/ legal / privacy

Privacy Policy

Effective date: 13 May 2026 · Last updated: 27 May 2026
Working draft, pending counsel review. Treat this as informative — not a contract — until we mark it as in-force.

This Privacy Policy describes how Kashi Technologies Private Limited ("Kashi", "we", "us") collects, uses, shares, and protects information when you use our products — Cloudbrief, Paperbrief — and the websites kashilabs.ai, app.kashilabs.ai, paperbrief.app, cloudbrief.app, and kashitechnology.com (together, the "Services").

On this page
  1. Who we are
  2. What we collect
  3. How we use it
  4. Legal bases for processing
  5. Who we share data with
  6. Subprocessors
  7. How long we keep it
  8. How we protect it
  9. Your rights
  10. Children
  11. Changes to this policy
  12. Contact

1. Who we are

Kashi Technologies Private Limited is a company incorporated in India. For purposes of the EU/UK GDPR we are the data controller for the personal data we collect through the Services. Under the Digital Personal Data Protection Act, 2023 (India) we are the Data Fiduciary.

2. What we collect

2.1 Information you give us

  • Account data: name (optional), email address, password hash (if you set one), TOTP secret (encrypted) when you enable 2FA. We do not store your password in plain text.
  • Workspace data: the name you choose for your workspace, members you invite (their email addresses), the role you assign them.
  • Billing data: we do not store payment card numbers. Payments are processed by Razorpay (and, in some regions, Stripe). We store the payment provider's customer / subscription identifiers and invoice metadata returned to us.
  • Communications: emails you send to support@kashilabs.ai or other addresses, and any feedback you submit.

2.2 Information that flows through the Services

This is data that you choose to give the products to operate on. We hold it on your behalf, do not use it for our own purposes, and do not sell it.

  • Cloudbrief: AWS access keys and IAM identifiers you provide so the product can read your account; the metric, log, cost, and configuration data we fetch via read-only IAM (CloudWatch, Cost Explorer, RDS Performance Insights, ALB, CloudTrail); the AI-generated analysis reports we produce from that data; and, when you enable database deep-dives, the database hostnames, read-only credentials, and SSH-tunnel keys you supply.
  • Paperbrief: documents you upload (PDF, DOCX, etc.); the text and embeddings we derive from them; chat conversations you have with those documents; and any matrices you build over them.

2.3 Information we collect automatically

  • Authentication cookies: a short-lived state cookie during SSO sign-in. See the Cookie Policy.
  • Server logs: standard request logs (IP address, user-agent, URL path, timestamp, status code) retained for operational debugging and security.
  • Audit log: security-relevant actions inside the product — sign-in events, AWS credential changes, database connection actions, impersonation — written to an append-only audit table.

2.4 What we do not collect

  • We do not run third-party advertising trackers, Google Analytics, Meta Pixel, or similar.
  • We do not collect biometric, health, financial, or government-issued ID data.
  • We do not access write-permissioned AWS APIs. The IAM template you install grants Get* / List* / Describe* only.

3. How we use it

  • To deliver the Services — run analyses, generate reports, answer chat queries about your documents, send the daily Cloudbrief email, charge your subscription.
  • To keep the Services secure — detect abuse, rate-limit OTP and login attempts, investigate suspected unauthorised access, write audit-log rows.
  • To communicate with you — service emails (sign-in codes, daily reports, billing receipts, security alerts) and, only with your consent, occasional product updates.
  • To improve the Services — aggregated, de-identified analysis of how features are used. We do not train AI models on your data, and we do not share your content with anyone other than the subprocessors named below who help us run the Services.
  • To comply with law — respond to lawful orders, enforce our Terms, prevent fraud.

5. Who we share data with

We share personal data only with the categories below:

  • Subprocessors we engage to run the Services — see the table in section 6.
  • Other users in your workspace — if you invite teammates, they will see your name and the workspace activity you produce. Workspace owners and admins see all member activity.
  • Law-enforcement and regulators — only where we have a genuine legal obligation to disclose, and where lawful we will tell you first.
  • Acquirers — if Kashi Technologies is involved in a merger, acquisition, or sale of assets, your information may transfer with the business. We will notify you and explain your choices.

We do not sell personal data. We do not share it with advertisers.

6. Subprocessors

These third parties process personal data on our behalf to deliver the Services. Each is engaged under a contract that obliges them to protect the data and use it only for the purpose we specify.

SubprocessorPurposeWhere
Amazon Web Services, Inc. Compute, database, object storage, email delivery (SES) for the Services. India (Mumbai region, ap-south-1)
Anthropic PBC AI inference for analysis and chat (Claude models). USA
OpenAI, OpC Text embeddings for document search (Paperbrief only). USA
Razorpay Software Pvt Ltd Payments, subscriptions, invoices. India
Stripe, Inc. Payments outside India (when enabled). USA, Ireland
Cloudflare, Inc. DNS, CDN, edge protection, Pages hosting for marketing sites. Global edge network
GitHub, Inc. Source code, deployment workflows (no customer data). USA
Sentry / Functional Software, Inc. Application error monitoring (when enabled). Scrubbed of obvious PII. USA / EU

We will give you reasonable notice before adding or replacing a subprocessor. Business customers with a signed DPA can subscribe to subprocessor-change notifications.

7. How long we keep it

  • Account data: while your account is active. You may delete your account at any time; we will erase or anonymise your personal data within 30 days, save for items we must keep by law (e.g. tax records).
  • Workspace content (documents, reports, chat history, matrices): retained for the lifetime of the workspace. Deleted within 30 days of workspace deletion. Encrypted backups containing deleted content may persist for up to 90 days before they roll off.
  • AWS / database credentials: retained while the connection is active; erased on deletion of the connection. The CloudFormation user / database role you create on your side can also be revoked unilaterally at any time.
  • Audit logs & server logs: retained for 365 days for security and compliance, then purged.
  • Billing records: retained for the duration required by Indian tax law (currently 8 years).

8. How we protect it

  • TLS 1.2+ on every connection between you and the Services.
  • AWS access keys, SSH private keys, and TOTP secrets are encrypted at rest with PostgreSQL pgcrypto using a key held in AWS Systems Manager Parameter Store.
  • Document content is held in S3 with bucket-level encryption (SSE-S3); per-object presigned URLs are short-lived (15 minutes).
  • Database backups are encrypted at rest by RDS / EBS.
  • Two-factor authentication (TOTP) is available for password accounts. SSO sign-in inherits your identity provider's authentication strength.
  • Every admin-side action is recorded to an append-only audit table.
  • We run automated security scans (CodeQL, custom prompt-injection checks) on every commit.

No system is perfectly secure. If you suspect your account has been compromised, email security@kashilabs.ai immediately.

9. Your rights

Depending on where you live, you have some or all of the following rights:

  • Access a copy of the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and the personal data we hold about you. Some content (e.g. messages you sent to teammates) may persist where erasure would impact their use of the Services.
  • Export your data in a portable format.
  • Object to or restrict certain processing (e.g. marketing emails).
  • Withdraw consent where we relied on consent to process your data.
  • Lodge a complaint with your data-protection authority — or, in India, with the Data Protection Board once it is operational.

Most of these are self-serve in the product (see Settings → Account). For anything else, email privacy@kashilabs.ai. We respond within 30 days.

10. Children

The Services are not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a child, please write to privacy@kashilabs.ai and we will delete it.

11. Changes to this policy

We will update this policy as our Services or the law change. Material changes will be announced by email to account holders at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current revision.

12. Contact

For privacy questions or to exercise your rights: privacy@kashilabs.ai.

For grievances under the DPDP Act, 2023, contact the Grievance Officer: payal.patel@kashitechnology.com.

Postal: Kashi Technologies Private Limited, Fifth floor, office 520, 73 East avenue, Sarabhai road, Vadodara, Gujarat, India. PIN: 390019, India.