Privacy Policy

Effective date: April 5, 2026. For privacy requests, contact kestor.team@gmail.com.

Summary of changes

We updated this version of the Privacy Policy to make the document easier to follow and more specific about how Kestor handles personal data.

  • We clarified the difference between account data Kestor controls directly and customer content that Kestor processes to provide the service.
  • We added more detail about how we share data with service providers, how long different categories of data are typically kept, and how privacy requests can be submitted.
  • We also made our cookies, international transfers, and user rights sections more explicit.

Scope of the Privacy Policy

Kestor is invoicing and business management software for freelancers and small businesses. This Privacy Policy applies to Kestor, our website, and related services.

Kestor ("Kestor", "we", "us", or "our") is operated from Kosovo.

This Privacy Policy covers personal data related to your account, your use of the service, your communications with us, and customer content processed through Kestor.

Roles and responsibilities

For personal data about your account, subscription, support interactions, and relationship with Kestor, Kestor generally acts as the controller because we decide how and why that data is processed.

For customer content you choose to upload or create in Kestor, such as client records, invoices, recurring invoices, payment-related records, notes, and files, Kestor generally acts as a service provider or processor on your behalf in order to provide the service to you.

If you use Kestor to store or manage information about your own clients or customers, you are responsible for making sure you have the right to collect, use, and share that information with Kestor.

Data we collect

If you purchase a subscription through Paddle, Paddle may also provide transaction, billing, renewal, cancellation, tax, fraud, and refund data to Kestor.

  • Account and profile data, including name, email address, authentication identifiers, preferences, and settings.
  • Customer content, including client names, contact details, invoice data, recurring invoice data, payment-related records, notes, files, and other content you choose to store in Kestor.
  • Technical and usage data, including IP address, browser type, device information, pages viewed, in-app actions, approximate location derived from IP, logs, timestamps, crash reports, and diagnostics.
  • Communication data, including emails you send us, support requests, and responses to service communications.
  • Billing and subscription data, including subscription status, plan information, renewal status, and refund records.

How we collect data

  • Directly from you when you create an account or use the service.
  • Automatically through analytics, logs, cookies, and similar technologies.
  • From service providers involved in authentication, hosting, communication, storage, and monitoring.

Why we use data

  • To provide and operate Kestor.
  • To authenticate users and secure accounts.
  • To store and display invoices, clients, and related records.
  • To send transactional emails and service communications.
  • To analyze usage and improve the product.
  • To detect, prevent, and investigate abuse, fraud, and technical issues.
  • To manage subscriptions, renewals, and refunds.
  • To comply with legal obligations.
  • To enforce our Terms of Service.

How we share data

We share personal data only where it is reasonably necessary to operate Kestor, comply with law, protect the service, or carry out instructions connected with your use of the product.

We do not sell personal data.

  • With infrastructure, analytics, communication, storage, and monitoring providers that support the operation of Kestor.
  • With authentication and security providers that help us sign users in, maintain sessions, and detect misuse.
  • With Paddle when necessary to process subscriptions, payments, renewals, cancellations, refunds, fraud checks, tax handling, and related support requests.
  • With email and communication providers when we send account, verification, billing, or support-related messages.
  • With law enforcement, regulators, courts, or other authorities where required by law or where reasonably necessary to protect rights, safety, security, or the integrity of the service.
  • With a buyer, successor, or other participant in a merger, financing, acquisition, restructuring, or sale of assets if Kestor is ever involved in such a transaction.
  • At your direction or when required to fulfill a feature you use inside the service.

Service providers and processors

Kestor currently uses third-party providers that may process personal data depending on their role.

  • Paddle for subscription billing, payment processing, renewals, cancellations, refunds, tax handling, and buyer support for Paddle-managed purchases.
  • NextAuth for authentication flows.
  • Neon Postgres for database infrastructure.
  • PostHog for analytics.
  • Brevo for email delivery and related communications.
  • Resend for email delivery and related communications.
  • Backblaze B2 for file storage.
  • Sentry for error tracking and monitoring.

International data transfers

Your data may be processed in countries other than your own, depending on where Kestor and our providers operate their infrastructure.

Where required, Kestor relies on contractual commitments, provider data processing terms, adequacy decisions, and similar safeguards intended to support lawful cross-border transfers of personal data.

How long we keep data

We keep personal data for as long as reasonably necessary to provide Kestor, comply with legal obligations, resolve disputes, enforce agreements, and maintain security and backup processes.

  • Account, profile, and subscription data are generally kept while your account is active and for a reasonable period afterward to support billing, dispute handling, security, and recordkeeping.
  • Customer content such as client records, invoices, recurring invoices, payment-related records, notes, and files is generally kept until you delete it, close your account, or ask us to remove it, subject to limited retention for backups, abuse prevention, legal compliance, or dispute resolution.
  • Technical logs, security events, and diagnostics are generally kept for shorter periods appropriate for monitoring, troubleshooting, fraud prevention, and service integrity.
  • Support emails and other communications may be retained for a reasonable period to respond to requests, document decisions, improve support quality, and protect against misuse.
  • Deleted data may remain in temporary backups for a limited period before those backups are overwritten or expire in the ordinary course.

Your rights and choices

Depending on your location, you may have rights like the ones listed below. Kestor may not yet provide self-service tools for deletion or export.

To make a privacy request, email kestor.team@gmail.com and describe your request clearly. We may ask for additional information to verify your identity or confirm that you are authorized to make the request.

If a request relates to customer content controlled by one of our users, we may direct you to that user first or process the request according to our role in handling that data.

Response timing may vary depending on the nature of the request and applicable law. If we cannot fulfill a request, we may explain why.

  • Access your personal data.
  • Correct inaccurate data.
  • Request deletion of data.
  • Object to certain processing.
  • Request restriction of processing.
  • Request a copy of certain data.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with a relevant supervisory authority.

Cookies and similar technologies

Kestor uses cookies or similar technologies for core service operations and to understand how the product is used.

  • Essential cookies or similar technologies used for authentication, session management, security, and fraud prevention.
  • Preference technologies used to remember settings such as language or other product choices.
  • Analytics technologies used to understand traffic, feature usage, performance, and product reliability.
  • If Kestor uses non-essential cookies or similar technologies in situations where consent is required, we will request consent through an appropriate notice or banner.

Security

We use reasonable technical and organizational measures designed to protect personal data, including access controls, provider security features, monitoring, and measures intended to reduce unauthorized access, loss, misuse, or disclosure.

However, no method of transmission, storage, or security control is completely secure, and we cannot guarantee absolute security.

Children

Kestor is not intended for children under 18, and we do not knowingly collect personal data from children.

Third-party services

Kestor may link to or rely on third-party services. Their privacy practices are governed by their own policies.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we may provide notice through the service, by email, or by updating the effective date above.

The version posted on this page is the current version.

Contact

For privacy questions, requests, or complaints, contact Kestor.

Operated from Kosovo.

Email: kestor.team@gmail.com