Privacy Policy

Depending on how you use Kourtra, we may process personal data as:

• Controller for our own business operations (e.g., operating our website, account administration, billing, and security).
• Processor when we host and process Community content on behalf of a Community (the Community is typically the controller for that content).

If you use Kourtra through a Community, that Community’s admins may control certain settings and access to data within that Community.

We share information only as needed to operate the Service, including with:

• Infrastructure and hosting providers(compute, databases, backups, and networking).
• Object storage providersfor files and images (S3-compatible storage).
• Email delivery providersto send authentication and service emails.
• Payment processors for subscriptions and contributions (e.g., Stripe). We do not store full payment card numbers.
• AI providers if your Community enables AI-powered features. When enabled, prompts/content you submit may be sent to the configured AI provider (e.g., OpenAI-compatible API endpoints).
• Your Community administratorsfor data within that Community, depending on permissions and settings.
• Legal and safety when required by law or to protect rights, safety, and security.

Subprocessors and configurations can vary by deployment. You can contact us for the current list of subprocessors used for your environment.

We use cookies and similar technologies to provide and secure the Service.

• Device ID cookie: we set an HttpOnly cookie used as a stable device identifier (not an authentication credential) to help secure session refresh/rotation.
• Local storage: the web app stores an access token in browser storage to authenticate API requests.

You can control cookies through your browser settings, but disabling certain cookies may affect Service functionality.

We use administrative, technical, and physical safeguards designed to protect personal data. For example, we use encryption in transit (TLS) and enforce re-authentication for sensitive actions like account deletion and exports.

We may scan uploaded files for malware using antivirus tooling (for example, ClamAV) and quarantine files during processing.

We retain information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

• Sessions: refresh sessions are time-limited (for example, 30-day expirations) and can be revoked.
• Deleted files: when a file is deleted in the Service, it is soft-deleted first; we retain it for a short period (default 30 days, configurable) before permanently deleting it from storage and removing the database record.
• Security audit logs: we keep security audit events to protect the Service. Some security audit logs are designed to be append-only and may persist even after an account is deleted.

We may also retain limited information in backups for a period of time, after which it is overwritten or deleted according to our backup lifecycle.

Depending on where you live, you may have rights regarding your personal data. These may include access, correction, deletion, portability, and objection.

In-app controls

• Export: you can request a data export from your Account settings. The export is provided as a JSON download.
• Delete account: you can delete your account from your Account settings. For security, we require re-authentication.
• Sessions: you can revoke sessions/devices in your account security settings.

EEA/UK (GDPR/UK GDPR)

If GDPR/UK GDPR applies to you, you may have the right to access, rectify, erase, restrict processing, object, and receive a copy (port) of your personal data, and to lodge a complaint with your supervisory authority.

California (CCPA/CPRA)

If you are a California resident, you may have rights to know, access, delete, correct, and opt out of certain data sharing as defined by applicable law. Kourtra does not sell personal information in the ordinary sense.

Texas (TDPSA)

If you are a Texas resident, you may have rights to access, correct, delete, and obtain a copy of your personal data, and to opt out of certain processing as defined by the Texas Data Privacy and Security Act.

When you delete your account, we revoke your active sessions and remove your user record from our authentication database. Some information may remain as part of a Community’s records (for example, security audit logs or historical Community records) or in backups for a limited period.

If you are using Kourtra through a Community, certain content or records may be managed by the Community and may be retained according to the Community’s policies.