Privacy Policy

Last updated: January 15, 2025

1. Introduction

CurioKeep ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and website located at curiokeep.app (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. This policy is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

If you do not agree with this Privacy Policy, please do not use our Service. We encourage you to read this Privacy Policy carefully and contact us if you have any questions.

2. Information We Collect

2.1. Account Information

When you create an account, we collect information through our authentication provider, Clerk:

  • Email address (required for account creation)
  • Authentication credentials (managed by Clerk, not stored by us)
  • Profile information you choose to provide (name, profile picture)
  • Authentication method (Google, Apple, email/password)

2.2. Content You Create

When you use our Service, we collect and store the following information:

  • Loved Ones Data: Names, relationships, notes, gift preferences, important dates (birthdays, anniversaries, etc.), last contacted dates, profile photos, and AI-generated profile data (sizes, favorites, sensitivities, gift style preferences)
  • Hints: Text notes, voice recordings, and images you upload about your loved ones, along with AI analysis of those hints (extracted insights, preferences, ownership status, events)
  • Important Dates: Birthdays, anniversaries, graduations, and custom dates you track
  • Gift Ideas: AI-generated gift recommendations, your ratings and feedback on gift ideas, purchase tracking, and related memory associations
  • Uploaded Files: Images and audio files you upload to the Service

2.3. Subscription and Payment Information

If you subscribe to Premium, we collect payment information through Stripe:

  • Subscription tier (Free or Premium)
  • Billing cycle (monthly or annual)
  • Stripe customer ID and subscription ID
  • Payment method information (processed by Stripe, not stored by us)
  • Subscription status and billing dates

We do not store your full payment card details. All payment processing is handled by Stripe, which is PCI-DSS compliant.

2.4. Usage Information

We automatically collect certain information when you use our Service:

  • Device information (device type, operating system, browser type)
  • Usage patterns (features used, time spent, pages visited)
  • IP address (collected for security, fraud prevention, and audit purposes)
  • Terms of Service acceptance records (version, timestamp, IP address for legal compliance)
  • Feature usage tracking (AI analysis requests, gift generation requests) for rate limiting and subscription tier enforcement
  • Rate limit counters (temporary, automatically expired after 1 hour)

2.5. Cookies and Tracking Technologies

We use essential cookies and similar technologies to:

  • Maintain your authentication session
  • Remember your preferences
  • Provide security features

We do not use cookies for advertising or third-party tracking. You can control cookies through your browser settings, but disabling essential cookies may affect Service functionality.

3. How We Use Your Information

We use the information we collect to:

  • Provide and Maintain the Service: To deliver the core functionality of tracking loved ones, memories, and gift ideas
  • Process Your Content: To store and organize your data, transcribe voice notes (if applicable), and generate gift recommendations
  • Authenticate Your Account: To verify your identity and secure your account
  • Enforce Subscription Tiers: To track usage and enforce subscription tier limits (e.g., number of AI analyses, gift recommendations per month)
  • Rate Limiting: To prevent abuse and ensure fair usage through distributed rate limiting (temporary counters, automatically expired)
  • Improve the Service: To analyze usage patterns and enhance features (using aggregated, anonymized data)
  • Legal Compliance: To comply with legal obligations, enforce our Terms of Service, and protect our legal rights
  • Security and Fraud Prevention: To detect and prevent fraud, abuse, and security threats
  • Communicate with You: To send service-related notifications, respond to your inquiries, and provide customer support

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

4. Third-Party Services and Data Processors

We use the following third-party services (subprocessors) to store and process your data. All subprocessors are contractually obligated to protect your data and comply with applicable data protection laws:

4.1. Clerk (Authentication)

Purpose: User authentication and account management
Data Stored: Email address, authentication credentials, profile information, Terms of Service acceptance metadata
Location: United States
Privacy Policy: https://clerk.com/legal/privacy

4.2. Neon (Database)

Purpose: Primary database storage for all user content
Data Stored: Loved ones profiles, memories, important dates, Terms of Service acceptance logs, deletion logs
Location: United States (with data replication for availability)
Privacy Policy: https://neon.tech/legal/privacy-policy

4.3. Cloudflare R2 (File Storage)

Purpose: Storage of uploaded images and audio files
Data Stored: User-uploaded images and audio files
Location: United States
Privacy Policy: https://www.cloudflare.com/privacypolicy/

4.4. OpenAI (AI Processing)

Purpose: Voice transcription, AI-powered hint analysis, and gift recommendation generation
Data Processed: Audio files, text hints, and gift context sent for AI processing
Data Retention: OpenAI does not retain your data for training purposes. Data is processed and not stored by OpenAI beyond the processing session. We use OpenAI's API (not the ChatGPT consumer service) with data usage for training disabled.
Location: United States
Privacy Policy: https://openai.com/policies/privacy-policy

4.5. Stripe (Payment Processing)

Purpose: Processing subscription payments for Premium tier
Data Processed: Payment method information, billing address, subscription details
Data Retention: Stripe retains payment records per their legal requirements (tax, accounting). We do not store your full payment card details.
Location: United States
Privacy Policy: https://stripe.com/privacy

4.6. Upstash Redis (Rate Limiting)

Purpose: Distributed rate limiting to prevent abuse and ensure fair usage
Data Processed: Temporary rate limit counters (user ID, timestamp, request count). No personal data is stored beyond rate limit tracking.
Data Retention: Rate limit data is automatically expired and deleted after the rate limit window (typically 1 hour)
Location: United States
Privacy Policy: https://upstash.com/legal/privacy

4.7. Unsplash (Image Service)

Purpose: Fetching stock photography to enhance gift recommendations
Data Processed: Search queries (product keywords). No personal information is sent to Unsplash.
Data Retention: Unsplash images are publicly available and cached by us for 1 hour. No personal data is stored by Unsplash.
Location: Global
Privacy Policy: https://unsplash.com/privacy

4.8. Vercel (Hosting)

Purpose: Application hosting and content delivery
Data Processed: Application logs, request metadata
Location: Global (with data primarily in United States)
Privacy Policy: https://vercel.com/legal/privacy-policy

We will notify you of any material changes to our subprocessors. You can request a current list of subprocessors by contacting us.

5. Data Retention

We retain your personal data only for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:

  • Account Data: Retained while your account is active. Upon account deletion, data is deleted immediately (typically within minutes), with backups retained for up to 90 days due to technical constraints.
  • Subscription Data: Retained while your subscription is active. When you cancel, subscription data is deleted along with your account. Payment records are retained by Stripe per their legal requirements (tax, accounting) and are not deleted by us.
  • Terms of Service Acceptance Logs: Retained indefinitely for legal compliance and non-repudiation. When you delete your account, we anonymize your user ID (hash it) and clear your IP address, but keep the record to prove consent if needed.
  • Deletion Logs: Retained indefinitely. We maintain a one-way hash of your email address (not the email itself) to prove deletion occurred. This is not personally identifiable information and cannot be reversed to obtain your email.
  • Rate Limit Data: Automatically expired and deleted after the rate limit window (typically 1 hour). No persistent personal data is stored.
  • Legal Obligations: We may retain certain data longer if required by law, to resolve disputes, enforce agreements, or protect our legal rights. Such retention will be limited to what is legally necessary.

6. Your Privacy Rights (GDPR/CCPA)

Depending on your location, you may have the following rights regarding your personal data:

6.1. Right to Access

You have the right to request a copy of all personal data we hold about you. You can access most of your data directly through the Service, or request a complete export by contacting us.

6.2. Right to Rectification

You have the right to request correction of inaccurate or incomplete data. You can update most of your data directly through the Service.

6.3. Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your account and all associated data at any time. To exercise this right:

  • Use the "Delete Account" feature in your account settings, or
  • Contact us through the Service

Upon receiving a valid request, we will immediately and permanently delete your data in the following order:

  1. Cancel Active Subscription: Immediately cancel any active subscription to prevent further charges
  2. Delete Uploaded Files: Delete all uploaded files (images, audio) from Cloudflare R2 storage
  3. Delete Database Records: Delete all database records including loved ones, memories, important dates, gift ideas, gift batches, usage tracking, and subscription records
  4. Anonymize Legal Records: Anonymize Terms of Service acceptance logs by hashing your user ID and clearing your IP address (records are kept for legal compliance but no longer contain personally identifiable information)
  5. Delete Authentication Account: Delete your authentication account from Clerk

This process is typically completed immediately (within minutes), but may take up to 30 days in exceptional circumstances. We will confirm deletion in writing. Some information may remain in backup systems for up to 90 days due to technical constraints, after which it will be permanently deleted.

Note: Payment records processed through Stripe are retained by Stripe per their legal requirements (tax, accounting) and are not deleted by us. These records do not contain your full payment card details.

6.4. Right to Data Portability

You have the right to request your data in a structured, machine-readable format. Contact us to request a data export.

6.5. Right to Object

You have the right to object to processing of your data for certain purposes. Contact us to exercise this right.

6.6. Right to Restrict Processing

You have the right to request that we limit how we process your data. Contact us to exercise this right.

6.7. Right to Withdraw Consent

If processing is based on consent, you may withdraw it at any time. Withdrawing consent may affect your ability to use certain features of the Service.

6.8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information (subject to certain exceptions)
  • Right to opt out of the sale of personal information (we do not sell your personal information)
  • Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, please contact us through the Service or visit our website. We will respond to your request within 30 days (or as required by applicable law). For data protection inquiries, please clearly indicate "Data Protection Request" in your communication.

7. Biometric Data and Voice Processing (BIPA Compliance)

We are committed to protecting your biometric privacy:

  • No Biometric Identifiers: We do not collect, store, or process biometric identifiers such as voiceprints, facial geometry, fingerprints, or other biometric data for identification purposes.
  • Voice/Audio Processing: If you upload audio files (voice notes), we use such audio solely for transcription purposes (converting speech to text). We do not analyze audio to identify speakers, create voiceprints, or perform voice recognition.
  • No Biometric Features: We do not and will not build features that group photos by face recognition, filter audio by speaker identification, or perform any other biometric analysis. If such features are added in the future, we will obtain explicit consent and comply with all applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA).
  • Audio Storage: Audio files are stored only for your playback and transcription purposes. They are deleted when you delete your account.

By using voice or audio features, you consent to the processing of your audio files solely for transcription and playback purposes, and you acknowledge that we do not create or store biometric identifiers from your audio.

8. Children's Privacy (COPPA)

Our Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 13 years of age in violation of the Children's Online Privacy Protection Act (COPPA).

Parental Consent for Minor Data: This application allows adult users to track information about their loved ones, including minors. We only process data regarding minors that is explicitly provided by their parent or legal guardian for the purpose of family hint keeping and gift tracking. The parent or legal guardian must be the account holder and is solely responsible for all data entered about minors.

If you are a parent or guardian and believe your child under 18 has directly provided us with personal information without your consent, please contact us immediately so we may delete such information.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit (HTTPS/TLS) for all data transmission
  • Encryption at rest for sensitive data
  • Secure authentication through Clerk
  • Regular security assessments and updates
  • Access controls and authentication requirements
  • Secure file storage with Cloudflare R2

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a data breach that may affect your personal information, we will:

  • Notify you and relevant authorities as required by applicable law (typically within 72 hours for GDPR, or as soon as practicable for other jurisdictions)
  • Send notifications to the email address associated with your account
  • Include information about the nature of the breach, the data affected, and steps we are taking to address it

11. Affiliate Links and Third-Party Retailers

When you click on gift recommendations, you may be directed to third-party retailers (such as Amazon) through affiliate links. We may receive a commission if you make a purchase through these links, at no additional cost to you.

Data Sharing: When you click an affiliate link, you are redirected to the retailer's website. We do not share your personal information with retailers. The retailer may collect information about your visit through cookies and other tracking technologies in accordance with their own privacy policies.

We are not responsible for the privacy practices of third-party retailers. We encourage you to review the privacy policies of any retailers you visit through our affiliate links.

12. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. We ensure that such transfers comply with applicable data protection laws through:

  • Contractual safeguards with our subprocessors
  • Compliance with GDPR, CCPA, and other applicable laws
  • Appropriate security measures as outlined in Section 9

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date at the top of this Privacy Policy
  • Sending you an email notification (if you have an account)
  • Providing notice through the Service

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data privacy rights, or need to report a security concern, please contact us:

  • Through the Service at curiokeep.app
  • By using the contact features available in the Service

For data protection inquiries, please clearly indicate "Data Protection Request" in your communication to ensure prompt handling. We will respond to your request within 30 days (or as required by applicable law).

15. Additional Information

This Privacy Policy should be read in conjunction with our Terms of Service, which govern your use of the Service.

If any provision of this Privacy Policy is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Privacy Policy will otherwise remain in full force and effect.
