Privacy Policy

Talentee LLC ("Kolva", "we", "us", or "our") operates the Kolva platform at kolva.ai. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, mobile application, and related services (collectively, the "Service"). We are committed to protecting your personal data and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy regulations. By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

We collect information that you provide directly to us, information we obtain automatically when you use the Service, and information from third-party sources.

We use the information we collect to: • Provide, maintain, and improve the Service • Process transactions and send related information (invoices, confirmations) • Send technical notices, updates, security alerts, and support messages • Provide AI-powered features including briefings, debriefs, client analysis, churn prediction, route optimization, and coaching insights • Generate analytics, reports, and performance metrics for your team • Monitor and analyze trends, usage, and activities in connection with the Service • Detect, investigate, and prevent fraudulent transactions and unauthorized access • Personalize the Service based on your role, preferences, and usage patterns • Comply with legal obligations and enforce our terms AI Processing: Our AI features use your business data (visit history, sales data, client interactions) to generate insights, predictions, and recommendations. AI-generated content is based on patterns in your data and should be reviewed by humans before acting on it. We use OpenAI and Anthropic APIs for AI processing — your data is sent to these providers under strict data processing agreements and is not used to train their models.

We do not sell your personal data. We may share information in the following circumstances: • With your team: Data you enter is visible to authorized team members based on role permissions (admin, manager, supervisor, commercial) • Service providers: We use third-party services for hosting (Vercel), database (Supabase), payments (Stripe), email (Resend), AI processing (OpenAI, Anthropic), and analytics • CRM/ERP sync: Data flows bidirectionally with your connected business systems as configured by your administrator • Legal requirements: We may disclose information if required by law, subpoena, or government request • Business transfers: In connection with a merger, acquisition, or sale of assets • With your consent: When you explicitly authorize sharing with a specific third party All third-party service providers are bound by data processing agreements and are prohibited from using your data for any purpose other than providing services to Kolva.

We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods: • Account data: Retained until account deletion, then purged within 30 days • Visit and sales data: Retained for the duration of your subscription plus 90 days • AI-generated insights: Retained for 12 months, then automatically archived • Chat and voice data: Retained for 6 months unless you request earlier deletion • Log and analytics data: Retained for 24 months in anonymized form • Backup data: Retained for 30 days after primary data deletion • Trial/demo data: Automatically deleted 7 days after trial expiration When you request data deletion, we will remove or anonymize your personal data within 30 days, except where retention is required by law.

We implement industry-standard security measures to protect your data: • Encryption in transit: All data transmitted using TLS 1.3 • Encryption at rest: Database encrypted using AES-256 • Access controls: Role-based access control (RBAC) with row-level security (RLS) enforced at the database level • Authentication: Secure password hashing (bcrypt), session management, optional two-factor authentication • Infrastructure: Hosted on SOC 2 compliant infrastructure (Vercel, Supabase/AWS) • Monitoring: 24/7 automated security monitoring and anomaly detection • API security: Rate limiting, API key hashing (SHA-256), request validation • Penetration testing: Regular third-party security assessments • Employee access: Strict need-to-know basis with audit logging No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

Kolva collects precise GPS location data during field visit check-in and check-out. This data is essential for: • Verifying visit completion and calculating time spent at client locations • Generating route optimization recommendations • Providing real-time team visibility to managers (Live Map feature) • Calculating distances and travel metrics Location data is only collected when you actively check in or check out of a visit. We do not track your location continuously or in the background. You can decline location permissions, but some features (check-in verification, route optimization) will be limited. Location data is stored as geographic coordinates and is subject to the same security and retention policies as other personal data.

We use cookies and similar technologies for: • Essential cookies: Authentication, session management, security (400-day persistent login for PWA) • Preference cookies: Language, theme, and display preferences • Analytics cookies: Understanding usage patterns and improving the Service • Performance cookies: Monitoring application performance and errors We do not use advertising or third-party tracking cookies. You can control cookies through your browser settings, but disabling essential cookies will prevent you from using the Service. See our Cookie Policy for detailed information.

Depending on your jurisdiction, you may have the following rights: • Right to access: Request a copy of the personal data we hold about you • Right to rectification: Request correction of inaccurate or incomplete data • Right to erasure: Request deletion of your personal data ("right to be forgotten") • Right to restrict processing: Request limitation of how we use your data • Right to data portability: Receive your data in a structured, machine-readable format • Right to object: Object to processing based on legitimate interests • Right to withdraw consent: Withdraw consent at any time where processing is based on consent • Right to non-discrimination: Exercise your rights without discriminatory treatment (CCPA) To exercise any of these rights, contact us at privacy@kolva.ai. We will respond to verified requests within 30 days (or as required by applicable law). Your company administrator can also export or delete data through the Kolva admin panel.

Kolva is operated by Talentee LLC in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on: • Standard Contractual Clauses (SCCs) approved by the European Commission • Data Processing Agreements with all sub-processors • Adequacy decisions where applicable Our sub-processors (Supabase, Vercel, Stripe, OpenAI, Anthropic) maintain their own EU data transfer mechanisms and certifications.

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.

We may update this Privacy Policy from time to time. We will notify you of any material changes by: • Posting the updated policy on our website with a new "Last Updated" date • Sending an email notification to account administrators • Displaying an in-app notification Your continued use of the Service after changes take effect constitutes acceptance of the revised policy. We encourage you to review this policy periodically.

If you have questions about this Privacy Policy or our data practices, contact us at: Talentee LLC Attn: Privacy Team Wilmington, Delaware, United States Email: privacy@kolva.ai Website: https://kolva.ai Data Protection Officer: dpo@kolva.ai For EU residents, you also have the right to lodge a complaint with your local data protection authority.