Legal
Privacy Policy
Effective date: May 15, 2026
This Privacy Policy explains how Karuka AI LLC (“Vaaha”, “we”, “us”) collects, uses, stores, and shares information when you use the Vaaha platform at vaaha.ai and any related services (collectively, the Service). By using the Service you agree to the practices described here.
1. Information we collect
Account information
When you sign up we collect your name, email address, and password (hashed) or, if you sign in via Google, the email, name, and profile image returned by Google’s OAuth flow. We never receive your Google password.
Content you upload
The Service is designed for you to upload business documents and create business records. That includes contracts, invoices, purchase orders, regulatory filings, company formation papers, EIN letters, product photos, brand assets, partner / supplier information, and related notes. Anything you upload is your content — see § 4 of the Terms of Service for the rights you grant us to process it.
Derived data
When you use AI features (contract analysis, redline generation, brand briefs, document extraction, etc.) we generate analyses, summaries, redlines, suggestions, and embeddings from your content. These are stored alongside the source content and are treated with the same privacy protections.
Usage and diagnostic data
We collect IP addresses, browser type, pages visited, timestamps of actions, and similar operational metadata so the Service can run reliably, surface errors, and enforce abuse protections.
Cookies
We use a single first-party session cookie to keep you signed in. It is HTTP-only, Secure, and SameSite=Lax. We do not use third-party advertising cookies or cross-site tracking technologies.
2. How we use your information
- To provide and operate the Service (authentication, file storage, AI analysis, search, exports).
- To generate the outputs you ask for — contract redlines, document extractions, summaries, recommendations, branded exports.
- To improve the Service: aggregated, de-identified usage patterns help us prioritize features and fix bugs. We do not use the content of your documents to train any external AI model. If we later develop internal models specific to the Service, we will use only de-identified, aggregated data and will disclose that change in an updated version of this policy.
- To communicate with you about your account, security events, and product changes. We may also send marketing emails about new features and offerings; you can opt out at any time using the unsubscribe link in those emails or by updating your account preferences.
- To comply with legal obligations and enforce our Terms of Service.
- To safeguard the Service and our users by detecting, investigating, and preventing fraud, abuse, and security incidents.
3. Subprocessors and third-party services
Vaaha relies on the following third parties to deliver the Service. Each receives only the data necessary to perform its function and is bound by its own privacy commitments.
- Amazon Web Services — application hosting, database, file storage, queues, and TLS termination, in U.S. regions.
- Anthropic, PBC — Claude models for AI analysis, classification, and generation.
- OpenAI — GPT models for select multi-model consensus tasks.
- Google LLC — Gemini models for select tasks; Google OAuth for sign-in if you choose that option.
- Voyage AI — text embeddings and reranking to power semantic search over your files.
Each of these subprocessors acts as a “service provider” under the California Consumer Privacy Act and a “processor” under the EU/UK General Data Protection Regulation, pursuant to data processing agreements that restrict their use of your data to providing the Service to us. Each subprocessor’s own data handling is governed by its respective privacy and API policies, available on their websites.
Where a customer requires it, we will provide at least 30 days’ advance notice before a new subprocessor begins processing customer data, so that customers may object or terminate. A Data Processing Agreement (DPA) is available to enterprise customers upon request by emailing contact@karuka.ai.
4. Data storage and security
All data is stored in the United States. Files and databases are encrypted at rest using industry-standard managed encryption. Traffic between you and the Service is encrypted in transit via TLS 1.2 or higher. Each user’s files are stored under a per-user storage prefix, and API requests are scoped to the authenticated user.
We take reasonable administrative, technical, and organizational measures to protect your information, but no system is perfectly secure. If you believe your account has been compromised, contact us immediately.
5. Retention
We retain your data for as long as your account is active. When you delete content (e.g. archive a contract, delete an invoice), the record is soft-deleted via a deleted_at timestamp and removed from your views immediately; the underlying row remains in our database for a recovery period (currently 30 days) before permanent deletion. You can request immediate hard deletion of your entire account by contacting us.
Operational and security logs (including IP addresses, audit trails, and abuse-detection signals) may be retained for up to 180 days after account deletion to investigate security incidents, prevent fraud, and comply with legal obligations.
6. Security incidents and breach notification
If we become aware of a security incident that affects your personal data, we will notify you and applicable supervisory authorities in accordance with applicable law, generally within 72 hours of discovery. Our notification will describe the nature of the incident, the categories of data affected, the steps we are taking to address it, and any actions you may need to take to protect yourself. If you believe your account has been compromised, contact us immediately at contact@karuka.ai.
7. Automated decision-making and AI outputs
The Service uses AI to generate analyses, redlines, recommendations, and other outputs from your content. These outputs are surfaced to you for your review and action — they are not used to make automated decisions about you that produce legal or similarly significant effects without your involvement. AI-generated outputs may contain inaccuracies; your use of those outputs is governed by the Terms of Service, which limits our liability for reliance on AI-generated content.
8. Government and legal requests
We may disclose information when required by law, subpoena, court order, or other valid legal process, or where we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of Vaaha, our users, or the public. We will notify the affected user of such requests where permitted by law, and will challenge requests that we believe to be overly broad or invalid.
9. Your rights
Depending on where you live, you may have rights under applicable privacy law (including GDPR, UK GDPR, CCPA / CPRA) to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Request export of your data in a portable format.
- Object to or restrict certain processing.
You can exercise most of these rights directly inside the Service (delete actions, export buttons on each module). For anything you can’t do in-app, email us using the contact details below.
For California residents: under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have specific rights regarding your personal information. We do not sell or share your personal information as those terms are defined under the CCPA, and we have not sold or shared personal information in the preceding 12 months. We do not use or disclose sensitive personal information for purposes other than providing the Service to you. The categories of personal information we collect include: identifiers (name, email), commercial information (account activity), internet or other electronic network activity information (IP addresses, log data), and the content you upload.
10. Children
The Service is intended for business users 18 years of age or older. We do not knowingly collect personal information from anyone under 18.
11. International users
The Service is operated from the United States. If you access it from outside the U.S., you consent to the transfer and processing of your information in the U.S.
12. Changes to this policy
We will post updates to this page and update the “Effective date” above. For material changes (e.g., a new category of data we collect, a new third-party subprocessor handling your data), we will notify active users by email with at least 30 days’ advance notice where feasible, so customers may object or terminate.
13. Contact
For privacy questions, data requests, or to report a security concern, email contact@karuka.ai. The data controller is Karuka AI LLC, registered in the State of Washington, United States.
