Privacy Policy

2.1 Customer Account Data

When you register for or use KarmaCX Services, we collect:

• Name, email address, phone number
• Company name, address, billing details, VAT number
• Login credentials and authentication data
• Account preferences and settings

2.2 Customer Data (Processed on Your Behalf)

When you use our Services to interact with your end-user customers, we process the following categories of data on your behalf:

• Customer messages, chat transcripts, email correspondence, and voice transcripts
• Metadata such as timestamps, IP addresses, device identifiers, session identifiers, and geolocation data
• Customer identifiers (names, email addresses, phone numbers, account identifiers) as provided by you or collected via your integrations
• Any personal data you upload, transmit, or store through the Services, including via knowledge bases, APIs, or integrations
• In limited cases where you enable features requiring it: health-related data or other special categories of data (processed only with appropriate legal safeguards)

2.3 Usage and Technical Data

• Log data, API calls, request/response metadata, performance metrics
• Browser type, operating system, device type, IP address, referrer URLs
• Cookies and similar tracking technologies (see Section 13)
• Analytics data regarding feature usage, session duration, and user interactions

3.1 Service Delivery

• Provide, maintain, and improve the Services
• Process customer support interactions and generate AI-powered responses
• Manage user authentication, access control, and account administration
• Provide human-in-the-loop review and escalation features

3.2 Business Operations

• Process billing, invoicing, and payment transactions
• Communicate with you regarding service updates, invoices, support, and account management
• Respond to inquiries and provide customer support

3.3 Analytics and Improvement

• Analyse usage patterns and system performance
• Improve AI model accuracy and service features
• Detect, prevent, and respond to fraud, abuse, security risks, and technical issues

3.4 Legal and Compliance

• Comply with applicable laws, regulations, legal processes, or enforceable governmental requests
• Enforce our Terms of Service and other agreements
• Protect the rights, property, or safety of KarmaCX, our users, or the public

5.1 Subprocessors

• AI model providers: OpenAI, Anthropic, Google (Gemini) for AI inference and processing under strict data protection agreements that prohibit use of Customer Data for training general-purpose models
• Cloud infrastructure providers: For hosting, storage, and compute services (e.g., AWS, Google Cloud, Azure)
• Payment processors: For billing, invoicing, and payment processing
• Analytics and monitoring services: For system performance, error tracking, and service improvement

All subprocessors are bound by data protection agreements consistent with GDPR requirements, including Standard Contractual Clauses where applicable.

5.2 Legal and Regulatory Disclosures

We may disclose personal data to legal and regulatory authorities, law enforcement, courts, or other third parties where required or permitted by law, including to comply with legal obligations, enforce our rights, or protect the safety of our users or the public.

5.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy.

6.1 Customer Account Data

Retained for the duration of your account and for a reasonable period thereafter to comply with legal, tax, and accounting obligations (typically up to seven years).

6.2 Customer Data

Retained according to your instructions, for the duration of your subscription, and for a limited recovery period following termination (typically thirty days). You may request earlier deletion or export of your data.

6.3 Usage and Technical Data

Retained for the period necessary to operate, maintain, and improve the Services, typically up to twenty-four months, unless longer retention is required by law or for security purposes.

7.1 Encryption Architecture

• Encryption in transit: All data transmitted between clients and KarmaCX infrastructure is encrypted using TLS 1.2 or higher
• Encryption at rest: All stored data, including Customer Data and personal data, is encrypted using AES-256 encryption or equivalent
• Key management: Encryption keys are managed using industry-standard key management systems with strict access controls

7.2 Data Masking and Controlled Unmasking

To protect sensitive personal data from exposure, KarmaCX implements data masking and controlled unmasking mechanisms:

• Automatic masking: Sensitive fields such as email addresses, phone numbers, and other personally identifiable information are automatically masked in logs, analytics, and user interfaces accessible to KarmaCX personnel
• Controlled unmasking: Access to unmasked data is restricted to authorised personnel with a legitimate business need and is subject to role-based access controls, audit logging, and time-limited access grants
• Audit trails: All unmasking actions are logged and reviewed regularly to ensure compliance with internal policies and data protection laws

These measures ensure that personal data is visible only when necessary for service delivery, support, or compliance, and that such access is traceable and accountable.

7.3 Additional Technical and Organisational Measures

• Secure authentication mechanisms, including multi-factor authentication (MFA) for administrative access
• Role-based access controls (RBAC) and principle of least privilege
• Regular security testing, vulnerability assessments, and penetration testing
• Logging, monitoring, intrusion detection, and automated threat response
• Staff training on data protection, security, and confidentiality
• Confidentiality agreements with employees, contractors, and subprocessors
• Incident response and breach notification procedures
• Regular audits, compliance reviews, and third-party assessments

7.4 Breach Notification

In the event of a personal data breach, KarmaCX will notify affected customers and, where required, supervisory authorities within seventy-two (72) hours of becoming aware of the breach, in accordance with GDPR Article 33 and other applicable laws.

9.1 Your California Rights

• Right to Know: Request disclosure of personal information collected, used, disclosed, or sold in the past 12 months
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the sale or sharing of personal information (we do not sell personal information)
• Right to Limit: Limit use and disclosure of sensitive personal information
• Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

9.2 Categories of Personal Information

We collect and process the following categories of personal information:

• Identifiers (name, email, IP address)
• Commercial information (purchase history, billing records)
• Internet/network activity (browsing history, interactions with our service)
• Professional information (company name, job title)
• Inferences (preferences, characteristics derived from your activity)

9.3 Exercising California Rights

To exercise your California privacy rights, contact us at support@karma-bot.comwith "California Privacy Request" in the subject line. We will verify your identity and respond within 45 days. You may designate an authorized agent to make requests on your behalf by providing written authorization.

Notice: We do not sell personal information and have not sold personal information in the past 12 months. We do not share personal information for cross-context behavioral advertising.

11.1 AI System Classification

Our AI system is classified as a limited-risk AI system under the EU AI Act. It generates customer support responses and requires transparency obligations but is not considered high-risk.

11.2 AI Processing Details

• Purpose: Automated customer support response generation and conversation management
• AI Providers: OpenAI (GPT models), Anthropic (Claude models)
• Training Data: AI models are pre-trained by providers; your data is NOT used to train models for other customers
• Human Oversight: Optional approval workflows available; confidence thresholds for automated responses
• Limitations: AI may produce inaccurate responses; human escalation available for complex queries
• Transparency: End users can be notified they are interacting with an AI system

11.3 AI Accuracy and Limitations

While our AI achieves high accuracy on common support queries, it may occasionally produce incorrect or inappropriate responses. We implement confidence scoring, approval workflows, and human escalation to mitigate these risks. You maintain full control over whether AI responses are automatically sent or require human review.

14.1 Cookie Categories

• Essential cookies: Required for website functionality (authentication, security)
• Analytics cookies: Google Analytics, Vercel Analytics (with IP anonymization)
• Preference cookies: Remember your settings and preferences

14.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect website functionality. For analytics cookies, you can opt-out through our cookie consent banner or browser settings.