Privacy Policy
Effective Date: March 1, 2026
This Privacy Policy explains how Valoks ("Company", "we", "us", "our") collects, uses, stores, and protects your personal information when you use TotalKPI at totalkpi.com ("Service"). This policy applies to all users of the Service.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, you must not use the Service.
For specific information about GDPR compliance and your rights as an EU data subject, please also see our GDPR & Data Protection page.
1. Information We Collect
1.1 Information You Provide
- Account Information: When you sign up via Google or GitHub OAuth, we receive your name, email address, and profile picture from the OAuth provider. We do not receive or store your OAuth provider password.
- Data You Upload: CSV files, metric data, data point values, and data source configurations you create within the Service.
- API Configurations: Third-party API endpoint URLs, HTTP headers (which may include API keys or tokens), and JSON extraction paths you configure for automated data polling.
- Payment Information: When you subscribe to a paid plan, billing information is collected and processed directly by Stripe. We receive only a limited set of transaction details (e.g., subscription status, last four digits of your card, billing email). We never receive or store your full payment card number.
- Communications: Any emails, support requests, or feedback you send to us.
1.2 Information Collected Automatically
- Usage Data: Pages visited within the Service, features used, interactions with the UI, and the time and duration of your sessions.
- Device Information: Browser type and version, operating system, screen resolution, and language preference.
- Log Data: IP addresses, access timestamps, referring URLs, and error logs generated during your use of the Service.
- Cookies: We use strictly essential cookies to maintain your authentication session and remember your preferences. We do not use third-party tracking or advertising cookies. See Section 8 for details.
2. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing, operating, and maintaining the Service | Performance of contract |
| Authenticating your identity and managing your account | Performance of contract |
| Processing your data sources, generating charts, and computing correlations | Performance of contract |
| Executing server-side API polling on your behalf to fetch data from third-party services | Performance of contract |
| Processing payments and managing subscriptions via Stripe | Performance of contract |
| Sending transactional emails (account confirmations, billing receipts, service notifications) | Performance of contract |
| Monitoring and analyzing usage trends to improve the Service | Legitimate interest |
| Detecting, preventing, and addressing security issues, fraud, and abuse | Legitimate interest |
| Responding to your support requests and communications | Legitimate interest / Performance of contract |
| Complying with legal obligations | Legal obligation |
We do not use your data for profiling, automated decision-making, or targeted advertising.
3. Data Processing and Storage
- Database: Your data is stored in Supabase-hosted PostgreSQL databases located in the European Union.
- API Proxy: When you configure API integrations, our server-side proxy fetches data from the third-party endpoints you specify. The raw API responses are processed in memory to extract the data points you configured; full API responses are not persistently stored. Only the extracted data points are saved to your data source.
- Server-Side Processing: API credentials and headers you configure are stored encrypted and are only used server-side. They are never transmitted to your browser during API polling operations.
- Encryption: All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256.
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:
4.1 Service Providers (Sub-Processors)
We use trusted third-party services to operate the Service, each bound by Data Processing Agreements:
| Provider | Purpose | Data Accessed | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication | Account data, metric data, configurations | EU |
| Stripe | Payment processing | Billing and payment information | EU/US (SCCs) |
| Google | OAuth authentication | Name, email, profile picture | EU/US (SCCs) |
| GitHub | OAuth authentication | Name, email, profile picture | EU/US (SCCs) |
4.2 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request.
4.3 Safety and Rights Protection
We may disclose information if we believe in good faith that it is necessary to protect the rights, safety, or property of Valoks, our users, or the public.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify affected users before their personal information is transferred and becomes subject to a different privacy policy.
5. Third-Party API Integrations
When you connect external data sources through API integrations:
- We act as a technical intermediary, fetching data from the URLs and endpoints you configure via our server-side proxy.
- Our proxy blocks requests to private, internal, and loopback IP ranges for security purposes.
- We do not monitor, review, or validate the content of data fetched from your configured APIs beyond extracting the data points you specified.
- You are solely responsible for complying with the terms of service and data use policies of any third-party API you connect.
- We are not responsible for the accuracy, availability, or security practices of third-party services.
6. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your account and all associated personal data.
- Right to Data Portability: Request your data in a structured, commonly used, machine-readable format.
- Right to Restrict Processing: Request that we limit processing of your data in certain circumstances.
- Right to Object: Object to processing of your data based on legitimate interest.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
How to exercise your rights: Contact us at [email protected]. We will verify your identity and respond within 30 days. If we need additional time, we will inform you of the extension and the reasons for it. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
EU residents: You also have the right to lodge a complaint with your local data protection supervisory authority. See our GDPR & Data Protection page for more details.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (active accounts) | Retained for the duration of your account |
| Metric data and configurations (active accounts) | Retained for the duration of your account |
| Account data (deleted accounts) | Permanently deleted within 30 days of account deletion |
| Payment records | Retained as required by tax and financial regulations (typically 7 years for transaction records) |
| Server and access logs | Automatically purged after 90 days |
| Aggregated, anonymized analytics | May be retained indefinitely (not linked to individual users) |
8. Cookies
We use only strictly essential cookies that are necessary for the Service to function:
- Session cookies: To maintain your authenticated session.
- Preference cookies: To remember your display and configuration preferences.
We do not use any third-party analytics, tracking, or advertising cookies. Because we only use strictly essential cookies, no cookie consent banner is required under the ePrivacy Directive; however, we provide this disclosure for transparency.
9. Children's Privacy
The Service is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, contact us at [email protected]. If we become aware that we have collected personal data from a child under 16 without verifiable parental consent, we will take steps to delete that information promptly.
10. International Data Transfers
Our primary data infrastructure is hosted within the European Union. Where data is transferred outside the EU/EEA (for example, to sub-processors such as Stripe, Google, or GitHub), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Verification that receiving organizations maintain adequate data protection standards.
For more details on international transfers and sub-processors, see our GDPR & Data Protection page.
11. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security policies in our database, ensuring users can only access their own data.
- Server-side API proxying so your third-party API credentials are never exposed to the browser.
- Access controls limiting internal access to user data on a need-to-know basis.
- Regular dependency updates and security reviews.
While we take reasonable precautions, no system is completely secure. We cannot guarantee the absolute security of your data. If we become aware of a security breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law.
12. Do Not Track
The Service does not respond to "Do Not Track" browser signals because we do not engage in cross-site tracking.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Effective Date" at the top of this page.
- We will notify you by email or through the Service at least 14 days before changes take effect.
- Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
We encourage you to review this policy periodically.
14. Contact
If you have questions or concerns about this Privacy Policy or our data practices, contact us at:
Valoks
Email: [email protected]
For GDPR-specific inquiries, see our GDPR & Data Protection page.