Legal

Privacy Policy

Last updated: 7 March 2026

This Privacy Policy explains how Sant Limited ("Keva", "we", "us", "our"), a New Zealand company, collects, uses, stores, and protects your information when you use Keva.support and related services.

1. Information We Collect

We collect the following categories of information depending on how you interact with our service:

Account Data

When you sign up, we receive your name, email address, profile image, and organisation membership details.

Support Ticket Data

Tickets submitted by your customers include sender email, name, subject, and message content. When you connect an email account via IMAP, we access incoming email to create tickets.

Widget Data

End-users interacting with the Keva chat widget may provide their email, name, message content, and browser locale.

Platform Access Data

If you connect platform connectors (WordPress, Shopify, Vercel, Railway, Supabase), we store encrypted API credentials and access data necessary to perform actions on your behalf.

Analytics & Feedback

We collect CSAT survey responses, customer health scores, sentiment analysis results, and A/B experiment assignments.

Audit Logs

We log administrative actions including the user, action type, IP address, and user agent for security and compliance.

Device Information

If you use the Keva iOS app, we collect device tokens for push notifications.

Billing Data

Payment processing is handled entirely by Stripe. We store your Stripe customer ID, subscription status, and usage records — but never your credit card number or bank details.

2. How We Use Your Information

We use your information to:

  • Classify support tickets using AI (category, sentiment, priority, confidence)
  • Generate AI-powered responses and suggested replies
  • Execute platform actions on connected services (e.g. updating a Shopify product)
  • Send notifications via email, Slack, or Microsoft Teams
  • Process billing and track usage against your subscription plan
  • Deliver and analyse CSAT surveys
  • Provide analytics dashboards, health scoring, and reports
  • Run A/B experiments to improve AI response quality
  • Evaluate and execute automation rules you configure
  • Maintain audit trails for compliance
  • Improve and develop the service

3. AI Processing & Automated Decision-Making

Keva uses artificial intelligence to process support tickets. You should be aware of the following:

AI Providers

  • Anthropic Claude — Full ticket content is sent for classification, response generation, and browser agent analysis (accessibility trees and screenshots).
  • Voyage AI — Ticket text and knowledge base content are sent for vector embedding generation used in semantic search.
  • OpenAI / Google — May be used as fallback providers if configured.

Your Controls

You have meaningful control over AI behaviour. You can set confidence thresholds below which AI responses require human approval, configure triage rules to escalate certain ticket categories, and require explicit approval for all AI-generated responses before they are sent to customers. Platform actions (e.g. modifying a Shopify product) always include diff previews and can require approval.

4. Third-Party Services

We share data with the following third-party service providers to operate Keva:

ServiceData SharedPolicy
Authentication ProviderAuthentication tokens, email, name, org membershipSee provider
StripeBilling info, subscription status, payment method tokensView
Anthropic (Claude)Full ticket content for AI classification, response generation, and browser agent analysisView
Voyage AITicket and KB text for vector embeddingsView
InngestEvent metadata for background job orchestration (no ticket content)View
Upstash RedisRate-limiting counters and cache keysView
Slack / Microsoft TeamsNotification content (ticket summaries, escalation alerts)See provider
Sentry (planned)Error reports, stack traces, browser metadataView
PostHog (planned)Product analytics events, feature flag evaluationsView
Google Analytics (planned)Page views, referrer, device/browser metadataView

5. Cookies & Tracking

Essential Cookies

  • Session cookies — Required for authentication.
  • keva_workspace_id — Stores your active workspace selection.
  • NEXT_LOCALE — Stores your language preference.

Functional Storage

  • Theme preference — Stored in localStorage (light/dark/system).

Planned Analytics Cookies

We plan to add Sentry (error tracking), PostHog (product analytics), and Google Analytics (website analytics). When these are enabled, a cookie consent banner will be provided. We will update this section accordingly.

6. Data Storage & Security

  • Data is stored in PostgreSQL hosted on Google Cloud (us-central1 region).
  • All platform credentials and API keys are encrypted at rest using AES-256-GCM with per-record initialisation vectors and authentication tags.
  • All connections use HTTPS/TLS in transit.
  • Tenant data is isolated — each organisation's data is scoped and cannot be accessed by other organisations.
  • Role-based access control (RBAC) is enforced via organisation roles.
  • Security headers include Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and rate limiting.
  • Support ticket message content is stored unencrypted in the database to enable full-text search and AI processing.

7. Data Retention

  • Account and ticket data is retained for the lifetime of your account.
  • Audit logs are retained for a configurable period (default: 365 days).
  • On account deletion, all organisation data (tickets, knowledge base, analytics, automation rules, connectors, and associated records) is permanently deleted via cascading deletion.
  • You may request data export before closing your account.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

Under the GDPR (EU/EEA)

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Data portability
  • Object to processing
  • Not be subject to solely automated decision-making

Under the CCPA (California)

  • Know what personal information is collected
  • Request deletion of your data
  • Opt out of the sale of personal information — we do not sell your data

Under the NZ Privacy Act 2020

New Zealand residents have the right to access and request correction of their personal information under the Privacy Act 2020. You may also lodge a complaint with the NZ Office of the Privacy Commissioner.

To exercise any of these rights, contact us at privacy@keva.support.

9. International Data Transfers

Your data is processed in the United States via our cloud providers (Google Cloud, Anthropic, Voyage AI, Stripe, and others). Where required, we rely on Standard Contractual Clauses (SCCs) and other lawful transfer mechanisms to ensure adequate protection of your data when it is transferred outside your jurisdiction.

10. Children's Privacy

Keva is a business-to-business service and is not directed at children under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or via an in-app notification. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Sant Limited

New Zealand

privacy@keva.support

← Back to home