Privacy Policy
Version 2026-05-25.1 — last updated: 2026-05-25
Kivolaro (“Kivolaro”, “we”, “us”) operates kivolaro.com (the “Site”) and provides custom software and AI automation services. This policy explains what information we process, why, on what legal basis, for how long, and how you can exercise your rights.
1. Data controller
Kivolaro — operated by Facundo Menéndez. Contact: hello@kivolaro.com. Full details in the Legal Notice.
2. EU representative / DPO
Kivolaro is established in the U.S. and primarily targets the U.S. market. We have not appointed a formal Data Protection Officer because our processing does not meet the GDPR Art. 37 thresholds. For any privacy inquiry write to hello@kivolaro.com.
3. Data we collect
- Form data. Name, email, company, website, business area, urgency, preferred contact channel, and the message you write. Some forms also include calculator outputs (ROI, budget).
- Technical and usage data. Pages viewed, referrer, approximate location (country-level), device type, IP address (stored as a salted HMAC), user agent (hashed).
- Cookies and similar technologies. Full detail in the Cookie Policy.
- Marketing attribution. If you arrive via a campaign with click IDs (gclid, fbclid, li_fat_id, msclkid, gbraid, wbraid) we retain them to measure conversions.
- Consent records. Every cookie decision is stored with an opaque identifier, the chosen categories, and the legal version in force at that moment.
4. Purposes and legal bases
- Respond to inquiries and commercial proposals. Legal basis: pre-contractual measures at the data subject's request (GDPR Art. 6(1)(b)).
- Operate the Site and protect its integrity. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) in keeping a functional and secure site.
- Analytics and product improvement. Legal basis: consent (GDPR Art. 6(1)(a) + ePrivacy Art. 5(3)) managed via our cookie banner.
- Advertising and conversion measurement. Legal basis: consent. Without it we do not send events to Google Ads or the Meta pixel.
- Compliance with legal obligations. Legal basis: applicable legal obligation (GDPR Art. 6(1)(c)).
5. Advertising, profiling, and automated decisions
If you accept the “Advertising” category we may use advertising identifiers to measure conversions and build similar audiences on Google and Meta. We do not make solely automated decisions with legal effects on you (GDPR Art. 22). The Site does not perform fingerprinting.
6. Processors and recipients
We work with a small set of processors. We keep a Record of Processing Activities (RoPA) listing each processor, its purpose, the data shared, the country, and the transfer mechanism.
- Google LLC — Tag Manager, Analytics 4, and Ads (U.S. / EU).
- Microsoft Corporation — Clarity (U.S.).
- Google LLC — Firebase App Hosting (Cloud Run) and Firestore for hosting and consent records (U.S.).
- Cloudflare, Inc. — DNS only (U.S. / global edge).
- Meta Platforms, Inc. — domain verification only (no pixel loaded today).
We do not sell personal information.
7. International transfers
Most of our processors handle data in the U.S. Transfers are covered by (a) the EU-U.S. Data Privacy Framework where the processor is certified, and (b) the European Commission-approved Standard Contractual Clauses as a backstop. We also apply technical measures such as minimisation (HMAC-hashed IP instead of raw IP) and encryption in transit.
8. Retention periods
- Consent events: 13 months.
- Contact requests / leads: up to 24 months without activity, then anonymised or deleted.
- Active newsletter (when launched): until unsubscribe.
- Security logs: 6-12 months.
- Data subject requests (DSR): 36 months, to demonstrate response to a supervisory authority if required.
9. Your rights
If you are in the EU / EEA, UK, Switzerland, or California, you have the following rights over your personal information:
- Access to the data we hold.
- Rectification if they are inaccurate.
- Erasure (“right to be forgotten”) where applicable.
- Restriction of processing.
- Portability in a structured, commonly used format.
- Objection to processing based on legitimate interest.
- Withdraw consent at any time, without affecting prior lawful processing.
- (CCPA/CPRA) know what information is collected, request deletion, and opt out of sharing.
You can exercise them from the Privacy Center or by emailing hello@kivolaro.com. We respond within 30 days.
10. Complaints to a supervisory authority
If you believe we have processed your data improperly you can lodge a complaint with the supervisory authority of your EU/EEA/UK country of residence. In California you can lodge a complaint with the California Privacy Protection Agency.
11. Mandatory vs. optional data
In our forms we mark which fields are mandatory for us to reply (typically email and message). Optional fields help us understand your need better but are not required. If you do not complete the mandatory ones we will not be able to contact you.
12. Security
We apply reasonable technical and organisational measures: HTTPS enforced, HSTS, Secure / SameSite cookies, role-based access control, secrets in Google Secret Manager, environment separation, encryption at rest in Firestore, salted hashes (HMAC) instead of raw IPs, and encrypted backups.
13. Children
Kivolaro is not directed at children under 16 and we do not knowingly collect their data. If you let us know that a child has submitted a form, we will delete it.
14. Changes to this policy
If we update this policy we bump the version at the top and reflect the new date. Material changes will be announced via a prominent notice in the cookie banner or by email to people with an active relationship.
15. Contact
Questions about this policy: hello@kivolaro.com. To manage cookies use the Privacy Center or the “Configure cookies” link in the footer.