Privacy Policy
Last updated: 19 May 2026
1. What we collect
- Account data: email, display name, password (hashed via the auth service).
- Billing data: Stripe processes payments; we store the Stripe customer/subscription IDs and invoice metadata, not card numbers.
- Inputs you upload: photos, voice samples, prompts, reference assets.
- Generated outputs: videos, images, audio.
- Usage data: credit ledger entries, generation history, technical logs (request IDs, IP, user-agent).
2. Why we process it
- Contract performance (Art. 6(1)(b) GDPR): running the service you paid for.
- Legitimate interest (Art. 6(1)(f)): fraud prevention, abuse detection, service improvement.
- Legal obligation (Art. 6(1)(c)): financial records retention, tax / VAT compliance.
- Consent (Art. 6(1)(a)): marketing emails, voice cloning, B2B gating attestations.
3. Where it goes
We send prompts and reference inputs to AI providers strictly as needed to generate the output you requested. Current subprocessors include:
- fal.ai — video model routing
- Anthropic, Google — language and vision models
- ElevenLabs — voice cloning + synthesis
- Cloudflare R2 — asset storage
- Stripe — payments
- Resend — transactional email
A current list (with addresses, locations, and the categories of data sent) is available on request.
4. How long we keep it
- Generated assets: per your subscription tier's retention window (7–365 days), then auto-archived.
- Account data: until you request deletion.
- Financial records: retained for the statutory period (typically 7 years under Romanian fiscal law) regardless of any deletion request.
- Logs: 30 days, then aggregated.
5. Your rights
Under GDPR you have the rights of access, rectification, erasure, restriction, portability and objection. Exercise them from your account settings:
- "Export my data" downloads a JSON bundle of everything we hold (Art. 20).
- "Delete my account" queues anonymization and removes inputs/outputs from R2 (Art. 17).
You may also email hello@koliva.ai or lodge a complaint with the Romanian DPA (ANSPDCP) or your local supervisory authority.
6. Security
TLS in transit, encryption at rest in R2, JWT-based service auth, audit logging of all ledger movements. We disclose security incidents to affected users without undue delay (Art. 34 GDPR).
7. Children
The service is not directed at users under 16. We do not knowingly collect data from minors and will delete it if discovered.
8. Updates
Material changes will be emailed to active users before taking effect. The current version is always the one on this page.