Attorney Review Required: This document was drafted as a starting template. Have it reviewed by a licensed attorney before publishing or executing.
Privacy Policy
Last updated: June 22, 2026
This Privacy Policy explains how Krauvix LLC (“Krauvix,” “we,” “us,” or “our”) collects, uses, shares, and protects information in connection with our AI-powered procurement ERP platform. This policy is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.
1. Introduction and Scope
1.1 B2B Service Context
Krauvix is a business-to-business (B2B) software platform. Our customers are businesses, not individual consumers. The data we process falls into two categories:
- Account and contact data of individuals who use the platform on behalf of a business customer (employees, contractors, administrators)
- Business data uploaded or generated by customers (supplier records, contracts, purchase orders, invoices, financial data)
1.2 Controller vs. Processor
For the personal data of your employees and users who access Krauvix, Krauvix acts as a data processor on your behalf, and your organization is the data controller. This relationship is governed by our Data Processing Agreement (DPA).
For data related to Krauvix's own operations (such as billing contacts, support inquiries, and marketing), Krauvix acts as a data controller.
1.3 Scope
This policy applies to the Krauvix website (krauvix.com), the application (app.krauvix.com), and any related services. It does not apply to third-party services linked from our platform.
2. Data We Collect
2.1 Account Data
When you create an account or add users to your organization, we collect:
- Full name and work email address
- Company name, industry, and size
- Job title and role within your organization
- Account credentials (passwords are hashed and never stored in plaintext)
- Profile settings and preferences
2.2 Business Data (Customer-Uploaded)
In the course of using the Service, you may upload or generate the following (“Customer Data”):
- Supplier information (names, contacts, banking details, risk profiles)
- Purchase orders and requisitions
- Contracts and legal documents
- Invoices and payment records
- Employee and approver information
- Financial data and spend analytics
- Custom fields and metadata you configure
You control what business data you upload. Krauvix processes this data only on your instructions to provide the Service.
2.3 Usage Data
We automatically collect information about your use of the Service, including:
- Features and modules accessed, and frequency of use
- Login timestamps and session durations
- IP address and approximate geographic location (country/region)
- Browser type, operating system, and device information
- Error logs and performance metrics
- API call metadata (for API users)
2.4 Payment Data
Payment processing is handled by Stripe, Inc. Krauvix does not store credit card numbers, bank account numbers, or other sensitive payment instrument details. We receive and store:
- Billing contact name and email
- Billing address
- Last four digits of card and card type (provided by Stripe for display)
- Subscription plan, billing history, and invoice records
Stripe's privacy practices are described at stripe.com/privacy.
2.5 Communications Data
If you contact Krauvix support or sales, we retain records of those communications including email correspondence, support tickets, and notes.
3. How We Use Data
3.1 Providing the Service
We use your data to operate, maintain, and improve the Krauvix platform, including:
- Authenticating users and managing access controls
- Processing and displaying Customer Data within the platform
- Generating procurement workflows, reports, and analytics
- Sending transactional notifications (purchase order approvals, contract alerts)
3.2 AI-Powered Features
To provide AI features (contract analysis, risk scoring, procurement recommendations), relevant Customer Data is transmitted to the Anthropic Claude API for processing. Krauvix applies data minimization and anonymization measures before transmission where technically feasible. See Section 4.1 for more details on Anthropic as a sub-processor.
3.3 Billing and Payments
We use billing data to process subscription payments, issue invoices, handle payment failures, and maintain financial records.
3.4 Customer Support and Communications
We use contact information to:
- Respond to support requests and questions
- Send service announcements, security alerts, and update notifications
- Communicate account status and billing information
3.5 Platform Improvement
We use aggregated and anonymized usage data to analyze trends, improve features, and develop new capabilities. We do not use identifiable Customer Data for product development without your consent.
3.6 Legal and Compliance
We may use data to comply with legal obligations, enforce our Terms of Service, prevent fraud and abuse, and protect the security of the platform.
3.7 Legal Basis (GDPR)
For EU/EEA data subjects, our legal bases for processing include:
- Contract performance: Processing necessary to provide the Service you subscribed to
- Legitimate interests: Security monitoring, fraud prevention, platform analytics
- Legal obligation: Compliance with applicable laws
- Consent: Marketing communications (where applicable)
4. Data Sharing
We do not sell, rent, or trade your personal data or Customer Data to third parties for their marketing purposes. We share data only in the following circumstances:
4.1 Anthropic PBC — AI Processing
Customer Data (including contract text, supplier information, and procurement documents) may be transmitted to Anthropic PBC via their API to power AI features. Anthropic processes this data as a sub-processor on our behalf and does not use API data to train its models. See Anthropic's privacy policy at anthropic.com/privacy.
4.2 Stripe, Inc. — Payment Processing
Billing information is processed by Stripe. Stripe is a PCI-DSS Level 1 certified payment processor. See stripe.com/privacy.
4.3 Supabase, Inc. — Database Hosting and Storage
Krauvix uses Supabase for database hosting. Customer Data is stored in Supabase-managed PostgreSQL databases with encryption at rest. Supabase operates data centers in the USA and EU. See supabase.com/privacy.
4.4 Vercel, Inc. — Application Hosting
The Krauvix web application is hosted on Vercel's infrastructure. Vercel processes request data (IP addresses, request metadata) as part of serving the application. See vercel.com/legal/privacy-policy.
4.5 Legal Disclosures
We may disclose data if required by law, court order, or government authority, or to protect the rights, property, or safety of Krauvix, our customers, or others.
4.6 Business Transfers
If Krauvix undergoes a merger, acquisition, or sale of assets, Customer Data may be transferred to the acquiring entity. We will notify affected customers before any such transfer.
4.7 No Data Selling
Krauvix does not sell personal data or Customer Data to any third party. Ever.
5. Data Retention
We retain data as follows:
- Active subscription: Customer Data is retained for the duration of your active subscription
- Post-termination: Customer Data is retained for ninety (90) days after subscription termination to allow export, then securely deleted
- Account data: Retained for the duration of the account plus any legally required period
- Billing records: Retained for seven (7) years to comply with financial record-keeping requirements
- Usage logs: Retained for up to twelve (12) months for security and performance monitoring
- Backup copies: May persist in encrypted backups for up to thirty (30) additional days after deletion
You may request earlier deletion of your data by contacting privacy@krauvix.com, subject to any legal retention obligations.
6. Security
Krauvix implements industry-standard technical and organizational security measures:
- Encryption in transit: All data transmitted between your browser and Krauvix is encrypted using TLS 1.2 or higher
- Encryption at rest: Customer Data stored in Supabase is encrypted at rest using AES-256
- Access controls: Role-based access controls (RBAC), principle of least privilege, and multi-factor authentication (MFA) available for all accounts
- Vulnerability management: Regular security assessments and dependency scanning
- Incident response: Documented procedures for detecting and responding to security incidents, with breach notification per applicable law
SOC 2 Type II certification is currently in progress. We will publish our certification status and audit reports upon completion.
To report a security vulnerability, please email security@krauvix.com.
7. Your Rights
7.1 GDPR Rights (EU/EEA)
If you are located in the European Economic Area, you have the following rights with respect to your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate personal data
- Right to erasure: Request deletion of your personal data, subject to legal retention requirements
- Right to data portability: Receive your personal data in a structured, machine-readable format
- Right to restrict processing: Request that we limit how we use your data
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent at any time for consent-based processing
To exercise these rights, contact privacy@krauvix.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
7.2 CCPA Rights (California)
California residents have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we collect, use, and share
- Delete: Request deletion of personal information, subject to certain exceptions
- Opt-out of sale: We do not sell personal information, so this right is not applicable, but we honor opt-out requests
- Non-discrimination: Exercise your rights without receiving discriminatory treatment
To submit a CCPA request, contact privacy@krauvix.com with subject line “CCPA Request.”
7.3 Note on B2B Data
For personal data included in Customer Data (such as supplier contact information), Krauvix processes this as a data processor under your instructions. Rights requests relating to such data should be directed to you as the data controller. We will assist you in responding to such requests as described in our DPA.
8. International Transfers
Krauvix LLC is headquartered in the United States. If you access the Service from outside the United States, your data will be transferred to, processed, and stored in the United States and other countries where our sub-processors operate.
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, Krauvix relies on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers.
Our DPA includes the applicable SCCs. Customers subject to EU data transfer requirements may request a copy of the relevant SCCs at privacy@krauvix.com.
9. Contact and Data Protection Officer
For privacy-related inquiries, data subject requests, or to exercise your rights:
Krauvix LLC — Privacy Team
Email: privacy@krauvix.com
Website: krauvix.com
Data Protection Officer (DPO): If you require DPO contact information, please email privacy@krauvix.com with the subject line “DPO Inquiry.”
We will acknowledge your inquiry within 72 hours and respond substantively within 30 calendar days, or sooner as required by applicable law.