Plain English.
No legal sludge.

Account data: your email, business name, ABN, postcode, phone, business hours, terms text, and the logo you upload. You choose what to enter. anything optional can stay blank.

Quote data: customer name, address, phone, email, the dimensions and options you key in, and the calculated price. You own this. We treat it as your data, not ours.

Usage data: which pages you visit on karven.com.au, basic device metadata (browser, OS, viewport), and the timestamp of each action. We use this to debug and improve, never to profile you.

Billing data: handled entirely by Stripe. We never see or store your card number. We get back a customer ID and a subscription status. that's it.

Application data sits in Supabase (Postgres) hosted in Sydney (ap-southeast-2). Logos sit in Supabase Storage in the same region.

Customer-facing PDFs are generated on demand and delivered as a download. they're not stored on our servers permanently. The quote-acceptance link uses a 30-day token that expires automatically.

Email delivery is handled by Resend. Quote emails carry your sender name and the customer's address. Resend retains delivery logs per their own retention policy; we do not store the email body.

We use your data to run Karven for you. calculate quotes, generate PDFs, deliver emails, charge subscriptions, send the occasional product update. That's the full list.

We never sell, rent or trade your data to a third party. We never use your customer data to train a public model. We never run cross-tenant analytics that mix one tradie's data with another's.

Under the Australian Privacy Principles you can: ask what we hold about you, ask for it to be corrected, ask for it to be deleted, and complain to the Office of the Australian Information Commissioner if you think we've messed up.

Account deletion is one email to hello@karven.com.au. We action it within 7 days. Your quotes, customers, logo, profile and billing record are wiped. Stripe retains its own minimal billing history for tax-law reasons.

We set one functional cookie for keeping you signed in. We do not run advertising trackers, fingerprinting scripts, or third-party retargeting pixels.

If we add product analytics in the future (PostHog), it will be self-hosted, cookie-free, and respect Do-Not-Track. We will update this page before flipping it on.

Data is encrypted in transit (TLS 1.3) and at rest. Tenant isolation is enforced at the database level via Postgres row-level security. not at the application layer. so a code bug in one place can't leak across tenants.

We test the isolation in CI on every commit (npm run verify:rls). We take pull requests off the menu when a test fails.

Karven is a B2B product for licensed Australian tradies. We do not knowingly collect data from anyone under 16. If you think a child has signed up, email us and we'll delete the account.

If we change anything material, you'll get an email at the address on your account at least 14 days before the change takes effect. Minor edits (typo fixes, clarifications) update the page silently with a fresh "last updated" date at the top.

Questions, complaints, deletion requests: hello@karven.com.au. Australian customers can also lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.