Krevaya (“Krevaya”, “we”, “us”) provides an AI-assisted social publishing platform for creators and businesses. This policy explains what personal information we collect, how we use it, who we share it with, how we protect it, and the rights and choices you have. It applies to krevaya.com and all Krevaya services.
1. Personal information we collect
Information you provide.
- Account information — your email address, a secure hash of your password (we never store or see the plaintext), your display name, timezone, and subscription plan.
- Content — post drafts, edits, approvals and rejections, brand settings, personas and voice samples you provide, and media you upload for the design studio.
- Payment information — processed entirely by our payment processor, Stripe. We never receive or store your card number; we retain only your subscription status, plan, and a Stripe customer reference.
Information from connected social accounts. When you connect a social account (Facebook Page, Instagram Business account, Threads, or LinkedIn), we receive and store the account identifiers, page or profile names, and the access tokens required to publish on your behalf. Access tokens are encrypted at rest with keys held in a dedicated key vault. We also retrieve performance insights (reach, impressions, engagement) for posts published through Krevaya so we can show you analytics.
Information collected automatically. Standard request and error logs (IP address, user agent, timestamps) used for security, debugging, and abuse prevention, retained for up to 30 days. We do not use third-party advertising cookies, tracking pixels, or cross-site analytics — a single session credential keeps you signed in.
Non-personal data. We maintain a shared cache of publicly available trending topics (from sources such as Hacker News, Reddit, GitHub, and dev.to). It is common to all users and contains no personal information about you.
2. How we use your information
- To provide, operate, and secure the service.
- To authenticate you and maintain your session.
- To generate drafts, ideas, and analytics for you — including processing your prompts, niche, and writing samples with AI models as described in section 3.
- To publish content to your connected social accounts, only at your direction (per-post approval, or the auto-publish schedule you enable).
- To process subscription payments and manage your plan.
- To send transactional email (verification, password reset, invites). We do not send marketing email without your consent.
- To comply with law and enforce our Terms of Service.
We do not sell or rent your personal information, and we do not use your content to train AI models.
3. How we share your information
We share personal information only with the service providers required to operate Krevaya, each acting under contractual data-protection obligations:
- Social platforms — when you approve a post, we transmit it (text, hashtags, media) to the platform you chose: Meta Platforms, Inc. (Facebook, Instagram, Threads) or LinkedIn Corporation. Your use of those platforms is governed by their own terms and privacy policies.
- Cloud infrastructure — Microsoft Azure hosts our application, database, and encrypted media storage.
- AI model providers — draft generation may be performed by vetted third-party AI infrastructure providers acting as our data processors. These calls contain only the material needed to write your draft (the topic, your niche and style preferences, and relevant prior post angles). They never include your passwords, social access tokens, payment details, or social platform data. Where generation runs on Krevaya-operated models, no third party is involved at all.
- Payments — Stripe, Inc. processes all payments and subscription billing.
- Legal requirements — we may disclose information if required by law, subpoena, or to protect the rights, safety, and security of Krevaya, our users, or the public.
A current list of our subprocessors is available on request from privacy@krevaya.com.
4. International data transfers
Our primary infrastructure is located in Microsoft Azure data centers in the United States. Where personal information originating in the EEA, UK, or Switzerland is transferred internationally — including to AI processing subprocessors — we rely on appropriate safeguards such as Standard Contractual Clauses and process only the minimum content necessary to provide the feature.
5. How we protect your information
- All connections to the service are encrypted with TLS.
- Social access tokens are encrypted at the application layer before they touch the database; the encryption keys live in a dedicated cloud key vault, are fetched only at process startup, and are never written to disk or logs.
- Passwords are stored as salted bcrypt hashes.
- Production access is limited, credentialed, and logged; secrets are never stored in source control.
- No system is perfectly secure. If you believe you have found a vulnerability, please report it to security@krevaya.com — we investigate every report.
6. Data retention
- Active accounts — profile, content, and analytics data are retained for as long as your account is active.
- Deleted accounts — purged within 30 days of a deletion request (see Data Deletion), except where law requires longer retention.
- Operational logs — rolled off after at most 30 days.
- Encrypted backups — expire within 35 days of deletion.
- Billing records — retained as required by tax and accounting law.
7. Your rights and choices
Depending on where you live — including under the GDPR (EU), UK GDPR, and CCPA/CPRA (California) — you may have the right to:
- access the personal information we hold about you,
- correct inaccurate information,
- delete your account and associated data (self-service from your dashboard, or via the Data Deletion page),
- receive a portable export of your data,
- object to or restrict certain processing,
- not be subject to solely automated decisions with legal or similarly significant effects — Krevaya makes none,
- (California) know what categories of personal information we collect and disclose. We do not sell or share personal information as those terms are defined by the CCPA/CPRA.
To exercise any of these rights, email privacy@krevaya.com. We verify each request and respond within 30 days. You will never be discriminated against for exercising your privacy rights.
8. Children's privacy
Krevaya is not directed to children under 13 (or under 16 where a higher threshold applies). We do not knowingly collect personal information from children; if we learn that we have, we delete it promptly. Report concerns to privacy@krevaya.com.
9. Changes to this policy
We will post material changes on this page at least 30 days before they take effect and notify registered users by email when a change meaningfully affects how their data is used. The effective date above always reflects the current version.
10. Contact us
Privacy requests: privacy@krevaya.com
Security reports: security@krevaya.com
Everything else: support@krevaya.com