Effective: March 18, 2026

Privacy Policy

At Kolva AI, we are committed to protecting your privacy and being transparent about how we handle your data. This policy explains what we collect, why, and how we keep it safe.

Information We CollectHow We Use ItThird PartiesData RetentionSecurityYour RightsContact

This Privacy Policy describes how Kolva AI ("Kolva", "we", "us", or "our") collects, uses, and shares information when you use our platform at kolva.ai and our mobile applications (collectively, the "Service").

Kolva is a business-to-business (B2B) platform designed for enterprise field sales management, financial intelligence, and laboratory operations. The Service is intended for use by authorized employees and representatives of our business customers.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

Section 1

Information We Collect

Account Information

  • Identity data: Full name, email address, company name, and job role provided during registration.
  • Authentication data: Securely managed by Supabase Auth. We do not store passwords in plain text.
  • Company data: Organization name, industry, and configuration preferences for multi-tenant isolation.

Device Permissions & Sensor Data

  • Location (GPS): Used for route optimization, visit tracking, and driving mode. Collected only when the app is in use or when driving mode is explicitly activated. You can revoke location permission at any time in your device settings.
  • Microphone: Used for voice commands, the "Hey Kolva" wake word, and visit debrief transcription. Audio is processed in real-time and is not stored permanently. You can revoke microphone permission at any time.
  • Camera: Used for product photos and shelf scanning. Photos are uploaded to secure company-scoped storage. You can revoke camera permission at any time.
  • Push notifications: Delivered via Firebase Cloud Messaging (FCM). Used for visit reminders, order updates, and team coordination. You can disable notifications in your device settings.

Business Data

  • ERP data: Data synced from your organization's ERP system (e.g., Sage X3, SAP) through on-premise agents. This includes customers, orders, invoices, products, and financial records as configured by your administrator.
  • AI-processed data: Business data analyzed by Anthropic Claude AI to generate insights, anomaly detection, and recommendations. AI processing is ephemeral -- your data is not used to train AI models.
  • Offline cache: A subset of your business data is cached locally on your device using SQLite for offline access. This data is encrypted and deleted when you sign out.

Automatically Collected Data

  • Usage data: Pages visited, features used, timestamps, and interaction patterns to improve the Service.
  • Device data: Device type, operating system, browser type, and app version for compatibility and debugging.
  • Log data: Server logs including IP addresses, request timestamps, and error reports for security and reliability.

Section 2

How We Use Your Information

We use the information we collect for the following purposes:

Provide and operate the Service. Authenticate users, display business data, process orders, and deliver core platform functionality.
ERP-grounded insights. Analyze business data to generate actionable insights, detect anomalies, forecast revenue, and provide intelligent recommendations.
Route optimization. Use location data to optimize sales routes, track visit completion, and enable driving mode navigation.
Communication. Send transactional emails (alerts, reports, notifications), push notifications, and platform announcements.
Security and fraud prevention. Monitor for unauthorized access, enforce role-based permissions, and maintain audit trails.
Improvement and analytics. Understand usage patterns to improve features, fix bugs, and optimize performance.
Legal compliance. Fulfill legal obligations, respond to lawful requests, and enforce our Terms of Service.

Section 3

Third-Party Services

We use trusted third-party services to operate the platform. Each provider is contractually bound to protect your data and use it only for the purposes we specify.

We do not sell, rent, or trade your personal information to any third party.

AI connectors (MCP). You may connect your own AI assistant — such as Claude or ChatGPT — to your Kolva data through our Model Context Protocol (MCP) connector. When you do, the data you query is transmitted to the AI provider you chose, under your own agreement with that provider: in this flow they act on your instruction, not as a Kolva sub-processor. This access is read-only by default, limited to your role’s perimeter, fully audited, and revocable at any time from Settings → AI connector.

ServicePurpose
SupabaseDatabase, authentication, file storage
Anthropic (Claude)ERP-grounded business insights and analysis
Firebase (Google)Push notifications (FCM)
Google Maps PlatformRoute optimization, geocoding
VercelWeb application hosting and CDN
StripePayment processing
ResendTransactional email delivery

For a complete list of sub-processors, visit our Trust Center.

Section 4

Data Retention

We retain your data for as long as your organization maintains an active account with Kolva, plus a reasonable period afterward for legitimate business purposes.

Account dataDuration of active account + 90 days after deletion request
Business data (ERP sync)Configurable per company. Default: 36 months. Deleted within 30 days of request.
Audit logs36 months (immutable, for security and compliance)
AI processing dataEphemeral -- not retained after processing is complete
Offline cacheDeleted on sign-out or app uninstall
Server logs90 days

When your organization requests data deletion, we will remove or anonymize all personal data within 30 days, except where retention is required by law or for legitimate security purposes (e.g., audit logs).

Section 5

Data Security

We implement industry-standard security measures to protect your data:

Encryption at rest

AES-256 encryption for all stored data.

Encryption in transit

TLS 1.3 for all API calls, webhooks, and data transfers.

Access control

Role-based access control (RBAC) with row-level security (RLS) at the database level for complete tenant isolation.

Multi-tenant isolation

All data is company-scoped. No organization can access another organization's data.

API key security

API keys are hashed with SHA-256 and never stored in plain text.

Infrastructure

Hosted on SOC 2 compliant infrastructure (Supabase on AWS, Vercel Edge CDN).

Monitoring

Real-time security monitoring, anomaly detection, and automated alerting.

On-premise agents

ERP sync agents run on your network. Data stays local until securely transmitted over HTTPS.

For detailed information about our security practices, visit our Trust Center.

Section 6

Your Rights

GDPREuropean Economic Area users

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:

  • Right of access -- request a copy of your personal data
  • Right to rectification -- correct inaccurate or incomplete data
  • Right to erasure -- request deletion of your personal data
  • Right to restrict processing -- limit how we use your data
  • Right to data portability -- receive your data in a portable format
  • Right to object -- object to processing based on legitimate interests
  • Right to withdraw consent -- withdraw consent at any time where processing is based on consent

We process data on the legal bases of: contractual necessity (to provide the Service), legitimate interests (to improve and secure the Service), and consent (for optional features like location tracking).

CCPACalifornia residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know -- what personal information we collect, use, and share
  • Right to delete -- request deletion of your personal information
  • Right to opt out -- of the sale of personal information (we do not sell your data)
  • Right to non-discrimination -- we will not discriminate against you for exercising your rights

How to exercise your rights

To exercise any of the above rights, contact us at support@kolva.ai. We will respond to verified requests within 30 days. For organizational data requests, please contact your company's Kolva administrator first, as they manage access and permissions for your account.

Section 7

Children's Privacy

Kolva is a business-to-business platform and is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at support@kolva.ai and we will promptly delete the information.

Section 8

International Data Transfers

Our primary data infrastructure is located in the European Union (AWS eu-central-1, Frankfurt). Some third-party providers process data in the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

Section 9

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by updating the effective date at the top of this page and, where appropriate, by sending a notification through the Service or via email.

We encourage you to review this page periodically for the latest information on our privacy practices.

Section 10

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Kolva AI

Email: support@kolva.ai

Website: https://kolva.ai