Privacy Policy
Last updated: · Version 1.0
Summary
Komaru is a solo project. We collect the minimum data needed to run the service. We do not sell or share data for advertising. We do not use cookies on this landing page. Payments are processed by LemonSqueezy as Merchant-of-Record — they handle billing data and tax compliance. Analytics are cookieless via Plausible.
This policy aligns with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and Vietnam's Law on Cybersecurity.
1. Who we are
Data controller: Komaru (a solo project), based in Hà Nội, Vietnam.
Contact: komarununi.business@gmail.com
For all privacy-related questions or requests under GDPR, CCPA, or local law, email the address above. Replies within 24 hours; substantive response within 30 days.
2. What data we collect
2.1 Information you provide
- Email address — if you sign up for the free tier, subscribe to our Substack newsletter, or purchase Pro / Bundle.
- Text content — the draft text you paste into the filter is processed in your browser and on Komaru's filter server. We do not store your draft text after the filter run completes.
- Payment information — collected directly by LemonSqueezy. We never see your card number, CVV, or full billing address.
2.2 Information collected automatically
- Aggregate analytics via Plausible (cookieless): page views, referrer, country (from IP, not stored), screen size, browser type. No personal identifiers.
- Filter usage events: anonymous counts of demo pastes and filter runs, plus character count buckets (e.g. "500-2k") and flag count buckets (e.g. "1-5"). No content stored.
2.3 What we do NOT collect
- No cookies on the landing page or filter
- No tracking pixels from Facebook, Google, or any ad network
- No fingerprinting
- No drafts retained after filter run (text discarded immediately)
- No keystroke logging beyond debounced character count for analytics buckets
3. How we use your data
- Service delivery: run the filter, deliver Pro features, send Bundle download links
- Communication: transactional emails (account confirmations, payment receipts, refund notifications) and the newsletter (only if you opt in)
- Improvement: aggregate analytics to understand which patterns get flagged most often and improve the rule library
- Legal compliance: tax records (handled by LemonSqueezy as MoR), responding to lawful requests
4. Legal basis (GDPR)
Under GDPR Article 6, we process personal data on the following bases:
- Contract (Art. 6.1.b): to deliver the service you purchased (Pro / Bundle)
- Consent (Art. 6.1.a): for newsletter signup (you opted in; you can opt out at any time)
- Legitimate interest (Art. 6.1.f): for cookieless aggregate analytics that do not identify individuals
- Legal obligation (Art. 6.1.c): tax records, anti-fraud, lawful requests
5. Third-party processors
We use three external services. Each is contractually bound to GDPR-compliant data processing.
LemonSqueezy — Merchant-of-Record
Handles all payment processing for Pro ($9/mo) and Bundle ($39).
Acts as Merchant of Record: collects, remits, and reports VAT / sales tax across 100+ jurisdictions.
They process your billing name, billing address, payment method, and IP address.
Privacy policy: lemonsqueezy.com/privacy
Plausible Analytics
Cookieless, privacy-first website analytics. EU-hosted. No personal data stored.
No fingerprinting. Aggregate metrics only.
Privacy policy: plausible.io/privacy
Substack
Hosts the "Komaru Field Manual" newsletter.
When you subscribe, your email is stored on Substack's servers.
You can unsubscribe at any time using the link in any email.
Privacy policy: substack.com/privacy
6. International data transfers
Komaru is based in Vietnam. Our processors (LemonSqueezy, Plausible, Substack) are based in the United States and the European Union. Where data is transferred outside the EEA / UK, transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards offered by each processor.
7. Your rights
Under GDPR, UK GDPR, and CCPA you have the right to:
- Access any personal data we hold about you
- Rectify incorrect or incomplete data
- Erase your data ("right to be forgotten")
- Restrict processing
- Object to processing based on legitimate interest
- Portability: receive your data in a structured, machine-readable format
- Withdraw consent at any time (e.g. unsubscribe from the newsletter)
- Lodge a complaint with a supervisory authority (e.g. your country's data protection regulator)
To exercise any of these rights, email komarununi.business@gmail.com. Identity verification may be required. Substantive response within 30 days.
8. Data retention
- Filter draft text: discarded immediately after filter run. Never stored.
- Email addresses: retained while you have an active account or newsletter subscription. Deleted within 90 days of account deletion or unsubscribe.
- Payment records: retained by LemonSqueezy for 7 years (or as required by tax law in your jurisdiction).
- Analytics: aggregate-only, no personal data, retained indefinitely.
9. Security
All data is transmitted over HTTPS. Email and subscriber data is stored encrypted at rest. Access is limited to the founder. We follow industry-standard practices for a solo project of this scale, but no system is perfectly secure. If a breach affects your data, we will notify you within 72 hours of becoming aware, in accordance with GDPR Article 33.
10. Children's data
Komaru is not intended for use by anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with their data, contact us and we will delete it.
11. Changes to this policy
We may update this policy as the service evolves or as regulations change. Material changes (anything affecting your rights or how we use your data) will be announced via the newsletter and on the landing page banner at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
Email: komarununi.business@gmail.com
Async-only: we do not take phone or video calls. Email replies within 24 hours.