Legal
Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Kronavi Terms of Service between Kronavi (operated by Magnetiq Leads LLC, d/b/a Kronavi, “Processor”) and the Customer (“Controller”). It applies where Kronavi processes personal data on behalf of the Customer in connection with the Kronavi service.
1. Parties and scope
The Customer acts as the data controller, determining the purposes and means of processing. Kronavi acts as the data processor, processing personal data only on documented instructions from the Customer and only as necessary to deliver the Service.
This DPA covers personal data that Kronavi accesses, stores, or processes in order to provide the audit, mutation, and intelligence features described in the Terms of Service.
2. Nature and purpose of processing
Kronavi processes personal data solely to:
- Authenticate and authorise the Customer’s access to the Service.
- Retrieve data from the Customer’s connected GoHighLevel (“GHL”) account to run audits, generate findings, and produce remediation plans.
- Apply approved changes to the Customer’s GHL account on explicit instruction.
- Deliver transactional communications about the Service (billing, security, audit summaries).
3. Categories of data subjects and data types
- Customer’s administrators: email address, hashed password, GHL API credentials (encrypted), session tokens (encrypted, short-lived).
- Customer’s End Users (via GHL): contact records, CRM records, tags, pipeline stages, workflow configurations, and other metadata that exists inside the Customer’s GHL sub-account. Kronavi reads this data to produce audit findings; it is not stored long-term by Kronavi beyond the active audit pipeline window.
Kronavi does not intentionally collect special-category personal data (health, biometric, etc.). If any such data exists inside a Customer’s GHL account, the Customer is responsible for ensuring appropriate safeguards are in place before connecting Kronavi.
4. Sub-processors
Kronavi uses the following sub-processors. Kronavi will notify Customers of material sub-processor changes with at least 14 days’ notice before the change takes effect.
| Sub-processor | Role | Data location |
|---|---|---|
| Supabase | Database, authentication, and storage | United States (us-east-1) |
| Vercel | Web application hosting | United States (iad1) |
| DigitalOcean | Engine (backend) hosting | United States (NYC1) |
| Anthropic / Vercel AI Gateway | Large language model inference | United States |
| Resend | Transactional email delivery | United States |
| Stripe | Payment processing and subscription management | United States |
5. Security measures
- Encryption in transit: all traffic between the Customer’s browser, the Kronavi web app, and the engine is carried over TLS 1.2+. The engine endpoint enforces HTTPS with an HSTS header.
- Encryption at rest: GHL API keys, private integration tokens, session headers, and session cookies are encrypted at rest using AES-GCM with keys held outside the database. Passwords are hashed by Supabase Auth and are never stored in plaintext.
- Tenant isolation: Supabase row-level security policies restrict every customer row to that customer’s account. Engine routes validate the JWT before any data access.
- Minimal retention: End User PII from GHL audit runs is not retained beyond the active audit pipeline window. Diagnostic logs are retained for up to 30 days.
- Access control: production infrastructure access is restricted to authorised Kronavi personnel only.
6. Data subject rights
As the Controller, the Customer is responsible for handling data subject requests (access, rectification, erasure, portability, restriction) from their End Users. Where Kronavi’s assistance is required (e.g. to locate or delete specific records), Kronavi will respond to written requests from the Customer within 5 business days.
7. Breach notification
In the event Kronavi becomes aware of a personal data breach affecting Customer data, Kronavi will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include, to the extent known at the time: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
8. Deletion and return on termination
Upon termination of the Customer’s account or upon written request, Kronavi will delete or return all Customer personal data within 30 days, unless retention is required by applicable law. Diagnostic logs and audit trails may be retained for the legal retention period and then securely deleted.
9. Audit rights
The Customer may, no more than once per calendar year and upon at least 30 days’ written notice, audit Kronavi’s data processing activities to verify compliance with this DPA. Audits must be conducted during normal business hours, must not unreasonably disrupt operations, and are subject to reasonable cost reimbursement for Kronavi’s time. Customers may also request a copy of any applicable third-party security certifications in lieu of a direct audit.
10. Governing law
This DPA is governed by the same law and jurisdiction as the Terms of Service (State of Delaware, United States). To the extent required by EU/UK GDPR or equivalent regulation, the parties agree to execute Standard Contractual Clauses or equivalent transfer mechanisms upon request.
11. Contact
Questions about this DPA or data processing requests? Email legal@kronavi.com.