Privacy Policy

What we collect

When you join the waitlist, we collect your email address and, optionally, your name. Your email and name are stored securely in Supabase, our data storage provider.

To help us review and verify new waitlist requests, we also send a short internal notification via Telegram. This is an admin-only alert, not a database, visible only to the site administrator, and may include your email, optional name, time of request, and basic technical context (such as IP address, browser type, referring page, and approximate country). It is used solely to review incoming requests.

When you create an account, authentication is handled by Supabase. We do not see or store your password in plain text. We store account-related information needed for the service, such as your email address, profile name where provided, wishlist, and visited lists.

We use strictly necessary authentication cookies to keep you logged in and make account features work. We do not use advertising cookies, tracking pixels, or cross-site tracking.

We also use Vercel Web Analytics for basic, cookieless, aggregated site usage data. It does not place a cookie, does not track you across websites, and is not used for advertising or individual profiling.

What you need to provide

During our invite-only beta, joining the waitlist requires an email address; your name is optional. Without an email, we cannot add you to the waitlist.

Creating an account requires an email and a password (via our authentication provider). Without them, wishlist and visited features are not available.

If we open a public version of the site in the future, browsing the guide will not require you to share personal data unless you choose to create an account or join a waitlist.

Legal basis for processing

We process your data on the following bases under GDPR:

• Contract performance or pre-contractual request: to create and manage your account, and to fulfil your waitlist request.
• Legitimate interest: to maintain the security and integrity of the service, and to understand usage in aggregated form.
• Legitimate interest: to send an internal admin notification when a new waitlist request is submitted, so the individual publisher can review and verify it promptly.

We do not rely on consent for core account or waitlist processing. We do not use your data for automated decision-making or profiling.

Why we use it

We use your information to:

• manage your waitlist request,
• create and maintain your account,
• keep your wishlist and visited lists available across sessions,
• send essential service-related emails (invite, password reset),
• understand usage patterns in aggregated form so we can improve the site,
• protect the security and integrity of the service.

How we share data

We do not sell your personal data.

We share data only with the essential service providers that help us operate the website: Supabase (authentication and data storage), Vercel (hosting), and Resend (transactional email delivery for invites and password resets). All act on our instructions. We also use Telegram solely as a private admin channel, accessible only to the site administrator, to notify when a new waitlist request is submitted. Those notifications may include the email address, optional name, time of request, and basic technical context such as IP address, browser information, referral page, request path, and approximate country. Telegram is not used as a database for waitlist data; notifications are retained only for admin review and deleted once the request is approved or rejected.

Supabase stores account and waitlist data in the European Union. Vercel Web Analytics is cookieless and gives us aggregated information about visits and performance. Resend processes email addresses solely to deliver transactional messages.

Our service providers (Supabase, Vercel, Resend, and Telegram) act as processors on our instructions under their respective data processing terms. Some may process data outside the European Economic Area; where they do, we rely on appropriate safeguards such as EU Standard Contractual Clauses or equivalent mechanisms offered by those providers.

How we protect your data

We work with reputable providers, limit access to personal data, and use industry-standard safeguards such as encrypted connections (HTTPS) and secure authentication. No method of transmission or storage is completely secure, but we handle your data carefully and only keep what we need.

Retention

We keep waitlist data until your request has been handled, withdrawn, or deleted. Account data is kept while your account remains active. Wishlist and visited lists are kept until you remove them or ask us to delete your account.

Telegram notifications (including any technical context they contain) are kept only until the waitlist request is approved or rejected, then deleted. They are not retained beyond that review.

If you request deletion, we will remove your personal data from active systems within 30 days, unless we need to keep limited information for legal, security, or backup reasons. Backup copies may remain for a limited period before being overwritten.

Your rights

If you are located in the EU, you have the right to:

• access the personal data we hold about you,
• correct inaccurate or incomplete data,
• request deletion of your data,
• request restriction of certain processing,
• object to processing based on legitimate interest,
• request a copy of your data in a portable format.

To exercise any of these rights, including requesting deletion of your account and associated personal data, email us at legal@thekayover.com. We may need to verify your identity before completing certain requests, and we will respond within the timeframe required by GDPR. You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) or your local data protection authority.

Changes to this policy

We may update this policy from time to time. The latest version is always available on this page, with the date at the top.