Your data, your rules.
Built for knowledge workers who value privacy. Plain English, no legalese.
Last updated: 28 May 2026 · Effective: 28 May 2026
1. Data Controller
Kurae ("we", "us", "our") is the data controller for personal data collected and processed through the Service. If you have questions about how we handle your personal data, or wish to exercise your rights, contact us at privacy@kurae.app.
For EU/EEA users: we are registered under applicable data protection laws and process personal data lawfully under Articles 6 and 9 of the GDPR.
2. What Data We Collect
Account data: When you create an account via Clerk (our authentication provider), we receive your name, email address, profile picture URL, and a unique user identifier. We do not receive or store your password.
Content data: All notes, captures, highlights, tags, and summaries you create in Kurae are stored in our database linked to your user identifier.
Usage data: We log server-side request metadata (timestamps, HTTP status codes, route names, error codes) for debugging and security monitoring. We do not log request bodies or note content in application logs.
Support data: If you use the in-app support chat, conversation messages are processed through our AI pipeline and not stored permanently after the session ends.
Device/technical data: We collect standard HTTP request information (IP address, user agent string) for security and abuse prevention. IP addresses are pseudonymised in logs after 30 days.
3. Legal Basis for Processing (GDPR)
For users in the EU/EEA/UK, we process your personal data under the following lawful bases:
Contract performance (Art. 6(1)(b)): Processing your account data and content to provide the Service you signed up for.
Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and product improvement (using aggregated/anonymised analytics only).
Legal obligation (Art. 6(1)(c)): Retaining transaction records and responding to lawful law enforcement requests.
Consent (Art. 6(1)(a)): Optional analytics and marketing communications, where you have explicitly opted in. You may withdraw consent at any time by contacting privacy@kurae.app.
4. How We Use Your Data
We use your data solely to:
(a) Provide and improve the Service, including AI-powered features that process your note content on the server to return routing suggestions, distillations, and drafts;
(b) Authenticate you and maintain session security via Clerk;
(c) Respond to your support requests;
(d) Send transactional emails (account verification, password resets, billing receipts);
(e) Detect and prevent security incidents, fraud, and abuse;
(f) Comply with applicable legal obligations.
We do not: sell, rent, or broker your data; use your content to train or fine-tune AI models; serve you targeted advertising; profile you for commercial purposes.
5. AI Features and Data Transmission
When you trigger AI features, relevant excerpts of your note content are transmitted server-side to our AI inference provider (OpenRouter). This transmission is encrypted in transit (TLS 1.3) and occurs from our servers — your browser never directly contacts AI providers.
OpenRouter routes requests to underlying model providers (e.g. Google AI Studio, NVIDIA, Liquid AI). These providers process the content to generate responses and do not store it after the request completes, per OpenRouter's data processing terms.
You can review OpenRouter's privacy policy at: https://openrouter.ai/privacy
We recommend not including highly sensitive personal data (national ID numbers, financial account numbers, medical records) in your notes.
7. Data Storage, Security, and Retention
Storage location: Your data is stored in a Neon PostgreSQL database hosted in the United States (AWS us-east-1). If you are in the EU/EEA, data is transferred under Standard Contractual Clauses (SCCs) as required by Chapter V GDPR.
Encryption: Data in transit is encrypted using TLS 1.3. Data at rest is encrypted by Neon using AES-256. Database credentials are never stored in code — they are environment variables managed by Vercel.
Retention: We retain your data for as long as your account is active. If you delete your account, your data is deleted within 30 days; database backups are retained for a further 7 days before deletion.
Security incidents: We will notify affected users and relevant supervisory authorities of data breaches within 72 hours of becoming aware, in accordance with Art. 33 GDPR.
8. Your Rights
Depending on your jurisdiction, you have some or all of the following rights:
Right of access: Obtain a copy of the personal data we hold about you.
Right to rectification: Correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): Request deletion of your data.
Right to restriction: Request that we limit processing of your data.
Right to data portability: Receive your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
California residents (CCPA/CPRA): You have the right to know what data we collect, the right to delete, the right to opt-out of sale (we do not sell data), and the right to non-discrimination for exercising your rights.
To exercise any of these rights, email privacy@kurae.app with "Privacy Request" in the subject line. We will respond within 30 days (extendable to 90 days for complex requests with notice). We may need to verify your identity before processing requests.
You also have the right to lodge a complaint with your local supervisory authority (for EU users: your national Data Protection Authority; for UK users: the Information Commissioner's Office at https://ico.org.uk).
10. Children's Privacy
The Service is not directed at children under 16 (or 13 in jurisdictions where this is the minimum age). We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will delete it immediately. If you believe a child has provided data to us, contact privacy@kurae.app.
11. Changes to This Policy
We will notify you of material changes to this policy via email and an in-app notification at least 14 days before they take effect. Minor changes (e.g., clarifications, updated sub-processor links) will be updated here without notice.
Continued use of the Service after the effective date of a material change constitutes acceptance of the updated policy. This policy was last updated on 28 May 2026.
12. Contact
Privacy requests and questions: privacy@kurae.app
Security vulnerabilities: security@kurae.app
Legal and compliance: legal@kurae.app
We respond to all privacy requests within 30 days and security reports within 24 hours.
To exercise your rights or ask questions: privacy@kurae.app — we respond within 30 days.