Privacy Policy
Last updated: March 7, 2026
Effective Date: March 7, 2026
Last Updated: March 7, 2026
This Privacy Policy ("Policy") describes how Comedia Technologies Private Limited ("Company," "we," "us," or "our"), incorporated under the Companies Act, 2013, with its registered office at #1207/343 & 1207/1/343/1, 9TH Main, 7th Sector, HSR Layout, Bangalore, Karnataka, India, 560102, collects, uses, discloses, and protects personal data in connection with the Kyra platform, website (kyratech.io), APIs, SDKs, and related services (collectively, the "Service").
This Policy applies to:
- Visitors to kyratech.io and related websites ("Website")
- Customers and Authorized Users of the Service ("Customers")
- Individuals whose personal data is processed through the Service as part of Customer workloads ("End Users")
If you are an End User whose data is processed by a Customer's AI agents, please contact that Customer directly regarding their data practices. Company acts as a data processor on behalf of the Customer in that context.
1. Legal Basis and Applicable Law
Company is subject to the Digital Personal Data Protection Act, 2023 (DPDPA) of India as a Data Fiduciary. For Customers and individuals located in the European Economic Area, the United Kingdom, or Switzerland, Company complies with the General Data Protection Regulation (GDPR) and its national implementations as a Data Processor in respect of Service Data, and as a Data Controller in respect of account and website data. For customers in other jurisdictions, Company applies the standards described in this Policy as a baseline.
Legal bases for processing personal data (where GDPR applies):
| Purpose | Legal Basis |
|---|---|
| Providing the Service under contract | Article 6(1)(b) — Performance of contract |
| Billing and payment processing | Article 6(1)(b) — Performance of contract |
| Security monitoring and fraud prevention | Article 6(1)(f) — Legitimate interests |
| Sending product updates and notices | Article 6(1)(b) or (f), or consent |
| Marketing communications | Article 6(1)(a) — Consent |
| Legal compliance | Article 6(1)(c) — Legal obligation |
2. Information We Collect
2.1 Information You Provide Directly
Account Information: When you register for an account, we collect your name, email address, organization name, and password hash (passwords are never stored in plain text). Google OAuth users do not have a stored password.
Billing Information: We collect billing address and payment method details. Full payment card numbers are processed by our payment processor (Stripe) and are not stored on Company systems. We retain only tokenized payment references and the last four digits of card numbers for your records.
Communications: If you contact us by email or support channels, we retain those communications and any personal data contained within them.
Profile Information: You may optionally provide profile information such as a job title or profile image URL.
2.2 Information Collected Automatically
Usage Data: We collect information about how you interact with the Service, including pages visited, features used, evaluation counts, agent registrations, dashboard events, and timestamps.
Log Data: Our servers automatically record log data including IP addresses, browser type, operating system, referring URLs, and error events. Log data is retained for up to 90 days.
Cookies and Tracking Technologies: We use session cookies for authentication and preference cookies for dashboard settings. We do not use third-party advertising cookies. See Section 8 for details.
Device Information: We collect device type, operating system version, and browser version to support compatibility.
2.3 Service Data (Customer-Controlled)
When Customers use the Service, we process Service Data on their behalf as a data processor. Service Data may include:
- Agent Data: Tool call parameters, execution context, session metadata, gate evaluation records, and audit events generated by Customer's AI agents
- Policy Data: Policy documents, compliance configurations, explicit policy records, and escalation records uploaded or generated by Customer
- Governance Ledger Entries: Records of gate decisions, verdicts, tier classifications, and aggregated row counts per session
Company does not access, review, or use Service Data for any purpose other than providing and improving the Service and complying with legal obligations. Service Data is logically isolated per Customer organization using per-org database namespacing.
2.4 Information from Third Parties
We may receive information from third-party integration partners (e.g., Slack, when Customers configure escalation notifications) solely to operate the integration on the Customer's behalf.
3. How We Use Personal Data
We use personal data for the following purposes:
3.1 Providing the Service
To create and manage accounts, authenticate users, process API requests, operate the gate pipeline, store audit records, send escalation notifications, and deliver all features described in the Documentation.
3.2 Billing and Payments
To process subscription fees, calculate overage charges, generate invoices, and manage payment methods.
3.3 Customer Support
To respond to support requests, diagnose technical issues, and communicate about the Service.
3.4 Service Improvement
To analyze anonymized, aggregated usage patterns to improve the Service's performance, accuracy, and features. We do not use individually identifiable data for model training without explicit consent.
3.5 Security and Fraud Prevention
To detect, investigate, and prevent unauthorized access, abuse, or fraudulent activity, including monitoring for anomalous API usage patterns.
3.6 Legal Compliance
To comply with applicable law, respond to lawful requests from government authorities, enforce our Terms of Service, and protect the rights, property, or safety of Company, Customers, or others.
3.7 Communications
To send transactional emails (account confirmations, password resets, billing receipts, service notices) and, where you have opted in, product updates and announcements. You may opt out of non-transactional communications at any time.
4. How We Share Personal Data
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
We may share personal data in the following circumstances:
4.1 Sub-processors and Service Providers
We engage third-party service providers to help operate the Service. These providers act as data processors and are contractually bound to process personal data only on our instructions and in accordance with appropriate data protection standards.
Current categories of sub-processors include:
| Category | Purpose |
|---|---|
| Cloud infrastructure | Hosting, storage, compute |
| Database provider | MongoDB Atlas — per-org data storage |
| Payment processor | Stripe — billing and payment |
| Email delivery | Transactional email (account and billing notices) |
| LLM provider | Anthropic Claude API — gate pipeline inference |
| Communication | Slack — escalation notifications (Customer-configured) |
| Analytics | Anonymized product analytics |
A current list of named sub-processors is available upon request at legal@kyratech.io.
4.2 Business Transfers
In connection with a merger, acquisition, reorganization, or sale of all or substantially all of Company's assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections. We will provide notice before personal data is transferred and becomes subject to a different privacy policy.
4.3 Legal Requirements
We may disclose personal data if required to do so by law, court order, or governmental authority, or where we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend the rights or property of Company; (c) prevent or investigate possible wrongdoing; or (d) protect the personal safety of users or the public.
We will, to the extent permitted by law, provide advance notice to Customers before disclosing their Service Data in response to a legal demand, so they may seek a protective order.
4.4 With Your Consent
We may share personal data with third parties when you have given explicit consent to do so.
5. Data Retention
We retain personal data for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account + 1 year post-closure |
| Billing records | 7 years (statutory requirement) |
| Audit trail and session data | Per Customer's plan (configurable; default 90 days) |
| Governance ledger entries | Per Customer's plan (configurable) |
| Support communications | 3 years from closure of ticket |
| Server log data | 90 days |
| Anonymized analytics | Indefinite |
Customers may configure audit data retention periods within the Service dashboard, subject to plan-level minimums. Following account termination, Service Data is retained for 30 days to allow export, then deleted in accordance with Company's secure deletion procedures.
6. Data Security
Company implements technical and organizational security measures appropriate to the risk of processing, including:
- Encryption in transit: All data transmitted between customers, SDKs, and Company infrastructure is encrypted using TLS 1.2 or higher
- Encryption at rest: Service Data stored in databases and object storage is encrypted at rest using AES-256
- Access controls: Role-based access controls restrict employee access to Customer data to those with a documented operational need
- Audit logging: Internal access to production systems is logged and subject to periodic review
- Tamper-evident audit chain: Customer audit records are protected by a cryptographic hash chain that makes post-hoc modification detectable
- Vulnerability management: Company maintains a vulnerability disclosure program and conducts periodic security assessments
No method of transmission or storage is 100% secure. While we take these measures seriously, we cannot guarantee the absolute security of Service Data. In the event of a personal data breach likely to result in a risk to individuals' rights and freedoms, Company will notify affected Customers within 72 hours of becoming aware, in accordance with applicable law.
7. Your Rights
Depending on your location and applicable law, you may have the following rights with respect to your personal data:
7.1 Right of Access: You may request a copy of the personal data we hold about you.
7.2 Right to Rectification: You may request correction of inaccurate or incomplete personal data.
7.3 Right to Erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to legal retention requirements.
7.4 Right to Restriction: You may request that we restrict processing of your personal data in certain circumstances.
7.5 Right to Data Portability: Where processing is based on consent or contract and carried out by automated means, you may request your personal data in a structured, machine-readable format.
7.6 Right to Object: Where processing is based on legitimate interests, you may object to processing. We will cease unless we demonstrate compelling legitimate grounds that override your interests.
7.7 Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
7.8 Right against Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, except where necessary for a contract, authorized by law, or based on explicit consent.
7.9 Rights under India's DPDPA: Indian residents have the right to access, correct, and erase personal data held by Company, and to nominate a person to exercise these rights on their behalf.
To exercise any of these rights, contact us at legal@kyratech.io. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
Note for Customers: If you are an End User whose data was processed by a Customer's AI agents, please submit your request to that Customer directly. Company will assist Customers in responding to such requests as required.
8. Cookies
The Service uses the following categories of cookies:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly necessary | Authentication session, CSRF protection | Session |
| Functional | Dashboard preferences, timezone | 1 year |
| Analytics | Anonymized product usage (no cross-site tracking) | 1 year |
We do not use advertising or cross-site tracking cookies. You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in to the Service.
9. International Data Transfers
Company is incorporated in India and processes data on infrastructure located in [PRIMARY REGION]. When we transfer personal data outside India or the EEA to sub-processors in other countries, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, for transfers from the EEA
- Data processing agreements incorporating equivalent protections, for transfers from India
- Adequacy decisions where applicable
A copy of applicable transfer mechanisms is available upon request at legal@kyratech.io.
10. Children's Privacy
The Service is not directed to children under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete it promptly. If you believe we have collected such data, contact us at legal@kyratech.io.
11. Links to Third-Party Services
The Service may contain links to third-party websites or integrations with third-party platforms (e.g., Slack, GitHub). This Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you use.
12. Changes to This Policy
We may update this Policy periodically to reflect changes in our practices, the Service, or applicable law. We will post the revised Policy with an updated "Last Updated" date. For material changes, we will provide at least 30 days' advance notice by email to the address associated with your account, or by a prominent notice within the Service. Your continued use of the Service after the effective date of a revised Policy constitutes acceptance of the changes.
Previous versions of this Policy are available upon request.
13. Contact and Data Protection Officer
For privacy-related questions, requests, or complaints:
Privacy Team
Comedia Technologies Private Limited
#1207/343 & 1207/1/343/1, 9TH Main, 7th Sector, HSR Layout, Bangalore, Karnataka, India, 560102
legal@kyratech.io
For GDPR-related inquiries from EEA residents, you may also contact our designated representative or lodge a complaint with the supervisory authority in your EU member state of habitual residence. For Indian residents, complaints may be submitted to the Data Protection Board of India once established under the DPDPA.
We aim to respond to all privacy inquiries within 30 calendar days.
This Privacy Policy was last updated on March 7, 2026.