Privacy Policy

Last updated: May 15, 2025

Quelvo (“we,” “our,” or “us”) is committed to protecting your privacy. This policy explains what information we collect, how we use it, and the choices you have.

1. Information We Collect

Account information

When you create a Quelvo account, we collect your name, email address, and profile information provided through your OAuth provider (Google or GitHub via Clerk).

Workspace and portal data

To connect your Notion workspace, we store an encrypted OAuth access token. We do not store the content of your Notion databases — data is fetched in real time from the Notion API and cached briefly (up to 60 seconds) to improve performance.

Portal client data

Client email addresses you add to portals are stored so we can send magic-link login emails. We store only what is necessary to authenticate clients and apply your access controls.

Usage data

We collect standard server logs including IP addresses, browser type, pages visited, and timestamps. This data is used for security monitoring and aggregate analytics.

Billing data

Payment processing is handled by Stripe. We store only a customer reference ID and subscription status — never raw card numbers or full payment details.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Quelvo service
  • Authenticate you and your portal clients
  • Send transactional emails (magic links, billing receipts, digests)
  • Enforce plan limits and detect abuse
  • Respond to support requests
  • Comply with legal obligations

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. Notion Integration

Quelvo connects to your Notion workspace via an OAuth integration you explicitly authorize. We request only the minimum scopes necessary. Your Notion access token is encrypted at rest using AES-256-GCM and is never exposed to portal clients or third parties. You can revoke Quelvo’s access at any time from your Notion settings.

4. Data Sharing

We share data only with service providers necessary to operate the platform:

  • Clerk — authentication and identity management
  • Notion Labs — to query databases on your behalf
  • Stripe — payment processing
  • Resend — transactional email delivery
  • Vercel — infrastructure and hosting (including Blob storage)
  • Neon — PostgreSQL database hosting
  • Upstash — Redis caching

Each provider processes data only as directed by us and under appropriate data processing agreements. We may also disclose information if required by law or to protect the rights and safety of Quelvo and its users.

5. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where retention is required by law or legitimate business interests (e.g., billing records).

Portal client email addresses are removed when you delete the corresponding portal or client record. Magic-link tokens expire after 15 minutes and are deleted immediately upon use.

6. Security

We apply industry-standard security practices: encryption in transit (TLS), encryption at rest for sensitive credentials, HTTP-only cookies for session tokens, and rate-limiting on authentication endpoints. However, no system is perfectly secure. If you believe your account has been compromised, contact us immediately at info@quelvo.co.

7. Cookies

Quelvo uses cookies for session management. Portal client sessions use an HTTP-only, SameSite=Lax cookie scoped to the portal slug. We do not use third-party advertising or tracking cookies. Vercel Analytics collects anonymous, privacy-preserving usage data with no cross-site tracking.

8. Your Rights

Depending on your location, you may have rights to access, correct, or delete your personal data, object to processing, or request data portability. To exercise any of these rights, email us at info@quelvo.co. We will respond within 30 days.

If you are located in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

9. Children

Quelvo is not directed at children under 13. We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top and, for material changes, notify account holders by email. Continued use of Quelvo after changes take effect constitutes acceptance of the revised policy.

11. Contact

Questions about this policy? Reach us at info@quelvo.co.