Privacy Policy

Last updated: June 2026

1. Who we are

kvaka.ai is a property management platform operated by Mladen Rakonjac, Podgorica, Montenegro. We act as the data controller for personal data processed through this service. Contact: privacy@kvaka.ai

2. What data we collect

We collect personal data only to the extent necessary to provide the service:

  • Account data: email address and password hash (via Supabase Auth).
  • Property and lease data: property addresses, tenant names, lease terms, rent amounts, deposit amounts — all entered by you.
  • Financial data: utility bill amounts, payment records, tax assessment data from the Podgorica portal.
  • Uploaded documents: PDF bills and scanned documents you upload for OCR processing.
  • Email data (optional): if you connect your Gmail account, we access email metadata and attachments only from senders you approve.
  • Usage data: pages visited, features used, session duration — collected via PostHog analytics (anonymised IP).
  • Technical data: IP address, browser type, device type, referrer URL — collected automatically on each request.

3. Why we process your data

Purpose | Legal basis (GDPR Art. 6)
Providing the property management service | Art. 6(1)(b) — performance of a contract
Sending rent due and lease expiry reminders | Art. 6(1)(b) — performance of a contract
OCR processing of uploaded bills | Art. 6(1)(b) — performance of a contract
Platform analytics and improvement | Art. 6(1)(a) — consent (cookie banner)
Security and fraud prevention | Art. 6(1)(f) — legitimate interests
Legal obligations | Art. 6(1)(c) — legal obligation

4. Who we share data with

We use the following sub-processors. All international data transfers are covered by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework:

  • Supabase — database, authentication, file storage. (US; Standard Contractual Clauses)
  • Vercel — hosting and serverless functions. (US; EU edge delivery; Standard Contractual Clauses)
  • Google Cloud / Vertex AI — AI/OCR processing of uploaded documents. (global; DPF certified + Standard Contractual Clauses)
  • Resend (EU) — transactional email delivery.
  • PostHog (EU cloud, eu.posthog.com) — product analytics, only if you consent.
  • Upstash (EU) — Redis rate limiting counters (no personal data stored, only request counts).
  • Sentry (EU data centre — de.sentry.io) — error tracking and performance monitoring.

We do not sell your personal data to any third party.

5. Cookies

We use the following cookies:

  • Essential cookies: Supabase session token (sb-*). Required for login. No consent needed.
  • Analytics cookies: PostHog (ph_*, posthog). Used to understand how features are used. Set only after you accept analytics cookies.
  • Preference cookies: cookie-consent. Stores your cookie choice. No consent needed.

6. Data retention

  • Account and property data: retained for the duration of your account, plus 30 days after deletion.
  • Uploaded documents: retained in storage for the duration of your account.
  • Analytics data: 1 year rolling window in PostHog.
  • Server logs: up to 30 days.

7. Your rights

Under GDPR (and Montenegro's Law on Personal Data Protection), you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct inaccurate data via your profile settings or by contacting us.
  • Erasure — request deletion of your account and all associated data.
  • Portability — request a copy of your data in a machine-readable format by emailing privacy@kvaka.ai (we will respond within 30 days).
  • Restriction — restrict processing while a dispute is resolved.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — withdraw analytics consent at any time via the cookie settings.

To exercise any right, email privacy@kvaka.ai. We will respond within 30 days. You also have the right to lodge a complaint with the Agency for Personal Data Protection of Montenegro (azlp.me).

8. Security

All data is encrypted in transit (TLS 1.2+) and at rest. Database access is controlled by Row Level Security policies so each user can only access their own data. Authentication is handled by Supabase Auth with bcrypt password hashing.

9. Children

kvaka.ai is not directed at children under 16. We do not knowingly collect data from anyone under 16.

10. Changes to this policy

We may update this policy. We will notify you of material changes by email at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.