Privacy Policy — Karla
Effective date: [DATE] Who we are: [LEGAL ENTITY NAME] ("Karla", "we"), [POSTAL ADDRESS]. Contact: [privacy@withkarla.com]
1. Our two roles
Karla handles personal data in two capacities, and it matters which applies:
- As a controller — for the account holders who sign up and log in (their email, name, and account activity). We decide how that data is used.
- As a processor — for the details a customer adds about their teammates (names, roles, teams, birthdays, start dates). Here the customer (the employer) is the controller; we only process this data on their instructions to provide the service. Our obligations for this data are set out in our Data Processing Agreement.
This policy covers the data we control. For teammate data, the customer's own privacy notice governs, and our DPA governs our processing.
2. What we collect
Account holders (controller): email address, name (optional), authentication records and sessions, and the organisation details you set (org name, timezone, reminder settings).
Teammate records (processor, on the customer's behalf): name, role, team/ department, birthday (you may hide the year), employment start date, and privacy flags (e.g. "hide birth year", "opt out").
Operational data: reminder send logs (which reminder type was sent, for which day), and standard server/security logs (e.g. IP address, timestamps) used to run and protect the service, including rate-limiting abuse of public links.
We do not collect special-category data intentionally, and we ask customers not to put it in free-text fields. We currently do not process payment card data ourselves; if paid billing is added, it will be handled by a PCI-compliant payment processor and this policy updated.
3. Why, and our legal bases (GDPR Art. 6)
- To provide the service you asked for — performance of a contract.
- To keep the service secure and working (logs, rate-limiting, abuse prevention) — legitimate interests.
- For teammate data, our customer determines the legal basis as controller; we act on their documented instructions.
Under the NDPA, we rely on the corresponding lawful bases (contract, legitimate interest, and consent where applicable) and honour the data-subject rights it provides.
4. Who we share it with (sub-processors)
We use a small set of vetted providers to run Karla. They process data only to provide their service to us:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting | [US / region] |
| Neon | Database (Postgres) | [region] |
| Resend | Sending reminder & sign-in emails | [US] |
A current list lives in our DPA. We do not sell personal data and do not use it to serve ads.
5. International transfers
Some providers process data outside your country (e.g. in the United States). Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and equivalent measures under the NDPA. Details on request.
6. How long we keep it
We keep account and teammate data for as long as the account is active. When an account is deleted, we delete its data within [30] days, except where we must retain limited records to meet legal obligations. See Data deletion & retention.
7. Your rights
Depending on your location (GDPR/UK GDPR, and the NDPA in Nigeria), you may have the right to access, correct, delete, restrict, port, or object to the processing of your personal data, and to withdraw consent.
- If you are an account holder, contact us at [privacy@withkarla.com].
- If you are a teammate whose data was added by an employer, please contact that employer (the controller); we will assist them in responding. An admin can remove a teammate at any time, and anyone can be set to "opt out".
You may also complain to your data protection authority — in Nigeria, the Nigeria Data Protection Commission (NDPC); in the EU/UK, your local supervisory authority.
8. Security
Data is encrypted in transit (TLS) and at rest by our providers. We use passwordless magic-link sign-in, scope every request to the signed-in user's organisation, rate-limit public endpoints, and minimise the data we collect. No system is perfectly secure, but we take reasonable measures to protect it.
9. Children
Karla is a workplace tool and is not directed at children. We do not knowingly collect data from anyone under [16].
10. Changes
We may update this policy; we'll change the effective date and, for material changes, notify account holders.
11. Contact
[LEGAL ENTITY NAME], [POSTAL ADDRESS] — [privacy@withkarla.com].