Skip to main content

Privacy Policy

Last updated: 12 May 2026

This policy explains what personal data Kaarya collects, how we use it, where it goes, and the rights you have under India’s Digital Personal Data Protection Act 2023 (DPDP) and other applicable law.

1. Who we are

Kaarya (“we”, “us”) is operated by Kaarya (Sole Proprietorship) from Bareilly, Uttar Pradesh, India. Our registered address is listed in the site footer and on every tax invoice. For privacy questions, contact privacy@kaaryaai.in.

2. Data we collect

You give us directly

  • Account details: name, email, password (hashed) — managed by Supabase
  • Quiz answers: your skills, goals, experience, available hours, startup capital, risk appetite
  • Chat messages: conversations with the AI mentor
  • Payment info: handled by Dodo Payments — we never see your card details

We collect automatically

  • Usage data: which pages you visit, which maps you generate, milestone progress
  • Device data: browser type, IP address (for security and rate-limiting)
  • Local storage: some milestone progress is stored in your browser

3. How we use your data

  • To generate your personalized Kaarya Map and chat responses
  • To save your maps and progress so you can return to them
  • To process payments and manage your subscription
  • To improve the product (aggregated, non-identifying analytics)
  • To send essential service emails (you can’t opt out of these — they include things like payment receipts and security alerts)
  • To comply with legal obligations

4. Who we share it with (third parties)

Cross-border transfer notice: Some of these providers are outside India. By using Kaarya, you consent to your data being processed in those jurisdictions.
  • Supabase (Singapore region) — authentication and Postgres database; stores account credentials (hashed), quiz submissions, generated maps, and chat history at rest
  • OpenAI (USA) — AI model inference; your quiz answers and chat messages are sent here to generate responses
  • Dodo Payments — payment processing (Merchant of Record; processes globally)
  • Vercel (USA) — application hosting and edge delivery
  • Vercel Analytics — anonymous, cookie-light traffic measurement (only when you accept the cookie banner)

AI model training — what we send and what OpenAI does with it

OpenAI is an inference provider. The quiz answers and chat messages we send them are used to generate the response you see and nothing else: per OpenAI’s published API privacy terms, data submitted through the API is not used to train or fine-tune their models. We do not opt in to any training programme on your behalf and we do not pass your data to any model provider for training, including the OpenAI and Anthropic models we use or evaluate.

We also do not train our own models on your personal data. If we publish aggregated insights (for example “25% of users with skill X picked path Y”), those numbers are computed from data that cannot be re-identified to you.

We do not sell your personal data. We do not share it with advertisers.

5. How long we keep it

  • Account data: as long as your account is active
  • Maps and quiz answers: until you delete them or your account
  • Chat messages: linked to the map they discuss; deleted with the map
  • Payment records: retained for 8 years as required by Indian tax law
  • Deleted account data: purged from active systems within 30 days (backups within 90 days)

6. Your rights under DPDP

As a Data Principal, you have the right to:

  • Access a summary of the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Erase your account and all associated data (available in Settings)
  • Withdraw consent for processing (this will end your ability to use Kaarya)
  • Grievance redressal — complain to our Data Protection Officer (below); if unresolved in 30 days, escalate to the Data Protection Board of India

To exercise any of these rights, email privacy@kaaryaai.in. We’ll respond within 30 days.

7. Security

We use HTTPS everywhere, encrypt data at rest, and follow standard access controls. No system is 100% secure — if we discover a breach affecting your data, we’ll notify you and the Data Protection Board within 72 hours as required by DPDP.

8. Children

Kaarya is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has created an account, email us and we’ll delete it.

9. Cookies and local storage

We use essential cookies for authentication, session management, and your selected language. These are set without consent because the service cannot function without them.

We use one optional analytics cookie (Vercel Analytics) which is loaded only after you accept the cookie banner. It records anonymous, aggregated page views — no advertising identifiers, no cross-site tracking, no profile building. You can withdraw consent at any time by clearing the kaarya_cookie_consententry in your browser’s storage.

We store quiz progress and milestone state in your browser’s localStorageso you don’t lose it if you refresh or go offline. This data never leaves your device until you submit the quiz.

10. Changes

We’ll update this policy as the service evolves. Material changes will be communicated by email to active users.

11. Contact & grievance officer

Data Protection Officer: Moksh Sethi
Email: privacy@kaaryaai.in
Response time: within 30 days

Questions? Email legal@kaaryaai.in