Privacy Policy

Last updated: April 20, 2026

1. Who We Are

Kostiak Systems operates Kostiak Green, located in Asunción, Paraguay. Contact: privacy@kostiak.pro

2. Information We Collect

Account information: business name, email, password (stored as a bcrypt hash, never in plain text), billing info (processed by Paddle; we don't store card details), cannabis license number (optional).

Usage data: pages visited, features used, search queries, API calls, login timestamps, IP addresses, browser type.

Communications: email content if you contact us.

We do NOT collect: your customers' data, POS transaction data, or precise physical location.

3. How We Use Your Information

We use your information to provide and improve the Platform, process payments, send weekly market intelligence briefs and alerts, respond to support requests, detect fraud, and comply with legal obligations. We do not sell data to third-party advertisers or share it with other operators.

4. Data Sharing

Service providers: Paddle.com (payments), Google Cloud Platform (infrastructure and database), SendGrid (email). All bound by data protection agreements.

Legal requirements: if required by law or court order.

Business transfers: you will be notified before any acquisition or merger.

5. Data Retention

Account data: 30 days after deletion. Usage logs: 12 months. Billing records: 7 years (legal requirement). Support communications: 3 years.

Deletion requests: privacy@kostiak.pro

6. Data Security

TLS 1.3 encryption in transit. Bcrypt password hashing (12 rounds). Row-Level Security on database. JWT authentication with expiration. Rate limiting on all API endpoints. Secrets via Google Cloud Secret Manager.

We will notify you within 72 hours of any breach affecting your account.

7. Your Rights

You may request: access to your data, correction of inaccurate data, deletion of your data, a portable copy, or opt-out of marketing. Email privacy@kostiak.pro. Response within 30 business days.

California residents (CCPA): we do not sell personal information. Email privacy@kostiak.pro with "CCPA Request".

EEA/UK (GDPR): lawful basis is contract performance (subscribers), legitimate interests (security), and consent (marketing). You may lodge complaints with your local data protection authority.

8. Cookies

Session cookies (required for login) and preference cookies (dashboard settings) only. No advertising cookies or third-party tracking pixels.

9. Contact

privacy@kostiak.pro · Kostiak Systems · Asunción, Paraguay
