This Privacy Policy describes how Kabavo LLC ("Ksara", "we", "us", or "our"), a company registered in the Republic of Belarus (TIN/UNP 193832940), collects, uses, stores, and protects your personal data when you use the Ksara platform at ksara.ai (the "Service").
By accessing or using Ksara, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Service.
1. Data Controller
The data controller responsible for your personal data is:
Kabavo LLC
42 Kalvariyskaya St., Minsk 220140, Republic of Belarus
Email: k@kbv.by
Phone: +375 (29) 184-77-34
2. Data We Collect
2.1 Account Data
When you register, we collect:
- Full name
- Email address
- Password (stored as a salted bcrypt hash — we never store plaintext passwords)
- Workspace name and role within the workspace
2.2 Advertising Platform Data
When you connect ad accounts (Meta Ads, Google Ads, TikTok Ads, etc.), we collect:
- OAuth tokens (encrypted with AES-256-GCM at rest)
- Campaign, ad set, and ad-level performance metrics (impressions, clicks, spend, conversions, revenue)
- Creative assets metadata (thumbnails, ad copy, format type)
- Account-level settings and structure
We do not collect end-user personal data (e.g., customer names, emails, or payment details) from your ad accounts. We only access aggregated performance metrics.
2.3 Organic Social Data
If you connect organic social accounts (e.g., TikTok Creator), we collect:
- Profile information (username, follower/following counts, bio)
- Post-level metrics (views, likes, comments, shares)
- Growth snapshots over time
2.4 Uploaded Data
You may upload CSV files containing ad statistics. This data is stored in our database and associated with your workspace. You can delete uploaded batches at any time.
2.5 Usage Data
We automatically collect:
- IP address and approximate geolocation (country/city level)
- Browser type, operating system, and device type
- Pages visited, features used, and timestamps
- Referral source
2.6 Cookies and Tracking
We use cookies and similar technologies as described in our Cookie Policy.
3. How We Use Your Data
We process your data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Performance of contract |
| Authenticating your identity and managing sessions | Performance of contract |
| Syncing and displaying your ad platform data | Performance of contract |
| Sending transactional emails (password reset, alerts) | Performance of contract |
| Improving the Service through aggregated analytics | Legitimate interest |
| Detecting fraud and preventing abuse | Legitimate interest |
| Sending product updates and marketing communications | Consent (opt-in) |
| Complying with legal obligations | Legal obligation |
4. Data Storage and Security
4.1 Encryption
- In transit: All connections use TLS 1.3 encryption
- At rest: OAuth tokens and sensitive credentials are encrypted using AES-256-GCM with unique initialization vectors
- Passwords: Stored as one-way bcrypt hashes with per-user salt
4.2 Infrastructure
- Application hosted on Vercel (SOC 2 Type II certified)
- Database hosted on PostgreSQL with automated daily backups
- Backups encrypted and retained for 30 days
4.3 Access Controls
- Role-based access control (RBAC) within workspaces: Owner, Admin, Manager, Viewer
- Session tokens expire after 15 minutes (access) and 7 days (refresh)
- API rate limiting on all authentication and sensitive endpoints
5. Data Sharing
We do not sell your data. We share data only in these cases:
- Service providers: Hosting (Vercel), database (PostgreSQL provider), analytics (Vercel Analytics) — under data processing agreements
- Ad platforms: OAuth token exchange only (Meta, Google, TikTok) — no data is sent back to these platforms
- Payment processors: If applicable, for subscription billing only
- Legal requirements: When required by law, court order, or governmental authority
We do not use your advertising data to train machine learning models, sell to third parties, or share with competitors.
6. International Data Transfers
Your data may be processed in countries outside the Republic of Belarus, including the United States (where our hosting infrastructure is located). When data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses (SCCs) with service providers
- Encryption of all data in transit and at rest
- Compliance with applicable data protection regulations
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Ad performance metrics | Until account deletion or manual removal |
| OAuth tokens | Until disconnection or token expiry |
| Uploaded CSV data | Until manual batch deletion or account deletion |
| Usage logs | 90 days (rolling) |
| Sync and job logs | 30 days (rolling) |
| Database backups | 30 days |
8. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your account and all associated data
- Portability: Receive your data in a structured, machine-readable format (JSON/CSV)
- Restriction: Request that we limit processing of your data
- Objection: Object to data processing based on legitimate interest
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, email k@kbv.by. We will respond within 30 calendar days.
9. Account Deletion
You can request full account deletion by emailing k@kbv.by or through the Settings page in your dashboard. Upon deletion:
- All personal data is permanently removed within 30 days
- All connected ad account tokens are immediately revoked and destroyed
- All uploaded data and sync history is permanently deleted
- Backups containing your data expire within 30 days
10. Children's Privacy
Ksara is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If we learn that we have collected data from a person under 18, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through a prominent notice within the Service at least 14 days before the changes take effect.
12. Contact
For any questions about this Privacy Policy or your data, contact us at:
Kabavo LLC
42 Kalvariyskaya St., Minsk 220140, Republic of Belarus
Email: k@kbv.by
Phone: +375 (29) 184-77-34
Working hours: Monday — Friday, 10:00 — 19:00 (GMT+3)