Legal · GDPR Art. 30

Records of Processing Activities

Last updated: July 13, 2026. Kyrovo publishes its ROPA voluntarily even though we are exempt under Art. 30(5) — we believe you should be able to see exactly how your data flows through our systems.

Available in 8 languages via the language switcher (top-right). The English version is authoritative.

Controller: Kyrovo · hello@getkyrovo.com

Data Protection contact: dpo@getkyrovo.com

EU/UK representative: Appointed on request per Art. 27 for users in the EEA/UK.

Account creation & authentication

Legal basis
Art. 6(1)(b) contract
Data subjects
Registered users
Categories of data
Email, hashed password, display name, sign-in timestamps
Recipients / processors
Supabase (processor)
International transfers
EU region primary; SCCs 2021/914 for any egress
Retention
Life of account + 30 days encrypted backup
Security measures
TLS 1.3, AES-256 at rest, RLS row-scoped to auth.uid()

Compute Kyrovo scores & 90-day plan

Legal basis
Art. 6(1)(a) + Art. 9(2)(a) explicit consent (wellbeing = special category)
Data subjects
Registered users who complete the check-in
Categories of data
Self-reported energy/motivation/detachment, job title, industry, tasks, income, expenses, savings
Recipients / processors
Supabase (storage); Lovable AI Gateway (plan draft, numeric scores only, no identifiers)
International transfers
EU region primary; SCCs for AI Gateway
Retention
Until user deletes account (immediate) or 24 months of inactivity
Security measures
RLS scoped to auth.uid(); AI Gateway receives no email/name/employer

Subscription billing & tax compliance

Legal basis
Art. 6(1)(b) contract + Art. 6(1)(c) legal obligation (tax)
Data subjects
Paying users
Categories of data
Email, Stripe customer ID, subscription tier, billing country, invoice history
Recipients / processors
Stripe (processor + independent controller for fraud/AML)
International transfers
Stripe US ← EU under SCCs + Stripe DPA
Retention
7 years post-cancellation (EU/UK tax law)
Security measures
Card data never touches Kyrovo servers; Stripe Elements + PCI-DSS Level 1

Transactional & opt-in reminder emails

Legal basis
Art. 6(1)(b) contract (transactional); Art. 6(1)(a) consent (reminders)
Data subjects
Registered users
Categories of data
Email, first name, subscription state, notification preferences
Recipients / processors
Lovable-managed transactional email provider
International transfers
EU primary; SCCs where applicable
Retention
Until user unsubscribes or deletes account; suppression list kept indefinitely per CAN-SPAM
Security measures
DKIM + SPF + DMARC enforced

Security logging, abuse prevention

Legal basis
Art. 6(1)(f) legitimate interest (network security)
Data subjects
All visitors
Categories of data
IP address, user-agent, sign-in events, rate-limit hits
Recipients / processors
Cloudflare (edge + WAF); Supabase auth logs
International transfers
Cloudflare global network under DPA + SCCs
Retention
30 days (edge logs); 90 days (auth logs)
Security measures
Logs are not linkable to check-in content; access restricted to on-call engineer

Customer support

Legal basis
Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interest
Data subjects
Users who email us
Categories of data
Email, message content the user chooses to send
Recipients / processors
Kyrovo staff mailbox
International transfers
EU-hosted mailbox
Retention
24 months from last message
Security measures
IMAP over TLS; 2FA on mailbox

Data-subject rights

Under GDPR (EU/UK), CCPA/CPRA, WA MHMDA, VA CDPA, CO CPA, CT CTDPA, UT UCPA, and India's DPDP Act you may: access, rectify, delete, port, restrict, object, withdraw consent, and appeal a refusal. Exercise any right in Settings (once signed in), via Privacy Preferences, or by emailing dpo@getkyrovo.com. We respond within 30 days (GDPR) / 45 days (US state laws), extendable once by 60 days for complex requests.