GDPR & Data Processing

Karl is built to meet the UK GDPR and the EU GDPR. This page sets out how we handle data protection for our business customers. It supplements our Privacy Policy and Cookie Policy.

Last updated: 3 June 2026 (in force)

1. Scope: UK GDPR and EU GDPR

Karl serves businesses in the United Kingdom and Sweden, so both the UK GDPR and the EU GDPR apply to our processing. We apply the same standard of protection to all personal data we handle, regardless of where the customer is based.

2. Our roles: processor and controller

For the personal data you put into Karl, or that Karl collects from your customers on your behalf — enquiries, messages, bookings, reviews, contact records — you are the controller and Karl is your processor. We process that data only on your documented instructions, as set out in our Data Processing Agreement.

For the data about your own relationship with us — your account, billing, and support — Karl is the controller. That processing is described in our Privacy Policy.

3. Data Processing Agreement (DPA)

We make a Data Processing Agreement available to every business customer. It covers the subject matter and duration of processing, the types of personal data and categories of data subjects, our obligations as processor, the security measures we apply, our use of sub-processors, and how we assist you with data-subject requests and breach handling.

To request the current DPA, email hello@getkarl.io.

4. Handling data-subject rights

Where you are the controller, we help you respond to requests from your customers to access, correct, delete, or port their data. On your instruction to delete, we remove the relevant personal data across our active systems — and prompt removal from backups on their normal cycle — within 30 days, unless we are required to retain it by law.

5. Breach notification

If we become aware of a personal data breach affecting data we process for you, we will notify you without undue delay and, where feasible, within 72 hours, with the information you need to meet your own notification duties to a supervisory authority and affected individuals.

6. Sub-processors and change notice

We use vetted sub-processors to deliver the service; they are listed by category in our Privacy Policy, and a named list is available to customers under the DPA. Before adding or replacing a sub-processor that handles your data, we will give you advance notice and a reasonable opportunity to object.

7. International transfers

At launch, data processed by Karl is hosted in the UK and the EEA. Any transfer outside the UK or EEA relies on an adequacy decision or on Standard Contractual Clauses with the UK International Data Transfer Addendum, plus any additional safeguards required. Where this applies, for example providers in the United States or Canada, we keep a record of the transfer mechanism relied on.

8. Security measures

We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls and least-privilege, logging, and supplier due diligence. Our infrastructure runs on established cloud providers that maintain recognised security certifications such as ISO 27001 and SOC 2; Authoricy AB does not currently hold its own independent certification.

9. Sector-specific rules

Karl is used by regulated professions, for example dental and medical practices (CQC; GDC), veterinary practices (RCVS), and legal and accountancy firms (SRA; ICAEW). It is configured to avoid giving regulated advice and to route anything that needs a qualified human to one. Karl supports your compliance; it does not replace your professional obligations.

10. Contact

For any data-protection question, email hello@getkarl.io, marked for our Data Protection lead. You can also complain to the ICO (ico.org.uk) in the UK or IMY (imy.se) in Sweden.
