This Privacy Policy explains how NIMUGIRE Business Ltd (Kigali, Rwanda), operator of the KoraStudio platform (“KoraStudio”, “we”, “us”), collects, uses, stores, and shares personal data when you visit korastudio.rw, create an account, or use any KoraStudio service (the “Service”).
We operate primarily under the Rwandan Law N° 058/2021 of 13/10/2021 relating to the protection of personal data and privacy. Where we serve customers in the European Economic Area, we apply equivalent safeguards inspired by the EU General Data Protection Regulation (GDPR) — including a clear lawful basis for every processing activity, data-subject rights, and processor agreements with our sub-processors.
1. Information We Collect
1.1 Information you provide
- Account data: name, email address, password hash, phone number (optional).
- Studio data: studio name, logo, branding, plan, billing details.
- Customer-of-customer data: the contact details, project files, invoices, and messages of your clients that you upload — you are the controller of this data; we process it for you.
- Payment data: handled by our payment processor (Paypack); we receive metadata (amount, reference, status) but not your MoMo PIN or bank credentials.
- Support data: messages you send via the contact form, email, or live chat.
1.2 Information collected automatically
- Usage data: pages visited, features used, request timestamps, errors encountered.
- Device data: IP address, browser type, operating system, screen size, referrer.
- Cookies and similar technologies — see section 5.
1.3 Information from third parties
If you sign in with a social provider (Google, etc.), we receive your name, email, and avatar URL as authorised by you. If a Paypack payment succeeds or fails, we receive a webhook with the transaction status.
2. How We Use Your Information
- To operate the Service: authenticate you, render your dashboard, deliver client portals, store files, run AI features.
- To process payments: initiate mobile-money charges, record invoices, send receipts.
- To communicate with you: transactional notifications, security alerts, replies to your support requests.
- To improve the Service: aggregated, de-identified analytics that help us understand which features are useful.
- To keep the Service secure: detect abuse, prevent fraud, enforce our Terms of Service.
- To comply with law: respond to lawful requests from Rwandan authorities and meet our regulatory obligations.
We do not sell your personal data, and we do not use Customer Content to train third-party AI models. AI features process content on a per-request basis through providers bound by confidentiality and data-retention controls.
3. Data Storage & Hosting
We use trusted infrastructure providers to operate KoraStudio. Data may be stored in regions outside Rwanda; where this happens we rely on the provider's certifications (ISO 27001, SOC 2 Type II) and contractual safeguards.
- Supabase — primary database and authentication. Data is hosted in a Supabase project we control.
- Vercel — application hosting and edge delivery for the web app.
- Cloudflare R2 — file storage for the files you and your clients upload (project deliverables, portfolio media, invoice PDFs).
Backups are encrypted at rest and retained for up to 30 days. Network traffic between you and KoraStudio is encrypted in transit (HTTPS/TLS 1.2+).
4. Third-Party Services (Sub-processors)
We share the minimum necessary data with carefully selected sub-processors to deliver specific features. Each is bound by a data-processing agreement and obligated to handle data on our behalf.
- Paypack — mobile-money payments (MTN MoMo, Airtel Money). Receives payer phone number, amount, and reference.
- Africa's Talking — SMS delivery (for notifications and the contact form). Receives recipient phone number and message body.
- Resend — transactional email delivery. Receives recipient email address and the email content.
- Cloudflare R2 — object storage for uploaded files (see section 3).
- AI providers — the LLM provider powering AI cowork, captions, and website generation. Receives the prompt and content you submit for that specific request; no long-term training on your content.
We may add or change sub-processors as the platform evolves. Material changes will be reflected in this Policy with a revised effective date.
5. Cookies & Similar Technologies
We use a minimal set of cookies, all of them strictly necessary or first-party:
- Session cookies — keep you signed in; expire when you log out or after inactivity.
- CSRF tokens — protect against cross-site request forgery on forms and mutations.
- Preference cookies — remember UI settings (e.g. theme, last-used studio).
We do not use third-party advertising or cross-site tracking cookies. You can block cookies in your browser, but doing so may break sign-in and other essential features.
6. Your Rights
Subject to applicable law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your account and personal data (subject to legal retention obligations).
- Restriction — limit how we process your data while a question is being resolved.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to specific processing activities, including direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
To exercise any of these rights, contact hello@korastudio.rw. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the National Cyber Security Authority (NCSA) of Rwanda or with your local data-protection authority.
7. Data Retention
- Account & studio data: retained for as long as your account is active, and for 30 days after termination to allow recovery and export.
- Customer Content (files, projects, invoices): retained for the lifetime of the account; deleted on request or 30 days after account closure.
- Billing records: retained for up to 10 years as required by Rwandan tax law.
- Server logs: retained for up to 90 days for security and debugging.
- Backups: rotated and overwritten within 30 days.
8. Children
KoraStudio is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
9. International Transfers
Some sub-processors (notably Vercel, Cloudflare, Resend, and AI providers) process data outside Rwanda. We rely on each recipient's appropriate safeguards (certifications, contractual clauses) to ensure your data remains protected.
10. Changes to This Policy
We may update this Privacy Policy as the Service evolves. The effective date at the top of this page reflects the most recent revision. Material changes will be announced via dashboard banner or email at least 14 days before they take effect.
11. Contact
NIMUGIRE Business Ltd
Operator of KoraStudio · Data Controller
Kigali, Rwanda
Email: hello@korastudio.rw
Contact form: korastudio.rw/contact