Koo
Legal

Privacy policy

Last updated: 2026-05-19

This policy explains how Koo, Inc. ("Koo", "we", "us") collects, uses and protects information when you visit koo.co, use the Koo product, or visit a website built and hosted with Koo. It is written to be readable. If anything is unclear, email privacy@koo.co and we'll explain.

This policy is designed to satisfy the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Canada's PIPEDA, Australia's Privacy Act, Brazil's LGPD and equivalent laws. Where a specific right or disclosure is required by one of these regimes, it is called out by name below.

1. Roles: controller and processor

For your own Koo account and any websites you publish through Koo, Koo acts as a data processor on your behalf and you (the website owner) are the data controller for visitors to your site. For information collected directly via koo.co (signups, marketing emails, support requests, billing), Koo is the controller.

Customers processing personal data of EEA, UK or Swiss residents through Koo are covered by our Data Processing Agreement (DPA), which incorporates the European Commission's Standard Contractual Clauses (Module 2 and Module 3) and the UK International Data Transfer Addendum. The DPA is available on request from privacy@koo.co and is automatically incorporated into our terms for paid plans.

2. What we collect

  • Account data: name, email, organisation, password (hashed with bcrypt/argon2) and authentication tokens.
  • Billing data: company name, billing address, VAT/tax ID and the last four digits of your payment card (full card data is held by Stripe, never by us).
  • Product usage: which features you use, errors you hit, browser, OS and approximate location (derived from IP, then discarded), used to improve the product.
  • Site content: the pages, posts, images, forms and form responses you create in Koo.
  • Visitor analytics: aggregate, cookie-less analytics for sites built with Koo (page views, referrers, country-level location, device class).
  • Communications: emails you send us, support tickets, and replies to product updates.
  • Cookies and similar technologies: see section 9.

3. Why we use it & legal bases (GDPR Art. 6)

  • Provide the service: performance of a contract with you (Art. 6(1)(b)).
  • Secure the service, prevent fraud and abuse: legitimate interests (Art. 6(1)(f)).
  • Transactional emails (receipts, security notices, lead notifications): contract (Art. 6(1)(b)).
  • Product updates and marketing: your consent (Art. 6(1)(a)), withdrawable at any time via the unsubscribe link.
  • Comply with legal obligations (tax, accounting, lawful requests): legal obligation (Art. 6(1)(c)).
  • Improve the product via aggregated, pseudonymised analytics, legitimate interests (Art. 6(1)(f)).

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22).

4. Sub-processors

We use a small number of carefully chosen sub-processors to run the service. Each is bound by a written data-processing agreement, confidentiality obligations and the same security standards we apply ourselves.

  • Cloudflare, Inc.: edge hosting, CDN and DDoS protection (US/Global).
  • Supabase, Inc.: managed PostgreSQL database, authentication and file storage (EU/US, customer-selectable).
  • Stripe, Inc.: payment processing (US/EU).
  • Postmark / Resend: transactional email delivery (US/EU).
  • Anthropic, OpenAI, Google: AI model inference for the content engine. Prompts and content sent for inference are not used by these providers to train their models under our enterprise terms.
  • Sentry: error monitoring (EU region).
  • Linear / HubSpot: support and CRM (US).

The current list is maintained at koo.co/security. We give customers 30 days' prior notice (by email and in-app) before adding a new sub-processor; you may object on reasonable grounds, in which case we will work with you in good faith and, if unresolved, you may terminate the affected service.

We do not sell or share personal information as those terms are defined by the CCPA/CPRA. We have not done so in the preceding 12 months.

5. International data transfers

Data may be processed in the United States, the United Kingdom, the European Economic Area and, for inference only, other regions where our AI sub-processors operate. For transfers out of the EEA/UK/Swiss territory we rely on:

  • the EU Commission's Standard Contractual Clauses (2021/914) where the importer is not in an adequacy country;
  • the UK International Data Transfer Addendum (IDTA) for UK transfers;
  • the Swiss FDPIC's adapted SCCs for Swiss transfers; and
  • the EU–US and UK–US Data Privacy Framework where the importer is certified.

We conduct a transfer impact assessment (TIA) for each sub-processor and apply supplementary technical measures (encryption in transit and at rest, key management, access controls).

6. How long we keep it (retention)

  • Account & site content: while your account is active, plus 30 days after deletion (soft-delete window for restore), then purged from primary systems within 7 days and from backups within 35 days.
  • Billing & tax records: 7 years, as required by tax law.
  • Support communications: 3 years from the last interaction.
  • Server and security logs: 90 days.
  • Aggregated, anonymised analytics that cannot identify an individual, retained indefinitely.

7. Your rights

Depending on where you live, you have some or all of the following rights in relation to your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): ask us to delete your data, subject to legal retention.
  • Restriction: ask us to pause processing while a complaint is resolved.
  • Portability: receive your data in a structured, machine-readable format and have it transmitted to another controller.
  • Object to processing based on legitimate interests or direct marketing.
  • Withdraw consent at any time without affecting prior lawful processing.
  • Lodge a complaint with your supervisory authority, in the UK, the Information Commissioner's Office (ICO); in the EU, your national DPA.

California (CCPA/CPRA) residents additionally have the right to know the categories of personal information collected and disclosed, to request deletion, to correct inaccurate information, to opt out of any "sale" or "sharing" (we don't do either), to limit the use of sensitive personal information, and to be free from retaliation for exercising these rights. You may designate an authorised agent. Submit requests via privacy@koo.co; we verify identity by matching account details and respond within 45 days.

8. Children

Koo is not directed to children under 13 (or 16 in the EEA/UK). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, email privacy@koo.co and we will delete it.

9. Cookies & similar technologies

koo.co uses a single first-party session cookie for authentication and a CSRF token cookie. We do not run third-party advertising cookies or cross-site tracking. Sites built with Koo use first-party, cookie-less analytics by default. Where a site owner enables third-party integrations (e.g. Meta Pixel, GA4), responsibility for cookie consent lies with the site owner as controller.

10. Security

We follow industry-standard practices: TLS 1.2+ in transit, AES-256 at rest, least-privilege access, MFA-enforced staff accounts, quarterly access reviews, annual third-party penetration tests, and a documented incident-response plan. Full detail and our compliance posture (SOC 2 roadmap, ISO 27001) is on koo.co/security.

11. Data-breach notification

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33) and notify affected individuals without undue delay where the risk is high (Art. 34).

12. Changes to this policy

We will notify you by email of any material change to this policy and update the "Last updated" date at the top of the page. Continued use of Koo after the change means you accept the updated policy.

13. Contact & representatives

Controller: Koo, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA.
Privacy questions / data-subject requests: privacy@koo.co.
Data Protection Officer: dpo@koo.co.
EU representative (GDPR Art. 27): available on request.
UK representative (UK GDPR Art. 27): available on request.