Privacy Policy

1. Who we are

SASU Kaupr Europe ("Kaupr", "we") is the controller of personal data collected via the Kaupr service. We are registered in France with offices at Antibes. For data-protection inquiries, contact privacy@kaupr.com.

2. Whose data we process

We process personal data of two distinct groups:

• Customers — people who create a Kaupr account to install the search widget on their site. We are the controller of their data.
• End users — visitors to a Customer's site who use the embedded Kaupr search widget. The Customer is the controller of end-user data; we act as a processor on the Customer's behalf under our Data Processing Agreement.

3. What we collect about Customers

• Email address (account identifier).
• Plan, billing status, and Stripe customer ID (no card data — Stripe is the controller of payment instruments).
• Catalog metadata that the Customer provides (product titles, descriptions, prices) — used to power the search service.
• Account activity logs — login events, dashboard requests, API calls. Used for security and product analytics.

4. What we collect about end users

When an end user uses the Kaupr widget on a Customer's site, we record:

• The search query text.
• Which results were clicked (rank, product id, timestamp).
• An anonymous session id, generated by the widget (random 16-char string) — used to attribute clicks to searches and orders to clicks.
• User-Agent string (parsed to a device class for analytics).
• IP address (used at log time only to resolve a country code; the IP itself is not joined to other identifiers and is not exposed in the dashboard).
• If the Customer enables order attribution: the order id, cart value, currency, and item count for orders linked to the session id. We do not receive customer name, email, billing address, or any other PII from the Customer's order data.

We do not set tracking cookies on end users. The session id lives in the browser's sessionStorage and is not transmitted outside the Customer's site except as part of API calls to the Kaupr service.

5. Legal basis

For Customer data: contract performance (Article 6(1)(b)) — we need the email and plan to provide the service.

For end-user data processed under the Customer's instructions: the Customer's chosen legal basis (typically legitimate interests in operating an effective search experience). The Customer is responsible for disclosing this in their own privacy notice.

6. Retention

• Customer account: retained while the account is active; deleted on request, with a 30-day grace period during which deletion can be reversed.
• Search analytics: 30-day rolling window in the dashboard; aggregated counters (used for billing and historical trend) may be retained longer in anonymised form.
• Email logs: 12 months for deliverability debugging.

7. Sub-processors

We use the following sub-processors. Each is bound by a data- processing addendum that requires GDPR-equivalent protections.

• Stripe — payment processing (Customer billing data only).
• Resend — transactional email delivery (Customer email address + email content).
• DigitalOcean — hosting infrastructure (all processing).
• Google (Workspace + reCAPTCHA, where applicable)— internal communications and abuse prevention.

We will notify Customers 30 days before adding a new sub-processor.

8. International transfers

Some sub-processors process data outside the European Economic Area (notably Stripe and Resend, which have US presence). We rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework for these transfers.

9. Your rights

If we are the controller of your personal data, you have the rights granted by the GDPR: access, rectification, erasure, restriction, objection, and data portability. To exercise any right, email privacy@kaupr.com. You also have the right to lodge a complaint with the CNIL or your local supervisory authority.

10. Security

We use industry-standard practices: encrypted transport (TLS 1.2+) for all customer-facing endpoints, encrypted storage at rest, role- based access for staff, audit logging on administrative actions.

11. Changes

We will notify you of material changes at least 30 days in advance via the email on your account.