CurioKeep

Privacy Policy

Last updated: December 6, 2025

1. Introduction

CurioKeep ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and website located at curiokeep.app (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. This policy is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

If you do not agree with this Privacy Policy, please do not use our Service. We encourage you to read this Privacy Policy carefully and contact us if you have any questions.

2. Information We Collect

2.1. Account Information

When you create an account, we collect information through our authentication provider, Clerk:

  • Email address (required for account creation)
  • Authentication credentials (managed by Clerk, not stored by us)
  • Profile information you choose to provide (name, profile picture)
  • Authentication method (Google, Apple, email/password)

2.2. Content You Create

When you use our Service, we collect and store the following information:

  • Loved Ones Data: Names, relationships, notes, gift preferences, important dates (birthdays, anniversaries, etc.), last contacted dates, and profile photos
  • Memories: Text notes, voice recordings, and images you upload about your loved ones
  • Important Dates: Birthdays, anniversaries, graduations, and custom dates you track
  • Uploaded Files: Images and audio files you upload to the Service

2.3. Usage Information

We automatically collect certain information when you use our Service:

  • Device information (device type, operating system, browser type)
  • Usage patterns (features used, time spent, pages visited)
  • IP address (collected for security, fraud prevention, and audit purposes)
  • Terms of Service acceptance records (version, timestamp, IP address for legal compliance)

2.4. Cookies and Tracking Technologies

We use essential cookies and similar technologies to:

  • Maintain your authentication session
  • Remember your preferences
  • Provide security features

We do not use cookies for advertising or third-party tracking. You can control cookies through your browser settings, but disabling essential cookies may affect Service functionality.

3. How We Use Your Information

We use the information we collect to:

  • Provide and Maintain the Service: To deliver the core functionality of tracking loved ones, memories, and gift ideas
  • Process Your Content: To store and organize your data, transcribe voice notes (if applicable), and generate gift recommendations
  • Authenticate Your Account: To verify your identity and secure your account
  • Improve the Service: To analyze usage patterns and enhance features (using aggregated, anonymized data)
  • Legal Compliance: To comply with legal obligations, enforce our Terms of Service, and protect our legal rights
  • Security and Fraud Prevention: To detect and prevent fraud, abuse, and security threats
  • Communicate with You: To send service-related notifications, respond to your inquiries, and provide customer support

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

4. Third-Party Services and Data Processors

We use the following third-party services (subprocessors) to store and process your data. All subprocessors are contractually obligated to protect your data and comply with applicable data protection laws:

4.1. Clerk (Authentication)

Purpose: User authentication and account management
Data Stored: Email address, authentication credentials, profile information, Terms of Service acceptance metadata
Location: United States
Privacy Policy: https://clerk.com/legal/privacy

4.2. Neon (Database)

Purpose: Primary database storage for all user content
Data Stored: Loved ones profiles, memories, important dates, Terms of Service acceptance logs, deletion logs
Location: United States (with data replication for availability)
Privacy Policy: https://neon.tech/legal/privacy-policy

4.3. Cloudflare R2 (File Storage)

Purpose: Storage of uploaded images and audio files
Data Stored: User-uploaded images and audio files
Location: United States
Privacy Policy: https://www.cloudflare.com/privacypolicy/

4.4. OpenAI (AI Processing)

Purpose: Voice transcription and AI-powered features (if applicable)
Data Processed: Audio files and text data sent for transcription or AI processing
Data Retention: OpenAI does not retain your data for training purposes. Data is processed and not stored by OpenAI beyond the processing session.
Location: United States
Privacy Policy: https://openai.com/policies/privacy-policy

4.5. Vercel (Hosting)

Purpose: Application hosting and content delivery
Data Processed: Application logs, request metadata
Location: Global (with data primarily in United States)
Privacy Policy: https://vercel.com/legal/privacy-policy

We will notify you of any material changes to our subprocessors. You can request a current list of subprocessors by contacting us.

5. Data Retention

We retain your personal data only for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:

  • Account Data: Retained while your account is active. Upon account deletion, data is deleted within 30 days, with backups retained for up to 90 days due to technical constraints.
  • Terms of Service Acceptance Logs: Retained indefinitely for legal compliance and non-repudiation. When you delete your account, we anonymize your user ID (hash it) and clear your IP address, but keep the record to prove consent if needed.
  • Deletion Logs: Retained indefinitely. We maintain a one-way hash of your email address (not the email itself) to prove deletion occurred. This is not personally identifiable information and cannot be reversed to obtain your email.
  • Legal Obligations: We may retain certain data longer if required by law, to resolve disputes, enforce agreements, or protect our legal rights. Such retention will be limited to what is legally necessary.

6. Your Privacy Rights (GDPR/CCPA)

Depending on your location, you may have the following rights regarding your personal data:

6.1. Right to Access

You have the right to request a copy of all personal data we hold about you. You can access most of your data directly through the Service, or request a complete export by contacting us.

6.2. Right to Rectification

You have the right to request correction of inaccurate or incomplete data. You can update most of your data directly through the Service.

6.3. Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your account and all associated data at any time. To exercise this right:

  • Use the "Delete Account" feature in your account settings, or
  • Contact us through the Service

Upon receiving a valid request, we will immediately and permanently delete:

  • Your authentication account from Clerk
  • All database records (loved ones, memories, important dates)
  • All uploaded files from Cloudflare R2 storage
  • All other personal data associated with your account

Deletion will be completed within 30 days, and we will confirm deletion in writing. Some information may remain in backup systems for up to 90 days due to technical constraints, after which it will be permanently deleted.

6.4. Right to Data Portability

You have the right to request your data in a structured, machine-readable format. Contact us to request a data export.

6.5. Right to Object

You have the right to object to processing of your data for certain purposes. Contact us to exercise this right.

6.6. Right to Restrict Processing

You have the right to request that we limit how we process your data. Contact us to exercise this right.

6.7. Right to Withdraw Consent

If processing is based on consent, you may withdraw it at any time. Withdrawing consent may affect your ability to use certain features of the Service.

6.8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information (subject to certain exceptions)
  • Right to opt-out of the sale of personal information (we do not sell your personal information)
  • Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, please contact us through the Service or visit our website. We will respond to your request within 30 days (or as required by applicable law). For data protection inquiries, please clearly indicate "Data Protection Request" in your communication.

7. Biometric Data and Voice Processing (BIPA Compliance)

We are committed to protecting your biometric privacy:

  • No Biometric Identifiers: We do not collect, store, or process biometric identifiers such as voiceprints, facial geometry, fingerprints, or other biometric data for identification purposes.
  • Voice/Audio Processing: If you upload audio files (voice notes), we use such audio solely for transcription purposes (converting speech to text). We do not analyze audio to identify speakers, create voiceprints, or perform voice recognition.
  • No Biometric Features: We do not and will not build features that group photos by face recognition, filter audio by speaker identification, or perform any other biometric analysis. If such features are added in the future, we will obtain explicit consent and comply with all applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA).
  • Audio Storage: Audio files are stored only for your playback and transcription purposes. They are deleted when you delete your account.

By using voice or audio features, you consent to the processing of your audio files solely for transcription and playback purposes, and you acknowledge that we do not create or store biometric identifiers from your audio.

8. Children's Privacy (COPPA)

Our Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 13 years of age in violation of the Children's Online Privacy Protection Act (COPPA).

Parental Consent for Minor Data: This application allows adult users to track information about their loved ones, including minors. We only process data regarding minors that is explicitly provided by their parent or legal guardian for the purpose of family memory keeping and gift tracking. The parent or legal guardian must be the account holder and is solely responsible for all data entered about minors.

If you are a parent or guardian and believe your child under 18 has directly provided us with personal information without your consent, please contact us immediately so we may delete such information.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit (HTTPS/TLS) for all data transmission
  • Encryption at rest for sensitive data
  • Secure authentication through Clerk
  • Regular security assessments and updates
  • Access controls and authentication requirements
  • Secure file storage with Cloudflare R2

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a data breach that may affect your personal information, we will:

  • Notify you and relevant authorities as required by applicable law (typically within 72 hours for GDPR, or as soon as practicable for other jurisdictions)
  • Send notifications to the email address associated with your account
  • Include information about the nature of the breach, the data affected, and steps we are taking to address it

11. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. We ensure that such transfers comply with applicable data protection laws through:

  • Contractual safeguards with our subprocessors
  • Compliance with GDPR, CCPA, and other applicable laws
  • Appropriate security measures as outlined in Section 9

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date at the top of this Privacy Policy
  • Sending you an email notification (if you have an account)
  • Providing notice through the Service

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data privacy rights, or need to report a security concern, please contact us:

  • Through the Service at curiokeep.app
  • By using the contact features available in the Service

For data protection inquiries, please clearly indicate "Data Protection Request" in your communication to ensure prompt handling. We will respond to your request within 30 days (or as required by applicable law).

14. Additional Information

This Privacy Policy should be read in conjunction with our Terms of Service , which govern your use of the Service.

If any provision of this Privacy Policy is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Privacy Policy will otherwise remain in full force and effect.

CurioKeep | AI Gift Tracker & Memory Vault