Privacy Policy

Privacy Policy

Last updated: December 12, 2025

1. Data Controller

NIBBLE društvo s ograničenom odgovornošću za usluge Prilesje 18, 10000 Zagreb, Croatia OIB: 96011589399 Email: hello@kopai.app

2. Supervisory Authority

Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka) Selska cesta 136 HR-10 000 Zagreb Croatia Website: https://azop.hr

3. Data We Collect

We collect the following types of data:

Account Information

• Email address
• Organization name
• User ID (generated by authentication system)

Authentication Data

Managed by Supabase (our authentication provider):

• Email address
• Password hashes (never stored in plain text)
• Session tokens
• Account creation and last login timestamps

Tenant Configuration

• Allowed CORS origins (URLs authorized to access your data)
• API token names and descriptions
• Token types (backend or frontend)
• Token expiration settings

OpenTelemetry Data

Traces, logs, and metrics sent by your applications:

• Application telemetry data (spans, events, measurements)
• Service names and attributes
• Timestamps and trace IDs
• Custom attributes you include in your telemetry

Usage Analytics

OpenTelemetry Real User Monitoring (RUM) when you visit our website:

• Page views and navigation paths
• Performance metrics (page load time, resource timing)
• JavaScript errors and stack traces
• Browser type, operating system, device type

Security and Technical Data

• IP addresses (for security, rate limiting, and fraud prevention)
• User agent strings
• Request logs and audit trails
• API access patterns

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR:

Contract Performance (Art. 6(1)(b) GDPR)

Processing necessary to provide our observability services:

• Account creation and authentication
• OpenTelemetry data ingestion, storage, and visualization
• API token management
• Dashboard access and data queries

Legitimate Interests (Art. 6(1)(f) GDPR)

Processing necessary for our legitimate business interests:

• Security monitoring and fraud prevention
• Service performance optimization
• Technical troubleshooting and support
• Product improvements and feature development

Consent (Art. 6(1)(a) GDPR)

Processing based on your explicit consent:

• Analytics cookies and Real User Monitoring (RUM)
• Marketing communications (if you opt in)

You can withdraw consent at any time by adjusting your cookie settings or contacting us.

5. Purpose of Processing

We use your personal data for the following purposes:

Service Delivery

• OpenTelemetry data ingestion: Receive traces, logs, and metrics via OTLP (gRPC and HTTP protocols)
• Data storage and management: Store your telemetry data securely in ClickHouse
• Visualization and dashboards: Display your observability data in web-based dashboards
• Query and analysis: Enable you to search, filter, and analyze your telemetry data

Account Management

• Authentication: Verify your identity and manage secure access to your account
• API token management: Generate and manage backend and frontend access tokens
• CORS configuration: Control which frontend origins can access your data
• User dashboard access: Provide access to ClickHouse credentials and token information

Communications

• Service notifications: Send transactional emails via Resend (password resets, account changes)
• Technical updates: Notify you about service status, maintenance, or security issues
• Support responses: Reply to your questions and support requests

Service Improvement

• Performance monitoring: Track website performance using OpenTelemetry RUM
• Error tracking: Identify and fix technical issues affecting user experience
• Usage analytics: Understand how users interact with our service to improve features
• Product development: Inform decisions about new features and improvements

Security and Compliance

• Fraud prevention: Detect and prevent unauthorized access or abuse
• Rate limiting: Prevent excessive API usage that could degrade service performance
• Security monitoring: Monitor for suspicious activity and potential security threats
• Audit logging: Maintain records for security and compliance purposes

6. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

OpenTelemetry Data (Traces, Logs, Metrics)

Retention period varies by pricing tier (to be defined in pricing plans):

• Free tier: 7 days (planned)
• Paid tiers: 30-365 days depending on plan (to be defined)
• You can request earlier deletion of your telemetry data at any time

Account Information

• Active accounts: Retained while your account is active
• Deleted accounts: Data retained for 30 days after account deletion, then permanently deleted
• Inactive accounts: Accounts inactive for 2+ years may be deleted with 30-day email notice

Access Tokens

• Active tokens: Retained until revoked or expired
• Revoked tokens: Immediately deleted from active database
• Expired tokens: Deleted 90 days after expiration

Authentication Data

Managed by Supabase according to their retention policy:

• Session tokens expire based on configured session length
• Login history retained while account is active

Logs and Security Data

• Application logs: 90 days
• Audit logs: 1 year for security and compliance
• Access logs: 90 days

Email Communications

• Transactional emails: Records retained 1 year for support purposes
• Support correspondence: Retained 2 years after case closure

You can request deletion of your data at any time by contacting hello@kopai.app. We will comply with deletion requests within 30 days, except where retention is required by law.

7. Third-Party Processors

We work with the following third-party service providers who process personal data on our behalf:

Processor	Purpose	Location	Data Shared
Hetzner	ClickHouse database hosting	Germany, Finland (EU)	OpenTelemetry data (traces, logs, metrics), tenant metadata, organization names
Supabase	User authentication	EU (Frankfurt region)	Email addresses, password hashes, user IDs, session tokens
Resend	Transactional email delivery	USA (GDPR-compliant via EU-U.S. DPF)	Email addresses, user names, email content
Cloudflare	CDN, static site hosting, TLS termination	Global edge network	IP addresses, user agent strings, page requests, cookies

Data Processing Agreements

We ensure all processors comply with GDPR through Data Processing Agreements (DPAs) that include:

• Appropriate technical and organizational security measures
• Confidentiality obligations
• Assistance with data subject requests
• Data breach notification procedures
• Restrictions on sub-processing

Processor Security

All processors have been evaluated for:

• GDPR compliance and certifications
• Security measures (encryption, access controls)
• Data residency and international transfer safeguards
• Incident response capabilities
• Regular security audits

8. International Transfers

Most of your data is stored and processed within the European Union:

Primary Data Storage (EU)

• Hetzner (Germany, Finland): All ClickHouse databases hosting your OpenTelemetry data
• Supabase (Frankfurt): User authentication and account data

Transfers Outside EU/EEA

Resend (United States)

Purpose: Transactional email delivery (password resets, notifications)

Data Transferred: Email addresses, user names, email content

Legal Basis: Resend is certified under the EU-U.S. Data Privacy Framework (DPF). The DPF provides adequate data protection safeguards as recognized by the European Commission. Resend’s DPF certification ensures:

• Compliance with EU data protection principles
• Independent dispute resolution mechanisms
• Enforcement by the U.S. Federal Trade Commission
• Annual recertification requirements

Learn more: Resend Privacy Policy

Cloudflare (Global Network)

Purpose: Content delivery, DDoS protection, TLS termination

Data Transferred: IP addresses, user agent strings, cookies, page requests

Legal Basis: Cloudflare processes data across its global edge network but maintains GDPR compliance through:

• EU Data Processing Addendum
• Standard Contractual Clauses (SCCs)
• EU data residency options for sensitive data

Learn more: Cloudflare GDPR Compliance

Your Rights Regarding International Transfers

You have the right to:

• Request information about international transfers affecting your data
• Object to transfers where appropriate safeguards are not in place
• Request that your data be processed only within the EU (may limit service availability)

Contact hello@kopai.app for questions about international data transfers.

9. Your Rights Under GDPR

You have the following rights:

• Right to access (Art. 15): Request copies of your personal data
• Right to rectification (Art. 16): Request correction of inaccurate data
• Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”)
• Right to restriction (Art. 18): Request limitation of data processing
• Right to data portability (Art. 20): Receive your data in machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent

To exercise these rights, contact: hello@kopai.app

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (TLS)
• Encryption at rest
• Access controls
• Regular security assessments

11. Cookies and Tracking

We use cookies for authentication and service functionality. For complete details, see our Cookie Policy.

Essential Cookies (Required)

These cookies are necessary for the service to function and cannot be disabled:

• Supabase authentication cookies (sb-*): Required for secure login and session management
• CSRF protection cookies (__Secure-csrf): Security tokens to prevent cross-site request forgery
• Cloudflare security cookies (__cf_bm): Bot management and DDoS protection

Analytics Cookies (Optional - Requires Consent)

These cookies help us improve the service:

• OpenTelemetry RUM tracking: Performance monitoring and error tracking
  • otel-rum-session: Session tracking for performance analysis
  • otel-rum-consent: Stores your cookie consent preference

Data collected by RUM analytics:

• Page views and navigation patterns
• Page load times and resource timing
• JavaScript errors and stack traces
• Browser type, OS, and device information
• Anonymized IP addresses

Managing Your Cookie Preferences

You can control analytics cookies by:

• Using the cookie consent banner when you first visit our site
• Clicking “Cookie Settings” in the footer to update preferences anytime
• Configuring your browser to block third-party cookies

Note: Blocking essential cookies will prevent you from logging in to your account.

For detailed information about each cookie, duration, and purpose, see our full Cookie Policy.

12. Children’s Data

We do not knowingly collect data from individuals under 16 years of age without parental consent, in accordance with Croatian GDPR implementation.

13. Changes to This Policy

We will notify users of material changes to this privacy policy via email and by updating the “Last updated” date.

14. Contact and Complaints

For privacy questions: hello@kopai.app

To file a complaint with the Croatian DPA: Croatian Personal Data Protection Agency Selska cesta 136, HR-10 000 Zagreb Website: https://azop.hr

---

This privacy policy complies with the General Data Protection Regulation (GDPR) and Croatian implementation law.

Note: We are assessing applicability of the Digital Services Act (EU 2022/2065). Updates will be published if required.