Privacy Policy

Effective Date: March 19, 2026

Last Updated: March 19, 2026

Applies to: comaxy.ai and the CoMaxy AI Chrome Extension

1. Who We Are

CoMaxy AI is operated by Kratuva Inc., a Delaware C-Corporation. We build remote team management software that helps businesses understand whether their team members are working their scheduled hours.

Contact: privacy@comaxy.ai

2. What Data We Collect

2.1 Account Data

  • Name and email address
  • Company name
  • Password (hashed and encrypted via Clerk)
  • Billing information (processed by Stripe)

2.2 Activity Data (Chrome Extension)

Collected only during scheduled work hours.

  • Domain name of active browser tab (e.g. github.com)
  • Active browser time (seconds with mouse/keyboard activity)
  • Idle time (seconds with no activity)
  • Break time (manually clicked Take a Break)

NOT collected: screenshots, keystrokes, page content, full URLs, passwords, or data outside work hours.

2.3 Technical Data

  • IP address, browser type, operating system
  • Session tokens and cookie identifiers
  • Log data including access times and API requests

3. Chrome Extension Disclosures

Permissions used:

  • tabs: To read domain name of active tab during tracked session
  • activeTab: To determine which tab is focused
  • storage: To store session tokens and activity cache locally
  • alarms: To schedule 1-minute checks and 5-minute syncs
  • idle: To detect when user has been inactive 60+ seconds

Data is collected only when: user is authenticated, current time is within scheduled shift window, and active tab is not the CoMaxy AI dashboard.

Outside work hours the extension is completely inactive.

4. How We Use Your Data

  • To provide CoMaxy AI and generate adherence reports
  • To authenticate your account and process payments
  • To send transactional emails
  • To improve the product using anonymised aggregate data
  • To comply with applicable laws

5. How We Share Your Data

We do not sell your data. Sub-processors:

  • Supabase: database hosting (AWS US East)
  • Clerk: user authentication
  • Stripe: payment processing (PCI-DSS certified)
  • Netlify: web application hosting
  • PostHog: anonymised product analytics
  • Resend: transactional email delivery

6. Data Retention

  • Account data: duration of subscription plus 90 days
  • Activity data: 12 months by default
  • Billing records: 7 years (US financial requirements)
  • Personal data deleted within 90 days of account deletion

7. Security

  • Data in transit: encrypted using TLS 1.2 or higher
  • Data at rest: encrypted using AES-256
  • Authentication via Clerk with MFA support
  • Row-level security enforces org data isolation

8. Your Rights

Access, correct, delete, or export your personal data.

Email privacy@comaxy.aiwith subject “Privacy Rights Request”.

EU and EEA users may lodge complaints with their local data protection supervisory authority.

9. Cookies

We use cookies for authentication, analytics, and performance. Strictly necessary cookies cannot be disabled. See our Cookie Policy for full details.

10. Children

CoMaxy AI is for business use by individuals 18 and older. We do not knowingly collect data from minors.

11. Changes to This Policy

We may update this policy. Material changes communicated by email. Updated date shown at top of this page.

12. Contact