Privacy & Security

Effective date: May 4, 2026

Safe · secure · private

Built to meet every legal and security requirement of the platforms we connect to.

Krewva runs on industry-standard authentication, encrypted infrastructure, and scoped payments infrastructure. Every integration follows OAuth scopes — never bypassed, never overreaching. Your data flow stays within the legal terms of every platform you connect.

OAuth-scoped access Encrypted at rest + in transit Data export and deletion controls Scoped payments infrastructure Notarized desktop app Audit exports for business plans

Krewva (“Krewva,” “we,” “us”) builds an AI assistant that helps you read and reply to messages across the services you already use. This policy explains what we collect, why we collect it, where it goes, and how you stay in control. We use plain language. If something below is unclear, email us at support@krewva.com.

Who this policy applies to

This policy covers your use of the Krewva macOS desktop app, the Krewva iOS app, and the Krewva backend services accessed via krewva.com and its subdomains.

What we collect, by service

Krewva only requests access to the data needed to draft helpful replies on your behalf. The actual permissions we ask for are listed below. The app will surface each connector before you grant access; nothing is connected silently.

Gmail

Scope requested: https://www.googleapis.com/auth/gmail.modify (Google’s combined read, modify, and send permission). With this scope Krewva can:

Google Drive

Scope requested: https://www.googleapis.com/auth/drive.readonly (read-only). We use this to look up documents referenced in a conversation so the reply has the right context. We do not modify or delete files in your Drive. Some users may opt into broader write scopes for advanced workflows; you will see a separate consent screen if so.

Google Calendar

Scopes requested: https://www.googleapis.com/auth/calendar.readonly and https://www.googleapis.com/auth/calendar.events. We read your calendar to detect conflicts and meeting context, and we write event responses or create events after you approve them.

Slack

Scopes requested: app_mentions:read, channels:history, channels:read, chat:write, im:history, im:read, im:write, and users:read. These let Krewva see channels and direct messages where you are a member, and post replies you have approved. We do not access workspaces you are not a member of.

WhatsApp

Krewva connects to WhatsApp Web using the standard 8-digit phone pairing flow. Once linked, Krewva can read your conversations and send messages you have approved. WhatsApp messages stay end-to-end encrypted in transit between WhatsApp clients; Krewva processes the plaintext on your behalf as a linked client, the same way the WhatsApp web app does.

iMessage

On macOS, Krewva reads from your local iMessage database (~/Library/Messages/chat.db) with your permission and sends new messages by automating the Messages app. iMessage data stays on your Mac except when needed to draft a reply (see “AI processing” below).

Account and identity

We collect your email address and a unique account identifier from Amazon Cognito (our identity provider) so we can authenticate you and link the data above to your account.

Limited Use of Google user data

Krewva’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Krewva uses Google user data only to:

Krewva does not:

How your data is processed

AI processing (subprocessor disclosure)

To draft replies, Krewva sends the relevant message thread, Calendar context, and Drive snippets to a third-party large language model API operated by DeepSeek (deepseek.com). Only the content needed to produce the draft is sent on each request. DeepSeek is contractually prohibited from using your data to train its models.

We may switch or add additional AI providers in the future. If we do, we will update this section before that change takes effect.

Storage and security

Retention

We keep your message bodies, drafts, and connector context for as long as your account is active and using the Service. If your account is inactive for 90 consecutive days, we automatically purge cached message bodies, generated drafts, and your voice profile artifacts from our database. Lightweight metadata (account record, message identifiers, timestamps, audit log entries) is retained beyond that window so we can honor a reactivation, investigate abuse, and meet our security and compliance obligations.

When you delete your account, we delete your stored data within 30 days, with three exceptions: (a) audit and security logs are retained for up to 12 months to investigate incidents; (b) billing and tax records are retained for up to 7 years where required by US tax law; and (c) backups are overwritten on a rolling 35-day cycle, after which deleted data is no longer recoverable. Connector access tokens are revoked and purged within 24 hours of account deletion.

Your control over your data

Sharing

We do not sell your personal information. We share data only with:

Children

Krewva is not intended for, and we do not knowingly collect data from, children under 13 (or the equivalent age of digital consent in your jurisdiction). If you believe a child has provided us personal information, contact support@krewva.com and we will delete it.

International users

Krewva is operated from the United States and your data is processed in the United States (Amazon Web Services, us-east-1). By using Krewva you consent to this transfer. We rely on the EU–US and UK Extension to the Data Privacy Framework, and on Standard Contractual Clauses where applicable, to lawfully transfer personal data out of the EEA, the UK, and Switzerland.

Your rights under the GDPR and UK GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR (or UK GDPR) gives you the rights below. Krewva acts as the data controller for your account information and as a processor for the message content you connect to the Service.

Changes to this policy

If we make material changes we will notify you in the app and update the effective date above. Your continued use of Krewva after a change indicates acceptance of the revised policy.

Contact

Questions, requests, or concerns: support@krewva.com.