Privacy Policy
Last updated: May 27, 2026 · Version 2.1
This Privacy Policy explains how Kitakuya ("we", "us", "our") collects, uses, discloses, and protects your personal data when you use our platform at kitakuya.com and app.kitakuya.com (the "Service").
Kitakuya is operated from Vienna, Austria. This policy complies with the General Data Protection Regulation (GDPR / DSGVO), the Austrian Datenschutzgesetz (DSG), and takes into account the rights of users under the Philippine Data Privacy Act (RA 10173).
1. Controller
Kitakuya
Alexios Tsagarakis
Josef-Bindtner-Gasse 5
1180 Vienna
Austria
Email: [email protected]
Phone: +43 660 854 4446
2. What Data We Collect
We collect the following personal data when you create an account and use our services:
- Account information: email address, name
- Profile information: TIN (Tax Identification Number), address, country of residence, date of birth
- Signature: drawn signature image for W-8BEN forms and contracts. Although not classified as biometric data under Art. 9 GDPR when used solely for document execution, we recognize its sensitivity and apply additional safeguards.
- Payment data: PayPal email, Stripe customer ID (processed by third-party payment providers — see Section 5)
- Invoice and contract data: client names, client emails, invoice amounts, contract terms
- Authentication tokens: JSON Web Tokens (JWTs) stored in browser localStorage for session management
- OTP verification data: one-time codes and their expiry timestamps, generated and stored during email-based authentication
- Usage data: page views, feature interactions, button clicks, session replays (anonymized). We use PostHog (EU Cloud instance) for product analytics. Session replays mask sensitive form fields (password, TIN, signature, payment information) by default. IP addresses are truncated before storage. We do not link replay data to your account identifier.
- Server logs: IP addresses and request metadata logged by our hosting provider (DigitalOcean, Frankfurt, Germany) and CDN (Cloudflare) for security and operational purposes, retained for 14 days.
Note on TIN and date of birth: Under the GDPR, these are not classified as "special categories" of personal data (Art. 9 DSGVO). However, we recognize they are sensitive in nature. We only collect them because they are required for IRS W-8BEN forms, contracts, and BIR compliance. We do not use them for any other purpose.
Data minimization: We collect only the personal data necessary to provide our services. Optional fields are clearly marked. You can use Kitakuya without filling out W-8BEN, contract, or invoice features if you do not wish to provide TIN, DOB, or signature data — these features will simply be unavailable.
3. How We Collect Data
We collect data when you:
- Create an account (via OTP email or Google OAuth)
- Fill out your profile (TIN, address, DOB, signature)
- Create invoices, contracts, or W-8BEN forms
- Connect a payment method (PayPal, Stripe)
- Contact our support team
4. Legal Basis for Processing (Art. 6 DSGVO)
We process your personal data under the following legal bases:
- Consent (Art. 6(1)(a)): By creating an account and using our services, you consent to the collection and processing of your personal data as described in this policy
- Contractual necessity (Art. 6(1)(b)): We need your data to provide our services — create invoices, generate W-8BEN forms, process payments, and manage contracts
- Legal obligation (Art. 6(1)(c)): We retain certain data (invoices, tax forms) to comply with Austrian tax record-keeping requirements (BAO §132 — 7 years) and Philippine BIR requirements (10 years)
5. Third-Party Data Processors
We engage the following processors who may access your data. Each is contractually obligated to process data only per our instructions and in compliance with the GDPR:
- Stripe — payment processing (subscriptions). EU-US DPF certified.
- PayPal — payment processing (invoice payments). EU-US DPF certified.
- PayMongo — Philippine payment processing (GCash, Maya, card). SCCs in place.
- Resend — email delivery (OTP codes, invoice emails, contract emails). EU-US DPF certified.
- Google — OAuth sign-in (authentication only). EU-US DPF certified.
- Cloudflare — CDN, DNS, and anonymized web analytics. EU-US DPF certified.
- PostHog — product analytics (EU Cloud instance, Frankfurt). Session replays with masked fields. EU-US DPF certified.
- Meta Platforms (Facebook) — marketing analytics (Meta Pixel). Conversion tracking and ad attribution for Meta Ads campaigns. EU-US DPF certified.
- DigitalOcean — server hosting (Frankfurt, Germany — EEA). SCCs in place.
Data is stored on servers in the European Economic Area (EEA). Where data is transferred to third parties outside the EEA, we rely on the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) as transfer safeguards.
W-8BEN form transfer: When you generate a W-8BEN form, you may choose to send it to your US client (e.g., via email through Resend). In this case, you are the controller of that downstream transfer — we facilitate the transmission but do not control how your US client processes your data.
6. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except for:
- Invoice and financial records: Retained for 10 years (the longer of Austrian BAO §132 which requires 7 years, and Philippine BIR which requires 10 years, applied uniformly for operational simplicity).
- W-8BEN forms: Retained for the duration of your business relationship with US clients and applicable audit periods.
7. Data Security
We implement appropriate technical and organizational measures (Art. 32 DSGVO) including:
- HTTPS encryption (TLS 1.3) for all data in transit
- Encryption at rest for the database volumes (DigitalOcean encrypted managed disks, AES-256)
- Access controls — no employee or third party has direct database access
- Regular security updates
8. Cookies and Local Storage
Kitakuya uses the following storage technologies:
- Local storage (browser): Stores your authentication token (JWT) and your theme preference (light/dark mode). This is essential for the Service to function. We set no cookies of our own for analytics or tracking; the only non-essential, cookie-setting technology we use is the Meta Pixel described below, which is loaded only after you consent.
- Cloudflare cookies: Cloudflare may set strictly functional cookies for security and bot detection (__cf_bm, cf_clearance). These are necessary for our CDN and security infrastructure.
- PostHog analytics: Cookie-free analytics. PostHog uses in-browser event capture without setting cookies, with IP truncation and field masking enabled.
- Meta Pixel (Facebook): Marketing tracking technology for ad attribution and conversion measurement. Meta Pixel sets cookies and transmits event data to Meta Platforms. This is a non-essential tracking technology and is activated only for users who consent via our cookie consent banner. You may opt out at any time by clearing your cookies or adjusting your consent preferences.
Under Austrian law (§ 165 TKG 2021), essential storage does not require consent. Non-essential tracking technologies (such as the Meta Pixel) require your prior consent. We provide a cookie consent banner to obtain this consent before activating any non-essential tracking.
9. Your Rights
Under the GDPR (Art. 15–22 DSGVO)
- Right of access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Request correction of inaccurate data
- Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Right to restriction of processing (Art. 18): Limit how we use your data
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interest
- Right to lodge a complaint (Art. 77): With the Austrian Data Protection Authority (dsb.gv.at)
Under the Philippine Data Privacy Act (RA 10173)
If you are based in the Philippines, in addition to your GDPR rights, you have rights under RA 10173 including the right to access, correction, erasure, and to lodge a complaint with the National Privacy Commission (privacy.gov.ph). For PH-specific data protection inquiries, contact us at [email protected].
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by law.
10. Automated Decision-Making
Kitakuya provides automated tax estimates and document templates. These are informational tools and do not constitute legal, tax, or financial advice. No decisions producing legal effects on you are made solely on the basis of automated processing within the meaning of Article 22 GDPR.
11. Data Protection Officer
Under Art. 37 DSGVO, a Data Protection Officer (DPO) is mandatory only for public authorities, for controllers whose core activities require regular and systematic large-scale monitoring of data subjects, or for large-scale processing of special categories of data. As a small business whose processing falls under none of these, we are not required to designate a DPO under the GDPR. However, to comply with §21 of the Philippine Data Privacy Act, we have designated Alexios Tsagarakis as our Data Protection Officer. Contact: [email protected].
12. Data Breaches
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Austrian Data Protection Authority within 72 hours of becoming aware of it, as required by Art. 33 GDPR, and will notify affected users without undue delay where the breach is likely to result in a high risk to them, as required by Art. 34 GDPR.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email and/or a prominent notice on our platform. Continued use of our services after such changes constitutes acceptance of the updated policy.
14. Contact
Kitakuya
Alexios Tsagarakis
Josef-Bindtner-Gasse 5
1180 Vienna
Austria
Email: [email protected]
Phone: +43 660 854 4446
DPO: [email protected]
Supervisory authority (GDPR): Österreichische Datenschutzbehörde
Supervisory authority (PH): National Privacy Commission