Privacy Policy
TL;DR
1. Overview
This Privacy Policy explains how KALAI ("we", "us", "our") handles information in connection with CorvusTunnel, a self-hosted AI agent control tool and relay service.
The short version: we don't collect personal data through the software or the relay service. CorvusTunnel is designed with privacy as a core principle.
2. The Software (Self-Hosted)
CorvusTunnel runs entirely on your own machine. We have no access to:
- Your prompts, agent responses, or file contents
- Your terminal I/O or code
- Your configuration, tokens, or keys
- Any data processed by AI agents under your control
The software does not "phone home" or transmit telemetry, analytics, or usage data to KALAI or any third party.
3. The Relay Service (roost.corvustunnel.com)
The relay service at roost.corvustunnel.com facilitates real-time communication between your local CorvusTunnel server and your mobile client. Here's what the relay processes:
| Data | Stored? | Details |
|---|---|---|
| Session IDs | Ephemeral | Random identifiers, auto-deleted after 2-hour TTL |
| Message content | Never | All content is E2E encrypted — relay cannot read it |
| IP addresses | Never | Not logged or stored |
| User accounts | N/A | No accounts exist — the relay is anonymous |
| Encryption keys | Never | Keys are exchanged directly via QR code, never through relay |
Zero-Knowledge Architecture: All message content passing through the relay is encrypted with NaCl SecretBox (XSalsa20-Poly1305). The relay never possesses the encryption keys and therefore cannot read, analyze, or store any user content. It is cryptographically impossible for the relay to access your data.
4. End-to-End Encryption
CorvusTunnel uses strong, modern encryption:
- Key exchange: X25519 Diffie-Hellman, delivered via QR code (never through the relay)
- Message encryption: NaCl SecretBox (XSalsa20-Poly1305)
- What's encrypted: All user prompts, agent responses, file contents, terminal I/O
The relay sees only opaque, encrypted blobs. It cannot distinguish a code review from a file upload.
5. Audit Logs
CorvusTunnel generates audit logs of all operations (prompts sent, outputs received, approvals given). These logs:
- Exist only on your own machine, in the
./logs/directory - Are stored in JSONL format for easy parsing
- Are never transmitted to KALAI or any third party
- Are entirely under your control — you can delete them at any time
6. Website Analytics
The CorvusTunnel website (corvustunnel.com) does not use any analytics, tracking pixels, cookies, or third-party scripts. We do not track visitors in any way.
7. Third-Party Services
CorvusTunnel does not share data with any third-party services. The only external service connections are:
- Google Fonts: Loaded on the website for typography (subject to Google's Privacy Policy)
- Cloudflare: Optional tunnel service for self-hosted deployments (subject to Cloudflare's Privacy Policy)
8. GDPR & KVKK Compliance
General Data Protection Regulation (GDPR)
Since CorvusTunnel does not collect, process, or store personal data, the GDPR obligations typically associated with data controllers or processors do not apply in practice. We hold no personal data to protect, restrict, or delete.
KVKK (Kişisel Verilerin Korunması Kanunu)
Under the Turkish Personal Data Protection Law (Law No. 6698, "KVKK"), KALAI confirms:
- We do not collect or process personal data through CorvusTunnel
- The relay service processes only anonymous, ephemeral session identifiers
- No personal data is transferred domestically or internationally
- No personal data is stored on any KALAI systems
9. Your Rights Under KVKK
Under Article 11 of the KVKK, you have the right to:
- Learn whether your personal data is processed
- Request information about processing if your data has been processed
- Learn the purpose of processing and whether data is used in accordance with its purpose
- Know the third parties to whom your personal data has been transferred
- Request rectification if personal data is incomplete or inaccurate
- Request deletion or destruction of personal data
- Request notification of the above to third parties
- Object to results that arise exclusively from automated processing
- Claim compensation for damages arising from unlawful processing
Since we do not hold any personal data, any request under these rights will be answered with confirmation that no personal data exists in our systems.
To exercise your rights, contact: privacy@kalai-tech.com
10. Children's Privacy
CorvusTunnel is a developer tool and is not directed at children under 16. We do not knowingly collect any information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Since we don't collect personal data, we have no way to notify you directly — please check this page periodically.
12. Contact
For privacy-related inquiries:
KALAI — Data Protection
Email: privacy@kalai-tech.com
Web: kalai-tech.com
For general legal inquiries: legal@kalai-tech.com