Privacy Policy

Last updated: May 2026

1. Introduction

khoai.io is a cloud-based inventory and store management platform that helps businesses track stock, manage orders, and collaborate with their teams. This Privacy Policy explains how khoai.io ("we", "us", or "our") collects, uses, stores, and protects your personal and business information when you use our website, mobile application, and services at khoai.io.

By creating an account or using our services, you agree to the practices described in this policy. If you do not agree, please do not use khoai.io.

2. Information We Collect

Account Data

  • Full name
  • Email address
  • Phone number (optional)
  • Password (stored as a secure hash; we never store plaintext passwords)

Business Data

  • Business name
  • Business address
  • Business phone number

Inventory and Transaction Data

  • Items (names, SKUs, descriptions, prices, quantities)
  • Transactions (purchases, sales, adjustments)
  • Transfers between storehouses
  • Supplier and client records

Usage Data

  • IP address
  • Browser type and version
  • Pages visited and features used
  • Timestamps of access

Cookies

  • Session cookie (for authentication)
  • CSRF cookie (for security)

3. How We Use Your Information

  • Provide, operate, and maintain the khoai.io service
  • Authenticate your identity and manage sessions
  • Send transactional emails (account verification, password resets, team invitations)
  • Process billing and subscription management
  • Improve the service through aggregated, anonymized usage analytics
  • Respond to support requests

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract performance: to provide the khoai.io service you subscribed to, including account management, billing, and support
  • Legitimate interest: to improve and secure our services, prevent fraud, and analyze aggregated usage patterns
  • Legal obligation: to comply with applicable laws, regulations, and legal processes
  • Consent: where you have given explicit consent for specific processing activities, such as receiving marketing communications

5. Data Sharing

We do not sell, rent, or trade your personal or business data to third parties.

We share data only with the following service providers, solely to operate the khoai.io service:

  • Xendit: payment processing for subscriptions and add-ons
  • Resend / SendGrid: transactional email delivery
  • Cloud hosting provider(s): frontend hosting infrastructure
  • Cloud hosting provider(s): backend hosting infrastructure
  • MongoDB Atlas: database hosting

Each provider is contractually obligated to protect your data and use it only for the purposes we specify.

6. International Data Transfers

Your data may be stored and processed in jurisdictions outside your country of residence, including but not limited to the United States and Singapore, through our hosting and infrastructure providers.

We ensure that appropriate safeguards are in place to protect your data in accordance with applicable data protection laws. Where required, we rely on standard contractual clauses or other approved transfer mechanisms.

7. Data Security

We take the security of your data seriously and implement the following measures:

  • All data is encrypted in transit using TLS (HTTPS)
  • Data at rest is encrypted via MongoDB Atlas encryption
  • Session cookies are httpOnly and secure, preventing client-side access
  • CSRF protection is enabled on all state-changing requests
  • Rate limiting is applied to prevent abuse
  • Passwords are hashed using industry-standard algorithms

8. Data Retention

  • Account data is retained while your account is active and for 30 days after account deletion to allow for recovery.
  • Inventory, transaction, and business data is permanently deleted when the associated business is deleted.
  • Usage logs are retained for up to 90 days for security and debugging purposes, then automatically purged.

9. Your Rights

You have the right to:

  • Access: view all personal and business data stored in your account
  • Correction: update inaccurate information from your account settings
  • Deletion: delete your account and all associated data
  • Data export: export your inventory and transaction data via CSV
  • Restrict processing: request that we limit how we use your data in certain circumstances
  • Object: object to processing of your data based on legitimate interest
  • Lodge a complaint: file a complaint with a data protection authority in your jurisdiction

10. Cookies

khoai.io uses the following cookies:

  • Session cookie: an httpOnly cookie used to maintain your authenticated session
  • CSRF cookie: used to protect against cross-site request forgery attacks

We do not use third-party tracking cookies, advertising cookies, or analytics cookies from external providers.

11. Children

khoai.io is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child under 16 has provided us with personal data, please contact us at human.khoai@gmail.com and we will promptly delete the information.

12. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users via email within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the data potentially affected, and the measures taken to address and mitigate the impact.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email using the address associated with your account. The updated policy will also be posted on this page with a revised "Last updated" date.

14. Contact

If you have any questions or concerns about this Privacy Policy or how we handle your data, please contact us at:

human.khoai@gmail.com