1. Data controller
The data controller is KUBA S.R.L., Via di Sottomonte, 355, 55100 Lucca, Italy, VAT No. 02763370463.
Privacy and data subject requests: support@kubalabs.com.
2. When Kuba acts as controller vs processor
Kuba acts as controller for data relating to website visitors, demo requests, merchant accounts, contracts, billing, support and direct commercial communications with the merchant.
Kuba may act as processor when processing end customers’ data on behalf of a merchant to provide automations, broadcasts, inbox, AI features and WhatsApp messaging under the merchant’s instructions.
The merchant remains controller of its end customers’ data and is responsible for the lawfulness of contact lists, consents, legal bases and message content sent via Kuba.
3. Categories of data processed
Depending on the relationship and features used, we may process:
- identification and contact data: name, surname, email, phone;
- account data: user ID, email, session, role, ecom_id;
- business data: company name, VAT, address, city, postcode, country, referral source;
- ecommerce data: store, domain, products, collections, orders, amounts, currency, tracking, customer history;
- WhatsApp data: numbers, chats, messages, templates, message status, media, WhatsApp profile, number quality;
- end customer data: name, surname, phone, orders, tags, lists, segments, interactions, inferred preferences;
- AI data: prompts, conversations, company facts, customer facts, chat categories, AI actions, store policies, embeddings;
- technical data: IP, logs, errors, telemetry events, WebSocket connections, push subscriptions;
- billing data: plan, tier, trial, usage metrics, payment provider, subscription ID.
4. Purposes and legal bases
| Purpose | Data involved | Legal basis |
|---|---|---|
| Website browsing and security | Technical data, logs | Legitimate interest / service request |
| Demo booking | Contact data | Pre-contractual measures |
| Account creation and app use | Account and business data | Contract |
| WhatsApp / Meta connection | WhatsApp data and credentials | Contract |
| Shopify / WooCommerce integration | Store, orders, customers, products | Contract |
| Flows and broadcasts | End customers, messages | Merchant instructions / contract |
| Inbox and customer service | Chats and messages | Contract / merchant instructions |
| Kuba Premium AI | Chats, orders, catalogue, facts, policies | Contract / merchant instructions |
| Billing and invoicing | Plan, usage, payments | Contract / legal obligation |
| Support and Intercom | Email, user ID, ecom_id, tickets | Contract / legitimate interest |
| Security, logs and abuse prevention | Technical data | Legitimate interest |
| Tax and legal obligations | Contract and invoice data | Legal obligation |
5. Website, demo and third-party technologies
The marketing website https://www.kubalabs.com is built with Astro and may use Google Fonts.
The contact/demo page embeds Zoho Bookings via Nimbuspop (fuzzymarketing.zohobookings.eu) and bookings.nimbuspop.com/assets/embed.js.
Technical cookie kuba_locale (365 days) for language preference. sessionStorage kuba:scroll-positions for scroll restoration on the home SPA.
Google Tag Manager (container GTM-KZFXNJRT) manages website tags and measurement tools centrally; any analytics tags (e.g. GA4) are configured in GTM, not installed directly in the site code. Meta Pixel, Clarity, LinkedIn Insight Tag and similar marketing tools are not directly installed in the codebase; if added, they will be managed as required.
6. Platform app.kubalabs.com
The application https://app.kubalabs.com uses SvelteKit and communicates with https://api.kubalabs.com (Rust/Actix-web backend, PostgreSQL via SQLx).
Authentication via Supabase (JWT). Session may be stored in the browser (localStorage) until logout or expiry.
UI preferences in localStorage (e.g. hide_data, chat_ghost_mode). Intercom Messenger for in-app support. WebSocket for real-time updates. Usage/error telemetry. Web push subscriptions if enabled.
7. WhatsApp, Meta and messaging
Kuba uses WhatsApp Cloud API / Meta to send and receive messages, manage templates, WhatsApp profile, number quality, webhooks, delivery status and media.
Messages may include text, approved templates, images, documents, video, buttons and interactive replies.
Where supported, historical WhatsApp conversations (e.g. SMB history sync) up to 180 days may be synced for service continuity.
The merchant must provide adequate notice and obtain required consents from end customers for marketing communications.
8. Ecommerce, Shopify and WooCommerce
Kuba may connect to Shopify via OAuth and GraphQL to process orders, products, customers, fulfillment, inventory, discounts, checkout and store legal policies.
The backend supports or may support WooCommerce and other platforms via dedicated setup.
Access tokens and credentials are stored encrypted. The merchant must have authority to connect the store and data processed.
9. Kuba Premium and AI
Kuba Premium may use AI providers including Anthropic (Claude), OpenAI, Google Gemini, DeepSeek and others configured, plus embedding/search (e.g. Voyage AI) and audio features (e.g. ElevenLabs) where active.
Purposes include automated replies, chat classification, product suggestions, message analysis, company/customer facts, and use of store policies and catalogue as context.
AI does not produce solely automated decisions with legal or similarly significant effects on individuals in a binding manner without appropriate human oversight.
The merchant must configure prompts, limits and instructions and supervise AI use in compliance with Meta/WhatsApp policies and applicable law.
10. Suppliers and subprocessors
We rely on third-party suppliers to deliver the service. The list may change over time. Kuba keeps providers updated and, where required, regulates relationships through data processing agreements (DPAs).
| Provider | Purpose |
|---|---|
| Supabase | Authentication and related database services |
| PostgreSQL / database provider | Application data storage |
| Meta / WhatsApp Cloud API | WhatsApp communications |
| Shopify | Ecommerce, app billing, integrations |
| WooCommerce | Ecommerce integration, if active |
| Intercom | In-app customer support |
| Anthropic | AI services (Claude) |
| OpenAI | AI services |
| Google (Gemini, Fonts) | AI and/or web fonts |
| DeepSeek | AI services, if active |
| Voyage AI | Embeddings / AI search, if active |
| ElevenLabs | AI/audio features, if active |
| Stripe | Payments, if used |
| Zoho / Zoho Bookings / Nimbuspop | CRM, demo booking |
| S3-compatible storage | Media and files |
| Cloudflare | DNS and technical services |
| SMTP provider | Transactional email |
| 17track | Shipment tracking |
| Hosting provider (e.g. Railway) | Backend/API hosting, where used |
11. Transfers outside the EEA
Some providers (e.g. Meta, Google, Anthropic, OpenAI, Cloudflare, hosting or storage) may process data outside the European Economic Area.
Where applicable, Kuba implements GDPR safeguards such as adequacy decisions, Standard Contractual Clauses or supplementary measures.
Further details may be requested at support@kubalabs.com.
12. Data retention
| Category | Indicative period |
|---|---|
| Website technical logs | As needed for security/operation, typically up to 12 months |
| Demo and commercial contacts | Up to 24 months from last contact, unless objected |
| Account and contract | For the duration of the relationship |
| Deleted account | Soft delete and access block; technical retention up to 30 days unless legal obligations apply |
| Billing and invoices | Up to 10 years where required by law |
| Chats, messages, end customers | For service duration or per merchant instructions |
| AI data, facts, policy chunks | For service duration or until deletion, unless legally required |
| Security logs and telemetry | Up to 12 months, unless incidents or disputes require longer |
| Language cookie (kuba_locale) | 365 days |
Periods may vary based on legal obligations, data subject requests or merchant instructions as controller for end customer data.
13. Security
- encrypted storage of external credentials and tokens;
- Supabase JWT authentication;
- HMAC verification for webhooks;
- access controls based on user_id / ecom_id;
- Row Level Security (RLS) where implemented;
- account soft delete with limited technical retention;
- logging, monitoring and limited internal access.
14. Data subject rights
You may exercise, where applicable, rights of access, rectification, erasure, restriction, objection, portability and withdrawal of consent (if consent-based).
Send requests to support@kubalabs.com. We will respond within applicable legal timeframes.
If your request relates to messages received from a merchant via WhatsApp, Kuba may direct you to the merchant as controller or assist the merchant as processor under the applicable agreement.
15. Supervisory authority complaint
You have the right to lodge a complaint with your competent supervisory authority. In Italy: Garante per la protezione dei dati personali (www.garanteprivacy.it).
16. Changes to this notice
Kuba may update this notice. The updated version will be published on this page with the revision date.
Controller: KUBA S.R.L. · Via di Sottomonte, 355, 55100 Lucca, Italy · support@kubalabs.com