1. Introduction
This Privacy Policy describes how Dairakar Inc. ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use the Dairakar platform (the "Service"), including our website, applications, APIs, and Client Portal.
This policy applies to all users of the Service, including account holders, workspace members, and clients who access scope documents via the Client Portal. By using the Service, you consent to the data practices described in this policy.
We are committed to protecting your privacy and handling your data with transparency and in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA/CPRA), and other applicable regulations.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, password (hashed), profile avatar, locale/language preference, timezone, and notification preferences.
- Workspace Information: Workspace name, logo, and organizational settings.
- Project Content: Communications (emails, messages, meeting notes, and documents) you upload; scope items, requirements, assumptions, risks, and baselines generated or created within the Service.
- Client Information: Names and email addresses of clients you invite to the Client Portal; client feedback, approval decisions, and change requests submitted through the portal.
- Payment Information: Billing details are processed by our payment processor, Paddle. We store your subscription plan, billing status, and transaction history, but we do not store full credit card numbers or payment card details.
- Support Communications: Any correspondence you send to our support team, including email content and attachments.
2.2 Information Collected Automatically
- Usage Data: Pages viewed, features used, timestamps, click patterns, and interaction data within the Service.
- Device and Browser Data: IP address, browser type and version, operating system, device type, screen resolution, and language settings.
- Session Data: Session tokens, login timestamps, session duration, active session metadata (IP, user agent, last activity), and authentication method used.
- Audit Logs: Records of user actions within the Service, including project modifications, scope changes, approval actions, member management, and administrative operations. Audit log retention periods vary by plan (30–365 days, or custom for Enterprise).
2.3 Information from Third-Party Integrations
When you connect third-party services (e.g., Gmail, Slack) via OAuth, we collect:
- OAuth tokens (stored encrypted) and connected account identifiers;
- Messages, emails, or communications data that you authorize the Service to access;
- Provider-specific profile information (name, email, avatar) from social login providers (Google OAuth).
We access only the data necessary to provide the Service's communication analysis features and do not access data beyond the scopes you authorize.
2.4 Information from Connected Accounts
If you sign in using a third-party authentication provider (e.g., Google), we receive your name, email address, and profile picture from that provider. We link this information to your Dairakar account.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Service Delivery
- Providing, maintaining, and improving the Service;
- Processing your communications through AI Features to extract requirements, detect assumptions, analyze risks, identify missing information, compare scope changes, and generate clarification suggestions;
- Managing your Account, Workspace, projects, and team memberships;
- Generating and delivering scope baselines and client approvals via the Client Portal;
- Processing payments and managing your Subscription Plan.
3.2 Communication
- Sending transactional emails (e.g., account verification, password resets, email change confirmations, workspace invitations);
- Sending in-app notifications and real-time alerts (e.g., project updates, scope changes, client responses);
- Providing customer support;
- Sending service-related announcements and updates.
3.3 Security and Protection
- Detecting and preventing fraud, abuse, and security incidents;
- Managing authentication, including two-factor authentication (2FA) and session management;
- Maintaining audit logs for accountability and compliance;
- Rate-limiting API and portal access to prevent abuse.
3.4 Analytics and Improvement
- Understanding how users interact with the Service to improve user experience;
- Generating aggregated, anonymized statistics about Service usage;
- Improving the accuracy and performance of our AI Features using aggregated, de-identified data patterns (never individual customer content).
3.5 Legal Compliance
- Complying with applicable laws, regulations, and legal processes;
- Responding to lawful requests from public and government authorities;
- Enforcing our Terms of Use.
4. AI Data Processing
Because our Service uses AI extensively, we want to be transparent about how your data interacts with AI systems:
4.1 What Data Is Processed by AI
When you upload communications or trigger AI analysis, the text content of those communications is sent to our AI processing pipeline. This includes:
- Client emails, messages, and meeting notes;
- Existing scope items and baselines (for comparison analysis);
- Document text content.
4.2 Third-Party AI Providers
We use third-party AI providers including OpenAI, Anthropic, Deepseek and Google (Gemini) to power our AI Features. When your data is processed:
- Data is transmitted securely via encrypted connections (TLS);
- We have Data Processing Agreements (DPAs) with each provider that prohibit them from using your Content to train their models;
- Data is processed in real-time and is not persistently stored by third-party providers beyond the duration of the API request;
- We maintain AI usage logs that record token consumption, provider used, model used, and processing status, but not the content of your communications.
4.3 AI Governance
System administrators can configure AI provider settings, model selection, and task-specific configurations through the AI Governance dashboard. Enterprise customers may request additional controls, including provider restrictions and data residency requirements.
4.4 No Automated Decision-Making with Legal Effect
Our AI Features are assistive tools. No automated decisions made by the AI system have legal or similarly significant effects on you or your clients without human review and intervention. All AI outputs require human validation before being acted upon or shared.
4.5 Encrypted Storage of Communications
All communications data processed through our AI Features, including emails, messages, meeting notes, and documents, is stored in encrypted form at rest using AES-256 encryption. This applies to:
- Raw communications uploaded or imported into the Service;
- AI-generated analysis outputs, extracted requirements, assumptions, and risk assessments;
- Temporary processing buffers and cached analysis results.
Encryption keys are managed separately from the data they protect and are rotated on a regular schedule. Access to decrypted data is strictly limited to authorized systems and personnel on a need-to-access basis during active processing.
5. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
5.1 Within Your Workspace
Content and information within a Workspace is accessible to other members of that Workspace based on their assigned roles and permissions (Owner, Admin, Member, Viewer).
5.2 With Your Clients
When you generate client access links, scope baselines, change sets, and response requests are made accessible to clients through the Client Portal. You control what data is shared with clients.
5.3 Service Providers
We engage trusted third-party service providers who assist us in operating the Service:
- Payment Processing: Paddle (billing, subscriptions, invoices);
- AI Processing: OpenAI, Anthropic, Deepseek, Google (AI analysis features);
- Email Delivery: Resend / SMTP providers (transactional emails);
- Real-Time Communication: Laravel Reverb (WebSocket-based notifications);
- Infrastructure: Cloud hosting and database providers.
All service providers are bound by contractual obligations to protect your data and use it only for the purposes for which it was disclosed.
5.4 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
5.5 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
6. Data Security
We implement industry-standard security measures to protect your data. These include:
6.1 Technical Safeguards
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL;
- Encryption at Rest: Sensitive data is encrypted at rest using AES-256 encryption;
- Password Security: Passwords are hashed using bcrypt with a high cost factor (12 rounds);
- Two-Factor Authentication (2FA): Optional TOTP-based 2FA with encrypted recovery codes;
- Session Management: Active session monitoring, ability to revoke individual or all sessions, and session expiration controls;
- Rate Limiting: API and authentication endpoints are rate-limited to prevent brute-force attacks;
- Token-Based Client Access: Client Portal uses cryptographically generated, time-limited tokens. Tokens can be revoked at any time.
6.2 Organizational Safeguards
- Access to production systems and customer data is restricted to authorized personnel on a need-to-know basis;
- Regular security assessments and code reviews;
- Incident response procedures for data breaches;
- Employee security awareness training.
6.3 Breach Notification
In the event of a data breach that affects your personal information, we will notify you and any relevant supervisory authorities within the timeframes required by applicable law (e.g., 72 hours under GDPR). Notification will include the nature of the breach, the data affected, and the steps we are taking to mitigate it.
7. Data Retention
7.1 Active Accounts
We retain your Content and personal information for as long as your Account is active or as needed to provide the Service. Specific retention periods include:
- Account Data: Retained while your Account exists;
- Project Content: Retained while your Account is active;
- Audit Logs: Retained per your Subscription Plan (30, 180, or 365 days, or custom);
- AI Usage Logs: Retained for billing and governance purposes for 90 days;
- Session Data: Active sessions expire per configured lifetime; inactive sessions are automatically purged.
7.2 Deleted Accounts
Upon account deletion, we will:
- Permanently delete your personal information within 30 days;
- Delete your Content within 30 days;
- Retain certain anonymized, aggregated data that cannot be traced back to you;
- Retain records as required by law (e.g., financial records for tax compliance).
7.3 Client Portal Data
Client responses, approvals, and change requests are retained as part of the Workspace's project data. When a client access token is revoked, the client loses access but historical data is retained in the project audit trail.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
8.1 Rights Under GDPR (EEA/UK Residents)
- Right of Access: Request a copy of the personal data we hold about you;
- Right to Rectification: Request correction of inaccurate or incomplete data;
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention requirements;
- Right to Restriction of Processing: Request that we restrict processing of your data in certain circumstances;
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format (JSON, CSV);
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes;
- Right Regarding Automated Decision-Making: Not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
8.2 Rights Under CCPA/CPRA (California Residents)
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected;
- Right to Delete: Request deletion of personal information we have collected;
- Right to Correct: Request correction of inaccurate personal information;
- Right to Opt-Out of Sale: We do not sell your personal information. No opt-out is necessary;
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights;
- Right to Limit Use of Sensitive Personal Information: You may request limitations on how we use sensitive personal information.
8.3 Exercising Your Rights
To exercise any of these rights, contact us at [email protected]. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may require identity verification before processing your request.
You also have the right to lodge a complaint with your local data protection supervisory authority.
9. International Data Transfers
Your information may be processed in countries other than your country of residence, including the United States, where our servers and third-party service providers are located.
For transfers from the EEA/UK to countries without adequate data protection, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Data Processing Agreements (DPAs) with all sub-processors;
- Supplementary security measures as appropriate.
Enterprise customers may request specific data residency arrangements as part of a custom agreement.
10. Cookies and Tracking Technologies
10.1 Cookies We Use
- Essential Cookies: Required for the Service to function, including session cookies, CSRF tokens, and authentication cookies. These cannot be disabled.
- Functional Cookies: Remember your preferences, such as language/locale selection and theme (light/dark mode).
- Analytics Cookies: Help us understand how users interact with the Service. These are anonymized and used only for improvement purposes.
10.2 Managing Cookies
You can manage cookie preferences through your browser settings. Disabling essential cookies may impair the functionality of the Service. For more details, see our Cookie Policy.
10.3 Do Not Track
We respond to Do Not Track (DNT) browser signals. When we detect a DNT signal, we limit data collection to essential service functionality.
11. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will promptly delete such information. If you believe a child has provided us with personal information, please contact us at [email protected].
12. Data Controller and Processor Roles
12.1 When We Are the Data Controller
Dairakar Inc. acts as the data controller for personal data we collect for our own purposes, such as Account information, billing data, usage analytics, and support communications.
12.2 When We Are the Data Processor
For Content you upload (client communications, project data, scope documents), Dairakar Inc. acts as a data processor on your behalf. You, as the Account holder, are the data controller for such Content and are responsible for ensuring you have the legal basis to upload and process that data through the Service.
12.3 Data Processing Agreement (DPA)
Enterprise customers and customers subject to GDPR may request a Data Processing Agreement. Contact [email protected] to execute a DPA.
13. Third-Party Links and Services
The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing personal information.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will:
- Post the updated Privacy Policy on our website with a revised "Last updated" date;
- Notify you of material changes via email and/or in-app notification at least 30 days before they take effect;
- Obtain your consent for material changes where required by applicable law.
Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Website: dairakar.com
