Privacy Policy
Last updated: May 16, 2026
Karmaa (“we”, “us”, or “our”) is an AI-powered human resource management platform built for Indian small and medium enterprises. We take the privacy and security of your data seriously. This policy explains what information we collect, how we use it, and your rights regarding that information.
1. Information We Collect
Account Information
When you create an account or are added by your organisation’s administrator, we collect:
- Full name and work email address
- Department, designation, and reporting structure
- Date of joining and employment status
- Profile photo (if provided via Google sign-in)
Payroll and Financial Information
If your organisation uses our payroll features, we process:
- Salary structure (CTC, basic, HRA, allowances)
- Bank account details (account number, IFSC code, bank name)
- PAN number and tax regime preferences
- Tax declarations under sections 80C, 80D, 80CCD, 80E, 80G, and 24(b)
- PF and ESI contribution records
Leave and Attendance Data
- Leave balances, requests, and approval history
- Attendance records (clock-in/out times, work type)
AI Interaction Data
When you use the AI chatbot (“Ask Karmaa”), we process your queries to generate responses. Queries are not stored beyond the current session unless your organisation has enabled chat history. The AI does not learn from your queries.
Policy Documents
HR policy documents uploaded by administrators are processed (chunked and indexed) to power the AI chatbot. These documents are stored securely and accessible only to members of your organisation.
2. How We Use Your Information
We use the collected information to:
- Provide and operate the Karmaa platform
- Calculate payroll, taxes (TDS, PF, ESI, professional tax), and generate payslips
- Process leave requests and manage attendance
- Generate HR documents (offer letters, experience certificates, etc.) using AI
- Answer employee queries about company policies via the AI chatbot
- Send transactional emails (magic link sign-in, notifications)
We do not sell your data to third parties. We do not use your data for advertising. We do not use your data to train AI models.
3. Data Storage and Security
- Database: Your data is stored in a PostgreSQL database hosted on Neon (neon.tech), with servers in the Asia-Pacific region.
- Application hosting: The application is hosted on Vercel’s edge network with automatic HTTPS encryption.
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest.
- Multi-tenancy: Each organisation’s data is logically isolated using tenant-scoped access controls. Employees of one organisation cannot access another organisation’s data.
- Authentication: We use industry-standard authentication (NextAuth.js) with JWT-based sessions and HMAC-signed magic link tokens.
4. Third-Party Services
We use the following third-party services to operate the platform:
- Google OAuth: For sign-in authentication. We receive your name, email, and profile photo from Google. Google’s privacy policy applies to their processing.
- Anthropic (Claude): For AI chatbot and document generation. Your policy chunks and queries are sent to Anthropic’s API for processing. Anthropic does not use API inputs for model training.
- Resend: For sending magic link sign-in emails. Only your email address is shared with Resend for email delivery.
- Neon: For database hosting. All data is stored on Neon’s infrastructure.
- Vercel: For application hosting and edge delivery.
5. Data Retention
We retain your data for as long as your organisation maintains an active account with us. When an organisation deletes its account, we delete all associated data within 30 days. Individual employee data is retained according to Indian labour law requirements (typically 3 years after employment ends for payroll records).
6. Your Rights
Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian law, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention requirements)
- Withdraw consent for optional data processing
- Nominate another person to exercise your rights
To exercise these rights, contact your organisation’s HR administrator or reach out to us directly.
7. Cookies
We use essential cookies only — specifically, a session cookie to maintain your signed-in state. We do not use tracking cookies, analytics cookies, or advertising cookies.
8. Children’s Privacy
Karmaa is a workplace tool and is not intended for use by individuals under the age of 18. We do not knowingly collect data from minors.
9. Changes to This Policy
We may update this privacy policy from time to time. We will notify users of material changes via email or an in-app notification. Continued use of the platform after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have questions about this privacy policy or our data practices, contact us at:
Karmaa
Email: privacy@karmaa.in
Registered in India