Skip to content
Kamba
← Back to site Log in

Legal

← All legal documents Privacy Policy Terms of Service Terms of Sale Refund Policy Legal Notice Subprocessors

Questions? Email us at hello@kamba-app.com

Last updated: April 21, 2026

Privacy Policy

Draft: pending legal review. Not yet validated by counsel.

Introduction

Kamba (“we”, “us”, “our”) operates the website at kamba-app.com. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.

We are committed to protecting your privacy and handling your personal data transparently and in accordance with the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, and applicable Luxembourg data protection law.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

Plain language summary

We collect only what we need to provide the Service. We do not sell your data. We do not use advertising trackers. You can delete your account and all associated data at any time.

Data We Collect

We collect three categories of data when you use Kamba:

Category What we collect Why
Account information Email address, display name, hashed password (if you use email sign-in), profile photo URL (if you sign in with Google) To create and manage your account, and to authenticate you
Usage data Furniture projects and designs you create, cut lists, material selections, saved calculations, app preferences (e.g. preferred units and language) To provide the core functionality of the Service and sync your work across sessions
Technical data IP address, browser type and version, operating system, pages visited, timestamps, session identifiers, error logs To maintain security, diagnose bugs, and understand how the app is used so we can improve it
Purchase data Records of the build plans you purchase and unlock, the date of purchase, and the Paddle transaction reference. We never receive or store your payment card details. To deliver the plan you bought, give you ongoing access to it, and keep a record of the transaction

When you buy a build plan, payment is processed by Paddle, which acts as the Merchant of Record for the sale: Paddle takes the payment, issues the invoice, and collects any applicable VAT. Kamba never receives or stores your payment card details. On our side we only keep purchase and unlock records together with the Paddle transaction reference. See our Terms of Sale and our Subprocessors page for details.

We do not collect sensitive personal data (such as health data, biometric data, or government ID numbers).

How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the Service. Storing your projects, generating cut lists and calculations, and personalising your experience based on your settings.
  • Account management. Creating your account, authenticating your login, and communicating with you about your account (e.g. password reset emails).
  • Transactional emails. Sending emails directly related to your use of the Service, such as account confirmation, password reset, and important service updates. We do not send marketing emails without your explicit consent.
  • Security and fraud prevention. Monitoring for suspicious activity, investigating misuse, and enforcing our Terms of Service.
  • Service improvement. Analysing aggregated, anonymised usage patterns to understand which features are used, identify bugs, and prioritise improvements. We do not build individual profiles for advertising purposes.
  • Processing purchases. Where you buy a build plan, recording your purchase and unlock, delivering the plan, and giving you ongoing access to it. Payment itself is handled by Paddle as Merchant of Record (see Terms of Sale).
  • Legal compliance. Fulfilling our legal obligations and responding to lawful requests from authorities where required.

We process your personal data on the following legal bases under the EU GDPR: contract performance (to provide the Service you signed up for), legitimate interests (security, fraud prevention, service improvement), and legal obligation (compliance with applicable law).

Where you purchase a build plan, we additionally process your purchase data on the basis of contract performance: to deliver the plan you bought, provide ongoing access, and keep a record of the transaction.

Data Storage & Security

Your data is stored securely using the following measures:

  • Database. Your data is stored in a PostgreSQL database hosted by Neon, a managed cloud database provider. Data is stored in the EU or UK region where possible.
  • Encrypted passwords. If you use email and password sign-in, your password is hashed using bcrypt before storage. We never store plain-text passwords.
  • HTTPS everywhere. All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). We enforce HTTPS across all endpoints.
  • Access controls. Database credentials and API keys are stored as encrypted environment variables. Access to production systems is restricted to authorised personnel only.

While we take reasonable technical and organisational measures to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

Your Rights

Under EU data protection law (GDPR), you have the following rights regarding your personal data:

Right of access

Request a copy of the personal data we hold about you.

Right to rectification

Request correction of inaccurate or incomplete personal data.

Right to erasure

Request deletion of your personal data (“right to be forgotten”). You can also delete your account directly from Account Settings.

Right to restriction

Request that we restrict processing of your data in certain circumstances.

Right to portability

Request a copy of your data in a structured, commonly used, machine-readable format.

Right to object

Object to processing of your data where we rely on legitimate interests as the legal basis.

To exercise any of these rights, email us at hello@kamba-app.com with the subject line “Data Request”. We will respond within 30 days. We may need to verify your identity before fulfilling a request. You also have the right to lodge a complaint with the CNPD, Commission nationale pour la protection des données (Luxembourg), at cnpd.public.lu, or with the supervisory authority in your EU country of residence.

Cookies

Kamba uses a minimal set of cookies that are strictly necessary for the Service to function. We do not use advertising or cross-site tracking cookies.

Cookie Purpose Duration
Session cookie Keeps you logged in to your account across page loads and browser sessions Until you sign out, or 30 days of inactivity
Preference cookie Remembers your settings such as preferred unit system and language 1 year

These cookies are categorised as “strictly necessary” and do not require your consent under the ePrivacy Directive 2002/58/EC (as implemented in Luxembourg), because they are essential for the Service to work.

For privacy-friendly usage analytics we use Plausible Analytics, hosted on an EU-based instance. Plausible is cookieless: it sets no cookies on your device, collects no personal data, and performs no cross-site or advertising tracking. It produces only aggregated, anonymous statistics that help us understand which features are used.

We do not use Google Analytics, Meta Pixel, or any other third-party analytics or advertising cookies. If this changes, we will update this policy and request your consent.

Cookie banner. Because the only cookies we use are strictly necessary and our analytics is cookieless, our position is that no cookie consent banner is required. This position is pending confirmation by legal counsel.

Third-Party Services

We use a small number of trusted third-party services (sub-processors) to operate Kamba. The table below summarises the main ones. For the complete list, including each provider’s role, location, and EU→US data-transfer mechanism, see our dedicated Subprocessors page.

Service Purpose Data shared
Neon Managed PostgreSQL database hosting All data you store in Kamba (encrypted at rest)
Render Application hosting (web server) Data processed in transit while serving the app, plus server and error logs
Cloudflare R2 Storage of files and static assets (e.g. generated PDFs, images) Files and assets generated or used by the Service
Resend Transactional email delivery (e.g. password reset, account confirmation) Your email address and the content of system emails sent to you
Paddle Payment processing as Merchant of Record (checkout, invoicing, VAT) Billing details you enter at checkout (handled by Paddle). Kamba receives only the transaction reference and purchase/unlock status: no payment card details.
Plausible Privacy-friendly, cookieless usage analytics (EU instance) Aggregated, anonymous usage statistics. No cookies and no personal data.
Google Sign-In (optional) OAuth authentication if you choose to sign in with Google Your Google account email, name, and profile photo. We do not receive your Google password.

We do not sell, rent, or share your personal data with any third party for marketing or advertising purposes.

We may disclose your data if required to do so by law, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

Data Retention

We retain your personal data for as long as your account is active and for as long as necessary to provide you with the Service.

  • Active accounts. Your account data, projects, and designs are retained for the duration of your account.
  • Account deletion. When you delete your account (via Account Settings or by emailing us), we permanently delete your personal data and all associated projects within 30 days. Anonymised, aggregated data derived from your usage (which cannot be used to identify you) may be retained for analytical purposes.
  • Backups. Deleted data may persist in encrypted database backups for up to 90 days, after which it is permanently purged.
  • Legal holds. In some circumstances (such as a legal dispute), we may be required to retain certain data for longer than the above periods.

You can delete your account at any time from your Account Settings page. Account deletion is permanent and cannot be undone.

Contact

If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please contact us:

  • Email: hello@kamba-app.com
  • Website: kamba-app.com

We aim to respond to all privacy-related enquiries within 5 business days. For formal data subject access requests (DSARs), we will respond within 30 days as required by law.

Kamba Sàrl-s, Sandweiler, Luxembourg. RCS Luxembourg B307982. Full publisher details: Legal Notice.

Kamba © 2026 Kamba