Privacy Policy

1. Who we are

This Privacy Policy explains how Akaro AI (“Akaro”, “we”, “us”, “our”) collects, uses, stores, and shares personal data when you use our website at akaro.ai, our platform at platform.akaro.ai, our Chrome browser extension, and any related services (collectively, the “Services”).

Akaro AI is a sole proprietorship of Rohan Vij, registered under the Delhi Shops & Establishment Act, 1954 (Registration No. 2026019320), with its place of business at Flat No. 19, Jeevan Bima Apartment, East Arjun Nag, Delhi 110032, India.

For the purposes of GDPR and comparable laws, Rohan Vij is the data controller for personal data processed in connection with our marketing website and our own records about customers. Where we process personal data contained in customer content on behalf of a customer organisation that subscribes to the platform, we act as a data processor under that organisation’s instructions, and the Data Processing Agreement at /legal/data-processing applies.

For privacy questions, contact [email protected].

2. Information we collect

2.1 Information you provide

• Account: name, email address, password (stored only as a bcrypt hash), organisation name, role, and optionally a phone number and profile picture URL.
• Two-factor authentication: if you enable 2FA, we store a TOTP secret used to verify codes.
• Content you upload: documents (PDF, DOCX, XLSX, PPTX, TXT, CSV — currently up to 50 MB per file), URLs for website scraping, chat messages and attachments, questionnaire questions and answers, projects, and comments.
• Third-party connector tokens: OAuth access and refresh tokens for integrations you choose to connect (Google Drive, Notion, Confluence, Slack, Salesforce, HubSpot). Tokens are encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256) before storage.
• Support communications: the contents of emails you send to our support or legal addresses.

2.2 Information collected automatically

• Usage and activity logs: actions within the platform (document uploads, chat queries, project changes, logins), associated user identifiers, and timestamps. Stored in our activity log.
• Technical metadata: IP address, user-agent, and browser information included in standard HTTP request logs, used for security, rate-limiting, and debugging.
• Local browser storage: we store your JWT access and refresh tokens and your theme preference in your browser’s localStorage. We do not currently set any tracking cookies on our own domain. See our Cookie Policy.

2.3 Information from Google Sign-In

If you sign in with Google, we receive your Google account identifier, email address, name, and profile picture from Google. We do not receive your Google password. You can revoke our access at any time in your Google account settings.

2.4 Information from connectors and the Chrome extension

If you connect a third-party integration or use our Chrome extension, we access content you explicitly authorise:

• Google Drive: files and folders within the scope you select. Files are imported into your organisation’s knowledge base.
• Google Docs, Sheets, Slides (Chrome extension): content of the document you are viewing, for use in autofill and AI assistance.
• Gmail (Chrome extension): the email thread you are currently viewing, for reply-draft generation. Drafts are inserted into your composer; we do not send emails on your behalf.
• Notion, Confluence, Salesforce, HubSpot, Slack: pages, records, or messages within the workspaces you select, imported into your knowledge base on your instruction.

For each connector, we request the minimum OAuth scopes needed. You can disconnect any connector at any time, which immediately stops further data access; previously imported content remains in your knowledge base until you delete it.

3. How we use information

• To provide the Services — authenticating you, storing your content, generating AI answers, running connector imports, and delivering transactional email (verification, password reset, invitations, mentions).
• To operate, maintain, debug, and improve the Services, including measuring feature usage at an aggregate level.
• To protect the Services against abuse, fraud, and unauthorised access, including rate-limiting and security logging.
• To communicate with you about your account, product updates, and support.
• To comply with applicable law and respond to lawful requests.

We do not sell personal data. We do not use customer content to train any shared AI model. Queries sent to OpenAI are transmitted under OpenAI’s API terms, under which data submitted via the API is not used to train OpenAI’s models by default.

4. Legal bases for processing (EEA / UK)

If you are located in the EEA, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR:

• Performance of a contract — to provide the Services you have requested.
• Legitimate interests — to operate, secure, and improve the Services, and to contact existing customers about their accounts. We balance these interests against your rights.
• Consent — for marketing emails to non-customers and for optional features you enable. You can withdraw consent at any time.
• Legal obligation — to comply with applicable law.

5. How we share information

We share personal data only in the following limited circumstances:

• Sub-processors acting on our instructions to run the Services. Our current sub-processors are listed at /legal/subprocessors.
• Within your organisation — content and activity you create in Akaro is visible to other members of your organisation according to their role.
• Legal and safety — when required to comply with law, respond to lawful requests, protect our rights, or prevent harm.
• Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy continuing to apply.
• With your consent — any other sharing.

6. International transfers

Akaro is based in India. Public traffic to akaro.ai, www.akaro.ai, and platform.akaro.ai is fronted by Cloudflare’s global anycast edge network, which provides TLS termination, DDoS protection, and a web application firewall; Cloudflare sees request metadata (including source IP address) and, because TLS is terminated at the edge, request and response bodies before they are re-encrypted to our origin. The chat API at api.platform.akaro.ai bypasses Cloudflare and is served directly from our origin to preserve long-lived server-sent event streams. The platform backend runs on a dedicated virtual server hosted by Hostinger in the United States (Boston, Massachusetts). Structured account and content data are stored in MongoDB Atlas (a service of MongoDB, Inc.) in AWS US East (N. Virginia, us-east-1). Vector embeddings used for search are stored on the same server as the backend. API calls for AI features are transmitted to OpenAI, whose processing takes place primarily in the United States.

Where we transfer personal data out of the EEA, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (2021 modules) and equivalent mechanisms, and we implement supplementary measures where required.

7. Retention

We retain personal data only for as long as needed for the purposes described in this policy, or as required by law.

• Account and organisation data: retained while your account is active. On written request to [email protected], we delete account records within 30 days, subject to any legal retention obligations.
• Customer content (documents, chats, projects): retained until you delete it in-product or request bulk deletion. Deletion in-product removes associated embeddings from our vector store.
• Activity logs: currently retained for the lifetime of the organisation. We are working to introduce a configurable retention window; until then, you may request deletion of activity logs via email.
• Backups: our database provider retains encrypted point-in-time backups for up to 30 days; content you delete remains in those backups until the backup window rolls off.
• Transactional email logs (delivery metadata for verification, password reset, invitations) are retained by our email provider for up to 30 days.

8. Your rights

Depending on your location, you may have the rights to access, correct, delete, restrict, or object to our processing of your personal data, and to receive your data in a portable format. EEA residents also have the right to lodge a complaint with a supervisory authority. Indian residents have rights under the Digital Personal Data Protection Act, 2023, including rights of access, correction, and erasure. California residents have rights under the CCPA/CPRA including the right to know, delete, and opt out of “sale” or “sharing” of personal information (we do not sell or share personal information as defined by that law).

To exercise any of these rights, email [email protected]. We will verify your identity and respond within 30 days. If you are an end-user of a customer organisation, we may direct your request to the organisation that controls your data.

9. Security

We take reasonable technical and organisational measures to protect personal data, including TLS 1.2+ in transit, bcrypt for passwords, Fernet encryption for connector tokens, encryption at rest on our database provider, short-lived JWT access tokens, optional two-factor authentication, and principle-of-least-privilege access controls for our team. See the Security page for details. No method of transmission or storage is completely secure; if you believe your account has been compromised, email [email protected].

10. Children

The Services are not directed to individuals under 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data, contact [email protected] and we will delete it.

11. Changes

We may update this Privacy Policy from time to time. For material changes, we will give customers at least 30 days’ notice by email or prominent in-product notice before the change takes effect. The “Last updated” date above reflects the current version.

12. Contact

If you are in the EEA and believe we have not addressed your concern, you may lodge a complaint with your local data protection authority.