Privacy Policy
Last updated: February 24, 2026 · Effective: February 24, 2026
Kaven is built on a privacy-first architecture. The framework you purchase includes LGPD/GDPR compliance features. This policy governs how we collect and process data related to the Kaven website and purchase flow — not the data your tenants process using the framework.
1. Overview
This Privacy Policy explains how Chris Rodrigues, operating as Kaven ("Kaven," "we," "us," or "our"), collects, uses, stores, and protects personal data when you visit kaven.site, join our waitlist, or purchase our products.
We process personal data in compliance with:
- LGPD — Lei Geral de Proteção de Dados (Brazil, Law No. 13,709/2018)
- GDPR — General Data Protection Regulation (EU/EEA)
- CCPA — California Consumer Privacy Act (where applicable)
2. Data We Collect
2.1 Waitlist Registration
When you join our waitlist, we collect:
- Email address — to send launch notifications and product updates
- Name (optional) — for personalized communication
- IP address — for fraud prevention and geographic analytics
- Browser/device information — for analytics
Legal basis (LGPD/GDPR): Consent (Art. 7, I — LGPD; Art. 6(1)(a) — GDPR). You can withdraw consent at any time via unsubscribe link.
2.2 Purchase Data
When you purchase Kaven, payment processing is handled entirely by Paddle Payments Inc. We receive only the following from Paddle after a successful transaction:
- Email address associated with your purchase
- Purchased tier and transaction ID
- Country (for tax purposes, handled by Paddle)
We do not receive or store credit card numbers, billing addresses, or payment method details. These are processed and retained by Paddle under their Privacy Policy.
Legal basis: Contract performance (Art. 7, V — LGPD; Art. 6(1)(b) — GDPR).
2.3 Product Access
To grant access to the GitHub repository, course platform, and Discord community, we process:
- Email address (for account provisioning)
- GitHub username (if you connect via GitHub OAuth)
- Discord user ID (for server access role assignment)
2.4 Support Communications
When you contact us for support, we retain email correspondence to provide assistance and improve our product. We do not use support data for marketing without explicit consent.
2.5 Analytics
We may collect anonymized, aggregated analytics data about website usage (page views, click patterns, referral sources). Where analytics tools are used, we configure them to minimize personal data collection. We do not sell analytics data.
3. How We Use Your Data
- Order fulfillment — provisioning GitHub access, course access, Discord roles
- Transactional emails — purchase confirmation, access credentials, update notifications
- Product updates — notifying you of new releases during your update entitlement period
- Customer support — responding to inquiries and resolving issues
- Security & fraud prevention — detecting abuse, unauthorized access, or policy violations
- Legal compliance — meeting obligations under applicable law
We do not: sell your data, share it with advertisers, use it for profiling unrelated to product improvement, or send unsolicited marketing without consent.
4. Third-Party Data Processors
We share data with the following third-party processors under data processing agreements:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Paddle Payments Inc. | Payment processing, Merchant of Record | Email, purchase details, billing data | USA / UK |
| GitHub (Microsoft) | Code repository access | Email, GitHub username | USA |
| Discord Inc. | Community access | Email (invite), Discord ID | USA |
| Amazon Web Services (AWS SES) | Transactional email delivery | Email address, message content | USA (us-east-1) |
| Vercel Inc. | Website hosting | IP address, request logs | USA / Global |
Each processor is bound by their own privacy policy and applicable data protection regulations. Transfers to the USA are conducted under Standard Contractual Clauses (SCCs) where applicable.
5. Cookies & Tracking
The Kaven website uses minimal cookies:
- Strictly necessary cookies — essential for website functionality (no consent required)
- Analytics cookies — anonymous usage statistics (opt-out available)
We do not use third-party advertising cookies or tracking pixels. You can disable cookies via your browser settings without affecting core site functionality.
6. Data Retention
- Waitlist emails — retained until you unsubscribe or request deletion
- Purchase records — retained for 5 years for accounting and legal compliance (LGPD Art. 16, II)
- Support correspondence — retained for 2 years after case resolution
- Audit logs — 90 days (configurable) per our audit service implementation
- Analytics data — anonymized within 90 days
Upon expiration of retention periods, data is permanently deleted or anonymized using secure deletion methods.
7. Security Measures
Kaven is built with security as a core architectural principle. Measures protecting your data include:
- HTTPS/TLS encryption for all data in transit
- Encryption at rest for sensitive stored data
- Row-level security and tenant isolation in all database queries
- Ed25519 cryptographic signing for module distribution integrity
- Audit logging for all access and modification events
- OWASP Top 10 mitigations throughout the codebase
- Access controls with principle of least privilege
No system is 100% secure. In the event of a data breach affecting your personal data, we will notify you as required by applicable law (LGPD Art. 48; GDPR Art. 33).
8. Your Rights (GDPR — EU/EEA Residents)
If you are located in the EU/EEA, you have the following rights under the GDPR:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of personal data we hold about you |
| Rectification (Art. 16) | Correct inaccurate or incomplete personal data |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten") |
| Restriction (Art. 18) | Request limited processing of your data |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent at any time without affecting prior processing |
To exercise these rights, contact us at privacy@kaven.site. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority.
9. Your Rights (LGPD — Brazilian Residents)
Under Brazil's LGPD (Art. 18), you have the right to:
- Confirmation of the existence of processing
- Access to your personal data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or excessive data
- Portability of your data to another provider
- Deletion of data processed with your consent
- Information about third parties with whom data has been shared
- Information about the possibility of denying consent and the consequences
- Revocation of consent
To exercise LGPD rights, contact our Data Protection Officer (DPO) at privacy@kaven.site. We will respond within the timeframes established by the LGPD and ANPD guidelines.
10. International Data Transfers
Your data may be transferred to and processed in countries outside Brazil or the EU, including the United States, where our third-party processors operate. These transfers are conducted with appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all processors
- Adequacy decisions where applicable
11. Children's Privacy
Kaven is a developer tool intended for professionals aged 18 and older. We do not knowingly collect personal data from individuals under 18 years of age. If you believe a minor has submitted data to us, contact us at privacy@kaven.site and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or services. When we make material changes, we will notify you by email (if we have your email address) and update the "Last updated" date at the top of this policy. Continued use of our services after the effective date constitutes acceptance of the updated policy.
13. Contact & Data Protection Officer
For privacy-related inquiries, data subject requests, or concerns:
- Email: privacy@kaven.site
- Data Controller: Chris Rodrigues (Kaven)
- Website: kaven.site
For payment-related data, contact Paddle at paddle.com/legal/privacy.