Privacy Policy

Data controller

Klura AB
Bergsundsgatan 23, 117 37 Stockholm, Sweden
Contact: privacy@klura.app

Data we collect

• Account & identity. Your email address and, where you use an OAuth provider (Google, Microsoft, Apple, or Facebook), the name and avatar your provider shares with us.
• Device registry. Device name, platform (operating system), last-seen timestamp, and TLS certificate fingerprint — used to identify your registered devices and show their live presence.
• Connection & IP metadata. IP addresses and connection timestamps used for P2P session signaling (hole-punch, NAT traversal). These are short-lived and not stored beyond session establishment.
• Cloudflare request logs. Standard HTTP request logs (IP, User-Agent, path, timestamp) retained by Cloudflare as our infrastructure provider.
• Product analytics. Aggregated usage events (page-views, CTA clicks) via PostHog, EU-hosted. Do Not Track is respected — if your browser sends DNT: 1, we do not initialize PostHog.

Why we process your data (GDPR legal bases)

• Performance of contract (Art. 6(1)(b)). Account creation, device registration, and P2P session signaling are necessary to provide the service.
• Legitimate interests (Art. 6(1)(f)). Security, fraud prevention, and aggregated product analytics (PostHog) that help us improve Spegla.

Processors we use

• Supabase. Authentication (GoTrue) and PostgreSQL database for account and device data. Data residency: EU (eu-north-1, Stockholm).
• Cloudflare. Edge network, Worker compute, and R2 object storage. Our Worker fronts all client-facing traffic; no client speaks directly to Supabase.
• PostHog (EU). Product analytics hosted at eu.i.posthog.com. We send anonymous event names and paths; person profiles and IP forwarding are disabled. A pseudonymous device identifier is stored in your browser's local storage so we can count unique visitors — no email, name, or account identifier is ever sent.

Data residency

Account and device data is stored in the EU (Supabase, eu-north-1 region). Analytics data is stored on PostHog's EU-hosted infrastructure. Cloudflare may cache edge traffic globally as part of normal CDN operation.

Retention

Account and device data is retained while your account is active. You may request deletion at any time (see below). Session signaling metadata is deleted within 24 hours. Cloudflare request logs follow Cloudflare's standard retention policy.

Your rights

Under the GDPR you have the right to access, correct, port, restrict processing of, or erase your personal data. To exercise any of these rights, email privacy@klura.app. We will respond within 30 days.

If you signed in via Facebook you can also request deletion directly through our data-deletion page.

Changes to this policy

We will post any material updates here with a new effective date. Continued use of Spegla after a change constitutes acceptance of the updated policy.