Legal
Privacy Policy
Last updated: May 2026
Overview
Kudoso (“we”, “us”, or “our”) operates kudoso.io and provides testimonial collection software for businesses. This policy explains what data we collect, why we collect it, and how we handle it. We believe privacy should be straightforward, so we've written this to be readable rather than dense.
Questions? Email us at [email protected].
Data we collect
Account data: When you create an account we store your email address and a hashed password (or, if you sign in with Google, your Google account identifier). We do not store your Google password.
Testimonial content: When your customers submit testimonials through your Kudoso campaign pages, we store their name, email address (if requested), written responses, and video uploads. You own this content. We process it on your behalf.
Usage data: We log page views, API request counts, and feature usage (e.g. number of campaigns created) to operate the service and detect abuse. We do not sell or share this data.
Billing data: Payment processing is handled entirely by Polar. We store only a customer identifier and subscription status returned by Polar. We never see or store full card numbers.
Cookies: We set a session cookie for authentication (required to log in) and an active-organization cookie to remember which workspace you're using. We set no third-party advertising or tracking cookies.
How we use your data
We use the data we collect solely to operate and improve Kudoso:
- Authenticating you and your team members
- Storing and displaying testimonials you've collected
- Running AI analysis (summaries, sentiment) on testimonial content you explicitly trigger
- Sending transactional emails (new testimonial notifications, invitation emails, billing receipts)
- Detecting abuse and enforcing rate limits
- Improving product features based on aggregate, anonymized usage patterns
We do not send marketing emails unless you have explicitly opted in. We do not sell your data or your customers' data to any third party, ever.
AI processing
On the Pro plan, AI summaries are generated automatically in the background when a testimonial is submitted — the testimonial text is sent to Anthropic's API for processing. Sentiment analysis can be triggered manually from your dashboard. Anthropic's privacy policy governs how they handle that content. We do not use your testimonials to train any AI model.
Third-party services
We use the following sub-processors to operate Kudoso:
| Service | Purpose | Data shared |
|---|---|---|
| Hetzner (self-hosted) | Application hosting and database | All app data, stored on our own server in the EU |
| Cloudflare | Email delivery, video hosting (Stream), logo storage (R2), custom domain TLS | Email content, video uploads, logo images |
| Anthropic | AI summaries + sentiment analysis | Testimonial text (Pro plan, on submission and on-demand) |
| Polar | Payment processing and billing | Name, email, payment data |
| Google | OAuth sign-in (optional) | Email address and Google account ID if you choose Google sign-in |
Data retention
We retain your account data and testimonials for as long as your account is active. If you delete your account, we delete all associated data within 30 days, except where we are required to retain it for legal or accounting purposes (e.g. billing records for up to 7 years).
Testimonial content submitted by your customers is retained until you delete the campaign or your account, whichever comes first.
Your rights
Depending on where you live, you may have rights including:
- Access: request a copy of data we hold about you
- Correction: ask us to correct inaccurate data
- Deletion: request deletion of your account and associated data
- Portability: export your testimonial data in JSON or CSV
- Opt-out: opt out of any non-essential communications
To exercise any of these rights, email [email protected]. We will respond within 30 days.
Security
All data is encrypted in transit (TLS 1.2+). Our database is self-hosted on a private server and not exposed to the public internet. Your data is logically isolated per organization through application-level access controls. Passwords are hashed using bcrypt. We do not store plaintext credentials of any kind.
If you discover a security vulnerability, please report it to [email protected] rather than opening a public issue. We take security reports seriously and will respond promptly.
Children
Kudoso is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has submitted data through a campaign page, contact us and we will delete it promptly.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify you by email or by displaying a notice in the dashboard. The “last updated” date at the top of this page always reflects the current version.
Contact
Kudoso is operated by Ayush Sharma. For privacy-related questions or requests:
[email protected]