Privacy
Last updated: 2026-05-04
Kavach is a tool for adults caring for an aging loved one. The documents you upload are deeply personal. We treat them that way.
The short version
- We do not store the documents you upload. They are processed in memory and discarded the moment your care brief is rendered. There is no database row, no S3 object, no backup.
- Before our AI ever sees the document, we strip out names, SSNs, MRNs, phone numbers, addresses, and other obvious identifiers. The redaction happens server-side, in the same request.
- The care brief is yours. It is returned to your browser. We do not keep a copy.
- We do not sell, share, or use your documents to train AI.
What we do collect
We log a small amount of information needed to keep the service running and rate-limit free uploads:
- An anonymous session cookie (kavach_session) that tracks how many uploads you've used this calendar month against the free tier of 3.
- Standard server logs from our hosting providers (Vercel, Cloudflare): timestamp, user-agent, IP address, request path. These are retained for the period our providers retain them (typically 7-30 days) and we use them only for security and uptime.
- File metadata at processing time: page count and byte size. Filename and contents are not stored.
What we send to our AI provider
To generate the care brief, we send the redacted text of your document to Google's Gemini API (the model is Gemini 2.5 Flash). Per Google's paid Generative AI terms, API requests are not used to train Google's models. While Kavach is on the Gemini free tier in early access, requests may be used by Google to improve the model — see Google's Gemini API terms. This is one reason we redact identifying details before any text leaves our servers, and one reason we will move to a paid tier before Kavach goes broadly live.
We also use Vercel for hosting and Cloudflare for DNS. Both may log routine request metadata for security and uptime.
HIPAA — what to know
Kavach in its current early-access version is not a HIPAA-covered service. We have no Business Associate Agreement (BAA) with our AI provider yet. The redaction and non-retention design above is how we keep the risk low — but you should know what we are not, in addition to what we are.
If you are a healthcare professional uploading on behalf of a patient, please do not use Kavach until we publish a HIPAA-compliant tier. Family caregivers uploading their own loved one's documents, with that loved one's permission, are who Kavach is built for.
Your rights
If you are in the EU, UK, California, or other jurisdictions with data-protection laws, you have rights of access, correction, and deletion. Because we do not retain your documents or care briefs, those rights are largely automatic — there is nothing of yours for us to delete after the request finishes. For account-level data (when accounts are introduced) write to hello@shaithilyog.tech.
Children
Kavach is for adults (18+). If you are caring for a minor and want to use Kavach for their records, please write to us before doing so.
Changes
If this policy changes meaningfully, we will update the date above and post a notice on the homepage for 14 days. Continued use after the change date constitutes acceptance.