Privacy Policy

1. Introduction

Kertas ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our multi-agent AI document intelligence and workflow automation platform.

By using Kertas, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

• Account Information: Email address, name, organization details
• Documents: PDFs, images, text files, and other documents you upload or connect via integrations
• Content: Chat messages, follow-up tasks, workflow definitions, custom skills, and annotations
• Payment Information: Processed securely through Stripe (we do not store credit card numbers)

2.2 Automatically Collected Information

• Usage Data: API calls, feature usage, credit consumption, workflow executions
• Device Information: Browser type, IP address, device identifiers, operating system
• Log Data: Access times, error logs, performance metrics
• Cookies: Session management, authentication tokens, user preferences

2.3 Information from Third-Party Services

• Google Drive: File metadata and content you authorize us to access
• OAuth Providers: Authentication details from Google OAuth

3. How We Use Your Information

We use the collected information for:

• Core Services: Document processing, AI chat, RAG search, workflow automation, knowledge graph generation
• Multi-Agent Processing: Distributing tasks across 7-8 specialized AI agents for efficient query resolution
• Intelligence Features: Entity extraction, topic taxonomy, conversation compaction, semantic memory
• Account Management: Authentication, credit balance tracking, subscription management
• Platform Improvement: Analyzing usage patterns, improving AI models, optimizing performance
• Communication: Service updates, security alerts, billing notifications
• Compliance: Legal obligations, fraud prevention, abuse detection

4. AI Processing & Third-Party Services

4.1 AI Processing

Your documents and conversations are processed using AI services including:

• BytePlus AI: For embeddings, vision-language processing, and chat completions
• Tavily (Optional): For web search capabilities

These services process your content to provide AI-powered features but do not retain your data for training their models without your explicit consent.

4.2 Infrastructure Partners

• Cloudflare: Hosting, CDN, DDoS protection, serverless compute (Workers, D1, R2, KV, Vectorize)
• Stripe: Payment processing and subscription management
• Resend: Transactional email delivery

5. Data Storage & Security

5.1 Storage Locations

• Documents: Cloudflare R2 (object storage) with AES-256 encryption
• Metadata: Cloudflare D1 (SQLite database)
• Vectors: Cloudflare Vectorize (vector database)
• Cache: Cloudflare KV (key-value store)

5.2 Security Measures

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• EdDSA JWT-based authentication
• Role-based access control (RBAC)
• Multi-tenant data isolation
• Regular security audits and updates
• DDoS protection via Cloudflare

6. Data Sharing & Disclosure

We do not sell your personal information. We may share data in these circumstances:

• With Your Consent: When you authorize sharing via integrations (e.g., Google Drive)
• Within Your Organization: Documents marked as "shared" are accessible to organization members with appropriate permissions
• Service Providers: AI processing (BytePlus), payments (Stripe), email (Resend), hosting (Cloudflare)
• Legal Requirements: When required by law, court order, or to protect our rights
• Business Transfers: In case of merger, acquisition, or asset sale

7. Data Retention

• Active Accounts: Data retained while your account is active
• Deleted Content: Permanently deleted within 30 days of deletion request
• Closed Accounts: Data retained for 90 days, then permanently deleted
• Legal/Billing Records: Retained as required by law (typically 7 years)
• Backups: May persist in backups for up to 90 days

8. Your Rights (GDPR & Privacy Laws)

You have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Export your data in machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to certain processing activities
• Withdraw Consent: Revoke consent for data processing at any time

To exercise these rights, contact us at privacy@kertas.ai

9. International Data Transfers

Kertas operates on Cloudflare's global network. Your data may be processed in data centers worldwide. We ensure adequate safeguards through Cloudflare's compliance with EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs).

10. Children's Privacy

Kertas is not intended for children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe we have collected information from a child, contact us immediately.

11. Cookies & Tracking

We use cookies and similar technologies for:

• Essential: Authentication, session management, security
• Functional: User preferences, language settings
• Analytics: Usage patterns, performance monitoring (anonymized)

You can control cookies through your browser settings, but disabling them may affect functionality.

12. Changes to This Policy

We may update this Privacy Policy periodically. Significant changes will be notified via email or prominent notice on our platform. Continued use after changes constitutes acceptance.

13. Contact Us

For privacy-related questions or to exercise your rights:

• Email: privacy@kertas.ai
• Website: https://kertas.ai

EU Representative: For GDPR inquiries, contact gdpr@kertas.ai