
  • Diagnostics: error reports and crash logs via Sentry, for reliability.

2. Why we process it (GDPR legal bases)

  • Contract performance — to provide the signal service you're paying for.
  • Legitimate interest — fraud prevention, product analytics, security.
  • Legal obligation — tax, AML, regulator information requests.
  • Consent — marketing emails and non-essential cookies (you can withdraw any time).

3. Who we share it with

Only processors necessary to run the service: Stripe (payments), Resend (email), Telegram (delivery, if you link), Sentry (errors), Cloudflare (edge/DDoS), our cloud host.

We do not sell your data. We do not share it with advertisers.

4. Retention

Account data: while your account is active + up to 7 years after closure to satisfy tax and regulator record-keeping rules. Signal logs: 5 years. Analytics: 26 months. Backups are rotated out within 90 days.

5. International transfers

We host in the EU (primary) and may transfer to the US for Stripe/Sentry using the appropriate Standard Contractual Clauses and the EU-US Data Privacy Framework.

6. Your rights

Under GDPR / UK GDPR / CCPA / UAE PDPL you can request: access, rectification, erasure, restriction, portability, objection. Email privacy@kilwa.archivesy.com. We respond within 30 days.

7. Children

The Service is not for anyone under 18. We don't knowingly collect data from minors and delete it promptly if we become aware.

8. Contact

Data Protection Officer: dpo@kilwa.archivesy.com. Lodge a complaint with your local data-protection authority if unresolved.

Full draft (under counsel review) available in the project repository: legal/drafts/privacy-policy.md.