Privacy policy.
This policy explains what personal data we collect when you sign up for the Kaya waitlist, what we use it for, who has access, and the rights you have under the EU General Data Protection Regulation (GDPR).
Who we are
Kaya is operated by Ashish Verma. We are the data controller under Article 4(7) GDPR. Contact: legal@kayacare.app. Full operator details are in the Impressum.
What data we collect
When you submit the waitlist form at kayacare.app, we collect:
- Your name, email address, and phone number (with country code).
- Your primary language (self-reported).
- An optional free-text note ("what you hope Kaya can help with").
- Technical metadata: a one-way hashed version of your IP address, your browser's user-agent string, and the timestamp of your signup. Raw IP addresses are never written to our database.
If you purchase a paid plan (e.g. Kaya Founding Member), our payment processor Paddle additionally collects and stores: your billing email, billing country (required for EU VAT), and a tokenised reference to your payment method. We never see or store your card number or full payment details — those live with Paddle and their PCI-compliant payment providers. We only receive: the order ID, the email you paid with, the product purchased, the amount, and the VAT status. This data is used to grant you access to paid features and to issue refunds when requested.
If you translate text or speech in the Kaya app at /app/, that content is sent to our translation providers (see "Who has access to your data" below) for the duration of the request only. We do not store translation content or audio on our servers.
Why we collect it
We use your data for three narrow purposes:
- To contact you about Kaya's early access — product updates, and the invitation when your cohort opens.
- To understand the shape of our waitlist (by country, language, needs) so we build the right features first.
- To prevent fraudulent or spam submissions.
Legal basis
Your consent, as defined by Article 6(1)(a) GDPR. You give consent by ticking the box before submitting the form.
How long we keep your data
Until you unsubscribe, or for 24 months after our last contact with you — whichever is sooner. When you unsubscribe (one-click link in every email we send), we keep a record marking your email as unsubscribed so we never contact you again, but we stop all outbound messaging immediately.
On explicit request, we'll fully delete your record from the database — see "Your rights" below.
Who has access to your data
Only the Kaya operator named in the Impressum has direct access to the waitlist database. We use the following data processors, each of whom operates under GDPR-compliant terms:
- Supabase (supabase.com) — database hosting, EU Frankfurt region.
- Vercel (vercel.com) — web application hosting.
- Resend (resend.com) — transactional email delivery, EU infrastructure.
- Cloudflare (cloudflare.com) — DNS, email routing, and CDN.
- Paddle (paddle.com) — payment processing and Merchant of Record for paid plans. Handles billing, EU VAT, and refunds. Contracting entity: Paddle.com Market Ltd (UK) or Paddle B.V. (Netherlands), depending on your location.
- Google (Gemini API), Groq, MyMemory, Hugging Face — translation and transcription providers. Translation content is transmitted for the duration of the request only; these providers do not retain it for their own use under their current API terms.
International transfers
Your personal data is stored within the European Economic Area (EEA). Some of our processors are US-parented companies operating EU infrastructure; where transfers outside the EEA may occur (e.g. operational administration, security backups), we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses approved by the European Commission.
Security
We use industry-standard measures: HTTPS everywhere (enforced by the .app HSTS preload), encryption at rest, row-level security on the database, storage of hashed rather than raw IP addresses, and access controls on production credentials.
Your rights
Under Chapter III of the GDPR (Articles 15–22), you have the right to:
- Access your data — we'll send you a copy within 30 days.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict processing.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing.
- Withdraw consent at any time, via the unsubscribe link in every email or by emailing us.
To exercise any of these rights, email legal@kayacare.app. You also have the right to lodge a complaint with a supervisory authority — for Germany, that's the BfDI, or the data protection authority of your EU member state of residence.
Cookies & tracking
The waitlist site does not set tracking cookies. We use Vercel Web Analytics for privacy-friendly pageview measurement — it uses no cookies and does not identify individual visitors. Vercel Speed Insights uses localStorage to measure Core Web Vitals; no personal data is collected. No third-party advertising trackers are present.
Changes to this policy
We'll notify waitlist members by email if we make material changes. Non-material changes will be published here with an updated "Last updated" date.
Contact
For any question about your data, or to exercise your rights:
legal@kayacare.app