Privacy Policy
Last updated: May 29, 2026 — CV Project S.r.l.
1. Data Controller
The data controller is CV Project S.r.l., based in Italy, reachable at info@cvproject.it.
2. Data Collected
- Registration data: email address, password (encrypted).
- Operational data: ingredients, recipes, products, suppliers, packaging, and price lists entered by the user.
- Payment data: processed entirely by Stripe Inc. KoreLab does not store credit card data.
- Usage data: access logs, browser version, IP addresses for security and diagnostics.
- Google Calendar data (optional): OAuth tokens for calendar sync, stored encrypted. KoreLab only accesses calendar events it creates (scope calendar.events).
- KoreLab AI data (optional, all plans): messages you send to the AI assistant are transmitted via API to Anthropic (with OpenAI fallback), or to your own provider if you use BYOK, to generate responses. Providers do not use the content to train their models; KoreLab does not store conversation content after the response (only usage volume is logged for the monthly budget).
3. Purposes and Legal Basis
- Providing the KoreLab SaaS service (contract performance — Art. 6.1.b GDPR).
- Payment processing via Stripe (contract performance).
- Sending service communications (updates, subscription expiry notices) — legitimate interest.
- Google Calendar sync — only with the user's explicit consent (Art. 6.1.a GDPR).
- KoreLab AI assistant (all plans, on your action) — message processing via the AI providers to generate responses. Legal basis: contract performance (Art. 6.1.b GDPR).
- Marketing (product news): only with your explicit, revocable consent (Art. 6.1.a GDPR).
- Compliance with legal and tax obligations (Art. 6.1.c GDPR).
4. Data Retention
Data is retained for the duration of the contractual relationship and for 10 years thereafter for tax obligations. Operational data (recipes, products, etc.) is deleted on user request or account closure. Google Calendar tokens are deleted immediately upon disconnection.
5. Third-Party Sharing
- Supabase — database and authentication (EU region, Frankfurt).
- Stripe — payment processing and billing.
- Vercel — application hosting (app.korelab.app).
- Netlify — hosting of this website (korelab.app).
- Resend — transactional emails (account confirmation, password recovery) and, with consent, communications.
- Anthropic and OpenAI — "KoreLab AI" assistant (available on all plans): messages you send to the assistant are transmitted via API to generate the response (Anthropic, with OpenAI fallback; or your own BYOK provider). Providers do not use the content to train their models. KoreLab does not store conversation content after the response.
- Google — only if you enable Google Calendar sync (OAuth).
All non-EU providers operate under Standard Contractual Clauses (SCC) and Data Processing Agreements (Art. 28 and Chapter V GDPR). No data is sold to third parties or used for advertising purposes.
6. Your Rights
Under the GDPR you have the right to access, rectify, and erase your data (right to be forgotten), to restrict processing, to data portability, and to object to processing. To exercise these rights, write to info@cvproject.it.
7. Cookies
KoreLab uses only technical/functional cookies necessary for the service to function (authenticated session, preferences). No profiling or third-party advertising cookies are used. Fonts are self-hosted (no calls to Google Fonts). For details see the Cookie Policy.
8. Contact
For any questions regarding this policy: info@cvproject.it