Carae — Privacy Policy
Status: Approved — awaiting solicitor / DPO review at a later date.
Effective: TBD on publication
Version: privacy-v1
⚠️ Pre-launch checklist (see also the "carae-legal-pre-launch-checklist" cron):
- Replace [Legal entity name TBD] with the registered Irish company name.
- Replace [Address TBD] with the registered office address.
- Replace "TBD on publication" with the actual go-live date.
- Have a DPO / solicitor review.
Data Controller: [Legal entity name TBD] of [Address TBD], Ireland
DPO contact: [email protected]
TL;DR (this section is informational; the legally binding text is below)
- We host all your data in Frankfurt, Germany (Hetzner). No US data transfers.
- Your messages and memories are isolated per-user in our database via Postgres row-level security.
- We do not sell your data, ever.
- We do not encrypt your message content end-to-end — that would prevent the AI from working. Your messages are stored in plaintext on our servers, where our small operations team has technical access (heavily restricted, audited, and used only when strictly necessary, e.g. to debug a fault you've reported).
- LLM providers (Anthropic, OpenAI, Groq, Google) see your messages as plaintext when we send them for processing. We have Data Processing Agreements with each provider.
- You can export everything we have on you at any time, and delete your account in 24h.
- We use zero third-party tracking — no Google Analytics, no advertising pixels, no behaviour-tracking SDKs.
If you need stronger guarantees than this — e.g. end-to-end encrypted messaging where even our staff cannot read your content — Carae is not the right product for you. Consider Tutanota, Signal, or Proton Mail.
1. Who we are
Carae is operated by [legal entity TBD], a private limited company registered in Ireland. We are the Data Controller for the personal data described in this Policy. Our DPO can be reached at [email protected].
We are EU-headquartered, EU-hosted, and EU-staffed. We do not transfer your personal data outside the European Economic Area except where strictly necessary to operate the Service (see Section 6 on LLM providers).
2. What personal data we collect
2.1 Data you provide
- Account data: your name, email address, phone number (if you sign up via Telegram), country, timezone, and the career/life-situation description you give during onboarding.
- Messages: the content of every message you send to the Service, including text, voice transcripts, photos, and document attachments.
- Long-term memories: facts the Service extracts from your conversations and stores so it remembers them across sessions (e.g. "user's son's name is Liam", "user commutes by train").
- Skills configuration: which Skills you have installed and any per-Skill settings.
- Integration credentials: OAuth tokens for connected services (Google Calendar, Gmail, etc.). These are encrypted at rest with AES-256-GCM envelope encryption (see Section 4).
2.2 Data we collect automatically
- Service logs: request timestamps, error traces, IP address (truncated to /24 for IPv4, /48 for IPv6), and the version of the bot/app you used. Retained for 30 days.
- Audit logs: records of significant account events (signup, plan change, Skill install/uninstall, integration connect/disconnect, payment events, deletion requests) for fraud prevention and your own data-export requests. Retained for 3 years or as long as your account exists, whichever is shorter.
- Stripe billing data: Stripe processes your payment information and shares with us only the limited subset needed for invoicing (last 4 digits of card, billing country, subscription status). Stripe is the data controller for the full card details; we are not.
2.3 Data we do NOT collect
- Web-tracking pixels, ad-network identifiers, third-party cookies, or fingerprinting
- Your contacts or address book unless you explicitly connect Gmail/Calendar
- Location data (we use timezone, not GPS)
- Audio recordings from voice mode, beyond the transcript and a 30-day debug retention of the recording
3. Why we use your data (legal bases under GDPR Article 6)
| Purpose | Legal basis | Examples |
|---|---|---|
| Operating the Service | Contract performance (Art. 6(1)(b)) | Receiving messages, generating replies, running scheduled jobs, executing Skill actions |
| Long-term assistant memory | Contract performance + your consent during onboarding | Storing facts you've told us so the assistant remembers across sessions |
| Billing | Contract performance | Charging your subscription, handling refunds |
| Fraud prevention and abuse detection | Legitimate interest (Art. 6(1)(f)) | Audit logs, rate-limit enforcement, integrity checks |
| Customer support | Contract performance + legitimate interest | Investigating fault reports you submit |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Responding to lawful requests, tax records |
We do not use your messages or memories for marketing, ad targeting, or to train any model.
4. How we secure your data
4.1 Database isolation
Your data lives in a Postgres database in Frankfurt with row-level security enforced at the database engine level. Application code can only read or write rows belonging to the authenticated user — cross-user reads are technically blocked, not just policy.
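As an added illustration (not Carae's own schema or policy definitions; the table, column and setting names `messages`, `user_id`, `app.user_id` and the role name are assumed), this is what engine-level per-user isolation with Postgres row-level security looks like: the application binds the authenticated user's id to the transaction, and the policy limits every read and write to that user's rows, so a cross-user query returns nothing rather than relying on application code to filter.

```sql
-- Added illustration; table/column/setting names are assumed, not Carae's real schema.
CREATE TABLE messages (
    id        bigserial PRIMARY KEY,
    user_id   uuid NOT NULL,
    body      text NOT NULL,
    created   timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and FORCE it so even the table owner is subject to the policy.
ALTER TABLE messages ENABLE ROW LEVEL SECURITY;
ALTER TABLE messages FORCE ROW LEVEL SECURITY;

-- With RLS enabled and no policy, nothing is visible. This policy admits only rows
-- whose user_id equals the id bound to the current transaction. NULLIF + missing_ok
-- turn an unset/empty setting into NULL, so an unauthenticated session matches
-- no rows instead of erroring or seeing everything.
CREATE POLICY messages_owner_only ON messages
    FOR ALL
    USING      (user_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (user_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- The application role must not be a superuser or have BYPASSRLS, or policies are skipped.
CREATE ROLE carae_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON messages TO carae_app;
GRANT USAGE, SELECT ON SEQUENCE messages_id_seq TO carae_app;

-- Per request, the application binds the authenticated user's id for this
-- transaction only (SET LOCAL reverts at COMMIT/ROLLBACK).
BEGIN;
SET LOCAL app.user_id = '6f1c0f4e-0000-4000-8000-000000000001';  -- constructed example id
SELECT id, body FROM messages;            -- returns only this user's rows
INSERT INTO messages (user_id, body)      -- an INSERT with another user's id fails WITH CHECK
VALUES ('6f1c0f4e-0000-4000-8000-000000000001', 'hello');
COMMIT;
```

The same pattern applies to the memories and integration-token tables; the policy check runs inside the database engine, so a bug in application code cannot widen a query to other users' rows.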
4.2 OAuth tokens
Tokens for connected services (Google, Microsoft, etc.) are encrypted using a per-user data-encryption key (DEK) wrapped by a key-encryption key (KEK). The KEK is held in a separate secure store. Tokens are never logged, displayed, or transmitted in plaintext after the initial OAuth flow.
4.3 Operator access (be honest with the user)
Carae is operated by a small team. To deliver the Service we need engineers and support staff to be able to investigate problems. This means:
Production database access is restricted. Direct read access is gated behind 2FA + audit logging. Direct write access (other than by deployed services) is reserved for emergency response and is logged.
We can technically read your message content if we choose to. We do not do so casually. Our internal policy is that operators only access user data when:
- You have explicitly asked us to (e.g. "I think you forgot something, can you check?")
- We are investigating a fault you reported
- We are responding to a lawful request from a competent authority
- We are responding to a security incident
Every such access is logged. We do not permit fishing expeditions, employee curiosity, marketing analysis, or model training on user data.
End-to-end encryption is not offered. A personal AI assistant works on the content of your messages — encrypting that content from us would also encrypt it from the AI. If end-to-end encryption is a hard requirement for you, please use a different product.
4.4 Backups
Daily encrypted backups are taken to a separate Hetzner storage bucket in Frankfurt with 30-day retention. Backups are deleted after 30 days. Backup access is restricted to two named operators.
5. How long we keep your data
| Category | Retention |
|---|---|
| Messages | While your account is active, up to a maximum of 90 days. Older messages are summarised into long-term memories and the originals deleted. |
| Long-term memories | While your account is active. Deleted within 24 hours of /forgetme. |
| Integration tokens | Until you disconnect the integration or delete your account. |
| Service logs (technical) | 30 days |
| Audit logs (security) | 3 years |
| Billing records | 7 years (Irish tax-law minimum) |
| Backups | 30 days |
| deletions_log (no PII) | Indefinite, for fraud prevention |
After account deletion: messages, memories, integration tokens, scheduled jobs, and Skill configurations are removed within 24 hours. Audit logs and billing records are retained for the legal periods above; backups age out within 30 days.
6. Who we share your data with
We share the minimum necessary personal data with:
6.1 Large language model providers (sub-processors)
When you send the Service a message, we send the message content and recent conversation context to one of our LLM providers for processing. Providers used:
- Anthropic (Claude models) — US-headquartered, with EU data-processing options. Their API does not retain customer prompts beyond a 30-day operational retention window unless we opt in (we do not).
- OpenAI (GPT models) — US-headquartered, EU residency tier where available.
- Groq (Llama models) — US-headquartered, used as a fast fallback for short prompts.
- Google (Gemini models) — US-headquartered, EU options where available.
Each provider's standard Data Processing Agreement applies to our use of their API. These DPAs are incorporated by reference in the providers' commercial terms (which we accept by being a paying customer of their API) and bind them to act as data processors under GDPR Article 28. They commit not to use API content for training of public models. We have no influence over their security beyond what those contracts grant.
Links to the applicable DPAs:
- Anthropic: https://www.anthropic.com/legal/dpa
- OpenAI: https://openai.com/policies/data-processing-addendum
- Groq: https://groq.com/legal/dpa
- Google Cloud: https://cloud.google.com/terms/data-processing-addendum
This is the most significant data-flow most users should understand. When you message Carae, your message is processed by one of the above. If this is unacceptable to you, the Service is not suitable for you.
6.2 Infrastructure providers (sub-processors)
- Hetzner Online GmbH — Frankfurt, Germany. Hosts Postgres, Redis, application servers, backups.
- Stripe Payments Europe — Dublin, Ireland. Processes subscriptions and top-up payments.
- Cloudflare — DNS only. No content proxying.
- Resend — transactional email (signup confirmations, deletion confirmations).
6.3 Lawful requests
We will respond to lawful requests from Irish or EU authorities. We will challenge requests we believe are overbroad or unlawful, and will inform affected users where the law permits. We have not received any government data requests as of the date below.
We do not voluntarily share data with any third party other than the sub-processors above.
7. International transfers
Service infrastructure is hosted in the EU (Frankfurt, Dublin). However, when your messages are processed by an LLM provider headquartered in the US, the request transits to the provider's API endpoint, which may be served from US infrastructure depending on the provider's region selection.
We rely on:
- The EU-US Data Privacy Framework, where the provider is certified;
- Standard Contractual Clauses (Module 2: Controller to Processor) for any provider that is not DPF-certified;
- Article 49(1)(b) GDPR (necessary for performance of a contract) as the secondary basis where DPF/SCC do not cover an edge case.
If you object to your messages being processed in the US, the Service is not suitable for you. We are tracking the EU AI Act and will move to EU-resident inference where commercially feasible (Mistral, Aleph Alpha, etc.).
8. Your rights under GDPR
You have the right to:
- Access the data we hold on you. Use /mydata in the bot, or email [email protected].
- Rectify incorrect data. Use the bot or email us.
- Erase ("right to be forgotten"). Use /forgetme in the bot. We will action this within 24 hours.
- Restrict processing in certain circumstances. Email [email protected].
- Portability — receive your data in a machine-readable format (JSON). Use /mydata.
- Object to processing based on legitimate interests. Email [email protected].
- Withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Lodge a complaint with the Irish Data Protection Commission (www.dataprotection.ie) or the supervisory authority of your country of habitual residence.
We aim to respond to all rights requests within 30 days.
9. Children
The Service is not directed at, and we do not knowingly accept users under, the age of 18. If we become aware of an account belonging to a minor, we will delete it.
10. Changes
We may update this Policy. Material changes will be notified to active users 30 days before they take effect. The version in force at any time is identified by privacy-vN and visible at carae.ai/privacy.
11. Contact
- Privacy and data-protection requests: [email protected]
- General contact: [email protected]
- Postal: [Address TBD]
End of Privacy Policy — DRAFT v1.