Privacy Policy

2.1 Personal Information You Provide

• Contact information: name, email address, company name, phone number
• Account information: login credentials, user preferences, security settings
• Communication data: messages sent through contact forms, support tickets, emails
• Demo interactions: inputs provided during product demonstrations
• Billing information: company details for invoicing (we do not store payment card data)
• Customer support data: conversation transcripts, resolution data, customer interaction history
• Protected Health Information (PHI): if applicable, handled under separate HIPAA Business Associate Agreement

2.2 Information Collected Automatically

• Usage data: pages visited, time spent, click patterns, referral sources, feature usage metrics
• Device information: IP address (anonymized for analytics), browser type, device type, operating system
• Cookies and tracking technologies (see Section 15: Cookie Policy)
• Log files: error logs, access logs, system performance data, security event logs
• Unique identifiers: session IDs, device identifiers (for California residents, see Section 9)

2.3 Third-Party Sources

We may receive information from public databases for business contact verification purposes and from integrated third-party services (CRM systems, helpdesk platforms) with your authorization.

2.4 AI-Generated Data

Our AI systems process customer support conversations and may generate insights, categorizations, and response suggestions. This AI-generated data is specific to your organization and is not shared across customers. AI processing is performed by industry-standard providers including OpenAI and Anthropic under data processing agreements that prohibit training on your data.

5.1 Service Providers (Subprocessors)

We engage the following categories of service providers under strict data processing agreements:

• AI service providers: OpenAI, Anthropic (for AI processing with contractual prohibitions on training)
• Cloud hosting providers: Vercel, AWS (data encryption in transit and at rest)
• Analytics services: Google Analytics, Vercel Analytics (IP anonymization enabled)
• Email communication services (with encryption in transit)
• Payment processing services (for billing purposes only, PCI-DSS compliant)

A complete and current list of subprocessors is available upon request. We provide 30 days' notice before adding new subprocessors, and you may object to such changes.

5.2 Legal Requirements

We may disclose your information when required by law, court order, legal process, or to protect our rights, property, and safety. We will notify you of legal demands for your data unless prohibited by law or court order.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred. We will provide notice and ensure the receiving party honors this Privacy Policy.

7.1 Technical Security Measures

• Encryption: TLS 1.3 for data in transit, AES-256 encryption for data at rest
• Access controls: Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), principle of least privilege
• Network security: Firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection
• Application security: Secure coding practices, regular vulnerability assessments, penetration testing
• Data isolation: Customer data is logically isolated and cannot be accessed by other customers
• Security monitoring: Security Information and Event Management (SIEM), continuous monitoring, automated alerts

7.2 Organizational Security Measures

• SOC 2 Type II certification: Annual third-party security audits against AICPA Trust Services Criteria
• Staff training: Mandatory security and privacy training for all personnel
• Background checks: Conducted on all personnel with access to customer data
• Vendor management: Due diligence and contractual security requirements for all subprocessors
• Incident response: Documented procedures for security incident detection, response, and notification
• Business continuity: Disaster recovery and backup procedures tested regularly

7.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Our notification will include the nature of the breach, affected data categories, likely consequences, and remedial measures taken.

9.1 Your California Rights

• Right to Know: Request disclosure of personal information collected, used, disclosed, or sold in the past 12 months
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the sale or sharing of personal information (we do not sell personal information)
• Right to Limit: Limit use and disclosure of sensitive personal information
• Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

9.2 Categories of Personal Information

We collect and process the following categories of personal information:

• Identifiers (name, email, IP address)
• Commercial information (purchase history, billing records)
• Internet/network activity (browsing history, interactions with our service)
• Professional information (company name, job title)
• Inferences (preferences, characteristics derived from your activity)

9.3 Exercising California Rights

To exercise your California privacy rights, contact us at support@karma-bot.comwith "California Privacy Request" in the subject line. We will verify your identity and respond within 45 days. You may designate an authorized agent to make requests on your behalf by providing written authorization.

Notice: We do not sell personal information and have not sold personal information in the past 12 months. We do not share personal information for cross-context behavioral advertising.

11.1 AI System Classification

Our AI system is classified as a limited-risk AI system under the EU AI Act. It generates customer support responses and requires transparency obligations but is not considered high-risk.

11.2 AI Processing Details

• Purpose: Automated customer support response generation and conversation management
• AI Providers: OpenAI (GPT models), Anthropic (Claude models)
• Training Data: AI models are pre-trained by providers; your data is NOT used to train models for other customers
• Human Oversight: Optional approval workflows available; confidence thresholds for automated responses
• Limitations: AI may produce inaccurate responses; human escalation available for complex queries
• Transparency: End users can be notified they are interacting with an AI system

11.3 AI Accuracy and Limitations

While our AI achieves high accuracy on common support queries, it may occasionally produce incorrect or inappropriate responses. We implement confidence scoring, approval workflows, and human escalation to mitigate these risks. You maintain full control over whether AI responses are automatically sent or require human review.

14.1 Cookie Categories

• Essential cookies: Required for website functionality (authentication, security)
• Analytics cookies: Google Analytics, Vercel Analytics (with IP anonymization)
• Preference cookies: Remember your settings and preferences

14.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect website functionality. For analytics cookies, you can opt-out through our cookie consent banner or browser settings.