Privacy Policy
What we collect
Account data. Email, hashed password (scrypt, never plaintext), account activity timestamps.
Events. Scan results and guard events you send us via API key, including finding types, severity, target URLs/paths, and timestamps. You control which events you send.
Technical. IP address and user agent for auth actions and rate limiting.
What we do NOT collect
We do not receive raw prompts, LLM inputs/outputs, or the content the Kaali scanner reads — only the findings and metadata you choose to stream. The Kaali OSS scanner (@kaali/cli) and guard (@kaali/guard) run entirely on your infrastructure; nothing leaves your machine unless you configure it to.
Legal basis (DPDP Act, 2023)
We process your data under §6 consent for account creation and product use, and §7 legitimate use for security abuse detection. You may withdraw consent and request erasure at any time from your dashboard (§12 right to erasure), or by emailing privacy@kaali.io.
Data location & retention
Personal data is stored on servers in Mumbai, India. Event data is retained for 12 months by default; you can delete individual events or wipe your account at any time. On account deletion, all data cascades within 30 days.
Third parties
We use Resend to deliver transactional email (verification, password reset). We do not share your data with anyone else.
Your rights (DPDP §§11–14)
Access, correction, erasure, and grievance. Contact privacy@kaali.io. Data Protection Officer: to be appointed on public launch.
Changes
Material changes will be emailed to registered users at least 14 days before they take effect.