Privacy policy.
This policy explains what personal data we collect when you sign up for the Kaya waitlist, what we use it for, who has access, and the rights you have under the EU General Data Protection Regulation (GDPR).
Who we are
Kaya is operated by Ashish Verma. We are the data controller under Article 4(7) GDPR. Contact: legal@kayacare.app. Full operator details are in the Impressum.
What data we collect
When you submit the waitlist form at kayacare.app, we collect:
- Your name, email address, and phone number (with country code).
- Your primary language (self-reported).
- An optional free-text note ("what you hope Kaya can help with").
- Technical metadata: a one-way hashed version of your IP address, your browser's user-agent string, and the timestamp of your signup. Raw IP addresses are never written to our database.
Why we collect it
We use your data for three narrow purposes:
- To contact you about Kaya's early access — product updates, and the invitation when your cohort opens.
- To understand the shape of our waitlist (by country, language, needs) so we build the right features first.
- To prevent fraudulent or spam submissions.
Legal basis
Your consent, as defined by Article 6(1)(a) GDPR. You give consent by ticking the box before submitting the form.
How long we keep your data
Until you unsubscribe, or for 24 months after our last contact with you — whichever is sooner. When you unsubscribe (one-click link in every email we send), we keep a record marking your email as unsubscribed so we never contact you again, but we stop all outbound messaging immediately.
On explicit request, we'll fully delete your record from the database — see "Your rights" below.
Who has access to your data
Only Ashish Verma has direct access to the waitlist database. We use the following data processors, each of whom operates under GDPR-compliant terms:
- Supabase (supabase.com) — database hosting, EU Frankfurt region.
- Vercel (vercel.com) — web application hosting.
- Resend (resend.com) — transactional email delivery, EU infrastructure.
- Cloudflare (cloudflare.com) — DNS, email routing, and CDN.
International transfers
Your personal data is stored within the European Economic Area (EEA). Some of our processors are US-parented companies operating EU infrastructure; where transfers outside the EEA may occur (e.g. operational administration, security backups), we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses approved by the European Commission.
Security
We use industry-standard measures: HTTPS everywhere (enforced by the .app HSTS preload), encryption at rest, row-level security on the database, storage of hashed rather than raw IP addresses, and access controls on production credentials.
Your rights
Under Chapter III of the GDPR (Articles 15–22), you have the right to:
- Access your data — we'll send you a copy within 30 days.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict processing.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing.
- Withdraw consent at any time, via the unsubscribe link in every email or by emailing us.
To exercise any of these rights, email legal@kayacare.app. You also have the right to lodge a complaint with a supervisory authority — for Germany, that's the BfDI, or the data protection authority of your EU member state of residence.
Cookies & tracking
The waitlist site does not set tracking cookies. We use Vercel Web Analytics for privacy-friendly pageview measurement — it uses no cookies and does not identify individual visitors. Vercel Speed Insights uses localStorage to measure Core Web Vitals; no personal data is collected. No third-party advertising trackers are present.
Changes to this policy
We'll notify waitlist members by email if we make material changes. Non-material changes will be published here with an updated "Last updated" date.
Contact
For any question about your data, or to exercise your rights:
legal@kayacare.app