
Privacy Policy

Last updated: 15 April 2026

Summary: We collect only what we need to provide you with Krubly's services. We never sell your data. Your information is stored securely on infrastructure that supports GDPR compliance, and you have full control over your data at all times.

1. Who We Are

Krubly ("we", "us", "our") is an AI-powered website builder and business management platform. We provide website generation, CRM, e-commerce, and business tools to small and medium businesses.

For questions about this policy or your data, contact us at hello@krubly.com.

2. What Data We Collect

Account Information

When you sign up, we collect your email address, password (hashed and salted — we never store plaintext passwords), and business information you provide during onboarding (business name, type, description).

Website & CRM Data

Content you create through Krubly — including website HTML, products, properties, leads, contacts, orders, blog posts, and uploaded images — is stored in your account and scoped to your organisation.

Visitor & Analytics Data

When visitors view your published Krubly site, we collect basic page view analytics (page URL, timestamp, referrer). We do not use third-party tracking cookies or advertising pixels.

Payment Information

Payments are processed by Stripe. We do not store your credit card details. Stripe handles all payment data in compliance with PCI-DSS standards.

Automatically Collected Information

We collect standard server logs (IP address, browser type, device type, timestamps) for security and performance monitoring.

3. How We Use Your Data

  • To provide, maintain, and improve Krubly's services
  • To generate AI-powered websites and content on your behalf
  • To process your subscription payments
  • To send transactional emails (lead notifications, order confirmations, account updates)
  • To provide customer support
  • To monitor and prevent abuse, fraud, and security threats
  • To display analytics about your published sites

We do not use your data for advertising, do not sell your data to third parties, and do not use your content to train AI models.

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), UK, or other jurisdiction where GDPR or equivalent legislation applies, we process your personal data under the following legal bases:

| Purpose | Legal Basis |
|---|---|
| Providing our services | Performance of contract |
| Processing payments | Performance of contract |
| Sending transactional emails | Legitimate interest |
| Security and abuse prevention | Legitimate interest |
| Analytics on published sites | Legitimate interest |
| Marketing communications (if opted in) | Consent |

5. Where Your Data Is Stored

Your data is processed and stored using the following infrastructure providers:

| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | Singapore (AWS ap-southeast-1) |
| Vercel | Application hosting, CDN, edge functions | Global (primarily US, with edge in Asia) |
| Stripe | Payment processing | US (PCI-DSS certified) |
| Resend | Transactional email delivery | US |
| Google (Gemini API) | AI content generation | US |

Supabase maintains a Data Processing Addendum (DPA) that supports GDPR compliance. All data at rest is encrypted, and connections use TLS encryption in transit. Row-Level Security (RLS) is enabled on all database tables to ensure data isolation between organisations.

6. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

  • Infrastructure providers listed above, acting as data processors under our instructions
  • Payment processor (Stripe) for billing
  • Law enforcement if required by law or valid legal process

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Request your data in a machine-readable format
  • Restriction: Request we limit processing of your data
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, email hello@krubly.com. We will respond within 30 days.

8. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data and associated content within 30 days, except where retention is required by law (e.g., billing records).

Server logs are retained for up to 90 days for security purposes and then automatically deleted.

9. Cookies

Krubly uses only essential cookies required for authentication and session management. We do not use advertising cookies, marketing trackers, or third-party analytics cookies.

| Cookie | Purpose | Type |
|---|---|---|
| sb-*-auth-token | Authentication session (Supabase) | Essential / Strictly necessary |

10. Children's Privacy

Krubly is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. Security

We implement industry-standard security measures to protect your data, including:

  • TLS encryption for all data in transit
  • AES-256 encryption for data at rest (via Supabase/AWS)
  • Row-Level Security (RLS) for database access control
  • Hashed and salted password storage
  • Regular security reviews and monitoring

12. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email or through the Krubly dashboard. Your continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact:

Krubly (Krubly)
Email: hello@krubly.com
Website: krubly.com