Privacy Policy
Last updated: May 12, 2026
1. Introduction
Krevo is a managed website service operated from Texas. We build, host, maintain, and support custom websites for small and local businesses under a single monthly plan. This Privacy Policy explains what information we collect when you visit our marketing pages, submit a lead form, sign up for an account, or use the client portal at www.krevo.io, and how we handle that information.
This policy applies to everyone who interacts with Krevo — visitors to our public pages, people who submit our lead or waitlist forms, and clients who maintain accounts in the portal. It does not apply to third-party websites that link to or from ours, even if those sites were built by Krevo.
By using Krevo, you agree to the practices described here. If something in this policy is unclear, or you would like us to act on one of the rights described below, please reach out through our in-app support system at https://www.krevo.io/support.
2. Information We Collect
We try to collect only the information we need to deliver, support, and improve the service. The categories below cover everything we hold about you.
Account information
When you sign up for the client portal, we collect your email address, your full name, and a password. Passwords are never stored in plain text — they are hashed and managed by Supabase Auth, our authentication provider. We never see your password, and we cannot recover it. If you forget it, you reset it through Supabase's password-reset flow.
Billing information
We store a history of your transactions with Krevo (amount, date, plan, status, and any associated refund requests) in our database so you can review them inside the portal. We do not store full card numbers, CVCs, or bank-account credentials. Payment instruments are collected and processed by our payment processor, which is responsible for PCI handling and storage. We receive only the metadata needed to record what was charged and to reconcile your account.
Support ticket content
When you open a ticket through the in-app support system, we store the subject line, the body of each message, any attachments you include, and the full conversation thread between you and our team. This content lets us troubleshoot, follow up, and keep a record of what was requested or resolved.
Lead capture form submissions
If you submit the lead form on our /home page, we collect the name and email you provide and, optionally, the name of your business, phone number, and selected planning slot. We use these details to review the request internally, prepare next steps, and answer your inquiry. The waitlist form on /waitlist collects your name and email address.
Usage and device data
Like most web services, we collect a small amount of technical data automatically when you visit Krevo. This includes the pages you view, approximate location (derived from IP at the country/region level), browser type, device type, referrer, and timestamps. This data comes from Vercel Analytics, a privacy-friendly analytics service that does not use third-party cookies and does not build cross-site profiles.
When you submit a lead or waitlist form, our bot-detection layer (BotID, provided by Vercel) also receives signals about the request so it can block automated abuse. These signals are limited to what is needed to score the request and are not used to identify you personally.
3. How We Use Your Information
We use the information described above to:
- Provide the service. Create and authenticate your account, render the portal, store your billing history, run support workflows, and deliver the website we manage for you.
- Respond to support requests. Read and reply to tickets, investigate issues, and keep a record of past conversations so we can pick up where we left off.
- Send service communications. Send account, billing, and support emails (for example, password resets, refund-request status updates, invoices). These are operational and you cannot opt out of them while your account is active.
- Review inbound requests. Store lead, proposal, waitlist, support, and refund submissions in the admin portal so we can decide the next operational step.
- Prevent abuse and secure the platform. Use bot-detection signals, rate-limit logs, and standard server logs to detect and block fraud, scraping, brute-force login attempts, and other abuse.
- Improve the service. Review aggregate, de-identified usage data to understand which pages work, which flows confuse people, and where to invest next.
We do not sell your personal information. We do not share it with advertisers, data brokers, or marketing networks.
4. Legal Basis for Processing
If you are located in a jurisdiction that requires us to identify a legal basis for processing your personal information (for example, the EU or UK), the bases we rely on are:
- Contract. We process your account, billing, and support data because we need it to deliver the service you signed up for.
- Consent. We rely on your consent for marketing emails sent through our outreach tool and for any optional fields you choose to fill in. You can withdraw consent at any time by unsubscribing or contacting support.
- Legitimate interest. We rely on legitimate interest for security telemetry, bot detection, abuse prevention, fraud screening, and basic privacy-friendly analytics. We have weighed these interests against your rights and believe they are proportionate and expected.
5. How We Store and Protect Your Information
Your data lives in a Supabase Postgres database protected by row-level security (RLS) policies. RLS means that, at the database layer, a user can only read or write rows that belong to them; administrative access is gated behind separate, audited server paths. Data is encrypted at rest by the database provider and in transit using TLS whenever it moves between your browser, our servers, and our database.
Our application runs on Vercel's Fluid Compute infrastructure with the Node.js runtime. Vercel handles network-edge security, TLS termination, DDoS mitigation, and the underlying compute environment. We layer additional protections on top: strict Content-Security-Policy headers, HSTS, frame-busting, cookie flags (httpOnly, secure, SameSite), input validation with Zod, server-side rate limiting on sensitive endpoints, and bot detection on public form submissions.
Internally, only the people who need access to your data to operate the service have it, and that access is logged. We do not export production data to local machines, and we do not use real customer data in development environments.
No system is perfectly secure. If we ever discover a breach that affects your information, we will notify you and the relevant authorities as required by applicable law.
6. Third-Party Services We Use
We keep our vendor list short on purpose. Today, the only third parties that touch your personal data are:
- Supabase — authentication (email/password sessions) and our primary Postgres database. Supabase stores your email, name, password hash, profile, transactions, refund requests, support tickets, and lead form entries.
- Vercel — application hosting, edge network, server logs, and Vercel Analytics (privacy-friendly traffic insights with no third-party cookies).
- BotID by Vercel — bot-detection telemetry on our lead and waitlist endpoints to block automated abuse. BotID does not power advertising or profiling.
- Payment processor — collects and processes card or bank details when you pay for your plan. We receive transaction metadata (amount, date, status) but not the underlying payment credentials.
Each vendor processes your data under its own privacy policy and a data-processing agreement with Krevo. We do not currently use any third-party advertising, retargeting, social-media tracking, or cross-site profiling tools.
7. Cookies and Tracking
Krevo uses a small number of strictly necessary cookies. The most important one is the Supabase Auth session cookie, set after you sign in, which lets the server recognize you on subsequent requests. These cookies are first-party, server-side rendered cookies — they are not used for tracking you across other websites.
We do not use third-party tracking cookies, advertising pixels, social-media tags, or cross-site profiling tools. Vercel Analytics, which powers our traffic insights, does not rely on cookies and does not build user profiles.
Your browser's "Do Not Track" or Global Privacy Control signal is respected to the extent technically feasible: because we do not run cross-site tracking in the first place, there is nothing for these signals to disable.
8. Your Rights
Depending on where you live, you have some or all of the following rights regarding your personal information:
- Access. Ask us what information we hold about you and receive a copy.
- Correction. Ask us to fix information that is inaccurate or incomplete. You can also update most of this yourself in /dashboard/settings.
- Deletion. Ask us to delete your account and the data associated with it. Some records (for example, transaction history needed for tax and accounting) may be retained as required by law.
- Export / portability. Ask us for a machine-readable copy of the personal data you have provided.
- Opt out of marketing. Unsubscribe from any marketing email using the link in the message, or ask us to remove you from outreach lists.
- Withdraw consent. Where we rely on consent, withdraw it at any time. Withdrawal does not affect processing that already happened.
- Object or restrict. Object to processing based on legitimate interest, or ask us to restrict processing while a request is being resolved.
To exercise any of these rights, contact us through the in-app support system at https://www.krevo.io/support. We will respond within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before acting on certain requests.
9. Data Retention
We keep your information only as long as we need it:
- Account data (profile, email, name) is retained while your account is active and for 90 days after you delete it, after which it is permanently removed from production systems. Encrypted backups may retain it for a short additional period before rotating out.
- Support tickets are retained for 2 years from the date of the last message in the thread, so we can reference past issues if you reach out again. After that, ticket content is deleted or anonymized.
- Lead capture form submissions are retained for 24 months from the date of submission, after which they are deleted from our database. Your record with our email outreach provider follows the unsubscribe behavior described in section 8.
- Billing and transaction records are retained for as long as required by tax, accounting, and anti-fraud laws (typically 7 years in Texas), even after account deletion.
- Server logs, analytics, and bot-detection telemetry are retained on a short rolling window (typically 30–90 days) sufficient for debugging, security, and abuse investigation.
10. Children's Privacy
Krevo is a business service. It is not directed at children, and we do not knowingly collect personal information from anyone under the age of 13. If you believe a child has provided information through one of our forms or accounts, please contact us through the support system and we will delete the information promptly.
11. International Data Transfers
Krevo is operated from Texas, USA. Our application and database providers (Vercel and Supabase) host the infrastructure that runs our service primarily in United States regions. If you access Krevo from outside the United States, the information you provide will be transferred to, stored in, and processed in the U.S.
Where required, our vendor agreements include standard contractual clauses or equivalent transfer mechanisms so that personal data leaving your home jurisdiction continues to receive comparable protection.
12. Changes to This Policy
We may update this Privacy Policy from time to time — for example, when we add a new vendor, change a retention period, or respond to a new law. When we make a material change, we will update the "Last updated" date at the top of this page and, where appropriate, notify active clients by email or an in-app notice. Continued use of Krevo after the effective date constitutes acceptance of the revised policy.
Older versions of this policy are available on request through the support system.
13. Contact Us
The only channel for privacy questions, requests, or complaints about Krevo is our in-app support system at https://www.krevo.io/support.
Krevo does not maintain a public privacy mailbox or phone line — every request comes through the support system so we can route it, track it, and respond to it in one place. If you cannot reach the support system for some reason, sign in to your account and open a ticket from the portal.