Karu

Legal

Privacy Policy

Karu helps food businesses turn recipes, purchases, sales and other files into costs, margins and operational decisions. This policy explains what data we process and why.

15 July 2026

1. Data controller

The service operates under the Karu brand and is operated by Caipora Labs.

Address: Porto, Portugal. For privacy questions, contact admin@caiporalabs.com.

2. Data we process

We process account and authentication data such as email, user ID and information needed to keep a session.

When you use the application, we process the data you choose to upload or enter, such as recipes, products, ingredients, suppliers, prices, sales, costs, documents and business settings.

We may also process technical data such as IP address, browser, device, error events and usage, according to your cookie choices.

3. How we use data

We provide, secure and improve Karu; process documents and data into drafts; calculate costs and margins; show alerts and actions; manage accounts, teams, plans and payments; answer support requests; prevent abuse; and meet legal obligations.

AI proposes data and interpretations, while Karu keeps official data behind human review and approval.

4. Legal bases and sharing

We process data when needed to provide the service and perform the contract, meet legal obligations, protect the service and pursue proportionate legitimate interests. We ask for consent where required, including for optional measurement.

We share data only with necessary providers, including Clerk for authentication, Supabase for storage and database, Railway for hosting, Sentry for errors, PostHog and Vercel Analytics for authorised measurement, OpenRouter for AI features where applicable, Lemon Squeezy for payments and Resend for email.

5. Retention and security

We keep data while the account and service relationship require it, or for periods required by law. Exact periods depend on the data type and will be refined in Karu's operational retention policy.

Business owners can download a workspace data export and permanently delete a business from Settings. Archiving is also available as a non-destructive option.

We apply access controls, business-level separation, encryption in transit and proportionate security measures. No online service can guarantee absolute security.

6. Your rights

Depending on the situation, you may request access, correction, deletion, restriction, portability or objection, and withdraw consent. You may also complain to your local data protection authority.

You can export or permanently delete your business workspace from Settings, or contact us through the Contact page. We may reasonably verify your identity.

7. Changes

We may update this policy when the service, providers or legal obligations change. The update date appears at the top of this page. Material changes will be communicated through appropriate channels.