Data Processing & Your Privacy Choices
How Karl handles personal information for US business customers — our role as a service provider, the Data Processing Addendum, security, and your privacy choices. It supplements our Privacy Policy and Cookie Policy.
1. Business and service provider
For the personal information you put into Karl, or that Karl collects from your customers on your behalf — enquiries, messages, calls, texts, bookings, reviews, contact records — you are the business/controller and Karl is your service provider/processor. We process that information only to provide the service on your documented instructions, and we do not sell it or use it for our own purposes. For your own account and billing data, Karl is the controller (see Privacy Policy).
2. Data Processing Addendum (DPA)
We make a Data Processing Addendum — with CCPA service-provider terms — available to every business customer. It covers the scope and purpose of processing, the categories of personal information and individuals, our obligations, security, our use of sub-processors, and how we assist you with consumer requests and incidents. To request it, email hello@getkarl.io.
3. Handling consumer requests
Where you are the business, we help you respond to your customers' requests to access, correct, delete, or opt out. On your instruction to delete, we remove the relevant personal information across our active systems — and from backups on their normal cycle — within 30 days, unless we are required to keep it by law.
4. SMS and voice
Karl's US plans can send and receive SMS texts and handle phone calls through a Voice AI receptionist. We process this content to deliver the conversations you configure. You remain responsible for the consents and disclosures required by the TCPA and applicable state law for contacting your own customers, and for honoring opt-outs (for example STOP for texts).
5. Sub-processors and change notice
We use vetted sub-processors — including cloud hosting, a marketing-technology platform, analytics, communications and telephony providers, scheduling, and payment processing. They are disclosed by category in our Privacy Policy, and a named list is available under the DPA. We give advance notice before adding or replacing a sub-processor that handles your data.
6. Security
We apply technical and organizational measures appropriate to the risk, including encryption in transit, access controls on a least-privilege basis, logging, and supplier due diligence. Our infrastructure runs on established cloud providers that maintain recognized certifications such as ISO 27001 and SOC 2; Authoricy AB does not currently hold its own independent certification.
7. Incident notification
If we become aware of a security incident affecting personal information we process for you, we will notify you without undue delay and give you the information you need to meet your own notification obligations to regulators and affected individuals.
8. Contact
For any data question, email hello@getkarl.io, attention: Alexander Retzlik. You may also contact your state attorney general.