Karmaflow.ai Data Retention and Usage Policy
Last Updated: June 1, 2026
This Data Retention and Usage Policy ("Policy") explains how Karmaflow Inc. d/b/a Karmaflow.ai ("Karmaflow.ai", "we", "us") retains and uses data on behalf of its customers. It supplements, and should be read together with, the Karmaflow Terms of Service, the Data Processing Addendum (DPA), and the Platform Security Overview. Capitalized terms not defined here have the meanings given in the Terms or the DPA. Where this Policy and the DPA differ on a data-protection matter, the DPA controls.
This Policy describes our default practices. As Controller, the Customer determines the purposes and retention periods for Customer Personal Data and may configure shorter retention or request deletion as described below.
1. Scope
This Policy applies to Customer Data processed through the Services, including:
- User-generated data that you or your end users submit (for example, inputs, prompts, messages, uploaded content, and conversation records).
- Agent-generated data produced by the Services (for example, Outputs, transcripts, summaries, classifications, actions taken, and entries in the audit ledger).
- Derived and analytical data produced by downstream processing (for example, aggregated metrics, structured memory records, knowledge-graph projections, and reporting).
- Operational data generated by running the Services (for example, access logs, audit logs, and diagnostics).
2. Data residency and where data is stored
Primary processing and permanent storage occur in Canada. The platform is hosted on Google Cloud Platform in the Montreal region (northamerica-northeast1). Core databases, application logic, conversation logs, analytics, business intelligence data, audit logs, and access records remain within Canadian infrastructure and are subject to Canadian privacy law (PIPEDA, and Quebec's Law 25 where applicable) by default.
Data residency outside North America is available as a paid option by written agreement and requires appropriate transfer safeguards.
3. Retention by default (in-life)
While your account is active, we retain Customer Data by default and do not delete it on our own initiative or on a fixed schedule. We delete in-life data only when you request it or when you configure a shorter retention window. This applies to user-generated data, agent-generated data, derived and analytical data, and operational logs described in Section 1.
We retain this data by default because it is your working record: the Services include a native CRM and a complete, replayable audit ledger, and you need continuous access to that data to operate. Cross-session memory, compounding intelligence, and analytics all rely on the continuity of the underlying data. Deleting it on our own initiative would remove records you depend on.
Default retention does not override your control. You determine how long data is kept, and you can shorten retention or request deletion at any time as described in Section 4. Post-termination deletion is described in Section 8.
4. Customer control over retention
As Controller, you remain responsible for setting retention periods appropriate to your own legal and regulatory obligations, including data-minimisation and retention-limitation requirements under applicable Data Protection Laws. We provide the following controls:
- Configurable retention windows. You can configure shorter retention for supported data categories so that data is deleted on the schedule you set rather than retained by default.
- Deletion on request. You can request deletion of specified Customer Data, or of an end user's data, and we will action it in the ordinary course, subject to legal retention requirements and backup cycles (Section 9).
- Data subject rights. We assist you in responding to data subject requests (access, correction, deletion, portability, restriction, objection, and opt-out) as set out in the DPA.
- Redaction and minimisation. Where configured, redaction schemas are applied before logging and before write-back to the platform's memory and analytics layers, and identity controls limit what an agent is exposed to for a given task.
5. Processing in the United States (transient only)
Some inference is performed by third-party model and speech providers located in the United States (for example, large language model inference and speech recognition or synthesis). This processing is transient. Data is sent for inference and a result is returned; we do not store it persistently outside Canada.
No persistent storage of Customer Data occurs outside Canada, except to the limited extent required to comply with applicable law or valid legal process (see Section 7). All such transfers are encrypted in transit using TLS 1.3. Our subprocessors are contractually prohibited from storing, retaining, or using Customer Data for model training or any secondary purpose.
6. How we use data
We use Customer Data only to provide, secure, support, and operate the Services for you, and as permitted by the Terms and the DPA. In particular:
- No training of foundation models. We do not use Customer Data, prompts, embeddings, retrieval context, or Outputs to train or improve foundation models, including third-party models. We flow these restrictions down to our subprocessors and model vendors.
- Aggregated and de-identified telemetry. We may use aggregated, de-identified telemetry (for example, volumes, latencies, and error rates) to operate and improve the Services. This data does not identify you, your end users, or any individual.
- No sale or sharing. We do not sell or share Customer Personal Data as those terms are defined under the CCPA/CPRA.
7. Legal holds and law enforcement
We may retain, or process in another location, the minimum amount of Customer Data required to comply with applicable law, regulation, or a valid legal request. Where we are legally permitted to do so, we will notify you of a legally binding request for disclosure, will challenge requests that are unlawful or overbroad, and will disclose only the minimum data required.
8. Retention after termination
When the Services or an applicable subscription or Order Form end, the deletion terms in the Terms of Service (Section 10) and the DPA (Section 3.7) apply:
- You have a 90-day window after expiration or termination to export Customer Data via self-service, or to request one no-cost bulk export by secure transfer.
- After that window, we delete Customer Data and backups within 30 days, except where retention is required by law.
- We provide a deletion certificate on request.
The table below summarises what happens to each category of data through the wind-down stages. All timelines run from the effective date of termination.
| Data category | While account active | Export window (Days 0 to 90) | After export window (within 30 days) |
|---|---|---|---|
| User-generated data (inputs, conversations, uploads) | Retained; deleted only on your request | Available for self-service or bulk export | Deleted, including from backups, unless legally required |
| Agent-generated data (Outputs, transcripts, actions, audit ledger) | Retained; deleted only on your request | Available for export | Deleted, including from backups, unless legally required |
| Derived and analytical data (metrics, memory records, knowledge-graph projections) | Retained; deleted only on your request | Available for export where applicable | Deleted or fully de-identified, unless legally required |
| Operational and access logs | Retained per security needs | Available on request | Deleted on the standard log cycle, unless legally required |
| Aggregated, de-identified data (non-identifying) | Retained | Not applicable | May be retained, as it does not identify any person |
| Backups | Encrypted, retained on a rolling cycle; not deleted on our initiative while active | Not separately exportable | Purged as backups age out of the rolling cycle |
While your account is active, we do not delete Customer Data on our own initiative; we act on your deletion requests and your configured retention settings. Where a legal hold or valid legal process requires retention, the minimum necessary data is preserved for the required period and deleted once the obligation ends. Backups are not individually editable; a pending deletion is applied to active systems promptly and to residual backup copies as those backups age out of the rolling cycle.
9. Backups
We maintain encrypted backups for resilience and disaster recovery within our Canadian Google Cloud environment, on a daily and weekly cadence. Backups are retained on a rolling basis and are overwritten or deleted in the ordinary backup cycle; the longest-lived backup containing Customer Data ages out within 30 days. A deletion request is applied to active systems promptly; residual copies in backups are removed as those backups age out of the rolling cycle, which may take up to 30 days. Restored data is re-subjected to any deletion requests that were pending at the time of backup.
10. Subprocessor retention
Each subprocessor temporarily retains operational logs (for example, transactional metadata, delivery records, or session diagnostics) for a period defined by its own retention policy. You are entitled to request access to, or a copy of, logs pertaining to your account at any time.
Our model-inference subprocessors retain prompts and responses for a limited period for abuse monitoring and to meet their own legal, security, and policy-enforcement obligations, after which the data is deleted unless a longer period is required by law. We require by contract that these subprocessors not store, retain, or use Customer Data for model training or any secondary purpose, and that any disclosure to a public authority be limited to what is compelled by valid legal process and to the minimum data required. The current published windows are:
| Subprocessor | Function | Published retention window |
|---|---|---|
| OpenAI | Large language model inference | Up to 30 days for abuse monitoring, then deleted unless a longer period is required by law |
| Anthropic (Claude) | Large language model inference | Not retained by default for most API features; where retained, up to 30 days, and longer only where content is flagged for a policy violation or where required by law |
| Google (Gemini) | Large language model inference | Up to 55 days for abuse monitoring, then deleted unless a longer period is required by law |
These windows are current as of June 1, 2026 and follow each provider's then-current published policy, which may change. Several subprocessors support reduced or zero-retention arrangements; customers with heightened compliance requirements may request a shortened period, and we will facilitate that request on their behalf. Our current subprocessors are listed at karmaflow.ai/sub-processors.
11. Changes to this Policy
We may update this Policy from time to time. For material changes that adversely affect your rights or obligations, we will provide advance notice as described in the Terms. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
12. Contact
Questions about this Policy, or requests relating to retention, deletion, or data subject rights, can be sent to legal@karmaflow.ai. Security documentation and review requests can be sent to security@karmaflow.ai.
