Privacy Policy — Valko
1. Overview
This Privacy Policy explains what data we collect when you use Valko, how we use it, and your rights over it.
Summary: We store your Google profile and conversation history. We do not store raw audio. We do not sell your data or use it to train AI models. You can delete your account and all data at any time.
2. Data We Collect
2.1 Account Data
When you sign in with Google we receive your email, display name, profile picture URL, and a unique Google user ID. We do not access your Google contacts, calendar, files, or other Google services.
2.2 Conversation Data
Every message you send and every AI response is stored in our database (text, timestamp, model used, estimated cost). Conversation history is kept for 90 days after a session ends by default. You can request earlier deletion at any time.
2.3 Voice Transcription
Voice input is either processed by your browser's native Speech API (audio never reaches our servers) or by server-side Whisper (audio is transcribed and immediately discarded — only the resulting text is stored).
2.4 Usage Data
We collect anonymized usage signals (features used, session duration, error logs) to improve the service. This data is not linked to your identity in our analytics.
2.5 Payment Data
Payment is processed by Stripe. We never store your card number or CVV. Stripe provides us only with subscription status, payment method type, and billing email.
2.6 Cookies and Local Storage
We use a signed session cookie (va_session, 7 days, HttpOnly, Secure) for authentication, and localStorage for UI preferences (never sent to our servers). We do not use tracking, advertising, or third-party analytics cookies.
3. How We Use Your Data
Account data identifies you and enables account-related emails. Conversation history powers your history view and provides AI context. Usage signals improve the product. Payment data manages your subscription. We do not sell data, train AI models on your conversations, or show ads.
4. Who We Share Data With
We share data only with: Anthropic (Claude responses), Google (Gemini responses, Sign-In, Cloud TTS), Stripe (payment processing), and Cloudflare (DNS and DDoS protection). We share no data with any other third parties.
5. Data Security
All data is transmitted over TLS/HTTPS and encrypted at rest. If you provide your own API keys (BYOK), they are stored with AES-256-GCM encryption and decrypted only at call time. If you believe your account is compromised, contact office@inctasoft.com immediately.
6. Your Rights (GDPR)
If you are in the EEA, UK, or equivalent jurisdiction, you have rights to access, rectify, erase, port, restrict, or object to processing of your data. To exercise any right, email office@inctasoft.com with subject "Privacy Request". We respond within 30 days.
You may also lodge a complaint with the Bulgarian data protection authority (CPDP): www.cpdp.bg
7. Data Retention
Account data: until deletion plus 30 days. Conversation history: 90 days after a session ends. Payment records: 7 years (legal requirement). Security logs: 90 days. Anonymized analytics: 12 months.
8. International Transfers
Inctasoft is based in Bulgaria (EU). Data may be processed by providers outside the EU (Anthropic, Google, Stripe) under standard contractual clauses approved by the European Commission.
9. Children's Privacy
We do not knowingly collect data from children under 13. If you believe a child has created an account, contact us at office@inctasoft.com.
10. Changes to This Policy
We will notify you of material changes by email or in-app notice. The date at the top of this page shows when this version was published.
11. Contact
Inctasoft OOD (EIK 206353354)
46 Patriarch Evtimiy Blvd, Sofia 1000, Bulgaria
office@inctasoft.com
Last updated: 4 May 2026