Kalleo

Privacy Policy

Last updated: June 2025

1. What We Collect

We collect only what is necessary to provide the Service:

  • Account information — name, email address, and hashed password (via Supabase Auth).
  • Study data — your answers, ratings, spaced repetition state, and daily activity, used to power your personalized study sessions.
  • Exam data — your exam attempts, scores, and domain breakdowns.
  • Subscription data — your plan status and billing period, received via Paddle webhooks. We do not store payment card details.
  • Usage data — basic server logs (IP address, timestamp, endpoint) retained for up to 30 days for security and debugging.

2. How We Use It

Your data is used exclusively to:

  • Authenticate you and maintain your session.
  • Run the SM-2 spaced repetition algorithm to surface the right cards at the right time.
  • Show you your progress, streaks, and domain scores.
  • Process and manage your subscription.
  • Send transactional emails (email confirmation, password reset). No marketing without consent.

3. Third-Party Services

We use a small number of sub-processors:

  • Supabase — database and authentication (hosted on AWS). Your data is stored in the EU-West-1 region by default.
  • Paddle — payment processing and subscription management. Paddle acts as Merchant of Record and processes payments under their own privacy policy.
  • Vercel — hosting and edge runtime for the web application.

We do not sell your data. We do not use third-party analytics (no Google Analytics, no tracking pixels).

4. Data Retention

We retain your account and study data for as long as your account is active. If you delete your account, all personal data is permanently deleted within 30 days.

5. Your Rights

You have the right to access, correct, or delete your personal data. You can delete your account at any time from Settings → Account. For other requests, contact us at support@getkalleo.com and we will respond within 30 days.

6. Security

All data is transmitted over HTTPS. Passwords are never stored in plaintext — authentication is handled by Supabase Auth. We apply the principle of least privilege to database access.

7. Cookies

We use a single session cookie set by Supabase Auth to maintain your login. No tracking or advertising cookies are used.

8. Changes to This Policy

If we make material changes, we will notify you by email and update the date above. Continued use of the Service after changes constitutes acceptance.

9. Contact

Privacy questions or data requests: support@getkalleo.com.