Privacy Policy
Last updated · 2026-06-12
Kontra ("we," "us," "our") provides invoicing and contract software for freelancers and creators. This Privacy Policy explains what data we collect, why we collect it, and what rights you have. We're based in the EU and the GDPR applies by default to everything we do.
Plain-English summary:We collect the minimum data we need to make Kontra work. We don't sell anything to anyone. Your data lives on EU servers. You can delete it permanently anytime from Settings.
1. Data we collect
Account data
- Email address (used to log you in and send transactional emails)
- Hashed password (if you sign up with email/password)
- Google account profile (if you sign in with Google — name + email only)
Business data you put into Kontra
- Your business details (name, address, org number, VAT number, logo)
- Client details you save (name, email, address, org number)
- Invoices and contracts you create
- Payment method handles you save (Swish number, PayPal email, IBAN, etc.) — we never see actual transactions, just the routing info
Deals address & opportunity data (if you claim a deals address)
- Your chosen alias (e.g. yourname@deals.usekontra.com) and the personal email address you forward copies to
- For emails sent to your deals address that our scanner identifies as genuine brand-deal pitches: a short excerpt (sender, subject, and up to a few hundred characters) shown on the opportunity card — never the full email body. Emails that aren't pitches are forwarded to you and nothing is stored.
- Messages you send from your deals address through Kontra, and brand replies to them — stored in full as your deal correspondence, like any mailbox you own
Technical data
- IP address and browser type, kept in standard server logs for security/abuse prevention
- Authentication tokens (managed by Supabase, our auth provider)
Payment data (for paid subscribers)
- Stripe handles all card data — we never see your card numbers. We only store your Stripe customer ID and subscription status.
2. How we use your data
- To run the service: store and display your invoices, contracts, and clients
- To send transactional emails (invoice receipts, contract signing notifications, payment reminders) — you can opt out of any of these from Settings → Notifications
- To process subscription payments via Stripe
- To surface brand-deal opportunities: emails sent to your deals address are automatically scanned (including by an AI classifier processing the email text) solely to decide whether they're genuine pitches worth showing you. This only ever applies to mail sent to the address you claimed for this purpose — Kontra never reads any other mailbox you own.
- To deliver your mail: every email to your deals address is forwarded in full to the personal address you verified
- To prevent abuse and fraud (rate limiting, audit logging, daily sending caps on the deals address)
We do not use your data for advertising. We do not sell or rent your data to anyone. We do not profile or track you across other websites.
3. Where your data is stored
Your data is stored in the EU on Supabase's eu-west-3 region (Paris). The web app is hosted on Vercel's cdg1 region (Paris). Email delivery is handled by Resend (US-based, GDPR-compliant transfers under Standard Contractual Clauses). Payment processing is handled by Stripe (US-based, same SCCs). Upstash provides the rate-limit datastore (EU region). Notion (US-based, same SCCs) stores the early-access waitlist, beta feedback submissions, and a minimal log of new account signups (name, email, signup date); all of your rows there are removed when you delete your account. If you claim a deals address, two more sub-processors apply: Cloudflare receives and forwards mail sent to that address (GDPR-compliant transfers under SCCs), and Anthropic's Claude API classifies the email text to detect genuine pitches (no training on your data; processed transiently under SCCs). These are our sub-processors — no other third parties touch your data.
4. Your rights under GDPR
- Access (Article 15): download a complete JSON of every row Kontra holds about you from Settings → Your data. One click, no waiting for a ticket.
- Rectification (Article 16): edit your business info, payment methods, branding, etc. directly in Settings. For anything you can't edit yourself, email us.
- Deletion (Article 17): permanently delete your account from Settings → Danger zone. Wipes every row tied to your user_id within 30 days — including your deals address, stored opportunity excerpts, and deal correspondence (the address stops receiving immediately); audit-log entries are retained per Section 5.
- Portability (Article 20): the same JSON export at Settings → Your data is machine-readable. Per-invoice/contract PDFs are downloadable individually.
- Objection (Article 21): opt out of any non-essential email from Settings → Email notifications. Client-facing transactional emails (invoices and contract signing links) stay on because they're part of the service you bought.
- Withdraw consent (Article 7(3)): change your cookie-banner choice anytime from the Cookies link in the footer.
- Complaint: if you believe we've violated your rights, file a complaint with Sweden's data protection authority, IMY, at imy.se.
5. How long we keep your data
Active accounts: as long as the account exists. After account deletion: all user-owned rows are permanently removed within 30 days. Audit-log entries that prove the account deletion itself (`account.deleted`) are kept indefinitely with the `user_id` set to NULL (anonymized) — they record only that the deletion happened, not who it happened to. Audit-log entries linked to signed contracts (legal evidence) are retained indefinitely per the law on signed documents.
6. Cookies
We use a small set of first-party cookies — the auth session, your theme preference, and a record of your cookie-banner choice. No analytics or marketing cookies today. If we add any, the consent banner will ask first. Full breakdown at /cookies.
7. Children
Kontra is not intended for users under 18. We don't knowingly collect data from minors.
8. Contact
Questions about this policy or your data? Email hello@usekontra.com. We aim to respond within one business day.