Boldvio Legal
Privacy Policy
Last updated: 30 April 2026 · Effective immediately on registration.
This Privacy Policy explains how Kusari Group sh.p.k. ("Boldvio", "we", "us") collects, uses, and protects your personal data when you visit boldvio.com or use the Boldvio platform. We are the data controller for the personal data described below.
1. Who We Are
Boldvio is operated by Kusari Group sh.p.k., a limited liability company registered in the Republic of Kosovo with the Kosovo Business Registration Agency (ARBK).
- Legal name: Kusari Group sh.p.k.
- Registration number (UIN): Pending ARBK registration
- Registered office: Republic of Kosovo
- Privacy contact: infoboldvio@boldvio.com
2. Data We Collect
We only collect what we need to operate the service. Specifically:
2.1 Information you give us
- Account details — your email address, a password (stored only as a one-way bcrypt hash, never in plain text), the store name you choose, and the URL slug for your store.
- Billing information — when you subscribe to a paid plan, your card details are collected and processed by our payment processor (Stripe). We never see or store full card numbers; we receive only a token, the last four digits, the brand, and the expiry date.
- Support correspondence — any email or message you send us, plus our replies, kept so we can help you and so we have a record of past requests.
- Marketing-feature inputs — if you use Boldvio's optional marketing tools, the briefs, brand assets, and creative prompts you submit are processed to generate ads and copy on your behalf.
2.2 Information collected automatically
- Server logs — IP address, user agent, request path, response status, and timestamp. Used for security, debugging, and abuse prevention. Retained for 30 days.
- Strictly necessary cookies — a session cookie that keeps you logged in and a CSRF token cookie. We do not use third-party analytics or advertising cookies on boldvio.com itself.
2.3 Information from third parties
- When you connect your own ad accounts (Meta, Google Ads, TikTok) to Boldvio, we receive the access tokens and account metadata you authorise via those platforms' OAuth flows. We use these tokens only to perform actions you request.
3. How We Use Your Data
We use personal data only for the purposes listed below:
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and operate your account | Email, password hash, store details | Performance of contract |
| Bill you for paid plans | Email, payment token, billing address | Performance of contract |
| Send service emails (receipts, security alerts, downtime notices) | Email, account state | Performance of contract / legitimate interest |
| Prevent fraud and abuse | IP, device fingerprint, login patterns | Legitimate interest |
| Run marketing tools you opt into | Briefs, ad-account tokens, creative inputs | Performance of contract / consent |
| Comply with legal obligations | Whatever is requested by law | Legal obligation |
We do not sell your personal data, and we do not use your data to train machine-learning models for unrelated purposes.
4. Legal Basis
For users in Kosovo, processing is governed by Law No. 06/L-082 on Personal Data Protection (LPPD). For users in the European Economic Area or the United Kingdom, we additionally process personal data on the bases set out in Articles 6(1) of the General Data Protection Regulation (GDPR) — specifically: performance of a contract, legitimate interests, consent where required, and legal obligation. The lawful basis for each purpose is set out in the table above.
5. Sub-processors and Third Parties
We use a small number of trusted vendors to operate the service. Each is bound by a data processing agreement and may only act on our instructions.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services, Inc. | Hosting, storage, email delivery | Frankfurt (eu-central-1) |
| Stripe, Inc. | Payment processing | Ireland / United States (SCCs) |
| Anthropic, PBC | AI text and image generation for marketing tools | United States (SCCs) |
| Cloudflare, Inc. | DNS and DDoS protection | Global edge |
| Google LLC (Google Ads API) | Only when you connect a Google Ads account | European Union / United States (SCCs) |
| Meta Platforms, Inc. (Marketing API) | Only when you connect a Meta ad account | European Union / United States (SCCs) |
6. International Transfers
Where personal data leaves Kosovo or the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent safeguards under the LPPD. Production data is hosted in the EU (Frankfurt). Some sub-processors process data in the United States; in those cases, SCCs are in place.
7. How Long We Keep Data
- Account data — for as long as your account is active, plus 90 days after deletion to absorb accidental cancellations and dispute windows.
- Billing records — for 7 years, as required by Kosovo tax law.
- Server logs — 30 days, then automatically purged.
- Support tickets — 2 years from the last reply.
- Marketing-tool inputs — for the lifetime of your account; deleted on request or on account closure.
8. Your Rights
Under Kosovo's LPPD and the GDPR you have the following rights, which you can exercise at any time by emailing infoboldvio@boldvio.com:
- Access — receive a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention obligations.
- Restriction — pause processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
We aim to respond to all requests within 30 days. If you believe we have mishandled your data, you can also lodge a complaint with the Information and Privacy Agency of Kosovo (AIP) at aip.rks-gov.net, or with your national supervisory authority if you are in the EU/EEA or UK.
9. Security
We protect your data with TLS 1.2+ in transit, encryption at rest in AWS, hashed passwords (bcrypt), strict IAM access boundaries, audit logging, and least-privilege production access. No system is completely secure, but if we ever discover a personal-data breach likely to result in risk to you, we will notify you and the AIP within 72 hours, as required by the LPPD.
10. Children
Boldvio is intended for businesses and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has given us personal data, please email infoboldvio@boldvio.com and we will delete it.
11. Change of Operating Company
We may transfer your personal data to a successor entity in connection with a corporate restructuring, sale, merger, or change of operating company within the same group. We will notify affected users by email at least 30 days before any such change takes effect, and you will retain the right to delete your account and data before that date. The successor will be bound by terms at least as protective as this Policy.
12. Changes to This Policy
We may update this Policy from time to time. The "Last updated" date at the top will always show the current version. Material changes (anything that meaningfully expands the data we collect or what we do with it) will be announced by email at least 14 days before they take effect.
13. Contact Us
If you have any questions, requests, or concerns about this Policy or how we handle your data, please email infoboldvio@boldvio.com or write to:
Kusari Group sh.p.k.
Republic of Kosovo
UIN: Pending ARBK registration
Email: infoboldvio@boldvio.com