Kasava

Privacy Policy

Effective: 2025-09-08

This policy explains how Kasava ("we", "us") handles information for the Kasava platform (web app, APIs, and Chrome extension). If anything is unclear or you need a DPA, contact support@kasava.dev.

Information We Collect

  • Account: name, email, auth identifiers via GitHub OAuth/Supabase.
  • Workspace: organization name, members, roles, plan and usage.
  • Content you provide: prompts, chat messages, uploaded files, repository metadata/content, issues/PRs, and related context you connect.
  • Integrations: OAuth tokens and connection metadata for services you choose (e.g., GitHub, Linear, Jira, Slack, Google Drive, Notion). Tokens are scope-limited and stored encrypted.
  • Usage & diagnostics: device/IP, event logs, performance metrics; cookies/local storage for authentication and preferences.
  • Billing: subscription status and invoice metadata via Stripe (we do not store full card numbers).

How We Use Information

  • Provide, secure, and operate the service and AI features.
  • Connect and sync with services you authorize; maintain organization/workspace settings.
  • Improve reliability and performance; prevent abuse and fraud.
  • Process payments and send essential service communications.
  • Comply with law and enforce terms.

Processing by Vendors

  • Hosting/infra: Cloudflare (Workers, R2, KV), PostgreSQL/Supabase.
  • AI providers: Anthropic, Voyage and similar model providers process content to generate responses; we opt out of provider training where controls exist.
  • Payments: Stripe processes payment data; its privacy terms apply.
  • Optional product analytics: If enabled by your organization, we may collect aggregate usage (no document/repo content). Providers may include PostHog/Amplitude/Mixpanel; disabled by default unless configured.

Sharing

  • With service providers under contract who help us run the service.
  • With third-party services you connect, strictly to perform requested actions.
  • For legal compliance, safety, and to enforce agreements.
  • In a merger, acquisition, or transfer; you'll be notified where required.
  • We do not sell personal data.

Retention

  • We keep information while your account is active and as needed to provide the service, meet legal obligations, or resolve disputes. You may request deletion at any time.
  • Chrome extension (Bug Detector) recordings: stored locally and in our backend when you submit; typical retention up to 30 days or until you delete.

Security

  • Encryption in transit (TLS) and at rest (AES-256-GCM for sensitive data).
  • Row-level security and audit logging for data access.
  • Access controls and key management with least privilege.

International Transfers

We process data in the US.

Your Rights

  • Access, correct, delete, or export your data; object or restrict certain processing where applicable.
  • Manage integrations and revoke access at any time.
  • To exercise rights, email support@kasava.dev. We'll respond as required by applicable law.

Children

Kasava is not intended for individuals under the age of 16. We don't knowingly collect data from children; contact us to remove any such data.

Changes

We may update this policy from time to time. Material changes will be communicated (e.g., email or in-app). Continued use means you accept the updated policy.

Contact

Email: support@kasava.dev