Privacy policy
Last updated: April 11, 2026
Chorrie, Inc. d/b/a Kilvin ("Kilvin," "we," "our," or "us") values your privacy. This Privacy Policy describes how we collect, use, and protect personal information when you engage Kilvin for custom software development, access software we build for you, or otherwise use our websites, client portal, and related services (collectively, the "Service").
By using the Service, you agree to this Privacy Policy. If your organization has a separate signed agreement, BAA, or Data Processing Addendum with us, that agreement controls in case of conflict.
1. Information We Collect
Account Information. We collect your name, email, organization, and role for authentication and account management.
Client Data. In the course of building software for you, we receive and process data you provide or that we integrate with on your behalf — including business records, user lists, and data from third-party systems you connect (e.g., custodians, CRMs, market-data providers). You determine what data flows into the Service.
Credentials & Secrets. Credentials for third-party systems you authorize us to integrate with are stored at rest in an encrypted vault. We store only provider-issued tokens where possible and do not retain raw credentials beyond what is necessary to operate the Service.
Billing Information. Payment processing is handled by Stripe. We do not collect, store, or have access to your payment card information.
Usage & Telemetry. We collect error logs, feature usage metrics, and device information via PostHog, AWS, and our AI providers to operate, secure, and improve the Service.
Regulated Data. Where an engagement involves Protected Health Information (PHI) or other regulated data, we process it only under a duly executed Business Associate Agreement (BAA) or equivalent data processing terms.
2. How We Use Information
We use the information we collect to:
Provide, operate, maintain, secure, and improve the Service and the software we build for you
Authenticate and authorize users
Deliver engagements, integrations, and support under an SOW
Respond to inquiries and provide customer support
Process billing and manage accounts
Comply with legal and regulatory obligations
We do not sell, rent, or trade your personal information, and we do not share it with advertisers or data brokers.
3. Authentication and Third-Party Integrations
User authentication is managed through Clerk. AI-assisted development and any AI features in delivered software are powered by LLM providers with zero data retention (ZDR) enabled where available, so data submitted to those providers is not stored or used for model training.
4. Data Sharing and Disclosure
We share personal information only with third-party service providers necessary to operate and deliver the Service, including:
Stripe — payment processing
Clerk — user authentication
Supabase — application database and backend
AWS — cloud infrastructure and storage
PostHog — product analytics
Anthropic, OpenAI, Google (Gemini) — AI model providers (ZDR enabled where available)
This list may change as the Service evolves; material changes will be reflected in updates to this Policy.
5. Data Retention and Deletion
Personal information is retained for as long as your engagement or account remains active. Upon termination or account deletion, your data is generally retained for thirty (30) days to allow for recovery, after which it is permanently deleted, subject to any legal or BAA-mandated retention requirements. Clients under a HIPAA BAA are governed by the retention terms in that agreement.
6. Security
We implement reasonable technical and organizational measures to protect your information, including:
Encryption at rest for stored credentials and client data
Secure cloud infrastructure hosted on AWS and Supabase
SOC 2 Type II-aligned practices across our environment
A HIPAA-compliant environment available to qualifying clients under a signed BAA
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
7. Your Privacy Rights
You may update your account information at any time within the Service. To request access to, correction of, or deletion of your personal data, contact us at privacy@kilvin.ai. Clients subject to HIPAA, GDPR, CCPA, or other privacy regulations retain all rights afforded under those laws.
8. International Data Transfers
The Service is operated from the United States. If you are accessing it from outside the US, your information may be transferred to and processed in the United States, which may have data protection laws that differ from those in your jurisdiction. By using the Service, you consent to such transfer and processing in accordance with this Policy and applicable law.
9. Contact Information
Email: privacy@kilvin.ai
Mailing Address: Chorrie, Inc. d/b/a Kilvin, 122 Greenwich Avenue, Apt 4, New York, NY 10011, USA
10. Changes to This Privacy Policy
We may update this Privacy Policy at any time. Changes will be reflected by an updated "Last Updated" date. Your continued use of the Service following any changes constitutes acceptance of the revised policy.