Privacy Policy

Last updated: April 2026

1. Data Controller

Karea is operated by KPilot Labs. For questions about data processing, contact us at [email protected].

2. Data We Collect

  • Account data: name, email address, hashed password, profile picture URL, email verification status, and account role
  • User preferences: UI settings stored as JSON, including display options, sort order, view mode, notification channel preferences, granular notification-type preferences, and productivity widget settings
  • Subscription & trial data: plan tier (free or pro), Stripe customer ID and subscription ID (if you upgrade), trial expiry and grant dates, the reason a trial was granted (signup promo, admin-granted, or student self-claimed), and self-claimed student status
  • Task data: tasks, categories, projects, notes, tags (with colors), deadlines, closing requisites (checklists), task markdown documents, public sharing tokens, task sequence numbers, and associated metadata you create
  • Task history: a detailed audit trail of all field changes on tasks, recording the field name, old value, new value, who made the change, and when
  • Productivity data: if you opt in to hourly check-ins, self-reported focus ratings (focused, okay, or distracted) are stored with timestamps
  • Chat data: AI chat messages, command inputs, AI responses, and a record of actions the AI took on your behalf
  • Team data: team memberships, roles, and invitation records — including the email addresses of people invited to a team who may not yet have a Karea account
  • Notification records: in-app notification history including type, task reference, and read status
  • API keys: key name, permissions (read/write), project scope restrictions, last-used timestamp, and expiry date
  • Bug reports & feedback: title, description, the page URL where the report was submitted, browser user-agent string, report type (bug, feature, or feedback), and admin notes
  • Announcement dismissals: which system announcements you have dismissed and when
  • Resources: files and text documents you upload or create. Text-based resources (code files, markdown, config files) are stored in the database. Binary files (images, PDFs, archives) are encrypted with AES-256-GCM before upload to Cloudflare R2 object storage — the stored content is unreadable without the server-side encryption key
  • Technical data: browser type and IP address, collected for security purposes during requests

3. Legal Basis for Processing

We process your data based on:

  • Contract performance: to provide the task management service you signed up for
  • Legitimate interest: to improve the service, prevent abuse, and maintain security
  • Consent: for optional features like email notifications, browser push notifications, and productivity check-ins

4. Third-Party Services

  • Stripe: payment processor for Pro and Max subscriptions. If you upgrade, your email address and payment information are shared with Stripe to manage billing. See stripe.com/privacy.
  • Cloudflare R2: encrypted object storage for uploaded binary files (images, PDFs, etc.). Files are encrypted with AES-256-GCM on our server before upload — Cloudflare stores only encrypted blobs and cannot read file contents. Text-based files are stored in our database, not on Cloudflare.
  • DeepSeek AI: AI-powered features send your task data to DeepSeek for processing. This includes task titles, descriptions, statuses, notes, category names, assigned user names, closing requisites, tag names, markdown content, and activity history relevant to the request. Passwords and account credentials are never sent.
  • Resend: email delivery service for verification codes, notifications, and recap emails you choose to send.
  • Umami Analytics: self-hosted, cookie-less web analytics at umami.kpilotlabs.com. Collects page views, referrer URLs, browser type, operating system, device type, and country (derived from IP address). No cookies are set, and IP addresses are not stored. Analytics data is aggregated and not linked to individual user accounts.

We do not sell, share, or transfer your data to third parties for advertising or marketing purposes.

5. Public Task Sharing

You can generate a public link to share a specific task. When you do, the task's title, description, status, priority, deadline, assignee, closing requisites, and optionally notes become accessible via that link without authentication. You can revoke a public link at any time from the task detail panel. Revoking the link immediately removes public access.

If you enable anonymous note-posting on a shared task, visitors who leave notes provide a display name and are assigned a random guest token for attribution. This guest identity is also persisted in the visitor's browser localStorage.

6. Resources & File Storage

Resources you create or upload are accessible only to you and to members of the project the resource is linked to (if any). Resources are never shared with third parties or made publicly accessible.

  • Binary files (images, PDFs, archives) are encrypted with AES-256-GCM before being stored on Cloudflare R2. The encryption key is held exclusively on our server. Neither Cloudflare nor anyone with direct bucket access can read file contents.
  • Text-based files (source code, markdown, configuration files) are stored in the database with the same access controls as your task data.
  • Deletion: when you delete a resource, both the database record and the encrypted R2 object (if applicable) are permanently removed.

7. Data Retention

Your data is retained for as long as your account is active. Chat history display is limited to the most recent 25 messages per project in the UI; older messages are retained in the database. API interaction logs, task history records, and productivity check-in data are retained indefinitely while your account is active. You can delete your account and all associated data at any time.

8. Your Rights (GDPR / LOPDGDD)

Under EU and Spanish data protection law, you have the right to:

  • Access: request a copy of all your data
  • Rectification: correct inaccurate data
  • Erasure: delete your account and all data ("right to be forgotten")
  • Portability: export your data in JSON or CSV format
  • Restriction: request limitation of processing
  • Objection: object to certain processing activities

To exercise these rights, use the data export feature in Settings or contact [email protected]. We will respond within 30 days.

9. Cookies & Client-Side Storage

Karea uses essential cookies for authentication (session tokens). We do not use advertising or tracking cookies. Umami, our analytics tool, is cookie-less and does not set any cookies or store personal identifiers.

Karea also uses your browser's localStorage to persist UI preferences (display settings, collapsed sections, hidden stats), guest identity tokens for public task commenting, and other client-side state. localStorage data never leaves your browser unless explicitly submitted.

10. Data Security

We protect your data with: HTTPS encryption in transit, bcrypt password hashing, JWT-based sessions with a 30-day maximum age, role-based access control, AES-256-GCM encryption of uploaded files at rest, and API key authentication for external integrations.

11. Supervisory Authority

You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es or your local EU data protection authority.

12. Changes

We may update this policy. Material changes will be communicated via email or in-app notification.