1. Who we are

Kerva Inc. ("Kerva", "we", "us", or "our") operates Vargus, an AI-native QA testing toolchain. The data controller is Kerva Inc., a Delaware corporation. Contact: hello@kerva.com for privacy requests.

2. Information we collect

2.1 Information you provide to us

  • Account data: name, email address, hashed password, or third-party identity provider identifiers (GitHub).
  • Billing data: our payment processor collects payment details, billing address, and tax information; full card numbers are not stored on our systems.
  • Support and communications: messages and attachments you send us are retained for support and product-improvement purposes.

2.2 Information collected automatically

  • Usage and device data: IP address, browser type, operating system, referring URL, pages viewed, and timestamps.
  • CLI telemetry: anonymous, aggregated data on command usage, error classifications, run durations, and environment metadata (e.g. Node.js version). No source code, file contents, test scenarios, environment variables, or application data is included. Disable via VARGUS_TELEMETRY=0.
  • Cookies and similar technologies: first-party cookies for authentication and preferences; no advertising cookies.

2.3 Information from third parties

Profile information you authorise through identity providers (name, email, avatar URL, account ID).

3. How we use your information

  • Provide, operate, maintain, and secure the Service.
  • Create and manage accounts; authenticate users.
  • Process payments and prevent fraud.
  • Respond to support requests and communicate about the Service.
  • Monitor usage, diagnose technical issues, and improve the Service.
  • Send service announcements, security alerts, and administrative messages.
  • With consent, send product updates (unsubscribe always available).
  • Comply with legal obligations, enforce our Terms, and defend our rights.

4. Legal bases for processing (EEA and UK)

  • Contract: to provide the Service or take pre-contractual steps.
  • Legitimate interests: to secure the Service, prevent abuse, understand usage, and improve the Service.
  • Consent: for optional communications and non-essential cookies (withdrawable at any time).
  • Legal obligation: tax, accounting, and statutory compliance.

5. Sharing your information

We do not sell personal data. We share information only in limited circumstances:

5.1 Service providers

Carefully selected processors are bound by data processing agreements:

  • Hosting and infrastructure: Vercel Inc., Amazon Web Services.
  • Authentication: GitHub, Inc.
  • Payments: Stripe, Inc.
  • Email delivery: our transactional email provider.
  • Error monitoring and analytics: privacy-respecting analytics services.
  • AI model providers: Anthropic, PBC processes testing prompts and does not train on API inputs or outputs by default.

5.2 Legal and safety

We may disclose information if required by law, legal process, a valid government request, or to prevent harm, investigate fraud, or protect rights.

5.3 Business transfers

Information may transfer during a merger, acquisition, financing, reorganisation, or asset sale. We will notify users of any such transfer.

6. How AI model providers process your prompts

Vargus sends testing prompts (test scenarios, CLI outputs, system URLs) to Anthropic's API. By default, Anthropic processes API requests only to return a response and does not use them to train its models. You should avoid including sensitive personal data, credentials, or regulated data in test scenarios.

7. Cookies

First-party cookies for authentication and preferences only; no advertising or cross-site tracking cookies. Consent is requested where required by law for non-essential cookies.

8. Data retention

  • Account data: retained during active status plus up to 24 months thereafter.
  • Billing records: retained per tax and accounting laws (typically 7 years).
  • Website and dashboard logs: up to 90 days.
  • Aggregated telemetry: anonymised form, cannot be linked to users.

Data is deleted or irreversibly anonymised when no longer needed.

9. Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete personal data ("right to be forgotten").
  • Restrict or object to processing.
  • Receive a portable copy of your data.
  • Withdraw consent.
  • Lodge a complaint with your local data protection authority.

California residents have CCPA / CPRA rights including the rights to know, delete, correct, and limit the use of sensitive personal information. We do not sell or share personal information. Exercise rights by emailing hello@kerva.com; we respond within the required legal timeframe.

10. International data transfers

Kerva Inc. is based in the United States; service providers are in the US and other countries. Transfers outside the EEA, UK, or Switzerland use Standard Contractual Clauses and the UK International Data Transfer Addendum as safeguards.

11. Security

We use commercially reasonable administrative, technical, and physical protections including encryption in transit and at rest, least-privilege access controls, and continuous monitoring. Contact us immediately if you suspect your account has been compromised.

12. Children's privacy

The Service is intended for professional developers and is not directed at children under 16. Any unknown collection of children's data is unintentional; contact us if this occurs and we will delete the data.

13. Third-party links

The Service may contain links to third-party sites not operated by Kerva. This Privacy Policy does not apply to those sites; please review their privacy policies.

14. Changes to this policy

We may update this policy and will revise the "Last updated" date accordingly. Material changes will be communicated by email or in the Service at least 14 days before they take effect. Continued use of the Service constitutes acceptance.

15. Contact us

Questions about this Privacy Policy or how we handle your personal data: hello@kerva.com.