Privacy Policy

Last updated: January 28, 2026

Data Collection

Koru collects minimal personal information necessary to provide our career companion services. This includes your name, email, and the professional insights you choose to share through our journal feature.

How We Use Your Information

Your data is used exclusively to provide personalized career insights and growth recommendations. We never sell or share your personal information with third parties for marketing purposes.

AI Processing

Koru uses artificial intelligence to analyze your career information and provide personalized insights. When you use our AI features, your data is processed by the following services:

  • Google Vertex AI (Gemini) — Processes text for career analysis and insights. Production models run on EU endpoints with GDPR-compliant data processing agreements. Preview models may temporarily use US endpoints.
  • Google Cloud Speech-to-Text — Converts voice recordings to text. Audio is processed on EU endpoints and not retained after transcription.

AI-generated insights are stored to provide continuity in your career journey. You can delete all AI-generated content at any time from your profile settings.

Data Storage and International Transfers

Your data is stored and processed by the following services:

  • Convex — Our primary database provider, hosted in the United States. Convex maintains SOC 2 Type II certification and implements encryption at rest and in transit.
  • Clerk — Handles authentication and user management with data centers in the US and EU.

For users in the European Economic Area (EEA), transfers to US-based services are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission.

Data Security

We implement industry-standard security measures to protect your information. All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. We conduct regular security reviews and maintain strict access controls.

Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR) and similar laws, you have the following rights:

  • Right to Access — Request a copy of all personal data we hold about you.
  • Right to Rectification — Correct any inaccurate or incomplete personal data.
  • Right to Erasure — Request deletion of your personal data ("right to be forgotten").
  • Right to Data Portability — Export your data in a machine-readable format.
  • Right to Restrict Processing — Limit how we use your data in certain circumstances.
  • Right to Object — Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent — Withdraw consent at any time where processing is based on consent.

To exercise these rights, visit your profile settings or contact us at privacy@koru.careers. We will respond to your request within 30 days.

Data Retention

We retain your data for as long as your account is active. When you delete your account, we remove all personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or legal claims).

Contact Us

For privacy-related questions, concerns, or to exercise your data rights, please contact us:

Email: privacy@koru.careers

If you are in the EU and believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority.