Privacy policy

Last updated: April 25, 2026

At Koalab we take the privacy of your data very seriously. This policy describes what information we collect, how we use it, who we share it with and what your rights are as a user.

1. Data controller

The controller of your personal data is:

  • Legal name: Koalab Tech — Cristian Alejandro Muñoz Cardona
  • Tax ID (NIT): 1017126012-3
  • Address: Calle 45F #77A - 33, Medellín, Colombia
  • Contact email: privacidad@koalab.tech
  • Website: koalab.tech

2. Data we collect

2.1 Data you provide directly

  • Registration data: name, email address and password.
  • Billing data: name, country, payment data (handled by our payment processor; we do not store card data).
  • Service configuration: WooCommerce store URLs, consumer keys/secrets, price rules and sync settings.
  • Communications: messages you send us via support or email.

2.2 Automatically collected data

  • Usage data: pages visited, features used, access dates and times.
  • Technical data: IP address (anonymized for analytics), browser type, operating system, session identifiers.
  • Behavioral analytics: navigation events recorded by Google Analytics and PostHog to improve the product.
  • Conversion events: key actions (registration, subscription) recorded via Meta Pixel and Google Tag Manager to measure and optimize advertising campaigns.
  • Cookies and similar technologies: see our Cookie policy.

2.3 Communication preferences

  • When you subscribe to marketing communications, we record your preference and consent date.

2.4 Third-party data

  • We do not purchase or obtain personal data from external sources other than those indicated.

3. How we use your data

Purpose | Data used
Service delivery (synchronizations) | API credentials, store settings
Account management and authentication | Email, password (hash), JWT session
Billing and subscription (managed by Polar) | Email, country; card data handled exclusively by Polar
Customer support | Email, communication history
Transactional service communications | Email, name
Marketing communications (requires consent) | Email, name, communication preferences
Web usage analytics — Google Analytics, PostHog (requires consent) | Navigation data, anonymized IP, usage events
Campaign measurement — Meta Pixel, GTM (requires consent) | Conversion events, device/browser identifiers
Internal product improvement | Aggregated and anonymized usage data
Compliance with legal obligations | As required by applicable law

5. Sharing data with third parties

We do not sell your personal data. We may share it only with the following recipients:

  • Vercel Inc. — Frontend infrastructure: The frontend is hosted on Vercel, which may process web traffic data. See Vercel's Privacy Policy.
  • Railway Corp. — Backend infrastructure: The application server is hosted on Railway. See Railway's Privacy Policy.
  • MongoDB, Inc. — Database (MongoDB Atlas): User data and settings are stored in MongoDB Atlas. See MongoDB's Privacy Policy.
  • Polar Software Inc. — Merchant of Record: Polar handles payments, subscriptions and billing. Koalab does not store card data. See Polar's Privacy Policy.
  • Google LLC — Google Analytics and GTM: We use Google Analytics to measure site usage; the IP is anonymized. See Google's Privacy Policy.
  • Meta Platforms — Meta Pixel: We use the Meta Pixel to measure conversions and optimize campaigns. See Meta's Data Policy.
  • PostHog Inc. — PostHog: Product analytics platform to understand user interaction with the Service. See PostHog's Privacy Policy.
  • Resend Inc. — Email delivery: We use Resend for transactional and marketing emails (with your consent for the latter). See Resend's Privacy Policy.
  • Public authorities: when required by law or a court order.

6. International data transfers

Several providers are located in the United States or other countries outside the European Economic Area (EEA). Specifically:

  • Vercel Inc. — USA (Standard Contractual Clauses)
  • Railway Corp. — USA (Standard Contractual Clauses)
  • MongoDB, Inc. — USA (Standard Contractual Clauses)
  • Google LLC — USA (Standard Contractual Clauses, Data Privacy Framework)
  • Meta Platforms Inc. — USA (Standard Contractual Clauses)
  • PostHog Inc. — USA (Standard Contractual Clauses)
  • Resend Inc. — USA (Standard Contractual Clauses)
  • Polar Software Inc. — USA (Standard Contractual Clauses)

For all providers we ensure that adequate legal safeguards (DPA, SCCs or others) are in place before sharing personal data.

7. Data retention

We retain your data for the following periods:

  • Active account data: while the account is active.
  • Data after cancellation: up to 30 days to allow export, then deleted unless legally required.
  • Billing data: the period required by applicable tax law (typically 5–7 years depending on country).
  • Sync history: depending on the contracted plan (30, 90 or 365 days).
  • Security logs: up to 12 months.

8. Your rights

Depending on the regulations applicable in your country, you have the following rights:

  • Access: know what data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request deletion of your data when no longer necessary.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Restriction: request that we restrict processing in certain circumstances.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.

To exercise these rights, write to privacidad@koalab.tech. We will respond within a maximum of 30 business days.

If you are not satisfied with our response, you have the right to lodge a complaint with the competent data protection authority in your country.

9. Minors

The Service is intended for persons over 18 years of age acting as merchants or business owners. We do not intentionally collect data from minors. If you are aware that a minor has provided us with personal data without parental consent, please contact us for deletion.

10. Data security

We implement appropriate technical and organizational measures, including:

  • Encrypted transmission via HTTPS/TLS.
  • Passwords stored with cryptographic hash (bcrypt).
  • WooCommerce API credentials encrypted at rest using AES-256.
  • Restricted access to production data for the team.
  • Authentication via short-lived JWT tokens.

11. Changes to this policy

When we make material changes, we will notify you by email or via a prominent notice on the platform with at least 15 days' notice.

12. Contact and DPO

For any privacy-related query:

  • Email: privacidad@koalab.tech
  • Controller: Cristian Alejandro Muñoz Cardona
  • Address: Calle 45F #77A - 33, Medellín, Colombia