Privacy Policy

Last updated: March 31, 2026

1. Introduction

Kreatir Limited (“we,” “us,” or “our”) operates Involok — the invoicing, file delivery, and digital storefront platform available at involok.com. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights regarding that information.

This policy applies to all users of involok.com and the Involok platform, including account holders, their clients, and visitors to any Lokbox storefront hosted on our infrastructure.

2. Information We Collect

2.1 Information you provide

  • Account information: name, email address, and password (stored hashed)
  • Business profile: business name, logo, brand colors, and other details you choose to add
  • Invoice and client data: client names, email addresses, billing details, line items, and amounts
  • Files you upload: files attached to invoices or listed in your Lokbox, stored on our infrastructure

2.2 Information collected automatically

  • IP address, browser type, and device information
  • Pages visited, time of access, and navigation patterns
  • Session and authentication tokens

2.3 Information from third parties

When you connect a Stripe account, we receive limited data from Stripe — such as account status, payout details, and transaction records — to operate the platform. We do not store full payment card details; these are handled exclusively by Stripe.

3. How We Use Your Information

  • Providing the Service: Operating your account, processing invoices, facilitating payments, delivering files, and running your Lokbox storefront.
  • Transactional communications: Sending receipts, invoice notifications, payment confirmations, file delivery links, and account-related alerts.
  • Product improvements: Analyzing aggregated, anonymized usage patterns to understand how features are used, identify bugs, and prioritize development. We do not build individual behavioral profiles for advertising purposes.
  • Security and fraud prevention: Detecting unauthorized access, abuse, and suspicious activity.
  • Legal compliance: Retaining records as required by applicable law and responding to lawful requests from authorities.

We will not use your data for targeted advertising, and we will never sell your personal information to third parties.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only with the following trusted service providers, and only to the extent necessary to operate the platform:

  • Stripe: All payment processing and Stripe Connect onboarding. Governed by Stripe's Privacy Policy.
  • Supabase: Database and file storage infrastructure. Your account data and uploaded files are stored on Supabase's secure, SOC 2-compliant infrastructure.
  • Resend: Transactional email delivery. When we send you an invoice notification or receipt, Resend processes the email address and message content needed to deliver it.

We may also disclose information if required by law, court order, or regulatory authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Kreatir Limited, our users, or the public.

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred to a new entity and becomes subject to a different privacy policy.

5. Data Retention

  • Account data: Retained while your account is active. Following account deletion, account data is purged within 90 days, though residual copies in backup systems may persist briefly.
  • Invoice records: Retained for the life of the account, and for up to seven years after deletion to meet accounting and tax record-keeping requirements.
  • Uploaded files: Retained per the file expiry rules of your plan (Free: 3 days; Activated: up to 30 days; Pro: no expiry). Files are purged on account deletion.
  • Access logs: Retained for up to 12 months for security and fraud prevention purposes.

6. Cookies

We use cookies to operate the platform, remember your preferences, and analyze usage. For full details, see our Cookie Policy. We do not use third-party advertising cookies or tracking pixels.

7. Data Security

We implement industry-standard security measures to protect your data, including encrypted data transmission (TLS), hashed password storage, access controls, and regular security reviews.

Payment data is handled exclusively by Stripe, which is PCI DSS Level 1 compliant. We never see or store raw card numbers or bank account details.

While we take these precautions seriously, no system can be guaranteed 100% secure. In the event of a data breach that affects your personal information, we will notify you promptly in accordance with applicable law.

8. Your Rights

All users: You have the right to access, correct, export, or delete your personal information. To exercise these rights, contact us at privacy@involok.com. We will respond to verified requests within 30 days.

EEA/GDPR users: If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including the right to restrict processing, the right to data portability, and the right to lodge a complaint with your local supervisory authority. Our legal bases for processing include contract performance, legitimate interests, and legal obligations.

California residents (CCPA): If you are a California resident, you have the right to know what personal information we collect, the right to delete it, and the right to opt out of any sale of personal information. We do not sell personal information. You may exercise your rights by contacting us at privacy@involok.com.

9. Children's Privacy

Involok is designed for users 18 years of age and older. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that a user is under 18, we will promptly close their account and delete any associated information.

If you believe a minor has created an account on Involok, please contact us at privacy@involok.com and we will investigate and take appropriate action.

10. International Data Transfers

Kreatir Limited is based in the United States. If you are located outside the US, your personal information will be transferred to and processed in the US. We rely on our service providers' compliance mechanisms (including Standard Contractual Clauses for EEA transfers) to ensure adequate protection.

11. Third-Party Links

Involok may contain links to third-party websites, including Stripe's onboarding flow and external documentation. These sites have their own privacy policies, and we are not responsible for their content or practices. We encourage you to review the privacy policies of any third-party sites you visit.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we'll notify you via email or a notice within the platform before the changes take effect. The “Last updated” date at the top of this page indicates when the current version was published.

13. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

Email: privacy@involok.com

Website: involok.com

We aim to respond to all privacy inquiries within 5 business days.