1. Scope and controller
Kanvly is operated by Decods LLC, 1621 CENTRAL AVE #8709, CHEYENNE, WY 82001, United States. For account, billing, marketing site, support, and product operations data, Decods LLC is generally the controller. For workspace content that customers and invited users add to Kanvly, the customer or workspace owner is generally the controller and Kanvly acts as a processor or service provider.
This policy applies to kanvly.com, Kanvly marketing pages, Kanvly accounts, workspaces, public intake forms, support requests, billing flows, and related product communications.
2. Information we collect
- Account profile data: name, handle, email, initials, avatar, authentication providers, and account timestamps.
- Workspace data: workspace names, members, roles, boards, lists, cards, labels, comments, checklists, notes, pages, visibility settings, and activity.
- Contact and intake data: names, email addresses, company details, messages, public intake form submissions, lead import previews, and support or sales requests.
- Billing data: plan, included seat count, billing email, cardholder name where applicable, Stripe customer and subscription identifiers, App Store transaction identifiers, payment brand/last four digits where available, renewal status, tax and invoice metadata.
- Authentication and security data: session identifiers, password hashes, OAuth state, reset tokens, audit events, rate-limit metadata, IP-derived abuse prevention signals, and operational logs.
- AI data: AI chat messages, prompts, assistant responses, selected workspace context, AI usage limits, and AI settings.
- Analytics and device data: marketing page events, approximate device/browser data, referral data, jurisdiction-aware consent mode, and analytics choice status.
- Uploads: profile avatars, note images, card attachments, file names, image captions, attachment metadata, and imported content that users intentionally submit to the product.
3. How we use information
| Purpose | Examples | Legal basis where applicable |
|---|---|---|
| Provide and secure the service | Create accounts, authenticate users, keep sessions active, save workspaces, enforce roles, prevent abuse, and run backups. | Contract performance, legitimate interests, and legal obligations. |
| Operate collaboration features | Boards, cards, comments, checklists, pages, notes, notifications, member invites, public intake forms, and workspace settings. | Contract performance and customer instructions. |
| Billing and plan management | Stripe checkout, App Store subscriptions, 3-day paid plan trials where available, subscription status, tax calculation, invoices, receipts, refunds, and billing portal access. | Contract performance and legal obligations. |
| Support and communications | Respond to contact forms, support messages, password reset email, invite email, service updates, and optional marketing emails. | Contract performance, consent, and legitimate interests. |
| Analytics | Understand marketing page performance with Google Analytics where allowed by jurisdiction or after consent. | Consent where required; legitimate interests with opt-out where permitted. |
| AI features | Generate Kanvly AI responses using the prompt, chat history, and relevant workspace context. | Contract performance and customer instructions. |
4. AI data
Kanvly AI may read workspace context by default when a user sends an AI request, so the assistant can answer with relevant board and workspace context. Workspace settings may provide additional AI controls. Kanvly does not authorize OpenAI to train models on customer data submitted through Kanvly-controlled AI requests.
AI chat history and usage metadata may be retained with the workspace account so users can review, export, and manage the work they created.
Kanvly AI is not designed to process regulated health, payment card, government identity, legal advice, financial advice, or other highly sensitive data unless covered by a separate written agreement and appropriate safeguards.
5. Cookies and analytics
Kanvly uses strictly necessary cookies and local storage for authentication, product preferences, and consent status. Marketing analytics use Google Analytics on marketing pages only where allowed by jurisdiction or after the visitor accepts analytics cookies. We do not use advertising pixels, behavioral retargeting, or sale/share of personal data for ads. See the Cookie Policy.
6. Sharing and subprocessors
We do not sell personal data. We share data with service providers only as needed to operate Kanvly, including hosting, payment processing, email delivery, analytics after consent, OAuth/SSO, and AI features. The current public subprocessor list is available on the Subprocessors page.
7. International transfers
Kanvly is operated by a United States company and currently runs production infrastructure onHetzner Online GmbH in Germany. Some subprocessors may process data in the United States or other countries. Where required, Kanvly relies on appropriate transfer safeguards such as data processing terms, standard contractual clauses, and equivalent contractual protections.
8. Retention
| Data type | Default retention |
|---|---|
| Active account and workspace data | For as long as the account or workspace remains active, or as needed to provide the service. |
| Deleted account data | Removed from active systems when deletion is completed, subject to retained workspace content, legal records, and backups. |
| User uploads | For as long as the related account, workspace, note, card, or attachment remains active, unless deleted earlier or retained as required for security, backup, legal, or dispute reasons. |
| Backups | up to 30 days |
| Audit and security logs | up to 12 months unless a longer period is required for security, legal, tax, or contract reasons |
| Contact, sales, and support submissions | up to 24 months after the last interaction unless a longer period is needed for legal or business records |
| Billing, tax, invoice, and payment records | up to 7 years where required for tax, accounting, fraud prevention, and payment records |
| Google Analytics data | According to Google Analytics property settings and applicable consent choices. |
9. Privacy choices and rights
Users can update profile data, notification settings, AI settings, and workspace controls in the product. Authenticated users can export account data and delete account access from Settings. You may also use Kanvly support to request access, correction, deletion, portability, restriction, objection, withdrawal of consent, or review of a privacy request.
California, EEA, UK, and other privacy laws may provide additional rights. We honor applicable rights without discrimination. Kanvly does not sell personal information and does not share it for cross-context behavioral advertising.
10. U.S. state privacy notice
Some U.S. state privacy laws may require additional disclosures about categories of personal information collected, purposes of use, retention, and disclosures to service providers. Kanvly collects the categories described in this policy for the business and service purposes described above, retains them according to the retention section, and discloses them to service providers and processors listed on the Subprocessors page. Kanvly does not sell personal information and does not share it for cross-context behavioral advertising.
| Category | Examples | Purpose |
|---|---|---|
| Identifiers | Name, email, account ID, OAuth IDs, session and security identifiers. | Account creation, authentication, support, security, and billing. |
| Commercial information | Plan, subscription status, renewal status, receipts, invoice and transaction metadata. | Billing, tax, fraud prevention, accounting, and subscription management. |
| Internet or network activity | Marketing page analytics, product security logs, rate-limit metadata, and device/browser metadata. | Security, abuse prevention, diagnostics, and marketing measurement after consent where required. |
| User content | Workspace notes, boards, cards, comments, AI chats, uploads, captions, attachments, and public pages created by users. | Providing, securing, backing up, exporting, deleting, and supporting the service. |
11. Children
Kanvly is not directed to children. Users must be at least 16 years old and old enough to use Kanvly under the laws that apply to them. We do not knowingly collect personal data from children under 13. If you believe a child provided personal data, contact us and we will take appropriate steps.
12. Security
Kanvly uses administrative, technical, and organizational safeguards designed to protect the service, including HTTPS, secure session cookies, password hashing, rate limiting, workspace access controls, backups, and audit-friendly operational logging. No online service can guarantee perfect security. More detail is available on the Security page.
13. Changes and contact
We may update this policy as Kanvly changes or legal requirements evolve. If changes are material, we will take reasonable steps to notify users through the product, website, or email. Questions and privacy requests should be sent to Kanvly support.