This policy explains how Kasava (“we”, “us”) handles information for the Kasava platform (web app, APIs, and Chrome extension). If anything is unclear or you need a DPA, contact `support@kasava.dev`.

Information We Collect

- Account: name, email, auth identifiers via GitHub OAuth/Supabase.

- Workspace: organization name, members, roles, plan and usage.

- Content you provide: prompts, chat messages, uploaded files, repository metadata/content, issues/PRs, and related context you connect.

- Integrations: OAuth tokens and connection metadata for services you choose (e.g., GitHub, Linear, Jira, Slack, Google Drive, Notion). Tokens are scope-limited and stored encrypted.

- Usage & diagnostics: device/IP, event logs, performance metrics; cookies/local storage for authentication and preferences.

- Billing: subscription status and invoice metadata via Stripe (we do not store full card numbers).

How We Use Information

- Provide, secure, and operate the service and AI features.

- Connect and sync with services you authorize; maintain organization/workspace settings.

- Improve reliability and performance; prevent abuse and fraud.

- Process payments and send essential service communications.

- Comply with law and enforce terms.

Processing by Vendors

- Hosting/infra: Cloudflare (Workers, R2, KV), PostgreSQL/Supabase.

- AI providers: Anthropic, Voyage and similar model providers process content to generate responses; we opt out of provider training where controls exist.

- Payments: Stripe processes payment data; its privacy terms apply.

- Optional product analytics: If enabled by your organization, we may collect aggregate usage (no document/repo content). Providers may include PostHog/Amplitude/Mixpanel; disabled by default unless configured.

Sharing

- With service providers under contract who help us run the service.

- With third‑party services you connect, strictly to perform requested actions.

- For legal compliance, safety, and to enforce agreements.

- In a merger, acquisition, or transfer; you’ll be notified where required.

- We do not sell personal data.

Retention

- We keep information while your account is active and as needed to provide the service, meet legal obligations, or resolve disputes. You may request deletion at any time.

- Chrome extension (Bug Detector) recordings: stored locally and in our backend when you submit; typical retention up to 30 days or until you delete.

Security

- Encryption in transit (TLS) and at rest (AES‑256‑GCM for sensitive data).

- Row‑level security and audit logging for data access.

- Access controls and key management with least privilege.

International Transfers

We process data in the US.

Your Rights

- Access, correct, delete, or export your data; object or restrict certain processing where applicable.

- Manage integrations and revoke access at any time.

- To exercise rights, email `support@kasava.dev`. We’ll respond as required by applicable law.

Children

Kasava is not intended for individuals under the age of 16. We don’t knowingly collect data from children; contact us to remove any such data.

Changes

We may update this policy from time to time. Material changes will be communicated (e.g., email or in‑app). Continued use means you accept the updated policy.

Contact

Email: support@kasava.dev