Privacy Policy

Last updated: July 2, 2026 — CV Project S.r.l.

1. Data Controller

The data controller is CV Project S.r.l., registered office at Via Giuseppe Romita 85, 15011 Acqui Terme (AL), Italy — VAT no. IT02707630063. Contacts: email info@cvproject.it, certified email (PEC) cvprojectsrl@pec.it. Website: korelab.app.

2. Data Collected

KoreLab collects and processes the following categories of data:

We do not use third-party analytics or profiling tools.

3. Purposes and Legal Basis

4. Data Retention

We retain data for as long as necessary to provide the service and to comply with legal obligations:

After account deletion, data is removed from our systems within 30 days, except where legal obligations apply.

5. Third-Party Sharing

KoreLab relies on the following data processors (Art. 28 GDPR):

All non-EU providers operate under Standard Contractual Clauses (SCC) and Data Processing Agreements. No data is sold to third parties or used for advertising purposes.

5-bis. Controlled sharing of the certification file with the consultant/auditor

At the company's initiative, KoreLab lets you generate a snapshot — a read-only, immutable, point-in-time copy of the certification file — to share with your HACCP consultant via a revocable, expiring link.

5-ter. KoreLab AI assistant

The "KoreLab AI" assistant processes your input only when you actively use it (not in the background). It sends your question and, on plans with full AI, the relevant context data (e.g. manual excerpts, products, recipes) needed to answer. In "vendor" mode (at KoreLab's expense) the content is transmitted to Anthropic (USA) and, as a fallback, OpenAI (USA) via API; if you use your own API keys (BYOK), the content goes to the provider you chose. AI providers used via API do not use your content to train their models. We recommend not entering unnecessary personal data in your questions. AI responses are generated automatically and may contain inaccuracies: always verify them, especially on regulatory and food-safety topics.

6. Your Rights

Under the GDPR (Arts. 15-22) you have the right to: access, rectification, erasure (right to be forgotten), restriction of processing, data portability, and objection to processing.

You can exercise portability (Art. 20) and account and data deletion (Art. 17) on your own, directly in the app (Account → Privacy & GDPR) or from the public page app.korelab.app/privacy.html#elimina-account. For the other rights, write to info@cvproject.it: we respond within 30 days.

7. Cookies

KoreLab uses only technical/functional cookies necessary for the service to function (authenticated session, preferences) and LocalStorage to store the user session. No profiling or third-party advertising cookies are used. Fonts are self-hosted (no calls to Google Fonts). For details see the Cookie Policy.

8. Data Security

We adopt appropriate technical and organizational measures: TLS/HTTPS encryption for all communications, database encrypted at rest (Supabase), Row Level Security (each user can access only their own data), JWT-based authentication, no payment data stored (handled by Stripe), and automatic database backups.

9. International Transfers

The database and authentication (Supabase) are hosted in the European Union (Frankfurt). Some other providers (Stripe, Vercel, Netlify, Resend, Anthropic, OpenAI, Google) may process data in the USA. Such transfers comply with Chapter V of the GDPR through Standard Contractual Clauses (SCC) approved by the European Commission, Data Processing Agreements with each provider and, where applicable, adherence to the EU-U.S. Data Privacy Framework.

10. Minors

KoreLab is a service intended for professionals and businesses. We do not knowingly collect data from anyone under 18. If you are a parent or guardian and believe your child has provided personal data, contact us at info@cvproject.it.

11. Changes to This Policy

We reserve the right to update this policy. Substantial changes will be communicated by email to registered users, and the updated version will always be available on this page with the date of the last change.

12. Supervisory Authority

You have the right to lodge a complaint with the competent supervisory authority. In Italy: Garante per la protezione dei dati personali — Piazza Venezia 11, 00187 Rome — garanteprivacy.it. Users in other countries may contact the authority of their own state.

13. Contact

For any questions regarding this policy: info@cvproject.it