Legal

Privacy Policy

Effective 25 June 2026. This policy explains how Testware Informatics Pvt Ltd (“Kuvi”, “we”, “us”) collects, uses, shares and protects personal data through the Kuvi web, desktop and mobile apps and the website at kuvi.work (the “Service”).

1. Our role — controller vs. processor

Kuvi is a multi-tenant workspace. For the content your organisation puts into Kuvi (tasks, messages, files, invoices, attendance, vault entries and your colleagues’ details), your organisation is the data controller / data fiduciary and Kuvi acts as a data processor, handling that data on your organisation’s instructions.

For the account and billing information of the person who signs up, for diagnostics, and for our own website and marketing, Kuvi is the controller. If you are an employee or member of an organisation using Kuvi, please also refer to your organisation’s own privacy notice.

2. Information we collect

We collect only what we need to run the Service:

  • Account & identity — name, work email, password (stored only as a salted bcrypt hash, never in plain text), role, optional profile photo, and your organisation’s details (including GSTIN and registered address used on invoices).
  • Workspace content — projects, tasks, chat messages, uploaded files, invoices and expenses, and entries you store in the encrypted Key Docker vault.
  • Attendance & location — when you use geo-verified clock-in on the mobile app, we capture your device location at that moment to confirm on-site presence. We do not track your location continuously or in the background.
  • Usage & device data — log data such as IP address, browser/device type, and error diagnostics, used to keep the Service secure and reliable.
  • Payment data — subscription payments are processed by Razorpay. We receive a payment reference and status; we do not store full card numbers.
  • Cookies — a single essential, http-only session cookie to keep you signed in. We do not use third-party advertising or cross-site tracking cookies.

3. How we use your data

  • To provide, maintain and improve the Service and its features.
  • To authenticate you and keep your account and workspace secure.
  • To process subscriptions and billing, and to send service-related communications.
  • To provide support and respond to your requests.
  • To detect, prevent and address fraud, abuse and security incidents.
  • To comply with legal, tax and accounting obligations.

We do not sell your personal data, and we do not use your workspace content to train AI models or for advertising.

4. Legal bases (GDPR)

Where the GDPR applies, we process personal data on these bases:

  • Performance of a contract — to deliver the Service you signed up for.
  • Legitimate interests — to secure, support and improve the Service.
  • Consent — for optional features such as location-based clock-in or Google sign-in (which you can decline or withdraw).
  • Legal obligation — for tax, accounting and lawful requests.

5. Sharing & sub-processors

We share data only with vetted service providers who help us run Kuvi, under contracts that require them to protect it and use it solely on our instructions:

Provider | Purpose | Region
Neon | Managed PostgreSQL database hosting | Singapore (ap-southeast-1)
Vercel | Application hosting & global CDN | India / Global edge
Cloudflare R2 | File & attachment object storage | Global
Resend | Transactional email (invites, resets, notifications) | Global
Razorpay | Subscription & payment processing | India
Sentry | Error monitoring & diagnostics | United States
Google | Optional Google sign-in (only if you use it) | Global
Zoom | Optional video meetings (Meetings Pro add-on only) | Global

We may also disclose data if required by law, to enforce our terms, or in connection with a merger or acquisition (with notice to you).

6. Where your data is processed

Kuvi is operated from India and processes data with the providers above, including in Singapore and on global content-delivery networks. Where data is transferred across borders, we rely on appropriate safeguards such as standard contractual clauses and the providers’ own compliance programmes.

7. Data retention

We keep workspace data for as long as your organisation’s account is active. Security audit logs are retained for a limited period and then purged automatically. When an account is closed, or on a valid deletion request, we delete or irreversibly anonymise personal data within a reasonable period, except where we must retain it to meet legal obligations (for example, tax invoices).

8. How we protect your data

  • All traffic is encrypted in transit (HTTPS/TLS).
  • Vault entries (Key Docker) are encrypted with AES-256-GCM; passwords are hashed with bcrypt; two-factor authentication (TOTP) is available.
  • Strict tenant isolation keeps each organisation’s data separate.
  • Access is on a least-privilege basis and monitored.

No system is perfectly secure, but we work hard to protect your data and will notify you and the relevant authorities of a breach as required by law.

9. Your rights

Subject to applicable law (including the India Digital Personal Data Protection Act, 2023 and, where relevant, the GDPR), you may:

  • Access the personal data we hold about you and request a copy.
  • Correct or update inaccurate or incomplete data.
  • Request erasure of your personal data.
  • Withdraw consent for optional processing at any time.
  • Port your data, and object to or restrict certain processing.
  • Lodge a grievance or complaint with us or with a supervisory authority.

To exercise these rights, email privacy@kuvi.work. If your data is held within an organisation’s workspace, we may direct your request to that organisation as the controller.

10. Children

Kuvi is a workplace tool intended for businesses and their staff. It is not directed to, and we do not knowingly collect personal data from, children under 18. If you believe a child has provided us data, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified in-app or by email, and the “Effective” date above will be updated. Continued use of the Service after changes take effect constitutes acceptance.

12. Contact us

For any privacy question or request, contact:

Testware Informatics Pvt Ltd
Privacy team — privacy@kuvi.work
Grievance Officer (DPDP Act, 2023) — privacy@kuvi.work