Effective Date: 7 May 2026 • Version 2.0
This document supersedes the Privacy Policy dated 26 March 2026. If you have questions, contact [email protected].
Overview
The Karak (“Platform”, “we”, “us”, “our”) is operated by The Karak, accessible at www.thekarak.in. We run three interconnected services:
- The Karak Blog — a content and editorial platform for founders, earners, and curious minds.
- Aurora — an AI-powered decision intelligence tool for startup founders, embedded within the Platform as a WordPress plugin.
- The Karak Consulting — an online consulting and session-booking service connecting users with expert practitioners.
This Privacy Policy explains how we collect, use, store, share, and protect your information across all three services. It also explains your rights under applicable Indian law, including the Information Technology Act 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“SPDI Rules”), and, where applicable, the Digital Personal Data Protection Act 2023 (“DPDP Act”).
By using the Platform, you agree to the practices described in this Policy. If you do not agree, please discontinue use of the Platform.
1. Information We Collect
1.1 Account & Identity Information
When you create an account or register on the Platform, we may collect:
- Full name
- Email address
- Phone number (optional unless required for a booking)
- Personal details: name, education, work details, specializations, etc.
- Profile details: startup name, role, industry, and stage of venture
- Login credentials, or authentication tokens from third-party providers (Google, LinkedIn)
- Profile photograph (if provided)
1.2 Usage & Technical Data
We automatically collect the following when you visit or interact with the Platform:
- IP address and approximate geolocation (city/country level)
- Device type, operating system, and browser version
- Pages visited, time spent, and navigation paths
- Referral source (how you arrived at the Platform)
- Clicks, scroll depth, and interaction events
- Error logs and crash reports
1.3 Aurora AI Tool Data
Aurora is an AI-powered decision intelligence tool. When you use Aurora, we collect:
- Questions and prompts you submit (your “Inputs”)
- Any context you provide about your startup, stage, or decision
- Responses generated by Aurora (“Outputs”)
- The projects you create and the research saved within them
- Session history: timestamps, question sequences, follow-up branches selected
- Agent mode selected (Explore Freely, PM Agent, CFO Coach)
- Stage and filter preferences set within Aurora
- Feedback signals: helpful / not helpful ratings on responses
Aurora does not currently accept file uploads (e.g. pitch decks). If this changes, this Policy will be updated.
1.4 Consulting Platform Data
When you use The Karak Consulting service, we collect:
- Booking details: session type, preferred date and time, consultant requested
- Payment transaction metadata: amount, currency, date, status, and reference number
- Pre-session intake information you submit (background, goals, questions)
- Post-session notes and feedback ratings
- Communication records: messages exchanged through the Platform booking system
We do NOT store full card numbers, CVV codes, or banking credentials. Payment processing is handled by third-party PCI-DSS compliant payment gateways (see Section 5.1).
1.5 Content & Engagement Data
When you interact with The Karak Blog:
- Articles read, bookmarked, or shared
- Newsletter subscription status and email engagement (opens, clicks)
- Comments or responses submitted
1.6 Cookies & Tracking Technologies
We use cookies, web beacons, and similar technologies. These fall into four categories:
- Essential cookies: Required for login sessions, security tokens, and core Platform functionality. Cannot be disabled without breaking the service.
- Analytics cookies: Used to understand how the Platform is used (e.g. Google Analytics, aggregated page view data). No personally identifiable information is shared with analytics providers.
- Preference cookies: Store your settings such as language, sidebar preferences, and Aurora project selections.
- Marketing cookies: Used only if you have explicitly opted in to receive personalised communications.
You can manage non-essential cookies via your browser settings or the cookie preference centre on the Platform. Disabling essential cookies will affect Platform functionality.
2. How We Use Your Information
2.1 To Provide and Operate the Platform
- Authenticate your identity and maintain your account
- Display content, tools, and features appropriate to your subscription or access level
- Process and manage consulting bookings and payments
- Deliver Aurora AI responses based on your inputs
- Save your Aurora project history and recent research within your account
2.2 To Improve Our Products and Services
- Analyse usage patterns to identify bugs, performance issues, and improvement opportunities
- Train, fine-tune, and evaluate Aurora’s AI models using aggregated and, where necessary, anonymised interaction data (see Section 3 for detail and your opt-out rights)
- Conduct internal research on founder decision-making patterns using de-identified data
2.3 To Communicate With You
- Send account-related notifications (booking confirmations, payment receipts, account alerts)
- Deliver newsletters and content updates if you have subscribed
- Respond to support requests and inquiries
- Notify you of material changes to this Policy or our Terms of Service
2.4 For Safety, Security, and Legal Compliance
- Detect and prevent fraud, abuse, and unauthorised access
- Monitor for violations of our Terms of Service
- Comply with applicable legal obligations, court orders, or regulatory requirements
- Protect the rights and safety of our users, consultants, and the Platform
3. Aurora AI — Specific Data Practices
This section applies specifically to the Aurora AI tool and supplements the general provisions above.
3.1 How Aurora Processes Your Inputs
When you submit a question to Aurora, your Input is:
- Transmitted over an encrypted connection (HTTPS) to our backend server hosted on Render.
- Processed by a large language model (“LLM”) provided by OpenAI (currently GPT-4o-mini with web search). Aurora’s backend sends your Input, along with relevant context from our founder evidence database, to OpenAI’s API.
- Used to retrieve relevant evidence from our proprietary database of founder decisions (stored on Supabase).
- Combined with retrieved evidence to generate an Output, which is returned to you.
OpenAI processes your Input under OpenAI’s own API privacy and data usage terms. OpenAI does not use API-submitted data to train its models by default, subject to OpenAI’s current policies. We recommend reviewing OpenAI’s privacy policy at openai.com.
3.2 Use of Your Aurora Data to Improve Aurora
We may use your Aurora Inputs and Outputs in the following ways to improve the service:
- To evaluate the quality and accuracy of Aurora’s responses.
- To identify gaps in our founder evidence database.
- To test new features and response formats.
Before using your data for improvement purposes, we: (a) aggregate it with data from other users; (b) remove or pseudonymise identifying information; and (c) do not expose your specific questions or company details to other users.
You may opt out of having your Aurora Inputs and Outputs used for model improvement by contacting us at [email protected]. Opting out does not affect the quality of Aurora’s responses to you.
3.3 What You Should Not Submit to Aurora
Aurora is designed for founder decision-making questions. You should not submit to Aurora:
- Highly confidential trade secrets or proprietary source code
- Sensitive personal data of third parties (employees, customers, investors) without their consent
- Complete financial statements, cap table details, or term sheets (use only the relevant facts needed for your question)
- Passwords, API keys, or authentication credentials
- Information that is subject to attorney-client privilege or legal hold
Aurora’s Outputs are generated automatically and are for informational purposes only. They do not constitute financial, legal, investment, or professional advice. Always consult a qualified professional for important decisions.
3.4 Aurora Project Data
When you create a Project in Aurora:
- Your project name, description, and selected stage are stored in our database against your user account.
- Questions asked within a project and Aurora’s responses are stored as research records associated with that project.
- A session summary is generated periodically and stored to provide context for future sessions.
You can delete a project and its associated data from within the Aurora interface. Deletion is permanent and cannot be undone.
4. The Karak Consulting — Specific Data Practices
4.1 Information Shared With Consultants
When you book a consulting session, we share the following with the relevant consultant:
- Your name and contact details (as provided in your account)
- Your pre-session intake information
- Relevant profile context (industry, stage, role) to enable a productive session
Consultants engaged through The Karak Consulting are bound by confidentiality obligations. They are not permitted to use your information for purposes other than delivering the booked session.
4.2 Session Records
Session notes, recordings (if any, and only with explicit prior consent), and feedback are retained for:
- Quality assurance and dispute resolution purposes
- Enabling you to access your session history within the Platform
Sessions are not recorded without explicit prior written consent from all participants.
4.3 Payments
Payment processing is handled by third-party providers. We currently use [payment gateway, e.g. Razorpay / Stripe]. We receive and store only:
- Transaction amount and currency
- Transaction date and time
- Transaction status (success, failed, refunded)
- A transaction reference ID for support purposes
Full card numbers, CVV codes, expiry dates, and bank account details are never transmitted to or stored by The Karak.
5. Sharing of Information
We do not sell your personal data. We share data only as described below.
5.1 Service Providers
We share data with trusted third-party service providers who help us operate the Platform, under contractual obligations to process your data only as instructed:
| Provider / Category | Purpose | Data Shared |
| --- | --- | --- |
| OpenAI (API) | Aurora LLM responses | Your Aurora Inputs and relevant context |
| Supabase | Database (founder evidence, user data, projects) | All structured user and project data |
| Render | Aurora backend hosting | Processed in transit; no persistent storage |
| WordPress / Hostinger | Platform hosting and CMS | Website usage data; account data |
| Google Analytics | Usage analytics | Anonymised and aggregated usage data only |
| Payment gateway (Razorpay / Stripe) | Payment processing for consulting bookings | Booking amount, date; no card details |
| Email service provider | Transactional and newsletter email | Name and email address |
5.2 Consulting Practitioners
As described in Section 4.1, relevant profile and session information is shared with the consultant assigned to your booking.
5.3 Legal and Regulatory Disclosure
We may disclose your data to government authorities, courts, or law enforcement where required by applicable Indian law, or where disclosure is necessary to protect the rights, safety, or property of our users or The Karak.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on the Platform before your data is transferred and becomes subject to a different privacy policy.
6. Data Retention
We retain your data for as long as your account is active, or as long as is necessary to fulfil the purposes described in this Policy.
- Account and profile data: Retained while your account is active and for 12 months after account deletion, for audit and dispute resolution purposes.
- Aurora Inputs and Outputs (project research): Retained while the project exists. Deleted promptly when you delete the project. Anonymised aggregate usage data may be retained indefinitely.
- Consulting session records: Retained for 3 years from the session date for quality assurance and legal purposes.
- Payment transaction metadata: Retained for 7 years to comply with Indian financial record-keeping requirements.
- Usage and technical data (logs): Retained for 90 days in identifiable form; aggregated anonymised analytics retained indefinitely.
- Email communications: Retained for the duration of the relationship and for a reasonable period thereafter.
You may request deletion of your account and data at any time (see Section 8). Certain data may be retained beyond your deletion request where required by law or legitimate business interest.
7. Data Security
We implement reasonable and appropriate technical and organisational measures to protect your data, including:
- HTTPS / TLS encryption for all data in transit between your browser and our servers
- Encryption at rest for sensitive data stored in our database
- Row-Level Security (RLS) on our Supabase database, ensuring users can only access their own data
- Access controls: Aurora backend data is accessible only to authenticated users via API keys and WordPress nonces
- Third-party security: Our service providers (OpenAI, Supabase, Render, Hostinger) maintain their own security programmes and certifications
- No storage of payment credentials: Full card and banking details are never transmitted to or stored by The Karak
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you become aware of any security vulnerability or breach, please notify us immediately at [email protected].
8. Your Rights
Under applicable Indian law (including the DPDP Act 2023, the IT Act 2000, and the SPDI Rules 2011), you have the following rights with respect to your personal data:
- Right to access: Request a copy of the personal data we hold about you.
- Right to correction: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data. We will comply unless retention is required by law or legitimate business necessity.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect processing already carried out.
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to data portability: Request a copy of your Aurora project data and research in a commonly used machine-readable format.
- Right to grievance redressal: Lodge a complaint with our Grievance Officer (see contact details below).
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days of receiving your request. We may ask you to verify your identity before processing your request.
9. Children’s Privacy
The Platform is intended for adults (18 years and older). The Karak Consulting and Aurora are professional tools designed for founders and business professionals.
We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us at [email protected] and we will delete it promptly.
10. International Data Transfers
Our service providers operate infrastructure in multiple countries. Specifically:
- OpenAI processes data on servers in the United States.
- Supabase may process data in the United States or other jurisdictions depending on your selected region.
- Render (our backend host) operates in the United States.
By using the Platform, you consent to the transfer of your data to these jurisdictions. Where required, we take steps to ensure that such transfers are subject to appropriate safeguards, including data processing agreements with our service providers.
We are monitoring the implementation of the Digital Personal Data Protection Act 2023 and will update our cross-border transfer practices as and when the Act’s provisions on such transfers come into force.
11. Cookies Policy
In addition to the overview in Section 1.6, here is how to manage cookies:
- Browser controls: All major browsers allow you to view, manage, delete, and block cookies. Visit your browser’s help documentation for instructions.
- Opt-out tools: For Google Analytics, you may use the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout).
- Essential cookies cannot be disabled: Some cookies are strictly necessary for the Platform to function (e.g. login session cookies). Blocking these will prevent you from using core features.
We do not use cookies for behavioural advertising targeting without explicit consent.
12. Links to Third-Party Websites
The Platform may contain links to third-party websites, including social media platforms, news outlets, and tools referenced in our editorial content. These sites operate under their own privacy policies.
We are not responsible for the privacy practices, content, or security of any third-party website. We encourage you to review the privacy policy of any website you visit via a link from the Platform.
13. Grievance Officer
In accordance with the Information Technology Act 2000 and the rules thereunder, we have designated a Grievance Officer:
Grievance Officer: The Karak Team
Email: [email protected]
Website: www.thekarak.in
Response time: Within 30 days of receiving a complaint
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data practices. When we make material changes, we will:
- Post the updated Policy on this page with a revised “Effective Date” at the top.
- Send a notification to your registered email address for significant changes.
- Display a prominent notice on the Platform for 30 days following a material update.
Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy. If you do not agree with the changes, you should discontinue use and may request deletion of your account.
15. Contact Us
For any privacy-related queries, requests, or complaints, please contact:
The Karak
Email: [email protected]
Website: www.thekarak.in
We aim to respond to all privacy requests within 30 days. For urgent security concerns, please mark your email subject line as URGENT — PRIVACY.
© 2026 The Karak.
