Privacy Policy

• Account information: email, hashed password, full name, company name (optional).
• Customer content: data you provide to or generate within Kalpana — chat messages, business mind pages, uploaded documents, and content fetched via connectors you authorize.
• Local files (Kalpana Desktop): file contents from folders you explicitly grant access to. Files never leave your machine unless you instruct Atlas to act on them (e.g., draft an email referencing a document).
• Usage data: IP address, browser/OS, device fingerprint for license enforcement, page views, feature usage.
• Billing data: handled by Stripe; we store only Stripe customer/subscription IDs, not card numbers.

• To operate the Service (run AI tasks, store your data).
• To authenticate you and prevent fraud.
• To send transactional emails (welcome, billing, security alerts). We don’t send marketing without opt-in.
• To improve product reliability via aggregate, non-identifying telemetry.

We share data only with subprocessors needed to deliver the Service:

• Anthropic — LLM inference. Subject to Anthropic’s zero-retention policy when configured.
• Supabase — managed Postgres + storage.
• Vercel — application hosting.
• Stripe — payments.

We never sell your data. We never share it with advertisers. We disclose to law enforcement only on valid legal process and we will challenge overbroad requests where lawful.

We do not train foundation models on your Customer Content. Anthropic, our LLM provider, also does not train on API content. Aggregated, de-identified usage metrics may be used to improve our internal heuristics and routing.

By default, data is stored in the United States (Supabase us-east-2). Enterprise customers can elect EU residency or self-host on their own infrastructure (Helm chart).

We retain Customer Content for the life of your account plus 30 days. Audit logs are retained for 1 year. Billing records are retained for 7 years per US tax law. You can request earlier deletion at any time.

• Access: Export your data from your dashboard or by emailing us.
• Correction: Update profile info anytime.
• Deletion: Delete your account from your dashboard (full deletion completes within 30 days).
• Portability: Export to JSON / CSV.
• GDPR / CCPA: EU and California residents have the rights described above plus the right to object to processing and to file a complaint with a supervisory authority.

• TLS 1.2+ for all traffic.
• Passwords stored as scrypt hashes (we never see plaintext).
• Database access limited to scoped service accounts; no employee has direct access to Customer Content without audited cause.
• Customer Content is encrypted at rest in Supabase Postgres.
• SOC 2 Type II evidence collection in progress.

We use a single first-party cookie (kalpana_admin_session) to keep you signed in. We do not use advertising or tracking cookies.

Kalpana is not intended for users under 16. We do not knowingly collect data from children.

We’ll notify you of material changes by email or in-product notice at least 30 days before they take effect.

Email dhruvstar0526@gmail.com with privacy questions or to exercise your rights.