Privacy policy

You give us:

• Account info — email, username, and (optionally) display name and profile picture.
• List content — the links, titles, descriptions, and images you add to your lists.
• Payout details (creators of paid lists only) — your bank, NUBAN, and verified account-holder name. We pass these to our payment partner; we don’t store your full bank credentials.
• Anything else you send us — e.g. emails to support.

We collect automatically:

• Basic request data — IP address, browser type, pages viewed, timestamps. Used to operate the Service and prevent abuse.
• A session cookie (kurlio_sid) — an anonymous identifier used to count list views without double-counting the same visitor. It doesn’t identify you personally.
• Auth cookies — set by Supabase to keep you signed in.

From third parties:

• Payment partner — when you buy or sell a paid list, our payment provider tells us the transaction succeeded, the amount, and a transaction reference. We don’t see or store your card number.

• Run and improve the Service.
• Authenticate you and keep your account secure.
• Process payments and pay creators.
• Detect fraud, abuse, and violations of our Terms.
• Respond to support requests.
• Comply with legal obligations.

We don’t sell your personal data. We don’t run ads on Kurlio.

By design, your profile, public lists, and the links and descriptions inside them are visible to anyone on the internet. Your email, payout details, private lists, and saved lists are not.

• Supabase — our database, auth, and file storage provider.
• Our payment partner — to process purchases and pay out creators.
• Hosting and infrastructure providers — to serve the site.
• Law enforcement or regulators — when legally required.

The Kurlio Chrome extension is a thin client over the same account you use on this website. It exists to let you save the current tab or any link into one of your Kurlio lists without leaving the page.

What the extension accesses:

• The URL, title, and favicon of the tab you are currently viewing — only after you explicitly click Save in the popup or pick a context-menu item. No background scanning, no page-content reads, no continuous monitoring.
• Your Kurlio lists, fetched from this site so the popup’s dropdown is populated. Same data the dashboard shows.

What the extension stores locally:

• The id of your most recently used list in chrome.storage.local. Lets the right-click menu save without re-asking. Local-only, never transmitted, cleared when you sign out.

How the extension authenticates:

• Cookie piggyback. The extension calls kurlio.xyz with the session cookie your browser already holds from when you signed in on the website. The extension never reads, mints, or stores authentication tokens.

What the extension does not do:

• It does not read browsing history, bookmarks, or content from pages you visit.
• It does not include analytics, telemetry, or third-party trackers.
• It does not load remote code at runtime. All JavaScript that runs in the extension is bundled into the version published on the Chrome Web Store.
• It does not request additional permissions beyond activeTab, storage, contextMenus, notifications, and host access to kurlio.xyz.

Where extension-saved data ends up is the same place as web- saved data: in your Kurlio account on the Service, governed by everything else in this policy.

Our database is hosted in the EU (Ireland). Your data may be transferred to and processed in countries outside Nigeria, including for payment processing and email delivery. We rely on appropriate safeguards under applicable law for these transfers.

• Account data — for as long as your account is active.
• Public list content — until you delete it or delete your account.
• Transaction records — kept for at least 7 years to meet tax and accounting obligations.
• Logs — typically 30–90 days.

To delete your account, email jide.fabanwo@gmail.com. We’ll delete or anonymise your personal data within 30 days, except where we’re required to keep it (e.g., financial records).

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Request deletion of your account and associated data.
• Object to or restrict certain processing.
• Receive a copy of your data in a portable format.

Email jide.fabanwo@gmail.comto exercise any of these — including account deletion. We may need to verify your identity first, and will confirm by email once it’s done.

Kurlio is not intended for children under 13. If you believe a child has given us personal data, email jide.fabanwo@gmail.comand we’ll delete it.

We use HTTPS, encrypted storage at rest, row-level access controls in our database, and least-privilege access for staff and tooling. No system is perfectly secure — if you spot a vulnerability, please email jide.fabanwo@gmail.com before disclosing publicly.

If we make material changes, we’ll notify you by email or in-app at least 14 days before they take effect.

For anything privacy-related: jide.fabanwo@gmail.com.