Privacy Policy

Last updated: March 20, 2026

This Privacy Policy explains how INGI Prosta Spolka Akcyjna ("INGI", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when you use:

  • the KARIANA website available at https://www.kariana.ai (the "Website")
  • the KARIANA plugin and related services for Unreal Engine 5, including associated tools, model integrations, chat interface, documentation, and updates (the "Software")
  • related support, billing, early access, and account services

In this Privacy Policy, the Website, the Software, and related services are referred to together as the "Service".

1. Data Controller

The data controller responsible for your personal data is:

INGI Prosta Spolka Akcyjna (INGI P.S.A.)
Za Cytadela 128
61-659 Poznan, Poland
Email: hello@kariana.ai

2. Scope

This Privacy Policy applies to personal data processed in connection with the Service.

Depending on how you use KARIANA, the additional contractual terms that govern your use of the Software may include:

  • the KARIANA Early Access License Agreement
  • the KARIANA End User License Agreement
  • an order form or enterprise agreement, if applicable

3. Personal Data We Process

3.1 Data you provide directly

We may process the following information that you provide to us:

  • name
  • email address
  • company name
  • account credentials or authentication-related identifiers
  • billing address and tax information
  • support requests, messages, and feedback
  • information submitted when joining a waitlist, demo list, or early access program

3.2 Payment information

Payments are processed by third-party payment providers. We do not store full payment card numbers on our own servers.

We may receive limited billing-related information such as:

  • payment status
  • subscription plan
  • billing contact details
  • invoice and transaction identifiers
  • country and tax-related information

3.3 Data processed to provide the Software

To provide the Software, we may process inputs, instructions, prompts, configuration data, and project-related data that you intentionally send through the Software or connected workflows.

This processing is limited to what is reasonably necessary to provide the requested functionality, generate outputs, secure the Service, troubleshoot reported issues, and comply with law.

Unless expressly stated otherwise in a separate written agreement or product setting, we do not use your prompt content or project content for advertising purposes or to build generalized marketing profiles about you.

3.4 Telemetry, diagnostics, and usage data

We may process technical and usage information about how the Service is used.

| Access type | Telemetry setting | Notes | |---|---|---| | Early Access | Required for participation | Product analytics and diagnostic telemetry are part of the Early Access program | | Paid subscription | Optional and off by default, except strictly necessary service and security logs | Optional telemetry may be enabled by you or your administrator | | Website visitor | Limited website analytics and cookie-based signals, where permitted | Subject to cookie settings where required |

When telemetry or diagnostic logging is active, the data may include:

  • token consumption and request volume
  • number and type of tool or workflow invocations
  • performance metrics such as latency and response times
  • crash reports and error logs
  • feature usage frequency
  • software version and Unreal Engine version
  • device, browser, and operating system information
  • account, workspace, tenant, or subscription identifiers needed to attribute usage securely

3.5 Website usage data

When you visit the Website, we may automatically process information such as:

  • IP address
  • browser type and version
  • device type
  • pages viewed
  • referring URLs
  • date and time of access
  • approximate geolocation derived from IP address
  • cookie and similar technology data

3.6 Data we do not collect for analytics or product training by default

Unless clearly disclosed otherwise and separately enabled by you, we do not intentionally collect or use the following for telemetry analytics or product training:

  • your Unreal Engine project files in their original file form
  • your source code repositories in their original repository form
  • screenshots or screen recordings from your device
  • clipboard data or keystroke recordings
  • prompt content or project content for optional product analytics

This section does not prevent transient processing of inputs that is technically necessary to provide the Service.

4. Purposes of Processing and Legal Bases

If you are in the EEA, UK, or another jurisdiction requiring a legal basis, we rely on the following bases.

| Purpose | Legal basis | |---|---| | Creating and administering accounts | Performance of a contract, Article 6(1)(b) GDPR | | Providing the Website and Software, including processing prompts and project-related inputs you submit | Performance of a contract, Article 6(1)(b) GDPR | | Processing payments, invoices, renewals, and subscription management | Performance of a contract, Article 6(1)(b) GDPR | | Providing support and responding to product inquiries | Performance of a contract or legitimate interests, Article 6(1)(b) and 6(1)(f) GDPR | | Mandatory Early Access telemetry and diagnostic analysis necessary to evaluate, secure, and improve the pre-release service | Performance of a contract and legitimate interests, Article 6(1)(b) and 6(1)(f) GDPR | | Optional telemetry for paid plans | Consent, Article 6(1)(a) GDPR | | Fraud prevention, abuse detection, account security, and service integrity | Legitimate interests, Article 6(1)(f) GDPR | | Internal product improvement based on non-optional operational logs and incident data | Legitimate interests, Article 6(1)(f) GDPR | | Sending service communications, administrative notices, and legal updates | Performance of a contract or legal obligation, Article 6(1)(b) and 6(1)(c) GDPR | | Sending marketing communications | Consent, Article 6(1)(a) GDPR, or legitimate interests where allowed by law | | Compliance with legal, tax, accounting, and regulatory obligations | Legal obligation, Article 6(1)(c) GDPR | | Establishing, exercising, or defending legal claims | Legitimate interests, Article 6(1)(f) GDPR |

Where we rely on legitimate interests, we do so only where those interests are not overridden by your rights and freedoms.

5. Cookies and Similar Technologies

We use cookies and similar technologies on the Website.

5.1 Types of cookies

| Cookie type | Purpose | Default status | |---|---|---| | Strictly necessary | Security, login, session management, fraud prevention, and core Website functionality | Always active | | Preferences | Remembering settings and user choices | Used only where permitted | | Analytics | Understanding Website traffic and performance | Used only with consent where required |

5.2 Consent management

Where required by law, non-essential cookies or similar technologies are activated only after you give consent through our cookie banner or preference center.

You can also control cookies through your browser settings. Blocking certain cookies may affect Website functionality.

5.3 Retention for cookies

Cookie duration depends on the cookie type. Session cookies expire when you close your browser. Persistent cookies remain for a limited period unless deleted earlier by you.

6. How We Share Personal Data

We may share personal data with the following categories of recipients when reasonably necessary:

  • payment processors and billing service providers
  • cloud hosting and infrastructure providers
  • customer support and communications providers
  • email delivery providers
  • analytics providers, where you have consented or where otherwise permitted by law
  • identity, security, fraud prevention, and authentication providers
  • AI model, inference, or workflow providers used to deliver requested Software functionality
  • professional advisers such as lawyers, auditors, and insurers
  • courts, regulators, law enforcement, or public authorities where legally required
  • a buyer, investor, or successor entity in connection with a merger, acquisition, financing, reorganization, or sale of assets

We do not sell your personal data in the ordinary meaning of that term.

7. International Data Transfers

Some recipients that support our Service may be located outside the EEA, UK, or your home jurisdiction.

When we transfer personal data internationally, we use appropriate safeguards where required, such as:

  • adequacy decisions
  • Standard Contractual Clauses
  • the UK International Data Transfer Addendum or similar approved transfer mechanisms
  • additional contractual, organizational, or technical safeguards where appropriate

8. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to comply with legal, tax, accounting, and dispute-resolution obligations.

| Data category | Typical retention period | |---|---| | Account data | For the duration of the account and up to 12 months after closure, unless longer retention is required | | Billing and tax records | For the period required by applicable tax and accounting law | | Support communications | Up to 24 months after the matter is closed, unless longer retention is necessary | | Early Access telemetry and diagnostic logs | Up to 24 months from collection, unless a shorter period is required by law or a longer period is needed for security or dispute purposes | | Optional paid-plan telemetry | Until consent is withdrawn and thereafter for a limited period reasonably necessary to delete, aggregate, or anonymize records | | Website analytics data | Up to 14 months, subject to your cookie settings | | Security logs | For a limited period reasonably necessary to protect the Service, investigate incidents, and prevent abuse | | Marketing consent records | For the duration of consent and for a limited period thereafter to demonstrate compliance |

We may retain data for longer where required to comply with law, resolve disputes, enforce agreements, or establish, exercise, or defend legal claims.

9. Security

We implement appropriate technical and organizational measures designed to protect personal data, including measures such as:

  • encryption in transit
  • access controls and authentication
  • role-based access restrictions where appropriate
  • logging and monitoring for security purposes
  • secure development and incident-response processes
  • contractual safeguards with service providers

No system is completely secure. We cannot guarantee absolute security.

10. Your Rights

Depending on your location, you may have rights that include:

  • access to your personal data
  • rectification of inaccurate data
  • deletion of data
  • restriction of processing
  • objection to processing based on legitimate interests
  • data portability
  • withdrawal of consent at any time where processing is based on consent
  • complaint to a supervisory authority

To exercise your rights, contact us at hello@kariana.ai.

We may ask for information reasonably necessary to verify your identity before responding.

If you are in Poland, you may also contact:

President of the Personal Data Protection Office (UODO)
ul. Stawki 2
00-193 Warsaw, Poland
https://uodo.gov.pl

11. Early Access, NDA Mode, and Deployment Models

11.1 Early Access

If you participate in Early Access, product analytics and diagnostic telemetry are a condition of participation in that program. If you do not agree with that processing, do not use the Early Access version of the Software.

11.2 Paid plans

For paid plans, optional product telemetry is off by default unless you or your administrator enable it. Strictly necessary service, billing, fraud-prevention, and security logs may still be processed regardless of telemetry settings.

11.3 NDA Mode

Where the Software offers an "NDA Mode" or similar privacy-enhanced mode, that mode is designed to reduce retention and disable optional telemetry for the covered session or environment.

Unless otherwise stated in a separate written agreement, NDA Mode means that INGI will not intentionally retain prompt content or project content after the active request or session except where retention is reasonably necessary to:

  • maintain the active connection or workflow
  • provide the requested functionality
  • investigate a security incident or a bug you specifically report
  • comply with law
  • enforce our agreements or protect the Service against abuse

11.4 Your Cloud and Local deployments

If you use a deployment model described as "Your Cloud" or "Local", certain processing may occur within infrastructure that you control or designate. Your own infrastructure, security settings, and third-party providers may then affect how data is processed.

12. Children

The Service is not intended for individuals under the age of 18, and we do not knowingly collect personal data from children under 18.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

If changes are material, we will make reasonable efforts to notify users in advance, such as by:

  • posting the updated version on the Website
  • sending an email to registered users
  • displaying an in-product notice where appropriate

The updated Privacy Policy becomes effective on the date stated at the top, unless a later date is specified.

14. Contact

If you have questions about this Privacy Policy or want to exercise your rights, contact:

INGI Prosta Spolka Akcyjna (INGI P.S.A.)
Za Cytadela 128
61-659 Poznan, Poland
Email: hello@kariana.ai
Website: https://kariana.ai