Privacy Policy

1. Data Controller

The data controller is CV Project S.r.l., based in Italy, reachable at support@korelab.app.

2. Data Collected

• Registration data: email address, password (encrypted).
• Operational data: ingredients, recipes, products, suppliers, packaging, and price lists entered by the user.
• Payment data: processed entirely by Stripe Inc. KoreLab does not store credit card data.
• Usage data: access logs, browser version, IP addresses for security and diagnostics.
• Google Calendar data (optional): OAuth tokens for calendar sync, stored encrypted. KoreLab only accesses calendar events it creates (scope calendar.events).
• KoreLab AI data (PRO plan only, optional): messages sent to the AI assistant are transmitted to Anthropic PBC to generate responses. KoreLab does not store the content of AI conversations after the response. Only usage volume (token count) is logged to calculate the monthly budget.

3. Purposes and Legal Basis

• Providing the KoreLab SaaS service (contract performance — Art. 6.1.b GDPR).
• Payment processing via Stripe (contract performance).
• Sending service communications (updates, subscription expiry notices) — legitimate interest.
• Google Calendar sync — only with the user's explicit consent (Art. 6.1.a GDPR).
• KoreLab AI assistant (PRO only) — message processing via Anthropic PBC to generate responses. Legal basis: contract performance (Art. 6.1.b GDPR).
• Compliance with legal and tax obligations (Art. 6.1.c GDPR).

4. Data Retention

Data is retained for the duration of the contractual relationship and for 10 years thereafter for tax obligations. Operational data (recipes, products, etc.) is deleted on user request or account closure. Google Calendar tokens are deleted immediately upon disconnection.

5. Third-Party Sharing

• Supabase Inc. — database and authentication (EU servers).
• Stripe Inc. — payment processing.
• Google LLC — only if the user enables Google Calendar sync.
• Anthropic PBC — only if the PRO user uses KoreLab AI. Messages are transmitted to Anthropic's API to generate responses. Anthropic is subject to its own privacy policy (anthropic.com/privacy).
• Vercel Inc. — application hosting.

No data is sold to third parties or used for advertising purposes.

6. Your Rights

Under the GDPR you have the right to: access, rectify, erase (right to be forgotten), restrict processing, data portability, and object to processing. To exercise these rights write to support@korelab.app.

7. Cookies

KoreLab uses only technical cookies necessary for the service to function (authenticated session). No profiling cookies or third-party advertising cookies are used.

8. Contact

For any questions regarding this policy: support@korelab.app