Privacy Policy

1.1.For personal data you submit about your own end users or third parties ("Customer Personal Data"), you act as the Data Fiduciary and Karya acts as a Data Processor, processing it only on your documented instructions to provide the Service.

1.2.For account, registration, billing, support, security, and administration data ("Account Data"), Karya acts as the Data Fiduciary. This Policy describes how we handle Account Data and how Customer Personal Data flows through the Service.

2.1 Information you provide

• Account registration: email address, name, business name, and whether the account is for personal or business use.
• Agent configuration: bot name, system prompt, language preference, response-length settings, channel configurations (e.g. Telegram, WhatsApp, Discord, Signal, Feishu credentials), and enabled features (web search, memory, voice transcription).
• Integration connections: OAuth authorisations for GitHub, Vercel, Netlify, and Google Workspace (calendar, contacts, email — read-only).
• Referral payout details: if you request payouts under the referral programme, your PAN, bank account number, IFSC code, and account-holder name (or UPI ID). PAN, account numbers, and UPI IDs are stored encrypted and are used solely to process payouts and to meet tax-withholding (TDS) and record-keeping obligations.
• Task and board data: titles, descriptions, statuses, priorities, tags, dependencies, and board configurations.
• Communications: support requests, feedback, and messages you send us.

2.2 Information collected automatically

• Session data: IP address, browser user-agent, session token, and session expiry.
• Security and fraud-prevention logs: sign-in attempts (the email entered, IP address, browser user-agent, and success or failure reason), the IP address and device identifier captured at sign-up (used to prevent referral fraud and account abuse), and an audit history of changes to payout methods (including the IP address and user-agent of the change).
• API usage data: endpoint, HTTP method, response status, prompt and completion token counts, cost, model identifier, and timestamp.
• Activity events: event type, action description, associated entity, and timestamp.
• Instance metadata: agent container status, infrastructure provider, and hostname.

2.3 Information from third parties

• OAuth profile data: name, email, and avatar from GitHub and Google as authorised during the OAuth flow.
• Payment status: subscription ID and payment-verification status from Razorpay. We do not receive or store your card details.

• Service delivery: to provide, operate, and maintain the Service, including provisioning and executing AI agents.
• AI processing: to process inputs through a third-party inference provider for agent functionality.
• Authentication: to verify identity, manage sessions, and secure account access.
• Billing: to enforce budget limits, track token usage, process payments, and manage subscriptions.
• Security: to monitor for abuse, detect threats, enforce rate limits, and investigate Terms violations.
• Communications: to send transactional emails (verification, payment confirmations) via Resend.
• Audit trail: to maintain activity logs for security, accountability, and dispute resolution.
• Improvement: to improve and develop the Service using aggregated and anonymised data only.
• Legal compliance: to comply with legal obligations and protect our rights.

We do not sell, rent, or trade your personal data, and we do not share it for advertising purposes.

4.1 Inference processing

User inputs, system prompts, and agent instructions are transmitted to a third-party serverless inference provider (the "Inference Provider") that runs an open-source model on a transient, per-request basis and returns the Output to your Instance. We contractually require the Inference Provider to process those inputs solely to generate your Output and not to retain, log beyond what is operationally necessary, train on, or otherwise reuse your data. We cannot, however, guarantee a third party's internal practices beyond the commitments it has made to us.

4.2 Chat content storage

Chat message content exchanged between you and your AI agent is not stored in KaryaClaw's central database. Only aggregate token counts (prompt and completion) are retained for billing and usage tracking.

4.3 Agent memory

When you enable memory, the agent may store conversation summaries and contextual information within your isolated container Instance. This data persists for the lifetime of the Instance and is destroyed when the Instance is terminated.

4.4 System prompts

System prompts you provide are stored to operate the agent and are transmitted to the Inference Provider with each interaction. They are treated as your Content.

4.5 Skill execution data

When skills execute through connected integrations, data from those services is processed in-memory by the agent and is not stored beyond what the agent writes to tasks, boards, or activity logs.

4.6 No training use

Karya does not use your conversations, Content, or Output to train AI models. The Inference Provider's practices are governed by its own terms; we contractually require that it does not use submitted data for its own model improvement.

4.7 Output monitoring

We do not routinely monitor or review agent outputs, but reserve the right to access agent activity for security investigations, abuse prevention, or legal compliance.

We share data only as necessary to operate the Service, with: the Inference Provider (input/output processing); the cloud / hosting provider (running Instances); Razorpay (payment processing — subscription ID and payment-verification status; and, if you request referral payouts, your PAN and bank account or UPI details, shared with Razorpay/RazorpayX solely to process the payout and meet tax-withholding (TDS) obligations); Resend (transactional email — email address); and GitHub, Vercel, Netlify, and Google Workspace (OAuth tokens, encrypted at rest and in transit, for the integrations you authorise). We may also disclose data where required by law, legal process, or to protect rights and safety. In a merger, acquisition, or asset sale, data may transfer as part of the transaction, with prior notice. We do not sell or trade personal data.

We apply technical and organisational measures including: encryption of OAuth integration tokens and payout details at rest (AES-256-GCM with per-token nonces); irreversible hashing of API key secrets (SHA-256) and password hashing using industry-standard algorithms; optional two-factor authentication and passkey (WebAuthn) sign-in; monitoring and rate limiting of sign-in attempts; per-IP and per-API-key rate limiting; CSRF protection via server-side state tokens; security headers and strict CORS; row-level authorisation filtering all queries by authenticated user; input validation and request-size limits; isolation of each agent in a separate container; secure logging that never records secrets; and circuit-breaker handling of upstream failures. No system is completely secure, and we do not warrant absolute security.

• Account data: retained while your account is active. When you delete your account, your account record and associated data are deleted immediately and your Instance is destroyed.
• Sessions: expire 48 hours after your last activity (extended while you remain active), with an absolute maximum age of 14 days, after which you must sign in again.
• Billing, payout, and usage records: retained only for the period required by accounting and tax law (in India, typically up to 8 years), including referral payout and TDS withholding records, then deleted or anonymised — not indefinitely.
• Audit / activity logs: sign-in attempt logs are retained for 90 days, administrative audit logs for 12 months, transactional email logs for 60 days, and payment webhook records for 30 days, after which they are automatically deleted.
• Agent containers (Instances): paused when your subscription is cancelled or lapses and preserved for a 7-day reactivation window, then permanently deleted (including agent memory stored within the Instance). Deleting your account destroys your Instance immediately.
• Integration tokens: deleted immediately when you disconnect an integration or delete your account.

Consistent with the DPDP Law, we erase personal data when the purpose for which it was collected is no longer served, including where you withdraw consent, unless retention is legally required. Limited copies may persist in encrypted backups for a short period after deletion from active systems.

Under the DPDP Law, and subject to verification of your identity, you have the right to: access a summary of your personal data and our processing; seek correction, completion, updating, and erasure of your personal data; readily withdraw any consent you have given; nominate another individual to exercise your rights in the event of death or incapacity; and access a grievance-redressal mechanism.

Exercising your rights

Contact our Grievance Officer (Section 15). We will respond within the timelines required by the DPDP Law. We may need to verify your identity. You may also request a machine-readable (JSON) export of your Account Data at any time. Where we process Customer Personal Data as a processor, we will refer requests to, or assist, the relevant customer (the Data Fiduciary). Some deletion requests may require account termination, as the agent cannot function without its configuration data.

We use strictly necessary session cookies for authentication; CSRF tokens are held server-side, not as browser cookies. We do not use advertising, remarketing, behavioural-tracking, or profiling cookies, and we do not embed third-party trackers or social pixels on the platform. Our promotion website may use privacy-focused, cookieless analytics. Disabling session cookies will prevent use of the platform.

The Service is for users aged 18 and over and for business use. We do not knowingly collect personal data from children under 18, and undertake no tracking or targeted advertising directed at children. If we learn we have collected such data, we will delete it. Contact us at support@the-karya.com if you believe a child has provided us data.

When you connect OAuth integrations, we store encrypted access tokens solely to provide the requested functionality, along with operational token metadata (team IDs, usernames, authorised scopes). Data accessed through integrations (repositories, deployments, calendar events, contacts, emails) is processed in real time and is not stored beyond what the agent writes to tasks, boards, or activity logs. We request only the minimum scopes necessary, do not use integration data for any other purpose, and delete stored tokens immediately when you disconnect.

Your data may be processed in jurisdictions where our infrastructure, inference, and other service providers operate. Where we transfer personal data outside India, we do so in accordance with the conditions permitted under the DPDP Law and apply appropriate contractual and technical safeguards with the relevant provider.

We process personal data on the basis of your consent and for the legitimate uses permitted under the DPDP Law: to perform our contract with you (account, agent operation, billing, support), to secure the Service and prevent abuse, and to comply with our legal obligations. You may withdraw consent at any time, which will not affect the lawfulness of processing carried out before withdrawal.

On becoming aware of a personal data breach, we will take reasonable steps to contain and remediate it and will notify the Data Protection Board of India and affected Data Principals where and within the timelines required by the DPDP Law. We maintain incident-response procedures to detect, investigate, contain, and respond to incidents, and will assist our customers in meeting their own obligations.

Grievance Officer / Data Protection Contact: Aarya Banthia

• Karya (operating as Karya Infrastructure)
• C4/94, Safdarjung Development Area, Delhi 110016, India
• Email: support@the-karya.com

We will acknowledge and address grievances within the timelines prescribed by the DPDP Law. If unsatisfied, you may complain to the Data Protection Board of India.

We may update this Policy. Material changes will be communicated by email or prominent notice at least fifteen (15) days before taking effect, and the updated Policy will be posted at the-karya.com/privacy. Continued use after the effective date constitutes acknowledgement. Prior versions are available on request.