Privacy Policy

Last updated 5 May 2026

This privacy policy explains how Hana — Kura Cares AI Assistant(“Hana”, “the App”, “we”, “us”), provided by McCall IT Solutions Limited (Auckland, New Zealand), accesses, uses, stores, and shares information when authorised users at Kura Cares connect a Google account to the App.

The App is an internal tool used by staff at Kura Cares to assist with day-to-day administration: searching email, browsing Google Drive, drafting replies, scheduling calendar events, and triaging the inbox. All actions that modify Google data require explicit human approval inside the App before they execute.

1. What Google data we access

When you connect your Google account, you are asked to grant a specific set of OAuth scopes. We only request scopes the App actually uses:

userinfo.email — to identify which Google account is connected.
gmail.readonly — to read messages so Hana can answer questions about your inbox.
gmail.modify (when read/write mode is enabled) — to create drafts and send replies on your behalf after you approve them in the App.
drive.readonly — to list and read files you choose to surface to Hana.
drive.file (when read/write mode is enabled) — to edit, move, or rename files you have explicitly opened with the App.
calendar (when read/write mode is enabled) — to create, update, or cancel calendar events after you approve them in the App.

We do not request scopes for contacts, photos, location data, or any other Google service. You can revoke access at any time at myaccount.google.com/permissions, or by clicking Disconnectin the App’s Settings page.

2. How we use the data

To answer questions you ask the assistant about your own Gmail / Drive / Calendar data.
To draft proposed actions (email replies, file edits, calendar invites, follow-up tasks) which the App queues in a human-in-the-loop approval list. Nothing is sent or changed in your Google account until you click Approve in the App.
To support proactive inbox triage — periodically scanning recent unread email and proposing follow-ups — when explicitly enabled by an administrator. This feature is off by default.

We do not use Google data for advertising, profiling, training models for unrelated customers, or any purpose other than operating the App for you.

3. AI processing

To generate replies, summaries, and triage decisions, the App sends relevant excerpts of Google data to Anthropic’s Claude API as transient prompts. Anthropic processes the data only to return a model response and does not retain prompts for training when used through their API. See Anthropic’s privacy policy for details.

4. Storage and retention

OAuth tokens (access + refresh) are stored encrypted at rest in our managed Postgres database (Supabase, region ap-southeast-2) and are used only to make Google API calls on your behalf.
We do not maintain a copy of your Gmail messages, Drive files, or Calendar events beyond what is necessary to render the current assistant response. Excerpts that appear in conversation history persist only as part of the App’s normal conversation logs.
Audit logs (which actions were proposed, approved, and executed) are retained for operational and compliance purposes for the lifetime of the account.
When you click Disconnect, the App revokes the token with Google and deletes the stored token row. Deleting an account additionally removes audit history within 30 days.

5. Sharing

We do not sell your data. The only third parties that receive Google data are infrastructure providers acting as data processors on our behalf:

Google — the source of the data, accessed via the official APIs.
Anthropic — for transient AI inference (see §3).
Supabase — managed Postgres host (region ap-southeast-2).
Vercel — application hosting.
Clerk — user authentication.

We disclose data only when required by law or with your explicit consent.

6. Your rights

Under the New Zealand Privacy Act 2020 (and equivalent overseas regulations), you may request access to, correction of, or deletion of personal information we hold about you. Contact us at support@kuracares.org to exercise these rights.

7. Google API Services User Data Policy

Hana’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

8. Changes to this policy

Material changes will be posted at this URL with an updated “Last updated” date. For substantial changes affecting how Google data is used, we will additionally require you to re-grant consent before continuing.

9. Contact

Questions or concerns about this policy or Hana’s handling of your Google data: support@kuracares.org.