KAALOS

Legal

Privacy policy

Effective 10 May 2026

KAALOS is operated by the team behind kaalos.in. We build a premium business timing intelligence layer that combines panchang calculations, founder/team context, and calendar data to recommend supportive windows for important business work. This policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and how you can exercise your rights over it.

We frame timing intelligence as decision-support, not a guarantee of outcomes. We do not sell personal data. We do not use it to train AI models outside the provider terms we have agreed to. We minimise what we collect and what we send to third-party processors.

1. Who we are

KAALOS (the “Service”) is a business timing intelligence application available at https://kaalos.in. For privacy questions or data-rights requests, write to privacy@kaalos.in. Under the DPDP Act 2023 you may also contact our Grievance Officer (see Section 12).

2. Data we collect

2.1 Information you give us directly

  • Account information: full name, email address, hashed password, time-zone preference.
  • Organisation profile: business name, industry, stage, primary location, default time zone, optional incorporation date / time / place.
  • Founder birth profile (sensitive): birth date, birth time, birth place, latitude/longitude, time zone of birth, precision tier (exact / rectified / approximate / unverified / unknown), optional source note. Collected only with your explicit consent and used only to compute panchang/dasha/Chandra-Bala signals for your scheduling recommendations.
  • Team profiles: name, role, department, professional strengths and constraints, optional birth profile. Team birth data is opt-in only by the individual concerned; founders cannot silently add it. Each team member carries an explicit consent state.
  • Tasks, milestones, and calendar events created inside KAALOS, including title, description, category, priority, duration, and deadline.
  • Advisor (KAALA) conversation history: the messages you exchange with our advisor and the structured responses returned by the model.

2.2 Information we receive through Google APIs

When you choose to connect Google Calendar, KAALOS uses Google APIs with the following scopes and only the following scopes:

  • https://www.googleapis.com/auth/calendar.events — to create a calendar event in your primary calendar after you explicitly accept a recommended timing window. We do not read, modify, or delete any other event.
  • https://www.googleapis.com/auth/calendar.freebusy — to query opaque busy windows so KAALOS does not recommend times that conflict with your existing commitments. Free/busy returns only busy time intervals; it does not return event titles, descriptions, attendees, or locations.

We do not use Google user data for advertising, analytics, or model training. We do not share Google user data with third parties beyond service providers (see Section 5) that are required to deliver the feature you requested. Use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2.3 Information collected automatically

  • Authentication tokens for Supabase Auth (managed by Supabase). Google OAuth refresh tokens are stored AES-GCM encrypted and decrypted server-side only.
  • Audit logs for sensitive reads/writes (birth-profile access, AI requests, calendar-event creation, integration connect/disconnect, privacy requests). Used for security review and your own audit-history requests.
  • Operational telemetry: error reports and request identifiers. We do not embed third-party trackers on the marketing or app surfaces beyond what is disclosed here.

3. How we use your data

  • To compute panchang/choghadiya/inauspicious-timing / dasha signals for the date and location you specified, via DivineAPI.
  • To run our deterministic scoring engine over candidate windows.
  • To produce AI-generated explanations and the daily brief through OpenAI, using only the evidence bundle we send (calculation IDs, scoring outputs, business and task context, calendar availability, privacy-filtered people summaries).
  • To create internal calendar events you accept; and, if you connected Google Calendar, to push the same event to your primary Google calendar.
  • To send you notifications you have opted into (in-app today; email and WhatsApp are coming soon).
  • To respond to support and privacy requests.
  • To detect and prevent abuse of the Service.

We do not use your personal data, business data, or Google user data to make consequential decisions automatically (for example, hiring, firing, or financial decisions). KAALA (our advisor) provides reflection and timing-support only; it does not silently execute sensitive actions.

4. Legal bases (DPDP and equivalent regimes)

  • Consent for processing of birth profiles, team birth profiles, calendar data, and AI-driven recommendations. Consent is collected at onboarding and can be withdrawn at any time from Settings → Privacy.
  • Contractual necessity for account creation, authentication, and delivery of the core Service.
  • Legitimate interests for fraud prevention, security, and service-improvement work that does not override your rights.

5. Service providers and sub-processors

We share personal data with the following processors only to the extent needed:

  • Supabase (database, authentication, edge functions, storage). Hosted in Supabase's regions.
  • OpenAI (AI workflows). We send only the evidence bundle relevant to your request, never raw birth data unless explicitly required by a workflow you initiated, and we operate under OpenAI's API terms which prohibit using customer data to train their general models.
  • DivineAPI (panchang, choghadiya, dasha and chart calculations). We send the date, location, and where required birth date / time. DivineAPI processes these inputs for the calculation and does not use them to train models.
  • Google (only when you connect Google Calendar). Used solely to query free/busy and to create accepted events.
  • Vercel (Next.js hosting for kaalos.in).

We do not sell personal data. We do not share personal data with advertising networks. Where any of these processors is located outside India, we rely on contractual and technical safeguards.

6. Data retention

  • Account, organisation, and business data: retained while your account is active. Deleted within 30 days of an erasure request (see Section 8).
  • Founder birth profile: retained while consent is in place. Withdrawing consent or deleting the profile removes it within 30 days; cached calculations derived from it are also purged.
  • Team profiles: retained while the individual's consent is in place. Withdrawal of consent removes it within 30 days.
  • Google OAuth tokens: stored AES-GCM encrypted until you disconnect or revoke access via your Google account, then deleted within 24 hours.
  • Audit logs: retained for up to 24 months for security and compliance review, then deleted.

7. Security

  • Row-Level Security on every table that holds organisation-scoped data.
  • Provider secrets (DivineAPI, OpenAI, Google) live in server-side function secrets and never reach the browser.
  • Google refresh tokens are AES-GCM encrypted with a server-only key.
  • Sensitive reads and writes are audit-logged.
  • Birth profiles default to private; managers see suitability summaries, never raw chart judgments.

8. Your rights

You can exercise the following rights through Settings → Privacy or by emailing privacy@kaalos.in:

  • Access — request a JSON export of the data we hold about you.
  • Correction — update inaccurate fields, including birth profile precision.
  • Erasure — request deletion of your founder profile, organisation, and derived recommendations.
  • Withdraw consent — for birth-data processing or Google Calendar access at any time.
  • Disconnect Google — revoke KAALOS's access to your Google Calendar from Settings or directly from myaccount.google.com/connections.
  • Grievance redressal — as required under the DPDP Act 2023.

We aim to respond to verifiable requests within 30 days. Some requests (for example, erasure) may require us to keep limited information to comply with our legal obligations or to defend legal claims; we will tell you when this applies.

9. Children

KAALOS is not intended for users under 18. We do not knowingly collect data from children. Team profiles are designed for consenting adult professionals only. If you believe a child has submitted personal data, write to privacy@kaalos.in and we will delete it.

10. Cookies and local storage

KAALOS uses first-party cookies and local storage to keep you signed in and to remember your preferences. We do not embed third-party advertising cookies. Authentication cookies are managed by Supabase Auth on a domain we control.

11. Changes to this policy

We may update this policy as the product evolves. Material changes will be announced in-app and by email to active users. The effective date at the top of this page is updated whenever the document changes substantively.

12. Grievance officer (DPDP)

For grievance redressal under India's Digital Personal Data Protection Act 2023, write to grievance@kaalos.in. Include your name, the email associated with your KAALOS account (if any), and a clear description of the grievance. We will acknowledge within 7 calendar days and resolve within 30.

13. Contact

General privacy questions: privacy@kaalos.in
Postal contact: KAALOS, Ahmedabad, Gujarat, India (full address available on request).

14. Google API limited-use disclosure

KAALOS's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to third parties except as needed to provide or improve user-facing features that are prominent in the requesting application's user interface; we do not use it for serving advertisements; we do not allow humans to read Google user data unless we have your explicit consent for specific messages, are required by law, or it is necessary for security or to comply with our terms; and we do not use Google user data to develop, improve, or train generalised AI/ML models.