Kaisah

    Privacy Policy

    Last updated: March 2026

    1. Overview

    Kaisah ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our service. This policy applies to merchants (business owners who sign up) and customers (people who use review links).

    2. Information We Collect

    Merchant Account Information

    • Email address (for authentication and communication)
    • Password (securely hashed, never stored in plain text)
    • Business name, category, and sub-category
    • Google Place ID (for review linking)
    • Referral source (if you signed up through a partner)

    Customer Feedback Data

    • Responses to review questions (anonymous)
    • Generated review text
    • Ratings and feedback selections
    • Optional contact information (email or phone) only when a customer chooses to share it so the business can follow up directly

    Important: Customer review responses are anonymous by default. The only personal information we collect from review-flow customers is the email or phone number they voluntarily provide when they want the business to reach out and follow up. This contact information is shared with the merchant only and is never used for marketing or third-party purposes.

    Compliance posture. Kaisah is designed to comply with Google's review content policies and the FTC Final Rule on Consumer Reviews and Testimonials. Every customer who completes the review flow is offered the option to post their review to Google, regardless of sentiment or rating. Private feedback to the business is always offered in addition to, never instead of, the Google review option.

    Analytics Data

    • QR code scan and link open counts
    • Review completion rates
    • Traffic source information (QR, link, direct)
    • Aggregated usage statistics

    Payment Information

    Payment processing is handled entirely by Razorpay. We store your Razorpay subscription ID and payment status, but we never store credit card numbers, bank account details, or other sensitive payment information on our servers.

    3. How We Use Your Information

    • To provide, maintain, and improve the Service
    • To generate personalized reviews based on customer feedback
    • To display analytics and insights on your dashboard
    • To process payments and manage subscriptions
    • To communicate with you about your account
    • To detect and prevent fraud, abuse, or violations of our Terms

    We do not use your account data, customer feedback, or any data you submit inside the app for advertising, profiling, or selling to third parties. Our public blog displays third-party advertising through Google AdSense, which is described in the Cookies and Advertising section below. AdSense applies only to public blog pages and never has access to your account or in-app data.

    4. Legal Basis for Processing

    We process your data based on:

    • Contract performance: Processing necessary to provide the Service you signed up for
    • Legitimate interest: Analytics, fraud prevention, and service improvement
    • Consent: Where you have given explicit consent (e.g., marketing emails)
    • Legal obligation: Where we are required by law to retain or disclose data

    5. Data Storage and Security

    Your data is stored securely using Supabase, which provides enterprise-grade security including:

    • AES-256 encryption at rest
    • TLS 1.2+ encryption in transit
    • Row Level Security (RLS) policies on all database tables
    • Regular security audits and penetration testing
    • SOC 2 Type II compliance

    Our application enforces additional security measures including rate limiting, Content Security Policy headers, and HSTS.

    6. Sub-processors

    We use the following third-party services to deliver the Service. Each sub-processor only receives the minimum data necessary:

    ProviderPurposeData Shared
    SupabaseDatabase, auth, edge functionsAll account and review data
    OpenAIReview text generationAnonymous question responses only
    RazorpayPayment processingEmail, subscription details
    GooglePlaces API, MapsBusiness search queries, Place IDs
    VercelHosting, CDNAccess logs, IP addresses

    7. Data Retention

    We retain data according to the following schedule:

    • Active accounts: Data is retained for the duration your account is active
    • Deleted accounts: All associated data is permanently deleted within 30 days of account deletion
    • Customer reviews: Retained for the lifetime of the associated merchant account
    • Analytics data: Retained for the lifetime of the associated merchant account
    • Payment records: Retained for 7 years as required by Indian tax and financial regulations
    • Server logs: Automatically purged after 90 days

    8. International Data Transfers

    Our infrastructure providers (Supabase, OpenAI, Vercel) may process data in the United States and other countries. Where data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place through the sub-processor's standard contractual clauses and compliance certifications.

    9. Your Rights

    Depending on your jurisdiction, you may have the following rights:

    • Access: Request a copy of all personal data we hold about you
    • Correction: Request correction of inaccurate data
    • Deletion: Delete your account and all associated data via the Settings page
    • Portability: Request a copy of your data
    • Restriction: Request that we limit processing of your data
    • Objection: Object to processing based on legitimate interest
    • Withdraw consent: Where processing is based on consent, withdraw at any time

    To exercise any of these rights, contact us through our Help page. We will respond within 30 days.

    10. GDPR Compliance (EU/EEA Users)

    If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

    • Right to lodge a complaint with your local data protection authority
    • Right to not be subject to automated decision-making
    • Data processing agreements with all our sub-processors

    Our legal basis for processing EU personal data is described in Section 4 above.

    11. Indian Data Protection (DPDP Act)

    We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India. As a data fiduciary, we process personal data based on consent or legitimate use. You have the right to access, correct, and erase your data as outlined in Section 9.

    12. Cookies, Local Storage, and Advertising

    Inside the app we use only essential cookies and browser local storage for authentication and session management. We do not use tracking or advertising cookies anywhere in the application. Specifically:

    • Authentication tokens: Stored securely by Supabase for session management
    • Theme preference: Stored in localStorage for dark/light mode
    • Referral source: Temporarily stored in localStorage if you arrived via a partner link

    Advertising on our blog (Google AdSense)

    Our public blog is supported by advertising served through Google AdSense. This applies only to public blog pages, not to the app, your dashboard, or the review flow. In connection with these ads:

    • Third-party vendors, including Google, use cookies to serve ads based on a user's prior visits to this and other websites.
    • Google's use of advertising cookies enables it and its partners to serve ads to visitors based on their visit to our site and other sites on the internet.
    • You can opt out of personalized advertising by visiting Google Ads Settings. You can also opt out of third-party vendor cookies at aboutads.info.
    • For more on how Google uses data, see How Google uses information from sites that use its services.

    13. Data Breach Notification

    In the event of a data breach that affects your personal data, we will:

    • Notify affected users within a reasonable timeframe of becoming aware of the breach
    • Report the breach to relevant data protection authorities as required by law
    • Provide details of the breach, the data affected, and steps taken to mitigate it
    • Offer guidance on steps you can take to protect yourself

    14. Children's Privacy

    The Service is not intended for use by children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

    15. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

    16. Contact Us

    If you have questions about this Privacy Policy, wish to exercise your data rights, or have a complaint, please contact us through our Help page.