Privacy Policy
Last updated: July 2, 2026 — CV Project S.r.l.
1. Data Controller
The data controller is CV Project S.r.l., registered office at Via Giuseppe Romita 85, 15011 Acqui Terme (AL), Italy — VAT no. IT02707630063. Contacts: email info@cvproject.it, certified email (PEC) cvprojectsrl@pec.it. Website: korelab.app.
2. Data Collected
KoreLab collects and processes the following categories of data:
- Identification and company data: first name, last name, email address, password (encrypted) and — for billing — company name, VAT number, SDI code, PEC, address.
- Operational data: ingredients, recipes, products, suppliers, packaging, and price lists entered by the user.
- Payment data: handled entirely by Stripe (PCI DSS Level 1 certified provider). KoreLab does not receive, process or store card data.
- Usage data: access logs, browser version, IP addresses for security and diagnostics.
- Google Calendar data (optional): OAuth tokens for calendar sync, stored encrypted. KoreLab only accesses calendar events it creates (scope
calendar.events). - Content sent to the AI assistant (optional, all plans): the questions and data you choose to submit to "KoreLab AI" (see section 5-ter).
We do not use third-party analytics or profiling tools.
3. Purposes and Legal Basis
- Providing the KoreLab SaaS service (contract performance — Art. 6.1.b GDPR).
- Managing subscriptions and billing (legal obligation — Art. 6.1.c GDPR).
- Necessary service communications (e.g. account confirmation, password recovery) — contract performance (Art. 6.1.b GDPR).
- Google Calendar sync — only with the user's explicit consent (Art. 6.1.a GDPR).
- KoreLab AI assistant (all plans, on your action) — message processing via the AI providers to generate responses (Art. 6.1.b GDPR).
- Service improvement and security — legitimate interest (Art. 6.1.f GDPR).
- Marketing (product news and tips): only with your explicit consent, optional and revocable at any time via the unsubscribe link in every email or by writing to info@cvproject.it (Art. 6.1.a GDPR).
4. Data Retention
We retain data for as long as necessary to provide the service and to comply with legal obligations:
- Account data: until the user deletes the account.
- Billing data: 10 years (Italian tax obligation).
- Technical data and logs: 12 months at most.
- Google Calendar tokens: deleted immediately upon disconnection.
After account deletion, data is removed from our systems within 30 days, except where legal obligations apply.
5. Third-Party Sharing
KoreLab relies on the following data processors (Art. 28 GDPR):
- Supabase — database and authentication (EU region, Frankfurt).
- Stripe — payment processing and billing.
- Vercel — application hosting (app.korelab.app).
- Netlify — hosting of this website (korelab.app).
- Resend — transactional emails (account confirmation, password recovery) and, with consent, communications.
- Anthropic and OpenAI — providers of the "KoreLab AI" assistant model (see section 5-ter).
- Google — only if you enable Google Calendar sync (OAuth).
All non-EU providers operate under Standard Contractual Clauses (SCC) and Data Processing Agreements. No data is sold to third parties or used for advertising purposes.
5-bis. Controlled sharing of the certification file with the consultant/auditor
At the company's initiative, KoreLab lets you generate a snapshot — a read-only, immutable, point-in-time copy of the certification file — to share with your HACCP consultant via a revocable, expiring link.
- What it contains: certification status (requirements, manual, limits/CCPs) and operational records, including the operator's name and any simple electronic signature (PIN) of whoever made the entry. It does not include raw re-import data or secrets (PINs are never included).
- Legal basis: performance of the consulting contract / the company's legitimate interest (Art. 6.1.b/f GDPR). Sharing is decided and activated exclusively by the company.
- Roles: KoreLab processes the data as the company's processor (Art. 28 GDPR); the consultant is a recipient designated by the company and receives a static snapshot, not real-time access.
- Duration and revocation: the link has an expiry set by the company and can be revoked at any time. Revocation prevents new openings but cannot erase copies the consultant may have already downloaded.
- Retention: the shared copy is deleted when the link expires or is revoked; opening logs are kept for 12 months at most.
5-ter. KoreLab AI assistant
The "KoreLab AI" assistant processes your input only when you actively use it (not in the background). It sends your question and, on plans with full AI, the relevant context data (e.g. manual excerpts, products, recipes) needed to answer. In "vendor" mode (at KoreLab's expense) the content is transmitted to Anthropic (USA) and, as a fallback, OpenAI (USA) via API; if you use your own API keys (BYOK), the content goes to the provider you chose. AI providers used via API do not use your content to train their models. We recommend not entering unnecessary personal data in your questions. AI responses are generated automatically and may contain inaccuracies: always verify them, especially on regulatory and food-safety topics.
6. Your Rights
Under the GDPR (Arts. 15-22) you have the right to: access, rectification, erasure (right to be forgotten), restriction of processing, data portability, and objection to processing.
You can exercise portability (Art. 20) and account and data deletion (Art. 17) on your own, directly in the app (Account → Privacy & GDPR) or from the public page app.korelab.app/privacy.html#elimina-account. For the other rights, write to info@cvproject.it: we respond within 30 days.
7. Cookies
KoreLab uses only technical/functional cookies necessary for the service to function (authenticated session, preferences) and LocalStorage to store the user session. No profiling or third-party advertising cookies are used. Fonts are self-hosted (no calls to Google Fonts). For details see the Cookie Policy.
8. Data Security
We adopt appropriate technical and organizational measures: TLS/HTTPS encryption for all communications, database encrypted at rest (Supabase), Row Level Security (each user can access only their own data), JWT-based authentication, no payment data stored (handled by Stripe), and automatic database backups.
9. International Transfers
The database and authentication (Supabase) are hosted in the European Union (Frankfurt). Some other providers (Stripe, Vercel, Netlify, Resend, Anthropic, OpenAI, Google) may process data in the USA. Such transfers comply with Chapter V of the GDPR through Standard Contractual Clauses (SCC) approved by the European Commission, Data Processing Agreements with each provider and, where applicable, adherence to the EU-U.S. Data Privacy Framework.
10. Minors
KoreLab is a service intended for professionals and businesses. We do not knowingly collect data from anyone under 18. If you are a parent or guardian and believe your child has provided personal data, contact us at info@cvproject.it.
11. Changes to This Policy
We reserve the right to update this policy. Substantial changes will be communicated by email to registered users, and the updated version will always be available on this page with the date of the last change.
12. Supervisory Authority
You have the right to lodge a complaint with the competent supervisory authority. In Italy: Garante per la protezione dei dati personali — Piazza Venezia 11, 00187 Rome — garanteprivacy.it. Users in other countries may contact the authority of their own state.
13. Contact
For any questions regarding this policy: info@cvproject.it