Privacy Policy

Effective date: February 19, 2026 · Version 1.0

This Privacy Policy describes how Kvill collects, uses, stores, and shares your personal data. It applies to all users of the kvill.ru service. By registering or using the Service, you agree to this Policy.

1. Who We Are (Data Controller)

The data controller (operator) responsible for your personal data is:

IE Leontyev Artyom Alexandrovich (ИП Леонтьев А.А.)
INN: 615531331796 · OGRNIP: 326508100069940 · Russian Federation

The person responsible for organizing personal data processing is Leontyev Artyom Alexandrovich. For any privacy-related questions, contact us at artmlo@mail.ru (subject: "Personal Data").

The Service is intended for users aged 18 and older. We do not knowingly collect data from minors. If we learn that we have processed data from a person under 18 without a legal representative's consent, we will take steps to delete that data promptly.

2. What Data We Collect

Categories of data subjects: registered users of the Service; visitors to the website (technical data only).

Operations performed: collection, recording, organization, accumulation, storage, updating, retrieval, use, transfer, anonymization, blocking, deletion, and destruction of personal data.

Data you provide directly

Email address (used for login and notifications)
Name (if provided via Google OAuth or by you)
Content you create: prompts, uploaded files (documents, images, spreadsheets), generated presentations
Payment information (processed by T-Bank; Kvill does not store card details)

Data collected automatically

IP address and approximate location (country/city)
Browser type, operating system, device type
Pages visited, session duration, feature usage statistics
Technical identifiers (session tokens stored in localStorage)

We do not collect special categories of personal data (health, biometric, racial or ethnic origin, political opinions, religious beliefs, financial data).

3. How We Use Your Data

Purpose	Legal basis	Data used
Account registration and authentication	Consent; contract performance	Email, name, password hash
Providing the AI generation service	Contract performance	Prompts, uploaded files, presentation data
Payment processing	Contract performance; legal obligation	Payment reference, amount, transaction status
Communications (support, notifications)	Contract performance; consent	Email, message content
Security and fraud prevention	Legitimate interest of the operator	IP, session data, usage patterns
Service improvement and analytics	Consent	Anonymized usage statistics
Legal compliance	Legal obligation	Transaction records, tax data

4. Cookies and Local Storage

We use technical cookies and browser localStorage to:

Maintain your login session;
Store your preferences (e.g., theme settings);
Ensure correct operation of the Service.

Technical cookies are required for the Service to function and cannot be disabled. We do not use marketing, advertising, or tracking cookies. We do not share cookie data with third parties for advertising purposes.

5. Third-Party Recipients and International Transfers

For the Service to function, we share certain data with these third-party service providers:

Recipient	Country	Purpose	Data shared
Supabase Inc. (AWS)	Germany (eu-central-1)	Database, authentication, storage	Email, name, password hash, presentation data, chat history
Anthropic, PBC	United States	AI content generation (Claude API)	Text of your prompts (without identifying information where possible)
Google LLC	United States	OAuth authentication (if you sign in with Google)	Email, name (provided by Google upon your authorization)
T-Bank (АО «Т-Банк»)	Russia	Payment processing	Payment amount, transaction ID (card details go directly to T-Bank)

International transfers notice: Data is transferred to the United States (Anthropic, Google) for AI processing and authentication. The US does not provide a level of data protection equivalent to that in the European Economic Area or Russia. These transfers are made on the basis of your consent and contractual necessity. We have Data Processing Agreements with Anthropic and Google. Anthropic does not use API prompt data to train its models.

All data transfers are carried out under contractual arrangements (Data Processing Agreements) designed to protect your rights. We transfer only the minimum data necessary for each provider to perform their function.

We have notified the Russian data protection authority (Roskomnadzor / РКН) of our cross-border data transfers as required by applicable law.

6. Data Retention

Data category	Retention period
Account data (email, name)	Duration of account existence + 30 days after deletion
Presentations and generated content	Duration of account existence; deleted with account
Payment records	4 years (required by tax law)
Technical logs (IP, session)	90 days
Anonymized analytics	Indefinitely (not personal data)

Data deletion procedure

Upon account deletion, personal data is removed from the primary database within 30 days;
Backup copies containing personal data are destroyed within 90 days (backup rotation policy);
Data in third-party systems is deleted per our agreements with those providers;
Destruction is performed in a manner that prevents further processing of personal data.

7. Your Rights

You have the right to:

Access — obtain a copy of the personal data we hold about you;
Rectification — correct inaccurate or incomplete data;
Erasure — request deletion of your personal data;
Restriction — request that we limit processing of your data;
Objection — object to processing based on our legitimate interests;
Data portability — receive your data in a structured, machine-readable format;
Withdraw consent — revoke consent at any time; this does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email artmlo@mail.ru (subject: "Personal Data Request") from the email address associated with your account. We may ask for additional verification to confirm your identity. We will respond within 30 days.

If you withdraw consent to process your personal data, your account will be deactivated and your data deleted within 30 days, except data we are legally required to retain (e.g., tax records are kept for 4 years).

8. Security

We implement technical and organizational measures to protect your personal data:

All data is transmitted over encrypted connections (HTTPS / TLS 1.2+);
Passwords are stored as hashed values (not in plain text);
Database access is controlled via Row-Level Security (RLS) policies;
Access to personal data is restricted to the minimum necessary;
Third-party providers are required to maintain appropriate security standards.

Incident response

In the event of a personal data breach, we will:

Notify the competent supervisory authority (Roskomnadzor) within 24 hours of becoming aware of the breach;
Submit a full incident report within 72 hours;
Notify affected data subjects as soon as reasonably possible.

9. Changes to This Policy

We may update this Privacy Policy. When we make material changes (such as new data categories or new recipients), we will notify you by email and, where required by law, request fresh consent.

The current version is always available at kvill.ru/privacy-en.

10. Contact and Complaints

For any privacy-related questions or requests: artmlo@mail.ru

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. In Russia, this is Roskomnadzor (pd.rkn.gov.ru). In the EU, you may contact the supervisory authority in your country of residence.

Data Controller Details

Controller IE Leontyev Artyom Alexandrovich (ИП Леонтьев А.А.) Tax ID (ИНН) 615531331796 Registration no. 326508100069940 (ОГРНИП) Country Russian Federation DPO / Contact artmlo@mail.ru Supervisory authority Roskomnadzor (РКН), pd.rkn.gov.ru