Legal · aravo

Privacy Policy

Last updated: May 2026

1. Who we are

aravo is a SaaS platform for time tracking, projects, reports, billing, and quotes for freelancers, independent professionals, and small teams. The service is developed and operated by Kavaju Resa. If you have questions about this policy, you can contact us at hola@aravo.app.

2. Information we collect

To provide the service, we collect the following information:

  • Account and authentication data: email address, user identifier, and, if you choose Google OAuth, basic information provided by Google to sign you in.
  • Work data: time entries, descriptions, tasks, tags, clients, projects, invoices, quotes, Toggl-compatible imports or exports, amounts, statuses, and generated documents.
  • Workspace data: workspace name, members, roles, invitations, invited emails, access requests, and preferences such as language, time zone, numbering, branding, or document settings.
  • Shared report data: links, permissions, visibility settings, comments, and names or emails of invited people or access requesters.
  • Billing data: active plan, subscription status, billing cycle, customer or subscription identifiers, and payment events managed by Polar. We do not store full credit card numbers.
  • Technical and session data: session tokens, language preference, theme, active workspace, analytics consent, minimal security logs, and data required to keep the session active and operate the app.

Most of this data is entered by you directly or generated through normal product actions.

3. How we use the data

We use your data to provide and maintain aravo: authenticating users, saving and displaying content, calculating reports, generating PDFs, managing workspaces, sending invitations, processing imports, applying plan limits, administering billing, answering support requests, preventing abuse, and improving the product.

The basis for this processing is mainly the service you request from us. We may also process certain data based on our legitimate interest in security, fraud prevention, and operational improvement; legal obligations where applicable; and consent for product analytics.

4. Analytics and usage metrics

With your explicit consent, we use PostHog (posthog.com) to collect behavioral metrics inside the product. The goal is to understand which features are used, detect friction, and improve the overall experience.

When you accept the cookies notice, PostHog may register:

  • Pages visited inside the panel and on the public website.
  • Actions performed, such as creating time entries, invoices, quotes, projects, tasks, or shared links.
  • Your user identifier, email address, and active plan, so events can be associated with an account when you are signed in.

Important: automatic form capture is disabled. We do not deliberately send PostHog client names, time descriptions, invoice amounts, quote contents, or equivalent work data. We record interaction events and limited properties, not the contents of your documents.

Analytics data is stored exclusively on servers in the European Union (PostHog's EU infrastructure), which complies with the requirements of the General Data Protection Regulation (GDPR). Analytics data is retained for a maximum of 12 months.

We do not sell, rent, or share your analytics data with third parties for advertising or commercial purposes.

How to control your consent

The analytics notice appears on your first visit. If you decline it, PostHog will not record any activity. If you accept and later change your mind, you can revoke your consent by writing to hola@aravo.app or by deleting the aravo-analytics-consent entry from your localStorage.

5. Service providers

To operate aravo we use the following third parties as data processors:

  • Supabase — authentication, database, storage for PDFs, and operational files.
  • Cloudflare — web hosting, CDN, serverless functions, network protection, and scheduled tasks.
  • Polar — checkout, subscription portal, taxes, receipts, and payment management as merchant of record.
  • Resend — transactional email, such as invitations, billing notices, and account lifecycle messages.
  • Google — OAuth authentication if you choose to sign in with Google.
  • PostHog — product analytics (only with consent).

Each provider operates under its own terms, security measures, and privacy policy. Some providers may process data outside your country of residence; where relevant, we use providers with reasonable contractual and operational safeguards for SaaS services.

6. Security and storage

Work data is stored mainly in Supabase/Postgres and, when you generate documents, in Supabase Storage. We apply reasonable measures such as session-based authentication, user and workspace access controls, Row Level Security on exposed tables, restricted use of service keys, encryption in transit through HTTPS/TLS, and provider security measures for storage at rest.

aravo does not provide end-to-end encryption for the content you enter. This means the application and its backend services must be able to process your time entries, clients, projects, invoices, quotes, and reports to display data, generate documents, share links, and provide support where needed. Do not use aravo to store passwords, private keys, technical secrets, medical data, or other highly sensitive information that is not necessary to manage your professional activity.

No system is completely secure. If you suspect unauthorized access or a security issue, contact us as soon as possible.

7. Data retention and deletion

We retain your data while your account or workspace remains active and for as long as needed to provide the service, comply with legal obligations, resolve incidents, prevent abuse, or maintain minimal billing and security records.

You can request account deletion from the settings area in your panel. Deletion is scheduled with a 60-day grace period; during that period you can reactivate the account by signing in again. If you have an active professional subscription, renewal may be scheduled for cancellation at the end of the current period.

When the grace period ends, we delete from production the authentication account and associated data we directly control, including time entries, clients, projects, tasks, invoices, quotes, shared links, generated PDFs, and account settings, except for minimal data we must retain for legal, accounting, anti-fraud, security, or audit reasons. Backups may retain traces temporarily until they rotate or are overwritten according to our providers' technical cycles.

If you own a workspace with other active members, you may need to transfer ownership before scheduling account deletion to avoid affecting shared data belonging to other people.

8. User rights

Users in the European Union (GDPR)

If you reside in the European Economic Area, you have the following rights under Regulation (EU) 2016/679 (GDPR):

  • Right of access (Art. 15): request which personal data we hold about you.
  • Right to rectification (Art. 16): correct inaccurate data.
  • Right to erasure (Art. 17): request deletion of your data.
  • Right to portability (Art. 20): receive your data in a structured format.
  • Right to object (Art. 21): object to data processing for analytics.

To exercise your rights, contact us at hola@aravo.app. We aim to reply in under 30 business days. You can also manage certain data directly from the panel, including editing, document exports, and account deletion. If you believe we have not handled a request properly, you may contact the data protection authority that applies in your jurisdiction.

Users in California, United States (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

  • The right to know what personal information we collect.
  • The right to request deletion of your personal information.
  • The right not to be discriminated against for exercising your privacy rights.

aravo does not sell personal information. We do not transfer your data to third parties for commercial or advertising purposes.

Users in Latin America

If you live in Latin American countries with data protection legislation (such as Law 25.326 in Argentina, LGPD in Brazil, or the Federal Data Protection Law in Mexico), you have similar rights of access, rectification, cancellation, and objection. Contact us to exercise them.

9. Privacy infantil

aravo is a professional platform built for adults (freelancers, contractors, and operational agencies). Our software service is not directed to minors under any circumstance, and we do not intentionally collect or store personal data relating to anyone under 18 years of age. If you are a parent or legal guardian and confirm that a minor has provided information, please contact us by email so we can stop and remove it promptly.

10. Changes to this policy

We may update this privacy policy to reflect product changes, providers, technical measures, or legal requirements. If changes are material, we will try to notify you through the website, the panel, or the email associated with your account. The last updated date indicates the current version.

11. Contact

For questions about the processing of your data, this policy, or the exercise of your rights, contact us at:

hola@aravo.app