Privacy Policy

Effective date: May 4, 2026

Krewva (“Krewva,” “we,” “us”) builds an AI assistant that helps you read and reply to messages across the services you already use. This policy explains what we collect, why we collect it, where it goes, and how you stay in control. We use plain language. If something below is unclear, email us at support@krewva.com.

Who this policy applies to

This policy covers your use of the Krewva macOS desktop app, the Krewva iOS app, and the Krewva backend services accessed via krewva.com and its subdomains.

What we collect, by service

Krewva only requests access to the data needed to draft helpful replies on your behalf. The actual permissions we ask for are listed below. The app will surface each connector before you grant access; nothing is connected silently.

Gmail

Scope requested: https://www.googleapis.com/auth/gmail.modify (Google’s combined read, modify, and send permission). With this scope Krewva can:

• Read messages and threads in your mailbox.
• Read and write labels (so we can mark messages handled or snoozed).
• Create drafts and send messages on your behalf after you approve them.

Google Drive

Scope requested: https://www.googleapis.com/auth/drive.readonly (read-only). We use this to look up documents referenced in a conversation so the reply has the right context. We do not modify or delete files in your Drive. Some users may opt into broader write scopes for advanced workflows; you will see a separate consent screen if so.

Google Calendar

Scopes requested: https://www.googleapis.com/auth/calendar.readonly and https://www.googleapis.com/auth/calendar.events. We read your calendar to detect conflicts and meeting context, and we write event responses or create events after you approve them.

Slack

Scopes requested: app_mentions:read, channels:history, channels:read, chat:write, im:history, im:read, im:write, and users:read. These let Krewva see channels and direct messages where you are a member, and post replies you have approved. We do not access workspaces you are not a member of.

WhatsApp

Krewva connects to WhatsApp Web using the standard 8-digit phone pairing flow. Once linked, Krewva can read your conversations and send messages you have approved. WhatsApp messages stay end-to-end encrypted in transit between WhatsApp clients; Krewva processes the plaintext on your behalf as a linked client, the same way the WhatsApp web app does.

iMessage

On macOS, Krewva reads from your local iMessage database (~/Library/Messages/chat.db) with your permission and sends new messages by automating the Messages app. iMessage data stays on your Mac except when needed to draft a reply (see “AI processing” below).

Account and identity

We collect your email address and a unique account identifier from Amazon Cognito (our identity provider) so we can authenticate you and link the data above to your account.

Limited Use of Google user data

Krewva’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Krewva uses Google user data only to:

• Display your messages, files, and calendar context inside the Krewva app.
• Draft replies, schedule events, or label messages on your behalf, subject to your approval.
• Send aggregated, non-identifying telemetry (e.g. counts of drafts created) so we can debug failures and improve the product.

Krewva does not:

• Sell or transfer Google user data to third parties for advertising, marketing, or any other purpose unrelated to the Krewva service.
• Use Google user data to serve advertisements.
• Allow humans to read your Google user data, except: (a) with your explicit consent for a specific support request, (b) when required to comply with applicable law, or (c) for narrowly scoped, audited internal operations such as security investigation.
• Use Google user data to train, fine-tune, or otherwise develop generalized or third-party AI/ML models.

How your data is processed

AI processing (subprocessor disclosure)

To draft replies, Krewva sends the relevant message thread, Calendar context, and Drive snippets to a third-party large language model API operated by DeepSeek (deepseek.com). Only the content needed to produce the draft is sent on each request. DeepSeek is contractually prohibited from using your data to train its models.

We may switch or add additional AI providers in the future. If we do, we will update this section before that change takes effect.

Storage and security

• Your data is stored in Amazon Web Services (us-east-1 region, United States).
• Data at rest is encrypted using AWS KMS.
• Data in transit is encrypted using TLS 1.2 or higher.
• Access tokens for connected services are stored encrypted and are scoped to your account.

Retention

We keep your message bodies, drafts, and connector context for as long as your account is active and using the Service. If your account is inactive for 90 consecutive days, we automatically purge cached message bodies, generated drafts, and your voice profile artifacts from our database. Lightweight metadata (account record, message identifiers, timestamps, audit log entries) is retained beyond that window so we can honor a reactivation, investigate abuse, and meet our security and compliance obligations.

When you delete your account, we delete your stored data within 30 days, with three exceptions: (a) audit and security logs are retained for up to 12 months to investigate incidents; (b) billing and tax records are retained for up to 7 years where required by US tax law; and (c) backups are overwritten on a rolling 35-day cycle, after which deleted data is no longer recoverable. Connector access tokens are revoked and purged within 24 hours of account deletion.

Your control over your data

• You can disconnect any connected account from inside the Krewva app at any time.
• You can revoke Google access at myaccount.google.com/permissions.
• You can revoke Slack access at slack.com/account/settings → “Apps.”
• You can request deletion of your account and associated data by emailing support@krewva.com. We will confirm deletion within 30 days.

Sharing

We do not sell your personal information. We share data only with:

• Service providers who help us operate Krewva (Amazon Web Services for hosting and storage; DeepSeek for AI inference; Amazon Cognito for authentication).
• Government or legal requests when we are legally compelled, after exhausting reasonable objections.
• A successor entity in the event of a merger, acquisition, or asset sale, subject to the same protections in this policy.

Children

Krewva is not intended for, and we do not knowingly collect data from, children under 13 (or the equivalent age of digital consent in your jurisdiction). If you believe a child has provided us personal information, contact support@krewva.com and we will delete it.

International users

Krewva is operated from the United States and your data is processed in the United States (Amazon Web Services, us-east-1). By using Krewva you consent to this transfer. We rely on the EU–US and UK Extension to the Data Privacy Framework, and on Standard Contractual Clauses where applicable, to lawfully transfer personal data out of the EEA, the UK, and Switzerland.

Your rights under the GDPR and UK GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR (or UK GDPR) gives you the rights below. Krewva acts as the data controller for your account information and as a processor for the message content you connect to the Service.

• Lawful basis. We process your data on the basis of (a) your consent, given when you connect each account; (b) the contract necessary to provide the Service to you; and (c) our legitimate interest in operating, securing, and improving the Service. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Your rights. You have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interest. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you.
• How to exercise. Email support@krewva.com with the request and the email address on your Krewva account. We respond within 30 days. Most rights can also be exercised directly inside the app (disconnect a connector, request deletion).
• Data Protection contact. Privacy questions and data-subject requests can be addressed to our privacy contact at support@krewva.com. We have not formally appointed a Data Protection Officer because we are not required to under Article 37; we will update this section if that changes.
• Right to complain. You have the right to lodge a complaint with your local data protection supervisory authority. In the UK, that is the Information Commissioner’s Office (ico.org.uk). In the EEA, a list of national authorities is available from the European Data Protection Board (edpb.europa.eu).

Changes to this policy

If we make material changes we will notify you in the app and update the effective date above. Your continued use of Krewva after a change indicates acceptance of the revised policy.

Contact

Questions, requests, or concerns: support@krewva.com.