Privacy Policy
Last updated · 2026-05-15
Kontra ("we," "us," "our") provides invoicing and contract software for freelancers and creators. This Privacy Policy explains what data we collect, why we collect it, and what rights you have. We're based in the EU and the GDPR applies by default to everything we do.
Plain-English summary: We collect the minimum data we need to make Kontra work. We don't sell anything to anyone. Your data lives on EU servers. You can delete it permanently anytime from Settings.
1. Data we collect
Account data
- Email address (used to log you in and send transactional emails)
- Hashed password (if you sign up with email/password)
- Google account profile (if you sign in with Google — name + email only)
Business data you put into Kontra
- Your business details (name, address, org number, VAT number, logo)
- Client details you save (name, email, address, org number)
- Invoices and contracts you create
- Payment method handles you save (Swish number, PayPal email, IBAN, etc.) — we never see actual transactions, just the routing info
Technical data
- IP address and browser type, kept in standard server logs for security/abuse prevention
- Authentication tokens (managed by Supabase, our auth provider)
Payment data (for paid subscribers)
- Stripe handles all card data — we never see your card numbers. We only store your Stripe customer ID and subscription status.
2. How we use your data
- To run the service: store and display your invoices, contracts, and clients
- To send transactional emails (invoice receipts, contract signing notifications, payment reminders) — you can opt out of any of these from Settings → Notifications
- To process subscription payments via Stripe
- To prevent abuse and fraud (rate limiting, audit logging)
We do not use your data for advertising. We do not sell or rent your data to anyone. We do not profile or track you across other websites.
3. Where your data is stored
Your data is stored in the EU on Supabase's eu-west-3 region (Paris). The web app is hosted on Vercel's cdg1 region (Paris). Email delivery is handled by Resend (US-based, GDPR-compliant transfers under Standard Contractual Clauses). Payment processing is handled by Stripe (US-based, same SCCs). Upstash provides the rate-limit datastore (EU region). Notion stores the early-access waitlist only. These are our sub-processors — no other third parties touch your data.
4. Your rights under GDPR
- Access (Article 15): download a complete JSON of every row Kontra holds about you from Settings → Your data. One click, no waiting for a ticket.
- Rectification (Article 16): edit your business info, payment methods, branding, etc. directly in Settings. For anything you can't edit yourself, email us.
- Deletion (Article 17): permanently delete your account from Settings → Danger zone. Wipes every row tied to your `user_id` within 30 days; audit-log entries are retained per Section 5.
- Portability (Article 20): the same JSON export at Settings → Your data is machine-readable. Per-invoice/contract PDFs are downloadable individually.
- Objection (Article 21): opt out of any non-essential email from Settings → Email notifications. Client-facing transactional emails (invoices and contract signing links) stay on because they're part of the service you bought.
- Withdraw consent (Article 7(3)): change your cookie-banner choice anytime from the Cookies link in the footer.
- Complaint: if you believe we've violated your rights, file a complaint with Sweden's data protection authority, IMY, at imy.se.
5. How long we keep your data
Active accounts: as long as the account exists. After account deletion: all user-owned rows are permanently removed within 30 days. Audit-log entries that prove the account deletion itself (`account.deleted`) are kept indefinitely with the `user_id` set to NULL (anonymized) — they record only that the deletion happened, not who it happened to. Audit-log entries linked to signed contracts (legal evidence) are retained indefinitely per the law on signed documents.
6. Cookies
We use a small set of first-party cookies — the auth session, your theme preference, and a record of your cookie-banner choice. No analytics or marketing cookies today. If we add any, the consent banner will ask first. Full breakdown at /cookies.
7. Children
Kontra is not intended for users under 18. We don't knowingly collect data from minors.
8. Contact
Questions about this policy or your data? Email hello@usekontra.com. We aim to respond within one business day.