1. Introduction
Karooli.ai Private Limited ("Karooli.ai", "we", "us", "our") operates the Vesspr service. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use Vesspr, and describes your rights as a data subject.
Karooli.ai is the data controller in respect of personal data processed through Vesspr. For users in the European Economic Area (EEA) and United Kingdom, Karooli.ai processes personal data in accordance with the General Data Protection Regulation (GDPR) and UK GDPR respectively. For users in India, Karooli.ai processes personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), as it comes into force.
Please read this Privacy Policy carefully. By using Vesspr, you acknowledge that you have read and understood how we handle your personal data.
NOTE: Vesspr handles emotional and personal conversations. This data is sensitive. We treat it accordingly. We will never sell your data. We will never use it for advertising. Memory is a product feature, not a data asset. Your conversations are yours. Our commitment to your privacy is structural, not aspirational.
2. Data We Collect
2.1 Data You Provide Directly
When you register for or use Vesspr, we collect:
- Account & Onboarding Data: Your name (or preferred name), email address, timezone, general location (city/region), life situation information (living arrangement, occupation status), and preferences you set during onboarding.
- Payment Data: Billing details processed by our payment processor. We do not store full card numbers or banking credentials on our servers.
- Conversation Content: All messages you send to and receive from Vesspr. This forms the basis of the memory system.
- Feedback and Support: Any communications you send to our support or legal team.
2.2 Data Generated Through Use (Memory System)
Vesspr's core functionality depends on a four-layer memory architecture. Data across these layers is generated from your conversations and onboarding:
- Profile Memory: Stable, explicit preferences and settings. Fully visible and editable by you at all times.
- Fact Memory: Factual information about your life that you share in conversation (e.g., relationships, goals, recurring situations). We surface this for your periodic review and you may delete any item.
- Emotional Memory: Behavioural and emotional patterns inferred from your conversation history (e.g., recurring emotional states, avoidance patterns, conversational habits). This layer operates to make Vesspr more contextually aware. A summary is available on request. You may request deletion.
- Thread Memory: Time-stamped records of unresolved conversational threads flagged for follow-up (e.g., an upcoming event you mentioned). These expire automatically within defined periods and can be deleted by you.
2.3 Automatically Collected Technical Data
When you use Vesspr's web interface for onboarding and account management, we may collect:
- Device type and operating system;
- Browser type and version;
- IP address (used for fraud prevention and regional compliance, not persistent tracking);
- Session timestamps and general usage patterns.
We do not use tracking pixels, behavioural advertising cookies, or cross-site tracking of any kind. We use strictly necessary cookies for session management and security.
2.4 Data from Third-Party Platforms
When you connect Vesspr through WhatsApp or Telegram, these platforms transmit your messages to our systems. We do not receive your full WhatsApp or Telegram account profile beyond what is necessary to deliver the Service (typically your phone number or Telegram user ID). Your use of these platforms is separately governed by their own privacy policies.
2.5 Data We Do Not Collect
We do not:
- Collect precise GPS location data;
- Access your contacts, call logs, or other apps on your device;
- Use your data for advertising purposes of any kind;
- Sell your data to third parties;
- Use your conversation content to train third-party AI models (see Section 5 for details on internal model improvement).
3. Legal Bases for Processing (GDPR / UK GDPR)
For users in the EEA and United Kingdom, our legal bases for processing personal data are:
Under India's DPDP Act, our processing of your data is based on: (a) the consent you give at registration; and (b) legitimate uses as defined under the Act, including fulfilment of the service you have contracted for.
4. Sensitive Personal Data
By its nature, Vesspr may receive or infer personal data relating to your mental health, emotional state, relationships, and other sensitive personal matters through your conversations. Under the GDPR, such data may constitute special categories of personal data (in particular, health data). Under the DPDP Act, we treat this data with heightened care as sensitive personal data.
We process this data:
- Only to the extent necessary to deliver the Vesspr Service;
- In accordance with your explicit consent given at onboarding;
- Never for advertising, profiling, or any purpose other than operating and improving the Service;
- With encryption at rest and in transit;
- Subject to strict internal access controls.
You may withdraw consent to the processing of sensitive personal data at any time by deleting your account. Note that withdrawal of consent will make it impossible to continue providing the Service.
5. How We Use Your Data
We use your personal data exclusively for the following purposes:
- Service Delivery: Providing the Vesspr conversational experience, including memory retrieval, proactive message generation, and archetype response generation.
- Account Management: Creating, maintaining, and securing your account; processing payments; sending transactional communications.
- Safety and Moderation: Detecting and responding to harmful, abusive, or illegal content; monitoring for crisis signals in accordance with our safety protocols; conducting human review of flagged conversations in the early service period.
- Service Improvement: Analysing aggregated and anonymised usage patterns to improve the Service. Where we use conversation content to improve our models, this is done on pseudonymised data, and you may opt out by contacting privacy@karooli.ai.
- Legal Compliance: Responding to lawful government requests; enforcing our Terms; resolving disputes.
- Communications: Sending you material service updates, security alerts, and, where you have opted in, product news.
We do not use your data for:
- Targeted advertising of any kind;
- Sale to third parties;
- Building profiles for purposes unrelated to the Service;
- Training third-party AI models.
6. Sharing Your Data
6.1 Service Providers
We share your data with carefully vetted third-party service providers who process data on our behalf and under our instructions. These include:
- Cloud Infrastructure: For hosting, storage, and database services. Data is stored in geographically appropriate regions.
- AI / LLM Providers: Large language model providers whose APIs power conversation generation. Data shared is limited to what is necessary for response generation. Providers are contractually bound to not use your data to train their own models.
- Payment Processors: For secure payment handling. Payment data is handled under PCI-DSS compliant conditions.
- Customer Support Tools: For managing support requests.
All service providers are required to maintain adequate security standards and to process your data only for the purposes specified by Karooli.ai.
6.2 Legal Requirements
We may disclose your data if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation or lawful government request; (b) protect the rights, property, or safety of Karooli.ai, our users, or the public; (c) enforce these Terms.
We will notify you of any such disclosure to the extent permitted by law.
6.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of Karooli.ai's assets, your personal data may be transferred to the acquiring entity. You will be notified of any such transfer and of any changes to the applicable privacy terms, with the option to delete your account prior to the transfer taking effect.
6.4 No Sale of Data
Karooli.ai will never sell, rent, or lease your personal data to any third party. This is a non-negotiable commitment.
7. International Data Transfers
Karooli.ai is incorporated in India. If you are located in a jurisdiction with data transfer restrictions (such as the EEA or UK), your personal data may be transferred to and processed in India and potentially other countries.
Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable;
- Adequacy decisions, where available;
- Other lawful transfer mechanisms as recognised by applicable law.
You may request information about the specific safeguards governing any transfer of your data by contacting privacy@karooli.ai.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
Where you exercise your right to erasure (see Section 9), we will delete your data within 30 days, unless retention is required by law.
9. Your Rights
9.1 Rights Under GDPR / UK GDPR (EEA and UK Users)
If you are located in the EEA or UK, you have the following rights:
- Right of Access: You may request a copy of the personal data we hold about you, including a memory summary.
- Right to Rectification: You may correct inaccurate or incomplete personal data.
- Right to Erasure: You may request deletion of your personal data. We will comply within 30 days except where retention is required by law.
- Right to Restriction: You may request that we restrict processing of your data in certain circumstances.
- Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format.
- Right to Object: You may object to processing based on legitimate interests.
- Rights related to Automated Decision-Making: Vesspr uses AI to generate responses and initiate contact. You have the right not to be subject to decisions that produce legal or similarly significant effects based solely on automated processing. Vesspr's initiations are contextual features, not significant legal decisions.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.
9.2 Rights Under DPDP Act (Indian Users)
If you are located in India, you have the following rights under the DPDP Act:
- Right to Access: The right to a summary of personal data processed and the processing activities.
- Right to Correction and Erasure: The right to correct inaccurate data and to erase data no longer necessary for the purpose it was collected.
- Right to Grievance Redressal: The right to have grievances addressed within defined timelines.
- Right to Nominate: The right to nominate an individual to exercise your rights on your behalf in the event of your incapacity.
9.3 How to Exercise Your Rights
To exercise any of the above rights, contact privacy@karooli.ai with your full name, account email, and the specific right you wish to exercise. We will respond within 30 days (or such shorter period as required by applicable law). We may ask for verification of your identity before processing your request.
If you are an EEA user and believe we have not resolved your complaint satisfactorily, you have the right to lodge a complaint with your national supervisory authority.
10. Security
Karooli.ai implements technical and organisational security measures appropriate to the sensitivity of the data we process. These include:
- End-to-end encryption of conversations in transit;
- Encryption of all personal data and memory data at rest using industry-standard protocols;
- Strict internal access controls — only a minimal set of authorised personnel have access to personal data, on a need-to-know basis;
- Regular security assessments and penetration testing;
- Incident response procedures with user notification obligations.
No security system is impenetrable. In the unlikely event of a data breach affecting your rights and freedoms, we will notify you and relevant authorities as required by applicable law.
You also play a role in security. Please use a strong, unique password for your account and do not share access with others.
11. Cookies and Tracking
Vesspr's web interface (used for onboarding and account management) uses a limited set of cookies:
The Vesspr service as delivered through WhatsApp and Telegram does not use browser cookies.
12. Children's Privacy
Vesspr is not directed at, and does not knowingly collect personal data from, individuals under 18 years of age. If we become aware that a user is under 18, we will immediately suspend the account and delete all associated personal data.
If you are a parent or guardian and believe your child has used Vesspr, please contact privacy@karooli.ai immediately.
13. Mental Health Data — Special Commitments
We recognise that users may share information of a deeply personal and sensitive nature, including information relating to mental health, trauma, grief, relationships, and emotional states. We make the following specific commitments with respect to this data:
- We will never sell or monetise mental health-related data in any form;
- We will never use mental health-related data for insurance underwriting, employment screening, credit scoring, or any other consequential purpose;
- We will never share mental health-related data with law enforcement except where we are legally required to do so, or where there is an imminent risk to life;
- We will conduct human safety review of conversations flagged for crisis signals only for the purpose of user safety, and such reviewers are bound by strict confidentiality obligations;
- Emotional Memory data is used only to improve the quality of your Vesspr experience and is not disclosed to any third party.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our practices, or our service. Where changes are material, we will notify you at least 30 days in advance via email or in-app notification. The "Last Updated" date at the top of this document indicates when the most recent revision was made.
Your continued use of Vesspr after the effective date of any revised Privacy Policy constitutes your acceptance of the revised terms.
15. Contact and Data Protection
For all privacy-related enquiries, requests, or complaints: