Privacy Policy
This policy explains what personal data Karl collects, why we process it, who we share it with, and the rights you have. Karl is a product of Authoricy AB. It sits alongside our Terms of Service, GDPR commitments, and Cookie Policy.
1. Who we are
Karl is an AI marketing platform operated by Authoricy AB, a company registered in Sweden under company number 559565-6827, with its registered office at Eriksbergsgatan 13, 114 30 Stockholm, Sweden, and operations in London and Stockholm. In this policy, “Karl”, “we”, “us”, and “our” mean Authoricy AB.
For questions about this policy or how we handle personal data, contact us at hello@getkarl.io. We have not appointed a statutory Data Protection Officer; our data-protection contact is Alexander Retzlik, reachable at that address.
2. The two roles Karl plays
Karl processes personal data in two distinct roles, and your rights depend on which applies:
- As a controller — for the personal data of our own customers and prospects: the people who run, buy, or enquire about Karl. We decide why and how that data is processed, and this policy governs it.
- As a processor — for the personal data that flows through Karl when it works on a customer's behalf (for example, the enquiries, messages, and booking details a business's own customers send to Karl's AI receptionist). The business is the controller of that data; we process it only on their documented instructions under our Data Processing terms.
If you are an end-customer of a business that uses Karl and you want to exercise your rights over your data, please contact that business directly — they are the controller. We will support them in responding.
3. Personal data we collect
Account and relationship data
When you create an account, book a demo, or contact us: your name, business name, work email, phone number, role, and the contents of your communications with us.
Billing data
Billing contact details, business address, and VAT number where applicable. Card payments are handled by our payment provider; we do not store full card numbers.
Service content (Customer Data)
Where you use Karl to handle enquiries, bookings, reviews, and contact records, the personal data within that content is processed by us on your behalf as processor. You remain responsible, as controller, for the lawful basis on which it was collected.
Integration data
When you connect a calendar, practice-management or CRM system, a messaging channel, or a business listing, we process the data needed to deliver the service — for example availability, contact records, and message threads.
Website and usage data
When you visit getkarl.io we collect device and usage information and analytics events, subject to your cookie choices. See our Cookie Policy for the full list.
4. How we use personal data, and our lawful bases
Under the UK GDPR we must have a lawful basis for each processing purpose. Ours are:
| Purpose | Lawful basis |
|---|---|
| Providing and operating the Karl service for you | Performance of a contract |
| Account administration, support, and billing | Performance of a contract; legal obligation (tax/accounting) |
| Securing the service and preventing misuse | Legitimate interests |
| Improving and developing the product | Legitimate interests (balanced against your rights) |
| Marketing to existing business customers about similar services | Legitimate interests |
| Marketing emails to prospects, and non-essential cookies/analytics | Consent |
Where we rely on legitimate interests, you have the right to object — see Your rights. Where we rely on consent, you can withdraw it at any time without affecting prior processing.
6. International transfers
At launch, personal data processed by Karl is hosted in the United Kingdom and the European Economic Area (EEA). Some of our providers process personal data outside the UK or EEA — for example in the United States or Canada. Where they do, we rely on a UK or EU adequacy decision where one applies, or otherwise on Standard Contractual Clauses together with the UK International Data Transfer Addendum and any additional safeguards needed.
7. How long we keep personal data
We keep personal data only as long as needed for the purpose it was collected:
- Account and relationship data: for the duration of your contract and then up to 24 months, except where a longer period is required — for example 6 years for UK tax records.
- Service content we process on your behalf: per your instructions and our Data Processing terms; by default deleted or returned within 30 days of the end of your contract.
- Website and analytics data: per the retention periods in our Cookie Policy.
8. Your rights
Under the UK GDPR you have the right to: access your personal data; have it corrected; have it erased; restrict or object to processing; data portability; and withdraw consent where processing relies on it.
To exercise any of these, email hello@getkarl.io. We will respond within one month. If your request concerns data where we act as processor for a business, we will direct you to that business as controller.
10. Contact and complaints
If you have a concern about how we handle personal data, contact us first at hello@getkarl.io so we can put it right. You also have the right to lodge a complaint with a supervisory authority.
In the UK, that is the Information Commissioner's Office (ICO) at ico.org.uk. In Sweden, it is the Swedish Authority for Privacy Protection (IMY) at imy.se.
11. Changes to this policy
We may update this policy from time to time. The “last updated” date at the top shows the current version, and we will notify you of material changes through the service or by email.