Privacy Policy

Last updated: May 16, 2026

Vokra AI ("we", "us", or "our") operates Vokra AI (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Service.

1. Information We Collect

1.1 Account and Sign-In Information

When you create or access an account, we collect information needed to identify you and operate your account:

• Email address
• Name
• Password hash if you sign up with email and password
• Connected sign-in provider and provider account identifier if you sign in with Google or GitHub
• Workspace memberships, roles, invitations, and notification preferences

If you use Google sign-in, Vokra AI requests Google profile and email information only to authenticate you, create or link your Vokra AI account, and show your account details in the Service. We do not store Google sign-in access tokens or refresh tokens for ordinary account login.

1.2 Workspace, Agent, and Workflow Data

We collect and store the workspace and agent configuration data you provide, including:

• Workspace names, members, roles, and billing plan information
• Agent names, descriptions, model settings, and system prompts
• Job definitions, schedules, webhook triggers, and job-chain configuration
• Chat threads, human-input responses, and agent execution history
• Agent run messages, tool-call inputs and outputs, status, error details, and token usage metadata

1.3 Credentials, API Keys, and OAuth Tokens

To run agents and integrations, you may choose to store credentials in Vokra AI. These can include:

• LLM provider API keys for providers such as Anthropic, OpenAI, Google AI, Groq, Mistral, AWS Bedrock, Azure OpenAI, Ollama, DeepSeek, Hugging Face, and OpenRouter
• MCP server and integration configuration, including API keys, personal access tokens, headers, database connection settings, and other secrets
• OAuth access tokens, refresh tokens, granted scopes, token expiry, token endpoints, and OAuth client details for connected services

In production, sensitive credentials and stored agent run content are encrypted at rest. OAuth tokens for integrations are linked to the specific agent integration they authorize and are deleted when you disconnect that integration.

1.4 Google Workspace Data

If you connect Google Workspace tools to an agent, Vokra AI requests only the Google OAuth scopes needed by the connector and access level you choose. Current Google connectors may request:

• Gmail scopes for reading Gmail messages and composing or sending drafts and messages
• Google Calendar scopes for reading calendars and events, and creating, updating, or deleting events when enabled
• Google Drive scopes for finding, reading, and managing Drive files and folders when enabled

Depending on your configuration and the task you ask an agent to perform, Google user data processed by Vokra AI may include email metadata and message content, Gmail labels and filters, calendar names and events, Drive file and folder metadata, file contents, and the content of drafts or changes your agent creates. We process this data only when you authorize the connector and use an agent that has access to it.

1.5 Usage, Device, and Diagnostic Data

We automatically collect operational information needed to keep the Service working and secure, including:

• IP address, browser type, device information, and pages or features used
• API requests, agent execution counts, integration usage, and billing usage metrics
• Performance data, application logs, security events, and error reports

1.6 Cookies and Local Storage

We use cookies, browser storage, and similar technologies to maintain sessions, remember preferences, support OAuth flows, and improve Service performance.

2. How We Use Your Information

We use collected information to:

• Provide, operate, secure, and maintain the Service
• Authenticate accounts and manage workspace access
• Execute agents, jobs, chat sessions, schedules, webhooks, and job chains
• Connect agents to LLM providers, MCP servers, and third-party integrations you configure
• Refresh OAuth tokens and maintain authorized integrations until you disconnect them
• Display execution logs, chat history, tool-call history, and audit information in the product
• Process billing, enforce plan limits, and manage subscriptions
• Send service emails such as invitations, password reset messages, security notices, and administrative updates
• Respond to support requests and troubleshoot errors
• Detect, prevent, and investigate fraud, abuse, security incidents, and policy violations
• Comply with legal obligations

3. Google User Data and Limited Use

Vokra AI uses Google user data only to provide or improve user-facing features that you request in the Service. For example, an agent connected to Gmail may read relevant messages to summarize a thread or draft a reply, an agent connected to Google Calendar may read or update events, and an agent connected to Google Drive may find or process files you ask it to use.

Vokra AI does not sell Google user data. Vokra AI does not use Google user data for advertising, retargeting, personalized ads, determining creditworthiness, lending purposes, or training Vokra AI models.

When an agent runs, relevant prompts, instructions, chat messages, and tool results, which may include Google user data if you connected a Google tool, may be sent to the LLM provider you selected for that agent solely to complete the task you requested. Each LLM provider has its own privacy and data processing terms, and you control which provider and credentials are used.

4. Third-Party Data Sharing

4.1 LLM Providers

When your agents execute, prompts, instructions, conversation data, and relevant tool results may be sent to the LLM provider configured for that agent. Supported providers can include Anthropic, OpenAI, Google AI, Groq, Mistral, AWS Bedrock, Azure OpenAI, Ollama, DeepSeek, Hugging Face, and OpenRouter.

4.2 MCP Tools and Integrations

When you connect tools such as Gmail, Google Calendar, Google Drive, GitHub, Slack, Notion, Stripe, Linear, Jira, Confluence, HubSpot, Figma, databases, or custom MCP servers, your agents may send data to or retrieve data from those services according to your configuration and the task being executed.

4.3 Service Providers

We may share data with trusted service providers that help us operate Vokra AI, including:

• Cloud hosting, database, queueing, logging, and infrastructure providers
• Payment processing providers such as Stripe
• Email delivery providers
• Analytics, monitoring, error reporting, and customer support tools

These providers are authorized to use the data only as needed to provide services to us and are expected to protect it under appropriate confidentiality and security obligations.

4.4 Legal Requirements

We may disclose information if required by law, court order, government request, or where necessary to enforce our Terms, protect rights and safety, prevent fraud, or investigate security issues.

5. Data Security

We use administrative, technical, and organizational safeguards designed to protect your data, including:

• HTTPS/TLS for data transmitted to and from the Service
• Encryption at rest for sensitive credentials, OAuth tokens, and stored agent run content in production
• Workspace-level access controls and role-based membership checks
• JWT access tokens, refresh token rotation, and logout invalidation
• Signed OAuth state values and PKCE where supported by the provider
• Webhook verification and token regeneration controls
• Operational logging, monitoring, and security review practices

No method of transmission over the Internet or electronic storage is completely secure. We work to protect your data, but cannot guarantee absolute security.

6. Data Retention and Deletion

We retain data for as long as needed to provide the Service, operate your workspaces, comply with legal obligations, resolve disputes, enforce agreements, and maintain security.

• Account and workspace records are retained while your account or workspace is active, unless deletion is requested or required by law.
• OAuth tokens for connected integrations are retained until you disconnect the integration, remove the agent integration, delete the related workspace data, or request deletion.
• Agent configuration, chat history, execution messages, and tool-call logs are retained to show product history, support debugging, and provide auditability. Product log availability may vary by plan and feature configuration.
• Password reset tokens and short-lived social sign-in exchange codes expire automatically.

You can delete certain agents, jobs, chats, integrations, and credentials in the product. To request account or workspace deletion, contact us using the details below.

7. Your Privacy Rights and Controls

7.1 Access and Portability

You can access account information, workspace data, agent configuration, and execution history through the Service where available. You may also contact us to request a copy of your personal data.

7.2 Correction and Deletion

You can update account profile details and many workspace settings in the product. You can remove stored credentials, disconnect OAuth integrations, and delete product data where the Service provides deletion controls. You may also contact us to request correction or deletion of personal data.

7.3 Opt-Out Rights

You can opt out of non-essential communications by using unsubscribe links where provided or by contacting us. You can also control cookies through your browser settings.

7.4 Do Not Track

We currently do not respond to Do Not Track (DNT) browser signals.

8. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. We use appropriate safeguards for international transfers where required.

9. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us.

10. California Privacy Rights (CCPA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act, including the right to know, access, correct, and delete personal information, and the right not to be discriminated against for exercising privacy rights.

We do not sell your personal information.

11. European Privacy Rights (GDPR)

If you are in the European Economic Area or the United Kingdom, you may have rights to access, rectify, erase, restrict, or port your personal data; object to certain processing; and withdraw consent where processing is based on consent.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and may provide additional notice, such as email notification or an in-product notice.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Email: [email protected]
Data Protection Officer: [email protected]
Website: https://vokra.ai

14. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.