kvendra
·MENU

·LEGAL — PRIVACY

Privacy.

How Kvendra handles visitor data on kvendra.com. Analytics cookies load only after explicit opt-in. The product itself is zero-knowledge by design — this page covers the marketing site.

§ 01 — Identity of the controller

The data controller for kvendra.com is Chronum LLC, a limited liability company incorporated in Wyoming, USA, operating the Kvendra brand. Registered address: 111 NE 1st St, 8th Floor, Miami, FL 33132, Miami-Dade County, United States. EIN 37-2070923. Contact for any privacy matter: security@kvendra.ai.

§ 02 — Scope

This policy covers the public marketing site at kvendra.com (the Astro static site in KvendraAI/kvendra-web) and the analytics opt-in surface served from it. It does not cover the Kvendra CLI, the local broker, the Platform engine, or the hosted Cloud KB — those run zero-knowledge against the user's own vault and are documented separately in the product manuals.

The site processes personal data under two legal bases:

  • Consent (GDPR Art. 6.1.a) — for the analytics cookies described in §05. No analytics script is loaded until you click "Accept analytics" in the banner.
  • Legitimate interest (GDPR Art. 6.1.f) — for the lead-dialog forms on /, /enterprise and /support. When you submit one of these forms, the data you typed is sent to our lead-intake service at forms.kvendra.com so we can respond to your B2B inquiry. Processing the inquiry rests on our legitimate interest in answering prospective customers.
  • Consent (GDPR Art. 6.1.a) — separately, and only if you tick the optional marketing checkbox, for sending you product updates. This uses a double opt-in: you receive a confirmation email and are only added to the list once you click the confirmation link. You can withdraw at any time via the one-click unsubscribe link in every message.

§ 04 — Purposes of processing

  • Measure aggregate site usage (sessions, pages, geography at country level) to improve content priorities.
  • Measure conversion of paid campaigns (Google Ads → lead-form submissions) to validate marketing spend.
  • Receive and respond to B2B inquiries submitted through the lead dialogs (purpose b2b_inquiry, GDPR Art. 6.1.f).
  • Where you explicitly opt in, send you product updates and news (purpose marketing, GDPR Art. 6.1.a, double opt-in).

§ 05 — Categories of data

When you opt in to analytics, Google Analytics 4 and Google Ads may process:

  • IP address (anonymised — we configure anonymize_ip: true).
  • Device and browser information (user-agent, screen size, language).
  • Page navigation events (pages viewed, time on page, referrer).
  • Conversion events when a lead dialog is submitted — the event name is lead_submit with a single parameter lead_type (values: team, enterprise, support-business). No form field contents (name, email, message, etc.) are sent to Google.

When you submit a lead dialog, the data you typed (name, email, company, and the type-specific fields such as role, headcount, team size, preferred SLA or free-text message) is sent over HTTPS to our lead-intake service at forms.kvendra.com. That service runs on Amazon Web Services in the United States: an API Gateway HTTP endpoint receives the request, a Lambda function validates it and stores the lead in a DynamoDB table (system of record), publishes a notification to Amazon SNS to alert our team, and — only if you opted in to marketing — sends a double-opt-in confirmation email via Amazon SES. Alongside the fields you submit, the service records the consent metadata (whether you opted in to marketing, the version of this policy you accepted, the page you submitted from, a server timestamp and the source IP address) so we can evidence the lawful basis for processing.

A hidden anti-spam field (a "honeypot") is included in each form; legitimate browsers leave it empty. We do not send any form field contents to Google or any advertising network — only the aggregate lead_submit conversion event described above.

§ 06 — Third parties

  • Google LLC — Google Analytics 4 (measurement) and Google Ads (conversion tracking). Acts as a joint controller / processor for the events described in §05. See policies.google.com/privacy.
  • Amazon Web Services, Inc. — hosts the static site (S3 + CloudFront) and processes server logs (access timestamps and IPs) for delivery and abuse protection. AWS also operates the lead-intake service at forms.kvendra.com (API Gateway + Lambda + DynamoDB + SNS + SES), which stores and routes the contact-form submissions described in §05 and §08. Acts as a processor on our behalf.

§ 07 — International transfers

Both Google and AWS may process data outside the EEA, in particular in the United States. Transfers rely on the EU-US Data Privacy Framework (DPF) and Google's / AWS's published Standard Contractual Clauses. You can request a copy of the relevant SCC text by writing to security@kvendra.ai.

§ 08 — Retention

  • Google Analytics — default 14-month retention on user-level data; configured to the shortest available value (14 months).
  • Google Ads — conversion records retained per Google's published policy.
  • AWS CloudFront access logs — 90 days, then deleted.
  • Lead submissions — stored in DynamoDB with a time-to-live (TTL) of 24 months from submission, after which the record is automatically deleted. Marketing subscribers who confirm double opt-in are held in the SES contact list until they unsubscribe.

§ 09 — Your rights

Under GDPR you have the right to:

  • Access the data we hold about you.
  • Rectify inaccurate data.
  • Erase your data ("right to be forgotten").
  • Restrict or object to processing.
  • Port your data in a machine-readable format.
  • Lodge a complaint with the supervisory authority of your country of residence (in Spain: AEPD).

Send any rights request to security@kvendra.ai. We respond within one month per GDPR Art. 12.3.

You can withdraw analytics consent at any time. Click the button below to clear your stored decision; the banner will reappear so you can choose again.

You can also clear the kvd-consent-v1 entry in your browser's localStorage or refuse cookies in your browser settings entirely.

If you opted in to marketing updates, you can withdraw that consent independently at any time using the one-click unsubscribe link in any email we send, or by writing to security@kvendra.ai. Withdrawing marketing consent does not affect our handling of a B2B inquiry you submitted.

§ 11 — California residents (CCPA / CPRA)

We do not sell personal information for monetary consideration. Sharing for cross-context behavioural advertising (CCPA's "share" definition) only happens with Google Ads after you opt in. California residents may exercise their CCPA / CPRA rights (know, delete, correct, opt-out of sharing) by writing to security@kvendra.ai. We respond within 45 days.

§ 12 — Data Protection Officer / contact

Kvendra is below the headcount + processing thresholds that would mandate a formal DPO appointment under GDPR Art. 37. The contact point for all privacy matters is: security@kvendra.ai.

§ 13 — Last updated

Last updated: 2026-05-29. Policy version: v0.7.

We will publish a notice at the top of this page when the policy changes materially. The full revision history lives in the public repo KvendraAI/kvendra-web.