Privacy Policy — Valkurai

⚠ This policy has been drafted in accordance with the Privacy Act 1988 (Cth) and Australian Privacy Principles. It is pending final legal review before publication. If you have questions about our privacy practices in the interim, contact privacy@valkurai.com.

Overview

Valkurai is a financial governance layer for AI agents. It evaluates payment requests before they reach a payment rail. Valkurai is not a payment processor. It does not store payment card numbers, bank account details, or any financial account credentials. The personal information Valkurai collects is limited to what is necessary to operate the service.

1. Who this policy applies to

This policy applies to:

Operators — organisations and individuals who register AI agents and use the Valkurai API and dashboard
Approvers — individuals designated by Operators to review and approve FLAGGED transactions
Viewers — individuals given read-only access to an Operator's audit log
Visitors to valkurai.com

This policy does not apply to the end users of AI agents — Valkurai does not collect information about the people on whose behalf agents act. Valkurai's contract is with the Operator.

2. What information Valkurai collects

2.1 Account and registration information

Email address — collected when you register an agent. Used for notification delivery, account recovery, and billing communications.
Agent name — a label you provide when registering an agent. Not personal information but associated with your account.
Phone number (optional) — provided if you enable SMS notifications. Used for FLAGGED transaction alerts on Pro and Enterprise plans.
Billing information — name and payment details collected by Stripe on our behalf. Valkurai does not store card numbers. Stripe's privacy policy governs billing data.

2.2 Transaction data

Transaction descriptions — the text your AI agent provides when requesting a payment. Primary input to Gate 3 intent classification.
Vendor names and amounts
Transaction categories and currencies
Transaction outcomes — SAFE, FLAGGED, BLOCKED, or PENDING_APPROVAL
Gate 3 classification results — intent classification, reason, and confidence score

2.3 Approval and decision data

Approver identity — email address of the person who approved or denied a FLAGGED transaction
Approval timestamp
Denial reason (where provided)

This information is the EU AI Act Article 9 compliance evidence. It is stored in the immutable audit log and retained for 10 years.

2.4 Technical and usage data

API request metadata — HTTP headers (excluding raw Agent Key), IP addresses, request timestamps
Framework metadata — the agent framework used (LangChain, CrewAI, OpenAI, Anthropic) if provided
Dashboard usage — pages visited, actions taken (stored in CloudWatch)

3. How Valkurai uses your information

Purpose	Lawful basis	Data used
Providing the Service — evaluating transactions, sending notifications, storing audit records	Contract (necessary to perform the service)	All categories in clause 2
Improving the Service — updating rule engine patterns, improving intent classification accuracy	Legitimate interest / Consent (ToS clause 9)	Aggregate, anonymised transaction data only
Compliance — responding to regulatory requests, OAIC notifications	Legal obligation	As required by the specific obligation
Security — detecting abuse, investigating incidents	Legitimate interest	API request metadata, transaction patterns
Billing and account management	Contract	Email address, billing information

4. Who Valkurai shares information with

Valkurai does not sell personal information. Valkurai shares information only as follows:

Recipient	What is shared	Why	Basis
Amazon Web Services (AWS) ap-southeast-2	All Valkurai data	Infrastructure provider — compute, storage, AI inference, email, SMS, notifications	AWS Data Processing Addendum. AWS SOC 2 Type II certified. Data does not leave ap-southeast-2 at Phase 1.
Stripe Payments Australia Pty Ltd	amountCents, currency only. No personal data. No card data.	Payment execution rail on SAFE outcomes	Stripe's own terms and Privacy Policy. Stripe is an independent data controller for payment data.
Brevo	Operator email address, registration metadata	Operator onboarding and marketing email sequences only	Brevo Data Processing Agreement. EU-based processor.
Regulatory authorities	As legally required	Legal obligation	Privacy Act s16B, court order

5. Data retention

Data category	Retention period	Reason
Transaction audit records (TX)	10 years from creation	EU AI Act Article 9(9) and Australian financial record retention
Approval records	10 years from creation	EU AI Act Article 9 attribution evidence
Account information (email, phone)	Duration of relationship + 2 years	Notification obligations and account recovery
Billing records	7 years	Tax and accounting requirements
API request logs (CloudWatch)	2 years	Security investigation and operational troubleshooting
Idempotency records	24 hours	Functional only — duplicate request prevention

Account closure, data export and erasure

When you close your Valkurai account, your API and dashboard access is revoked immediately. Transaction and approval audit records are retained for 10 years as required by EU AI Act Article 9(9). Within 7 days of closure, a presigned export URL is generated for a complete archive of your audit records. After this window, no further export is provided.

After the 7-day export window closes, approved_by email addresses in approval records are replaced with a one-way PBKDF2-SHA256 hash. This satisfies EU AI Act Art. 9(7) attribution requirements while minimising retained personal data.

Right to erasure (GDPR Art. 17): Submit requests to legal@valkurai.com. During the 10-year retention period, erasure of audit records is refused under Art. 17(3)(b) (legal obligation) and Art. 17(3)(e) (legal claims). A written response stating the legal basis is provided within 30 days.

6. Security

Zero-knowledge Agent Key storage — raw Agent Keys are never stored. Only a cryptographic hash is retained.
Encryption at rest — all DynamoDB data encrypted with AES-256 via AWS KMS.
Encryption in transit — TLS 1.2 minimum, TLS 1.3 preferred, enforced by API Gateway.
Access control — IAM least-privilege for all AWS resources. RBAC in the dashboard.
Audit logging — all infrastructure changes logged in AWS CloudTrail.
Third-party penetration testing — conducted before enterprise customer onboarding and annually thereafter.
SOC 2 Type II — in progress. Report available to enterprise customers on request under NDA.

7. Your rights

Right	How to exercise it	Response time
Access — request a copy of personal information Valkurai holds about you	Email privacy@valkurai.com with your account email	30 days
Correction — request correction of inaccurate personal information	Email privacy@valkurai.com with details of the correction required	30 days
Deletion — request deletion of your personal information	Email privacy@valkurai.com. Note: audit log records are retained for 10 years.	30 days
Withdraw consent — withdraw consent to Aggregate Data use (ToS clause 9)	Email privacy@valkurai.com. Effective prospectively from date of receipt.	Acknowledged within 5 business days
Complaint — lodge a complaint about our privacy practices	Email privacy@valkurai.com first. If unresolved within 30 days, contact OAIC at oaic.gov.au.	30 days for internal review

8. Notifiable Data Breaches

If Valkurai becomes aware of a data breach likely to result in serious harm, Valkurai will notify affected individuals as soon as practicable and notify the OAIC within 72 hours where the breach affects 5,000 or more Australians or is otherwise required by the NDB scheme. A summary will be published on status.valkurai.com.

Note on key storage and breach impact: because Valkurai uses zero-knowledge key storage, a breach of the DynamoDB table does not expose usable Agent Keys. A breach would expose transaction records, approval records, and email addresses.

9. Cookies and website data

Session cookies — strictly necessary for dashboard authentication. Cannot be disabled without losing dashboard access.
No third-party analytics cookies at launch.
No advertising cookies. Valkurai does not run advertising.

10. Children's privacy

The Service is not directed at children under 18. Valkurai does not knowingly collect personal information from children. Contact privacy@valkurai.com if you believe a child has provided personal information.

11. Changes to this policy

Valkurai may update this policy from time to time. Material changes will be notified to Operators by email at least 14 days before the change takes effect.

Privacy contact

Privacy enquiries	privacy@valkurai.com
Organisation	Tech Compass Pty Ltd (ABN 31 632 578 342), trading as Valkurai
Address	103/2 Furzer St, Phillip ACT 2606, Australia
OAIC	oaic.gov.au — 1300 363 992