Kellasa Privacy Policy
Kellasa (“we”) is operated by an individual builder. This page tells you exactly what data we collect, why we collect it, and what we never do. If anything is unclear, email hello@kellasa.com and we’ll either explain or revise.
1. What we collect
The minimum required to run a project-management tool with accounts and email:
- Account data — your email address, your name, a one-way hashed copy of your password (bcrypt). We never see or store your real password.
- Workspace content — the projects, tasks, comments, files, members, roles, and notes you create inside Kellasa. This is yours; we treat it as private to your workspace.
- Email events — we log that we sent you an email (verification, reset, invite) so we can debug delivery problems. We log a hash of the recipient address, not the address.
- Server logs — short-lived HTTP logs (IP, path, status code, timestamp) for security and debugging. Rotated within 30 days.
2. How we use it
- Run the product (sign in, render your workspace, deliver email).
- Send essential transactional email — verification, password reset, invites, billing receipts. No marketing email without an explicit opt-in.
- Detect abuse (rate-limit signals, signed-in workspaces, audit trails).
- Process payments through our payment provider (currently Lemon Squeezy, who acts as the merchant of record).
3. What we don’t do
- No third-party advertising. Ever. We have no ad SDKs, no remarketing pixels, no Facebook Pixel, no Google Analytics on logged-in surfaces.
- No selling your data. Workspace content is not used to train third-party models, not shared with data brokers, not sold.
- No tracking across other sites. We don’t set tracking cookies that follow you off Kellasa.
- No reading workspace content for analytics. Server-side metrics count rows (e.g. “total tasks”) but never read titles, descriptions, comments, or attachments.
4. Third parties we share with
- Hostinger — hosting + email infrastructure (Frankfurt / US data centers depending on plan).
- Neon — managed Postgres database (US East / EU West regions).
- Lemon Squeezy — payment processing & merchant of record. Charges flow through them; we receive only minimal data (last-4, customer ID, plan).
- Apple / Google — only if you sign in with their SDKs in our mobile apps. We don’t currently use either.
Each is bound by their own privacy policy. We choose vendors that don’t resell data.
5. How long we keep it
- Account data: as long as your account exists.
- Workspace content: as long as the workspace exists; 30 days of read-only access after cancellation, then deleted.
- Email send log: 24 hours (in-process counter, not persisted).
- Server logs: ≤ 30 days.
- Audit / activity events inside a workspace: as long as the workspace exists.
6. Your rights
Wherever you live, you can ask us to:
- Export your workspace as CSV — there’s a built-in export under Workspace settings.
- Delete your account, your workspace, and the related task data.
- Correct any account information that’s wrong.
- Object to any specific use of your data.
Email hello@kellasa.com from the address on the account. We aim to respond within 7 days; the legal maximum is 30 days (GDPR) / 45 days (CCPA).
7. Security
- HTTPS everywhere, HSTS preload pending.
- Passwords stored as bcrypt hashes; never logged.
- Sessions are HMAC-signed cookies (HTTP-only, secure, SameSite=Lax).
- Per-IP rate limits on every public-write endpoint.
- Webhook signatures verified with timing-safe comparison.
- Found a vulnerability? Please email hello@kellasa.com before disclosing publicly.
8. Contact
Anything about this policy: hello@kellasa.com. For account-specific data requests, please email from the address on the account so we can verify you.