Privacy Policy

Privacy Policy

Last updated: May 8, 2026

1. Data Controller

NIBBLE društvo s ograničenom odgovornošću za usluge Prilesje 18, 10000 Zagreb, Croatia OIB: 96011589399 Email: hello@kopai.app

2. Supervisory Authority

Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka) Selska cesta 136 HR-10 000 Zagreb Croatia Website: https://azop.hr

3. Data We Collect

We collect the following types of data:

Account Information

• Email address
• Organization name
• User ID (generated by authentication system)

Authentication Data

Managed by Supabase (our authentication provider):

• Email address
• Password hashes (never stored in plain text)
• Session tokens
• Account creation and last login timestamps

Tenant Configuration

• Allowed CORS origins (URLs authorized to access your data)
• API token names and descriptions
• Token types (backend or frontend)
• Token expiration settings

OpenTelemetry Data

Traces, logs, and metrics sent by your applications:

• Application telemetry data (spans, events, measurements)
• Service names and attributes
• Timestamps and trace IDs
• Custom attributes you include in your telemetry

Marketing-Site Usage Analytics

Self-hosted OpenTelemetry Real User Monitoring (RUM) on kopai.app and its subdomains. Disabled until you click “Accept All” in the cookie banner. When enabled, we capture:

• A random tab-scoped session identifier (session.id, UUID v4 stored in sessionStorage, deleted on tab close)
• Pages visited and their order; clicks on Sign-up / Demo call-to-action buttons
• Web Vitals (LCP, FCP, CLS, INP, TTFB) and the list of static resources each page loaded
• Browser metadata reported by your browser (user-agent string, language, platform, mobile flag, screen and viewport dimensions, device pixel ratio, network class)
• Coarse Cloudflare-derived attributes about your network location (cloud.region from ISO country code, cloudflare.colo from Cloudflare data centre code) — never your IP itself

For an exhaustive list, see the Cookie Policy. We do not capture form contents, search queries, keystrokes, mouse movements, scroll positions, or JavaScript stack traces from the marketing site.

Authenticated Dashboard Telemetry

When you are signed in to the Kopai dashboard at app.kopai.app, the same OpenTelemetry browser SDK runs without a separate consent step (covered by your acceptance of the Terms of Service). It tags the browser-side spans with:

• session.id — same tab-scoped UUID as on the marketing site
• enduser.id — your Supabase user UUID (the sub claim of your access-token JWT). This identifier is stable per registered user account and lets us answer support questions like “what request did this specific user make”.
• tenant.id — the tenant whose data the dashboard tab is currently viewing
• user.roles — your role within that tenant (["owner"], ["admin"], or ["member"])
• Browser, viewport, network, and Cloudflare attributes as listed above

enduser.id and tenant.id are personal data under GDPR. They are processed under contract performance (Art. 6(1)(b)) for service delivery and support. They are not stamped on telemetry while you are on the public login page.

Security and Technical Data

• IP addresses (visible to Cloudflare for security, rate limiting, and fraud prevention; not stored as a span attribute by our analytics SDK)
• User agent strings (from HTTP request logs)
• Request logs and audit trails
• API access patterns

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR:

Contract Performance (Art. 6(1)(b) GDPR)

Processing necessary to provide our observability services:

• Account creation and authentication
• OpenTelemetry data ingestion, storage, and visualization
• API token management
• Dashboard access and data queries

Legitimate Interests (Art. 6(1)(f) GDPR)

Processing necessary for our legitimate business interests:

• Security monitoring and fraud prevention
• Service performance optimization
• Technical troubleshooting and support
• Product improvements and feature development

Consent (Art. 6(1)(a) GDPR)

Processing based on your explicit consent:

• Analytics cookies and Real User Monitoring (RUM)
• Marketing communications (if you opt in)

You can withdraw consent at any time by adjusting your cookie settings or contacting us.

5. Purpose of Processing

We use your personal data for the following purposes:

Service Delivery

• OpenTelemetry data ingestion: Receive traces, logs, and metrics via OTLP (gRPC and HTTP protocols)
• Data storage and management: Store your telemetry data securely in ClickHouse
• Visualization and dashboards: Display your observability data in web-based dashboards
• Query and analysis: Enable you to search, filter, and analyze your telemetry data

Account Management

• Authentication: Verify your identity and manage secure access to your account
• API token management: Generate and manage backend and frontend access tokens
• CORS configuration: Control which frontend origins can access your data
• User dashboard access: Provide access to ClickHouse credentials and token information

Communications

• Service notifications: Send transactional emails via Resend (password resets, account changes)
• Technical updates: Notify you about service status, maintenance, or security issues
• Support responses: Reply to your questions and support requests

Service Improvement

• Performance monitoring: Track website performance using OpenTelemetry RUM
• Error tracking: Identify and fix technical issues affecting user experience
• Usage analytics: Understand how users interact with our service to improve features
• Product development: Inform decisions about new features and improvements

Security and Compliance

• Fraud prevention: Detect and prevent unauthorized access or abuse
• Rate limiting: Prevent excessive API usage that could degrade service performance
• Security monitoring: Monitor for suspicious activity and potential security threats
• Audit logging: Maintain records for security and compliance purposes

6. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

OpenTelemetry Data (Traces, Logs, Metrics)

Retention period varies by pricing tier (to be defined in pricing plans):

• Free tier: 7 days (planned)
• Paid tiers: 30-365 days depending on plan (to be defined)
• You can request earlier deletion of your telemetry data at any time

Account Information

• Active accounts: Retained while your account is active
• Deleted accounts: Data retained for 30 days after account deletion, then permanently deleted
• Inactive accounts: Accounts inactive for 2+ years may be deleted with 30-day email notice

Access Tokens

• Active tokens: Retained until revoked or expired
• Revoked tokens: Immediately deleted from active database
• Expired tokens: Deleted 90 days after expiration

Authentication Data

Managed by Supabase according to their retention policy:

• Session tokens expire based on configured session length
• Login history retained while account is active

Logs and Security Data

• Application logs: 90 days
• Audit logs: 1 year for security and compliance
• Access logs: 90 days

Email Communications

• Transactional emails: Records retained 1 year for support purposes
• Support correspondence: Retained 2 years after case closure

You can request deletion of your data at any time by contacting hello@kopai.app. We will comply with deletion requests within 30 days, except where retention is required by law.

7. Third-Party Processors

We work with the following third-party service providers who process personal data on our behalf:

Processor	Purpose	Location	Data Shared
Hetzner	ClickHouse database hosting	Germany, Finland (EU)	OpenTelemetry data (traces, logs, metrics), tenant metadata, organization names
Supabase	User authentication	EU (Frankfurt region)	Email addresses, password hashes, user IDs, session tokens
Resend	Transactional email delivery	USA (GDPR-compliant via EU-U.S. DPF)	Email addresses, user names, email content
Cloudflare	CDN, static site hosting, TLS termination	Global edge network	IP addresses, user agent strings, page requests, cookies

Data Processing Agreements

We ensure all processors comply with GDPR through Data Processing Agreements (DPAs) that include:

• Appropriate technical and organizational security measures
• Confidentiality obligations
• Assistance with data subject requests
• Data breach notification procedures
• Restrictions on sub-processing

Processor Security

All processors have been evaluated for:

• GDPR compliance and certifications
• Security measures (encryption, access controls)
• Data residency and international transfer safeguards
• Incident response capabilities
• Regular security audits

8. International Transfers

Most of your data is stored and processed within the European Union:

Primary Data Storage (EU)

• Hetzner (Germany, Finland): All ClickHouse databases hosting your OpenTelemetry data
• Supabase (Frankfurt): User authentication and account data

Transfers Outside EU/EEA

Resend (United States)

Purpose: Transactional email delivery (password resets, notifications)

Data Transferred: Email addresses, user names, email content

Legal Basis: Resend is certified under the EU-U.S. Data Privacy Framework (DPF). The DPF provides adequate data protection safeguards as recognized by the European Commission. Resend’s DPF certification ensures:

• Compliance with EU data protection principles
• Independent dispute resolution mechanisms
• Enforcement by the U.S. Federal Trade Commission
• Annual recertification requirements

Learn more: Resend Privacy Policy

Cloudflare (Global Network)

Purpose: Content delivery, DDoS protection, TLS termination

Data Transferred: IP addresses, user agent strings, cookies, page requests

Legal Basis: Cloudflare processes data across its global edge network but maintains GDPR compliance through:

• EU Data Processing Addendum
• Standard Contractual Clauses (SCCs)
• EU data residency options for sensitive data

Learn more: Cloudflare GDPR Compliance

Your Rights Regarding International Transfers

You have the right to:

• Request information about international transfers affecting your data
• Object to transfers where appropriate safeguards are not in place
• Request that your data be processed only within the EU (may limit service availability)

Contact hello@kopai.app for questions about international data transfers.

9. Your Rights Under GDPR

You have the following rights:

• Right to access (Art. 15): Request copies of your personal data
• Right to rectification (Art. 16): Request correction of inaccurate data
• Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”)
• Right to restriction (Art. 18): Request limitation of data processing
• Right to data portability (Art. 20): Receive your data in machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent

To exercise these rights, contact: hello@kopai.app

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (TLS)
• Encryption at rest
• Access controls
• Regular security assessments

11. Cookies and Tracking

We use cookies for authentication and service functionality. For complete details, see our Cookie Policy.

Essential Cookies (Required)

These cookies are necessary for the service to function and cannot be disabled:

• Supabase authentication cookies (sb-*): Required for secure login and session management
• CSRF protection cookies (__Secure-csrf): Security tokens to prevent cross-site request forgery
• Cloudflare security cookies (__cf_bm): Bot management and DDoS protection

Analytics Storage (Optional - Requires Consent)

These browser-storage entries help us improve the marketing site (technically localStorage / sessionStorage rather than HTTP cookies, but treated as cookies under the ePrivacy Directive):

• kopai-cookie-consent (localStorage): records your cookie banner choice so we don’t ask on every page.
• kopai-otel-session (sessionStorage): tab-scoped random UUID v4 (session.id) used to correlate analytics events from the same browsing session. Deleted automatically when you close the tab.

For the full list of attributes captured by the analytics SDK while consent is granted (page paths, Web Vitals, browser/viewport/network metadata, Cloudflare-derived cloud.region and cloudflare.colo), see the Cookie Policy.

Managing Your Cookie Preferences

You can control analytics at any time:

• Use the cookie consent banner shown on your first visit.
• Click Reject analytics in the footer of every page to withdraw consent in a single click — the SDK shuts down immediately, the session ID is deleted, and no further analytics events leave your browser.
• Click Cookie Settings in the footer to reset and re-prompt the banner.
• Configure your browser to block third-party cookies.

Note: Blocking essential cookies will prevent you from logging in to your account.

For detailed information about each cookie, duration, and purpose, see our full Cookie Policy.

12. Children’s Data

We do not knowingly collect data from individuals under 16 years of age without parental consent, in accordance with Croatian GDPR implementation.

13. Changes to This Policy

We will notify users of material changes to this privacy policy via email and by updating the “Last updated” date.

14. Contact and Complaints

For privacy questions: hello@kopai.app

To file a complaint with the Croatian DPA: Croatian Personal Data Protection Agency Selska cesta 136, HR-10 000 Zagreb Website: https://azop.hr

---

This privacy policy complies with the General Data Protection Regulation (GDPR) and Croatian implementation law.

Note: We are assessing applicability of the Digital Services Act (EU 2022/2065). Updates will be published if required.