§ Legal

Privacy Policy

What we collect, why we collect it, and what rights you have over your data.

Effective April 20, 2026

1. Who we are

Aktara (“we”, “our”, “us”) operates the Aktara quantitative decision simulator at aktara.ai. This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it.

For privacy inquiries or to exercise your rights, contact us at privacy@aktara.ai.

2. Data we collect

We collect the following categories of personal data:

  • Identity and contact data — your name, email address, and profile image, depending on how you choose to log in (Google OAuth, email one-time code). We do not store passwords.
  • Workspace data — workspace name, industry, business context, team membership, and roles (owner, admin, member, viewer).
  • Simulation inputs — business details, pricing parameters, product catalogues, customer metrics, and decision descriptions you enter when running simulations.
  • Simulation results — the probability distributions, percentile estimates, behavioural flags, and scenario comparisons generated from your inputs.
  • Outcome records — actual results you voluntarily record against past simulations, used to compute your personal calibration (Brier) score.
  • Uploaded files — the financials, customer/team data, and qualitative notes you upload (CSV, XLSX, PDF, JSON, etc.). Stored encrypted at rest; see Section 6 for retention and processing details.
  • Usage data — pages visited, features used, and session duration, collected via server logs.
  • Payment data — billing details are processed directly by Stripe and are never stored on our servers.

3. How we use your data

We use your data only for the following purposes:

  • To authenticate you and maintain your session
  • To run simulations and return results to you
  • To compute and display your personal Brier calibration score
  • To aggregate anonymised outcomes into our benchmark dataset (no personal identifiers are included)
  • To send transactional messages — sign-in codes, billing receipts
  • To investigate abuse, enforce our Terms, and comply with legal obligations

We do not sell your personal data. We do not use your simulation inputs to train models that are shared with other customers without your explicit consent.

4. Legal basis for processing (GDPR)

For users in the EEA, UK, or Switzerland, we process personal data under the following legal bases:

  • Contract — processing your account and simulation data is necessary to deliver the service you signed up for.
  • Legitimate interests — improving the product, preventing abuse, and maintaining security, where these do not override your rights.
  • Consent — for optional analytics or marketing communications, where we ask for it explicitly.
  • Legal obligation — where we are required to process data by law.

5. Third-party processors

We share data with the following sub-processors solely to deliver the service. Each is bound by a data processing agreement and is prohibited from using your data for their own purposes.

ProcessorPurposeData sharedLocation
GoogleOAuth sign-inName, email, Google account IDUSA
NeonPrimary database host (serverless Postgres)All application data — account, workspaces, uploaded files, pilot runs, outcomesUSA
UpstashRedis — rate limiting and transient storage of email sign-in OTP codesEmail address, OTP code (TTL-limited), request IP for rate limitsUSA
ResendTransactional email (OTP codes, receipts, contact form)Email addressUSA
AnthropicAI inference — file classification, analyst chatParsed file contents and descriptions you submit to the chatUSA
OpenAIAI inference — reasoning composer inside the decision engineWorld-model JSON derived from your uploaded dataUSA
InngestBackground job queue for long-running decision runsRun metadata (workspace id, run id); the input payload is durably stored only for the duration of the jobUSA
StripePayment processing (billing only)Billing details (processed directly by Stripe)USA
VercelHosting and edge infrastructureAll data in transit; server logsUSA / Global edge
Vercel BlobObject storage for uploaded filesFiles you upload (CSV, XLSX, PDF, etc.)USA / Global edge

When data is transferred outside the EEA or UK, we rely on the EU Standard Contractual Clauses or an adequacy decision as the transfer mechanism.

6. Uploaded files and model training

All customer data enters Aktara through files you upload directly — financial statements, customer/team data, and qualitative notes. We do not connect to or pull data from any third-party SaaS provider (Stripe, Shopify, QuickBooks, etc.). This is an intentional choice: it keeps you in full control of what we see, and keeps us outside the developer-terms regimes that restrict how AI may use that data.

How we use uploaded data:

  • Per-workspace decision runs — values parsed from your uploads (revenue, headcount, churn, etc.) feed your own decision runs and are never shared with other customers.
  • Model calibration across customers — only bucketed, non-personally- identifiable features derived from your data (e.g., industry vertical, size tier, churn bucket) may be pooled with other customers’ features to tune our model. This happens only when you explicitly opt in under Settings → Training consent (default opt-out). Raw uploaded values are never pooled.
  • Outcome pairs — when you record an actual outcome against a past decision, the pair of (predicted, actual) is used as a calibration signal. This pair contains no raw upload data.
  • Delete an upload — removing a file from the Data tab deletes the stored object and parsed JSON immediately. Derived bucketed features already contributed to past calibration runs cannot be individually withdrawn, but you can email privacy@aktara.ai to request exclusion from future calibration runs.

7. Data retention

We retain your account and simulation data for as long as your account remains active. If you request account deletion, we will remove your personal data within 30 days. Anonymised aggregate benchmark data derived from your simulations may be retained indefinitely as it contains no personal identifiers.

Financial records related to Stripe transactions may be retained for up to 7 years to meet legal and accounting obligations.

8. How to opt out

You can opt out of data collection and processing at any time:

  • Account settings — log in to your account settings and update your user account to manage communication preferences and optional data processing.
  • Delete your account — removing your account stops all data collection. Contact privacy@aktara.ai to request deletion.
  • Email opt-out — unsubscribe via the link in any email we send, or update preferences in account settings.
  • Demo mode — use Aktara without logging in to avoid any personal data being collected.

9. Your rights

Depending on your location, you may have the right to:

  • Access a copy of the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion of your personal data
  • Restrict or object to certain processing
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent for optional processing at any time
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@aktara.ai. We will respond within 30 days. The same address can be used to appeal any decision we make about your request.

10. Cookies

We use strictly necessary session cookies to maintain your signed-in state. These cannot be opted out of while using the service. For full details, see our Cookie Policy.

11. Children's privacy

Aktara is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact privacy@aktara.ai and we will delete it promptly.

12. Security

All data is encrypted in transit using TLS 1.2 or higher. Session tokens are signed with a server-side secret. We perform periodic security reviews and welcome responsible disclosure at security@aktara.ai.

No method of transmission or storage is 100% secure. We will notify affected users without undue delay in the event of a personal data breach.

13. Changes to this policy

We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. The effective date at the top of this page will always reflect the latest version. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

14. Contact

For any questions about this policy: privacy@aktara.ai

For security disclosures: security@aktara.ai

Or use our contact form.